Alureon virus, after SP3 100% CPU usage by svchost.exe

beckysellsaz · Aug 8, 2011

Hi,
Thanks in advance as all I've done to cure my computer in the past few months has failed and I am at my wits end and realize I am way out of my league with how to fix it. I will try to give a brief explanation of what I have tried and timeline and then my logs as requested will be pasted to the post.Got the Alureon re-direct virus, so to try to get rid of it, I updated AVG2011, ran it, didn't find anything, then Malwarbytes, ran it, found only adware, removed it, then Kypersky rootkit killer found it and I thought it was gone because the redirecting stopped. But computer was still painstakingly slow for even the simplest task. At the same time as this I ran Windows update and got SP3. Nightmare got worse. As soon as I did that I got a huge memory leak. All of a sudden all my disk space is used up, not even enough VM sometimes to run IE, or more than one item at a time, so I ran Process Explorer and found that the svchost was the culprit, furthermore it was the one connected with microsoft updates that came with the SP3. Unfortunately even the fixes from Microsoft didn't work to solve that so I had to disable automatic updates to get my CPU back, which is only a workaround for now, but the slowness, memory leak and buffering make it impossible to do my work, and it is still very slow even with the updates turned off. So yesterday I updated AVG and ran it again, it found one multiple runtime compression aspack,nupx problem that I have no idea how to fix, ran Malwarebytes, found nothing, then today I updated adobe and java, did the GMER scan only in safe mode because it wouldn't run any other way, in fact it gave me a BSOD everytime I tried it otherwise, and it found nothing, then did my DDS logs. Fast forward, I need lots of help.

Thanks,
Becky

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7390

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/6/2011 8:28:30 AM
mbam-log-2011-08-06 (08-28-29).txt

Scan type: Quick scan
Objects scanned: 176030
Time elapsed: 1 hour(s), 19 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by Owner at 21:30:27 on 2011-08-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.203 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\HPZipm12.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-

US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: XBTB03748 Class: {1cbc8587-1e29-4c2b-9739-d0e563905b32} - c:\docume~1\owner\mydocu~1\e-chor~1\e-chords.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture

utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480

\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-

D0C193E10749} - {38e51477-ddb4-4aed-

9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11

\REFIEBAR.DLL
Trusted Zone: realtytools.com
Trusted Zone: toolkitcma.com
Trusted Zone: toolkitcma2.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2564B8E6-7D84-11D4-A689-30475BC10000} - hxxp://www.toolkitcma.com/tkweb/tkweb.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.reoconnex.com/Image%20Uploader/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{8BCF23E9-2922-45FC-873E-7B0228D8C4A6} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480

\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\07ygroks.default\
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-

3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-

0000-0000-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5

\windows presentation

foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 297168]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro

pdf\reader\NitroPDFReaderDriverService.exe [2011-1-28 196912]
R2 pciinfo;HP Pci Information;c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [2006-6-29 1792]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2009-5-20 23096]
S0 eevqikpc;eevqikpc;c:\windows\system32\drivers\ggto.sys --> c:\windows\system32\drivers\ggto.sys [?]
S1 ytddioah;ytddioah;\??\c:\windows\system32\drivers\ytddioah.sys --> c:\windows\system32\drivers\ytddioah.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-6 7398752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-16 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-16 136176]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2010-2-21 54416]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2010-2-21 160272]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2010-2-21 160272]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2010-2-21 11920]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2010-2-21 113680]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-5-20 249856]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
.
=============== Created Last 30 ================
.
2011-08-07 20:18:23 -------- d-----w- c:\documents and settings\owner\local settings\application data\Sun
2011-08-07 18:34:43 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-07 18:34:41 611224 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-08-07 18:34:06 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-07 03:44:32 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2011-08-07 03:41:45 3038 ----a-w- C:\fix_svchost.bat
2011-08-07 03:26:33 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2011-08-06 14:05:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2006-09-07 00:16:52 534112 ----a-w- c:\program files\psa30se_ytb612_a708_DLM_en_us.exe
2006-07-13 19:57:38 7352104 ----a-w- c:\program files\ewebeditproclient.exe
2006-06-05 20:14:16 533912 ----a-w- c:\program files\psa30se_a708_DLM_en_us.exe
.
============= FINISH: 21:35:30.90 ===============
.
.

I will paste the 2nd DDS log into a new post.

beckysellsaz · Aug 8, 2011

2nd DDS log

Here is the 2nd DDS attach log. Any ideas or help will be greatly appreciated!.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/12/2005 3:56:16 AM
System Uptime: 8/7/2011 3:52:59 PM (6 hours ago)
.
Motherboard: Hewlett-Packard | | 309D
Processor: Intel(R) Pentium(R) M processor 1.73GHz | U1 | 1729/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 93 GiB total, 10.671 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1530: 5/10/2011 12:24:46 AM - System Checkpoint
RP1531: 5/11/2011 3:29:55 AM - System Checkpoint
RP1532: 5/12/2011 10:17:36 AM - Software Distribution Service 3.0
RP1533: 5/17/2011 3:33:00 PM - System Checkpoint
RP1534: 5/18/2011 4:25:16 PM - System Checkpoint
RP1535: 5/20/2011 12:38:14 AM - System Checkpoint
RP1536: 5/21/2011 4:40:32 PM - System Checkpoint
RP1537: 5/22/2011 5:21:57 PM - System Checkpoint
RP1538: 5/24/2011 2:15:55 PM - System Checkpoint
RP1539: 5/25/2011 2:58:18 PM - System Checkpoint
RP1540: 5/26/2011 3:57:54 PM - System Checkpoint
RP1541: 5/30/2011 5:54:19 PM - System Checkpoint
RP1542: 6/3/2011 8:46:10 PM - System Checkpoint
RP1543: 6/4/2011 9:44:54 PM - System Checkpoint
RP1544: 6/7/2011 10:53:26 PM - System Checkpoint
RP1545: 6/10/2011 11:13:57 AM - System Checkpoint
RP1546: 6/11/2011 11:55:42 AM - System Checkpoint
RP1547: 6/12/2011 8:27:55 PM - System Checkpoint
RP1548: 6/14/2011 6:42:25 PM - System Checkpoint
RP1549: 6/15/2011 7:23:40 PM - System Checkpoint
RP1550: 6/18/2011 8:48:44 AM - Software Distribution Service 3.0
RP1551: 6/19/2011 8:46:47 PM - System Checkpoint
RP1552: 6/20/2011 9:21:32 PM - System Checkpoint
RP1553: 6/30/2011 1:26:51 PM - System Checkpoint
RP1554: 7/1/2011 3:02:41 AM - Software Distribution Service 3.0
RP1555: 7/2/2011 3:02:32 AM - Software Distribution Service 3.0
RP1556: 7/4/2011 12:29:06 PM - Software Distribution Service 3.0
RP1557: 7/6/2011 10:16:20 AM - System Checkpoint
RP1558: 7/7/2011 3:58:21 PM - System Checkpoint
RP1559: 7/8/2011 4:09:41 PM - System Checkpoint
RP1560: 7/13/2011 9:54:03 AM - System Checkpoint
RP1561: 7/17/2011 5:17:45 PM - System Checkpoint
RP1562: 8/5/2011 6:56:34 PM - System Checkpoint
RP1563: 8/6/2011 3:02:52 AM - Software Distribution Service 3.0
RP1564: 8/6/2011 4:13:26 PM - Removed Adobe Reader 9.3.2.
RP1565: 8/7/2011 2:02:50 AM - Installed Adobe Reader X (10.1.0).
RP1566: 8/7/2011 10:41:57 AM - Removed J2SE Runtime Environment 5.0 Update 4
RP1567: 8/7/2011 10:48:48 AM - Removed J2SE Runtime Environment 5.0 Update 6
RP1568: 8/7/2011 10:53:47 AM - Removed Java(TM) 6 Update 2
RP1569: 8/7/2011 11:01:28 AM - Removed Java(TM) 6 Update 11
RP1570: 8/7/2011 11:31:44 AM - Installed Java(TM) 7
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.0)
Adobe Shockwave Player 11.5
Adobe® Photoshop® Album Starter Edition 3.2
Agere Systems AC'97 Modem
AiO_Scan_CDA
AiOSoftwareNPI
AllMusicConverter 3.8.3
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Auslogics Duplicate File Finder
AutoUpdate
AVG 2011
AVS DVDMenu Editor 1.0.0.5
AVS Video Tools 5.5
Bonjour
BufferChm
C6100
c6100_Help
Compatibility Pack for the 2007 Office system
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
CueTour
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
DiscAPI (Studio 10)
Disney Pirates of the Caribbean Online
DivX
DocProc
DocProcQFolder
DocumentViewer
DocumentViewerQFolder
E-Chords Toolbar
eSupportQFolder
Fax_CDA
FormViewer
FullDPAppQFolder
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 4.5.0.457
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Help and Support
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
HP Wireless Assistant 1.01 B2
HP_User_Guides_0005
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
Inkscape 0.46
InstantShareDevices
InstantShareDevicesMFC
Intel(R) Graphics Media Accelerator Driver for Mobile
InterVideo WinDVD
iTunes
Java Auto Updater
Java(TM) 7
LightScribe System Software
LiveUpdate 2.5 (Symantec Corporation)
Logitech Desktop Messenger
Logitech SetPoint
M4A to MP3 Converter 1.2
Malwarebytes' Anti-Malware version 1.51.1.1800
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (PINNACLESYS)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox (3.6.12)
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Transfer
MUSICMATCH® Jukebox
muvee autoProducer 4.0 - SE
NewCopy_CDA
Nitro PDF Reader
OCR Software by I.R.I.S 7.0
PanoStandAlone
PANTECH UM175 Driver
PhotoGallery
Pinnacle Instant DVD Recorder
Pinnacle MediaServer
PowerTeacher Gradebook
Primo
PrimoPDF -- brought to you by Nitro PDF Software
ProductContextNPI
Quick Launch Buttons 5.10 B5
QuickTime
RandMap
RAPID (Studio 10)
Readme
Roblox for Owner
Runtime
Scan
ScannerCopy
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SkinsHP1
SlideShow
SmartSound Quicktracks Plugin
SolutionCenter
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
Sony Picture Utility
SoundMAX
Station Launcher
Status
Studio 10
Texas Instruments PCIxx21/x515 drivers.
TIxx21
Toolbox
ToolkitCMA
TrayApp
Turbo Lister 2
Unload
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VZAccess Manager
WebFldrs XP
WebReg
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
8/7/2011 4:09:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HP WMI Interface service to

connect.
8/7/2011 4:09:33 PM, error: Service Control Manager [7000] - The HP WMI Interface service failed to start due to the following error:

The service did not respond to the start or control request in a timely fashion.
8/7/2011 4:09:33 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service hpqwmi with arguments "-

Service" in order to run the server: {7DC5B2D7-CACC-47F2-836E-4DF85F026072}
8/7/2011 4:06:52 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to

connect.
8/7/2011 4:06:52 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The

service did not respond to the start or control request in a timely fashion.
8/7/2011 4:06:39 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "-

Service" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
8/7/2011 4:05:54 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the

UMWdf service.
8/7/2011 4:05:54 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the

Apple Mobile Device service.
8/7/2011 4:00:19 PM, error: Service Control Manager [7022] - The Terminal Services service hung on starting.
8/7/2011 4:00:19 PM, error: Service Control Manager [7022] - The Pinnacle Systems Media Service service hung on starting.
8/7/2011 4:00:19 PM, error: Service Control Manager [7022] - The AVGIDSAgent service hung on starting.
8/7/2011 4:00:19 PM, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal

Services service which failed to start because of the following error: After starting, the service hung in a start-pending state.
8/7/2011 3:59:12 PM, error: System Error [1003] - Error code 100000d1, parameter1 0000000c, parameter2 00000005, parameter3

00000001, parameter4 f84675f7.
8/7/2011 3:45:58 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It

has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
8/7/2011 3:41:06 PM, error: Service Control Manager [7022] - The SSDP Discovery Service service hung on starting.
8/7/2011 3:36:55 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the

TermService service.
8/7/2011 3:36:55 PM, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal

Services service which failed to start because of the following error: The service did not respond to the start or control request in a timely

fashion.
8/7/2011 3:36:55 PM, error: Service Control Manager [7000] - The Terminal Services service failed to start due to the following error:

The service did not respond to the start or control request in a timely fashion.
8/7/2011 3:27:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in

order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/7/2011 3:27:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in

order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/7/2011 3:26:55 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
8/7/2011 3:25:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order

to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/7/2011 3:19:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD

Avgldx86 Avgmfx86 Avgtdix eabfiltr Fips intelppm IPSec MRxSmb NetBIOS NetBT PCLEPCI RasAcd Rdbss Tcpip
8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which

failed to start because of the following error: A device attached to the system is not functioning.
8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which

failed to start because of the following error: A device attached to the system is not functioning.
8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service

which failed to start because of the following error: A device attached to the system is not functioning.
8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which

failed to start because of the following error: A device attached to the system is not functioning.
8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service

which failed to start because of the following error: A device attached to the system is not functioning.
8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver

service which failed to start because of the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================

Bobbye · Aug 8, 2011

Becky, when you open Notebook for a log, please click on Font and uncheck Word Wrap. I'd appreciate it if you would repost just the DDS.txt log with Word Wrap off. (You don't need to redo the Attach.log. I can't read the entries when they're split over 2 or more lines.You'll see the difference.
==========================================
Please remove any of the scanning programs you used when the panic set in, such as the Kaspersky Rootkit Killer.
===========================================
The Java is way outdated-Java(TM) 7- I think this is actually an update rather than a version as the current version is v6u26 and is a vulnerability, so you need to update now: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
--------------------------------
After the update, you will need to remove malware in the Java cache::
To clear the Java Plug-in cache:

[1]. Click Start > Control Panel.
[2]. Double-click the Java icon in the control panel. The Java Control Panel appears.

[3].Click Settings under Temporary Internet Files.The Temporary Files Settings dialog box appears.

[4] Click Delete Files.The Delete Temporary Files dialog box appears.

[5]. Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.
[6]. Click Apply> OK on Temporary Files Settings window.

Images courtesy java.com
=======================================
Please remove these domains from the Trusted Zone. Security is lower in that zone and nothing needs to be there:
Trusted Zone: realtytools.com
Trusted Zone: toolkitcma.com
Trusted Zone: toolkitcma2.com
=======================================
Please handle the above. I have to leave for a couple of hours and will give you further instructions after I return.

My Guidelines: please read and follow:

Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.

Read my instructions carefully. If you don't understand or have a problem, ask me.

If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.

Follow the order of the tasks I give you. Order is crucial in cleaning process.

File sharing programs should be uninstalled or disabled during the cleaning process..

Observe these:
[o] Don't use any other cleaning programs or scans while I'm helping you.
[o] Don't use a Registry cleaner or make any changes in the Registry.
[o] Don't download and install new programs- except those I give you.

Please let me know if there is any change in the system.

If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================

beckysellsaz · Aug 8, 2011

Hi Bobbye,

Thank you so much for helping me. I have re-pasted the DDS log with word wrap off at the end of this post. Sorry I did not know that was on.

I followed your steps in order, however I think the Kapersky rootkit killer was already removed. All I could find was the quarantine folder and 3 logs from the scans. Should I remove those as well? Also, checked for other scans but I don't think I have any except what your site recommends still installed.

Updated Java, no problems but should I remove that Java 7 I installed yesterday?

Emptied Java Cache, no problems, removed the domain names from the trusted sites, and will patiently await your next instructions. My computer seems to be running about the same.

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by Owner at 21:30:27 on 2011-08-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.203 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\HPZipm12.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: XBTB03748 Class: {1cbc8587-1e29-4c2b-9739-d0e563905b32} - c:\docume~1\owner\mydocu~1\e-chor~1\e-chords.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480

\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-

9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: realtytools.com
Trusted Zone: toolkitcma.com
Trusted Zone: toolkitcma2.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2564B8E6-7D84-11D4-A689-30475BC10000} - hxxp://www.toolkitcma.com/tkweb/tkweb.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.reoconnex.com/Image%20Uploader/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{8BCF23E9-2922-45FC-873E-7B0228D8C4A6} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\07ygroks.default\
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation

foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 297168]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-28 196912]
R2 pciinfo;HP Pci Information;c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [2006-6-29 1792]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2009-5-20 23096]
S0 eevqikpc;eevqikpc;c:\windows\system32\drivers\ggto.sys --> c:\windows\system32\drivers\ggto.sys [?]
S1 ytddioah;ytddioah;\??\c:\windows\system32\drivers\ytddioah.sys --> c:\windows\system32\drivers\ytddioah.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-6 7398752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-16 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-16 136176]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2010-2-21 54416]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2010-2-21 160272]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2010-2-21 160272]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2010-2-21 11920]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2010-2-21 113680]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-5-20 249856]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
.
=============== Created Last 30 ================
.
2011-08-07 20:18:23 -------- d-----w- c:\documents and settings\owner\local settings\application data\Sun
2011-08-07 18:34:43 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-07 18:34:41 611224 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-08-07 18:34:06 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-07 03:44:32 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2011-08-07 03:41:45 3038 ----a-w- C:\fix_svchost.bat
2011-08-07 03:26:33 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2011-08-06 14:05:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2006-09-07 00:16:52 534112 ----a-w- c:\program files\psa30se_ytb612_a708_DLM_en_us.exe
2006-07-13 19:57:38 7352104 ----a-w- c:\program files\ewebeditproclient.exe
2006-06-05 20:14:16 533912 ----a-w- c:\program files\psa30se_a708_DLM_en_us.exe
.
============= FINISH: 21:35:30.90 ===============
.
.

Bobbye · Aug 8, 2011

Thank you- that's better! Looks like you hiccuped a couple of times, but it's not a problem.
Regarding "should I remove that Java 7 I installed yesterday?"> Yes it's not the correct Java.
The only Java 7 I see is JDK 7 The Java Development Kit (JDK) from Sun Microsystems aimed at Java developers. So unless you're a programmer, this wouldn't be what you should have.
Get Java v6u26 here> http://www.java.com/en/download/
---------------------
Would you please do this while we're working together:
Go into Pinnacle Studios and turn off the driver check.
If the website moves or is down for a bit and the software checks for a driver from a link that isn't working, you get error type messages. As a general rule, you do not need software checking for driver updates. If the software/hardware is working then the driver is fine so you wouldn't want it updated anyway.
(This is the entry in the log. You don't need to so anything with it, I'll handle that. Just wanted you so see what I'm referring to.)
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
====================================
There are some entries in these logs I can't identify, so I'd like you to run the following:

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESETOnlineScan

For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
[o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
[o] Double click on the on your desktop.

Check 'Yes I accept terms of use.'

Click Start button

Accept any security warnings from your browser.

Uncheck 'Remove found threats'

Check 'Scan archives/

Leave remaining settings as is.

Press the Start button.

ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.

When the scan completes, press List of found threats

Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.

Push the Back button

Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===================================
Follow with Combofix. It won't run with AVG, so you will have to uninstall it temporarily as follows:
Download AppRemover and save to the desktop

Double click the setup on the desktop> click Next

Select “Remove Security Application”

Let scan finish to determine security apps

A screen like below will appear:

Click on Next after choice has been made

Check the AVG program you want to uninstall

After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Download Combofix from HERE or HERE and save to the desktop

Double click combofix.exe & follow the prompts.

ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.

.Click on Yes, to continue scanning for malware

.If Combofix asks you to update the program, allow

.Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

.Close any open browsers.

.Double click combofix.exe & follow the prompts to run.

When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==================================
These 2 scans will help us find and then remove the offenders. Logs for Eset and Combofix in next reply please.
There is no log for the App Remover. But be sure to put of of the AV program on system- after you install it, make sure to check for updates. You do not need to run a scan with it at this time.

__________________

beckysellsaz · Aug 11, 2011

Hi Bobbye,

I am still working on the items from your last post. I have run into a problem and want to ask a question before I continue. I am up to running the combofix scan, but everytime I try to run it I get a warning that says the AVG 2011 reatime scanner is active and to disable it before clicking ok, but there is no trace that I can find of AVG still on the system. I ran the Appremover program and the uninstall said it was complete. Just to be sure after I got the warning I reran it and it could not detect the AVG, I rebooted but no change. I found that the AVG website has a download for a last resort tool that will remove any remaining traces but states that it will remove registry entries, etc. and I remember you said not to use anything you haven't approved so I wanted to check with you before continuing. BTW, the combofix warning states that if I continue without disabling the AVG I will be puting my system at great risk so I will wait til I hear from you before doing the scan.

Thanks,
Becky

Bobbye · Aug 12, 2011

Oh my! AVG give us so much problem! They have left no way for it to be disabled to run scans, so we uninstall it. But it sounds like the Resident Shield is still active. If you can bypass this and run Combofix, okay- but be sure you have added one of the temporary AV programs so the system will be safe.

If you cannot bypass and Combofix won't run, use the following tool:
AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.
Note:

AVG user settings will be removed.

Virus Vault contents will be removed.

All other items related to AVG installation and use will be removed.

You will be asked during the removal procedure to restart your computer. Please do so.

Make sure there is no open work in process prior to launching AVG Remover.

AVG Remover:32bit

beckysellsaz · Aug 14, 2011

Hi Bobbye,

Well that was painful, but we got through it. I have attached the logs from the scans. Here is a rundown of how things went. Java is most recent version only now. I turned off the Pinnacle Studio driver check, then ran the Eset scan. Since my computer is soooo slow, that took 15 hours, but it did find two threats. Next I used the appremover to uninstall the AVG, and installed the Avira AV in its place. Then I installed the Combofix and as you know ran into the problem of AVG still being on the system when I tried to run that scan. So I tried to use the AVG removal tool from AVG to fully remove AVG, but I tried running that scan twice and it froze halfway through both times and would not finish. I finally just ran the combo fix anyway. The only problem I had with that was that it asked to install the recovery console but then could not connect to the internet, so after awhile it just ran the scan by itself without installing the recovery console. So should I try to manually install the recovery console in case I need it later? Also, since AVG has caused me so many headaches, do you recommend another good free one I can use long-term? I will just leave Avira on for now. So far, the speed of everything is still slow, so not much of a change after the scans. I also have a text log of the AVG remover scan if you want to see that.

Eset Scan

C:\Documents and Settings\Owner\autorun.inf INF/Autorun virus
C:\Documents and Settings\Owner\My Documents\2_lnk.zip BAT/TrojanDownloader.Ftp.NIJ.Gen trojan

Combofix scan

ComboFix 11-08-10.03 - Owner 08/13/2011 18:14:04.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.184 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Cookies.lnk
c:\documents and settings\Owner\g2mdlhlpx.exe
c:\documents and settings\Owner\My Documents\~WRL0884.tmp
c:\documents and settings\Owner\My Documents\~WRL2220.tmp
c:\documents and settings\Owner\My Documents\~WRL2399.tmp
c:\documents and settings\Owner\My Documents\~WRL3252.tmp
c:\documents and settings\Owner\My Documents\~WRL3644.tmp
c:\documents and settings\Owner\Recent\Thumbs.db
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\_000013_.tmp.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-07-14 to 2011-08-14 )))))))))))))))))))))))))))))))
.
.
2011-08-10 16:30 . 2011-08-10 16:30 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2011-08-10 04:22 . 2011-08-11 03:16 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-10 04:22 . 2011-08-11 03:16 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-10 04:22 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-08-10 04:22 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-08-10 04:22 . 2011-08-10 04:22 -------- d-----w- c:\program files\Avira
2011-08-10 04:22 . 2011-08-10 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-08-10 00:15 . 2011-08-10 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-09 05:30 . 2011-08-09 05:30 -------- d-----w- c:\program files\ESET
2011-08-08 22:55 . 2011-08-08 17:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-07 20:18 . 2011-08-07 20:18 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sun
2011-08-07 18:34 . 2011-08-08 17:06 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-08-07 18:34 . 2011-08-08 17:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-07 08:09 . 2011-08-07 08:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-08-07 03:53 . 2011-08-07 03:54 -------- d-----w- c:\documents and settings\Administrator.PC326916935110
2011-08-07 03:44 . 2011-08-07 03:44 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2011-08-07 03:41 . 2011-08-07 03:41 3038 ----a-w- C:\fix_svchost.bat
2011-08-07 03:26 . 2011-08-07 03:26 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2011-08-06 14:05 . 2011-08-06 14:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 02:52 . 2011-03-26 01:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2011-03-26 01:17 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02 . 2004-08-04 08:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2006-09-07 00:16 . 2006-09-07 00:16 534112 ----a-w- c:\program files\psa30se_ytb612_a708_DLM_en_us.exe
2006-07-13 19:57 . 2006-07-13 19:57 7352104 ----a-w- c:\program files\ewebeditproclient.exe
2006-06-05 20:14 . 2006-06-05 20:14 533912 ----a-w- c:\program files\psa30se_a708_DLM_en_us.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-15 67128]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-04-13 2387968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 28160]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 118784]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-14 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-12-30 333088]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-2-14 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-12-28 438272]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/9/2011 9:23 PM 136360]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [1/28/2011 10:51 AM 196912]
R2 pciinfo;HP Pci Information;\??\c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [5/20/2009 9:50 PM 23096]
S0 eevqikpc;eevqikpc;c:\windows\system32\drivers\ggto.sys --> c:\windows\system32\drivers\ggto.sys [?]
S1 ytddioah;ytddioah;\??\c:\windows\system32\drivers\ytddioah.sys --> c:\windows\system32\drivers\ytddioah.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2010 12:17 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2010 12:17 PM 136176]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2/21/2010 1:36 PM 54416]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2/21/2010 1:36 PM 160272]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2/21/2010 1:36 PM 160272]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2/21/2010 1:36 PM 11920]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2/21/2010 1:36 PM 113680]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [5/20/2009 9:50 PM 249856]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-04-13 22:08 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
.
2011-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 19:17]
.
2011-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 19:17]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.reoconnex.com/Image%20Uploader/ImageUploader6.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\07ygroks.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-HP Document Viewer - c:\program files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe
AddRemove-HP Imaging Device Functions - c:\program files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe
AddRemove-HP Photo & Imaging - c:\program files\HP\Digital Imaging\uninstall\hpzscr01.exe
AddRemove-HPExtendedCapabilities - c:\program files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe
AddRemove-HPOCR - c:\program files\HP\Digital Imaging\OCR\hpzscr01.exe
AddRemove-{36C41D70-56F5-4E2B-81DA-6BEB7502D7A1} - c:\program files\InstallShield Installation Information\{36C41D70-56F5-4E2B-81DA-6BEB7502D7A1}\setup.exe
AddRemove-{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C} - c:\program files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe
AddRemove-{D5068583-D569-468B-9755-5FBF5848F46F} - c:\program files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-13 18:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2011-08-13 19:12:32
ComboFix-quarantined-files.txt 2011-08-14 02:11
.
Pre-Run: 11,706,716,160 bytes free
Post-Run: 12,536,242,176 bytes free
.
- - End Of File - - D539B46286554703F2EF80A58C2B72EC

thanks,
Becky

Bobbye · Aug 17, 2011

Sorry Becky, I've gotten a bit behind.

As you may have seen in the Eset log, you have the Autorun virus, which, as the name suggests, uses the Autorun.inf feature in the Windows OS that is used for launching the programs that are stored in the removable media such as DVDs, USB Devices, CD ROMs, as well as Memory Sticks.

When your computer is infected, viruses can connect to the malicious web site and install the key logger on your PC. The key logger steals all your private information like usernames, account numbers, social security, passwords, credit card information, as well as other sensitive information. So the possibility exists that the computer has been so compromised that only a reformat/reinstall will restore it, as well as changing all of your passwords and carefully monitoring any online financial transactions you have,

If there is autorun.inf virus in USB drive, each time you insert the removable media and double-click your drives to open it, virus files begin executing and infect your computer: which spreads itself onto the computer by making the multiple copies of the autorun.inf and .exe files on every drive of your computer.

So first, you disinfect the flash drive: And note that if they have been connected to other machines, they may now be infected.

Please disinfect all movable drives

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings

The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.

Wait until it has finished scanning and then exit the program.

Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
Note that the above should be used on all movable nedia by connecting them when you run the disinfection.
================================================
For the Eset entires:
Please download OTMovit by Old Timer and save to your desktop.
Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:Files 
C:\Documents and Settings\Owner\autorun.inf 
C:\Documents and Settings\Owner\My Documents\2_lnk.zip 

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.

Click the red Moveit! button.

A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=================
You surely tried to fix things! My compliments to you. What I need to know is if the following made any difference in the CPU usage. If that has been handled, I can remove those entries with script I'm using for other entries to be removed.

Has anything changes from the original problems?

beckysellsaz · Aug 22, 2011

Hi Bobbye,

Please do not close my thread. I have been working alot the past few days so haven't had time to try to remove the viruses yet. Can you answer one question before I begin cleaning it? Which items do I need to clean? I will list the drives I have that may have been inserted into the computer in the past 4 months, assuming I got the virus the first week of March when all the slowness started. If you could tell me which ones need to be cleaned and which ones I don't need to worry about. I have two digital cameras with memory cards, one external hard drive, 2 different printers, but I don't think they have any memory cards, several ipods that have music and pictures on them, and we have cell phones although none of them have ever been connected through a usb to the computer so I don't know if it is necessary to clean those. Is my email infected as well? because I do get that remotely on my blackberry. I have burned music cds and movie dvds from the computer during this time. Are those infected too? Can I clean them or should I just throw them away and make new ones when it is clean?

Thanks and I will start cleaning all the drives when I hear back from you.

Becky

Bobbye · Aug 24, 2011

Becky, I think this may sum it up:
An analysis from Computer Associates:

According to recent reports by SANS Internet Storm Center there is a new trend to transmit malwares through hardware vehicles like USB ports.

Every device plugged into your PC through a USB port is considered a hard drive, and every device considered a hard drive by your PC can be infected by a compromising malware.

........ USB port is a very powerful channel used to transfer information-data between our PC and an external device. Look at –for example- memory sticks, SD cards for digital camera, GPS devices and external hard drives. The malware (a virus) copies itself to every hard drive internal and external altering the AUTORUN.INF file.

It just not only copies itself to other drives, but according to this incident-analysis I found out it also drops other malwares into your PC starting a hidden connection with a Chinese remote malicious server.

Malware authors have taken full advantage of the uses of these devices by so many. And they are also busy on the social networking sites. And so many users participate in file sharing, so the potential for unprotected systems is great!

beckysellsaz · Aug 29, 2011

Hi Bobbye,

I cleaned all the USB ports and devices using the Flash Disinfector. It worked with no problems on each item except once when the Avira said it blocked the autorun.inf file for protection. After that happened I simply started over and cleaned that flash drive a second time til I got an ok.

Next I followed your instructions for using Old Timer to remove the viruses. My log is attached to this post but unfortunately the computer is still running slowly. I hope you can see something in the log that we can still try to improve the performance of the computer. I just don't understand why it lags so badly after all I have tried to clean it.

Thanks so much for all your help through this.

Becky

Oldtimer log
All processes killed
========== FILES ==========
File/Folder C:\Documents and Settings\Owner\autorun.inf not found.
C:\Documents and Settings\Owner\My Documents\2_lnk.zip moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3336 bytes
->Flash cache emptied: 2836 bytes

User: Administrator.PC326916935110
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56468 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1127634 bytes
->Flash cache emptied: 2813 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 488372 bytes
->Java cache emptied: 119641 bytes
->Flash cache emptied: 24600 bytes

User: Owner
->Temp folder emptied: 1781296 bytes
->Temporary Internet Files folder emptied: 64830323 bytes
->Java cache emptied: 133230270 bytes
->FireFox cache emptied: 44295562 bytes
->Google Chrome cache emptied: 40164008 bytes
->Flash cache emptied: 3406647 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 896529 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 98968 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 1065 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 8014 bytes

Total Files Cleaned = 277.00 mb

OTM by OldTimer - Version 3.1.18.0 log created on 08282011_225120

Files moved on Reboot...

Registry entries deleted on Reboot...

Bobbye · Aug 29, 2011

Becky, using the DDS log as a guide, ALL if the following were running:

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pmbmed~1.lnk - c:\programfiles\sony\sony pictureutility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480
\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

None of the above need to start on boot. None need to be checked on the Startup Menu. Each can be accessed in Programs when needed.

To remove entries from the Startup Menu using the msconfig utility:

Click on Start> Run> type in msconfig> enter>

Click on Selective Startup

Choose the Startup tab:

All images courtesy NetSquirrel

To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.

Uncheck any processes you do not need to start on boot. This would be all of the processes I listed for the programs above[/b]
[*] Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
======================================
These programs aren't to go anywhere if you don't start them on boot. They will sit on your hard drive, only using hard drive 'space', but not system resources. They don't do that until you select the program and open it- effectively saying GO!!!
-----------------------------------
Some may be started by a Service, like 'jqs'- that is JavaQuickStart for instance. For that:
Click on start> Run> type in services.msc> enter> double click on Java QuickStart> Change Startup Type to Disabled> Stop the Service........You don't need this to run at all.

If any of the other programs have a Service, that can be changed to Manual instead of Automatic.

TechSpot

Welcome to TechSpot

Alureon virus, after SP3 100% CPU usage by svchost.exe

beckysellsaz Newcomer, in training

beckysellsaz Newcomer, in training

Bobbye Helper on the Fringe Posts: 16,406 +16

beckysellsaz Newcomer, in training

Bobbye Helper on the Fringe Posts: 16,406 +16

beckysellsaz Newcomer, in training

Bobbye Helper on the Fringe Posts: 16,406 +16

beckysellsaz Newcomer, in training

Bobbye Helper on the Fringe Posts: 16,406 +16

beckysellsaz Newcomer, in training

Bobbye Helper on the Fringe Posts: 16,406 +16

beckysellsaz Newcomer, in training

Bobbye Helper on the Fringe Posts: 16,406 +16

Add New Comment

	Social Login & Guest Posting			TechSpot Members Login here or sign up for free, it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.