
How to Resolve Virus using 100% CPUs In Vista-32 bit

Discussion in 'Virus and Malware Removal' started by cashcab, Jan 12, 2011.

  1. Bobbye Helper on the Fringe Posts: 16,406   +16

    I'm not sure what you did here or why you did it. Qoobox is where Combofix puts the quarantined files. It would not be something you had to submit anywhere for identification. I am not aware of Combofix ever telling someone they needed to submit a file! I would be the one to tell you to submit something and where to submit it.

    As for the a key, I doubt that has anything to do with malware. I had to replace the keyboard on a new Dell mini because the G key wouldn't work right!

    The only way you can determine anything about the CPU usage is to document what the high users are. If it's usually iexplore.exe now, it could be add-ons working in the background. I can't help you with that problem unless I know what the processes are and what you are doing at the time. Is this CPU usage slowing you down or are you just worried because it seems high?

    I'll be back after supper to check the Combofix log.
  2. cashcab Newcomer, in training Posts: 21

    Combo-Fix

    Perhaps the request for submission is an addition to the newest version of combo-fix. When I started the process last night, Combo-fix asked me if I wanted to download the most recent version since I wasn't using it. I said yes. Prior to creating the log, the submission occurred as I mentioned. I just followed the prompts. I do have a Qoobox file on my computer now.

    Today, my machine seems to be running fairly quickly. I have lost track of what's "normal" anymore since I have had this high CPU usage issue since September. It's certainly faster than it was prior to your help so thank you. Given that a number of files were deleted last night using the custom code I just want to make sure this issue is resolved so I don't encounter it again in the future. I was under the impression that we had eliminated the virus a few days earlier so I was surprised to see another one identified last night. That's my concern. I'm not sure if this is reflected in the log I sent but once you have a look, I am sure you can determine if I still have an issue.

    Thanks very much for your ongoing help, It is most appreciated.

    Cashcab
  3. cashcab Newcomer, in training Posts: 21

    CPU Usage

    Bobbye,

    Today, CPU usage is so high that my machine "freezes." This is the same issue I had before. It appears that the big user is whatever I'm using at the time. For example, an active trader program wouldn't open this morning and I received notification from my anti-virus software of high CPU usage. I have resorted to working in "safe mode" all the time. Any ideas? I can't figure out why this seems to "come and go" with the same programs open.

    Thank you.
  4. Bobbye Helper on the Fringe Posts: 16,406   +16

    Okay, this should put your mind to rest:
    Specifically, the majority of the alerts you're getting from Norton are performance alerts, not malware alerts

    Your sensitivity threshold needs to be set higher as the lower it's set, the more alerts you'll get. The following are taken from comments in the Norton Community. I think they will help you set this better and not let it worry you any more:>>>>

    Allow Performance Monitoring Alerts to be Configured
    Please reset to High and let me know if you notice improvement.
  5. cashcab Newcomer, in training Posts: 21

    Thanks for this but I don't think it's the settings that is causing my machine to still run painfully slow. It was better for a day but with each passing day it gets slower and slower. The high CPU usage seems to vary depending upon what I am trying to use, sometimes it's internet explorer.exe, sometimes the trading software I use, etc. The main thing is that prior to getting the virus at the hotel in September, I was able to run whatever I wanted and I did not encounter this issue. Did you see anything in the last combofix log that could be causing this?

    Thanks very much,

    CashCab
  6. Bobbye Helper on the Fringe Posts: 16,406   +16

    Please read through the Norton information I left. This is a new feature from Norton and many users are complaining about it! Isn't it remotely possible that there was an update from Norton with this around the same time you were in the hotel? You should at least change the Performance setting to High.

    I am not big on coincidences. But because of what I read on 3 Norton forums, I think this time it should be considered.

    Please tell me how much RAM you have installed. And I would like you to open the TaskManager when the CPU is high and see how much memory that process with the high CPU is using at that time.

    I will review the Combofix log again and I'd like you to run HijackThis so I can see if there are any bad entries:

    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Summary:
    1. Reset the Norton Performance Alert to High.
    2. Check for the installed RAM
    3. Run scan with HJT
     
  7. cashcab Newcomer, in training Posts: 21

    HiJack Log and Comment

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:46:54 PM, on 1/20/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18999)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Dell 968 AIO Printer\dldomon.exe
    C:\Program Files\Dell 968 AIO Printer\memcard.exe
    C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Carrie\Desktop\HijackThis\HijackThis.exe
    C:\Windows\system32\DllHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\IPS\IPSBHO.DLL
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\coIEPlg.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
    O4 - HKLM\..\Run: [dldomon.exe] "C:\Program Files\Dell 968 AIO Printer\dldomon.exe"
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell 968 AIO Printer\memcard.exe"
    O4 - HKLM\..\Run: [Dell 968 AIO Printer Fax Server] "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" /s
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    O4 - HKLM\..\Run: [Bing Bar] "C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe"
    O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [PxDotNetLoader] "C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe"
    O4 - HKCU\..\Run: [NortonUtilities] C:\Program Files\Norton Utilities 14\RMTray.exe /H
    O4 - HKUS\S-1-5-18\..\Run: [PxDotNetLoader] "C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [PxDotNetLoader] "C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Feature Support (BthFilterHelper) - CSR, plc - C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
    O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\Windows\system32\spool\DRIVERS\W32X86\3\\dldoserv.exe
    O23 - Service: dldo_device - - C:\Windows\system32\dldocoms.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 12376 bytes


    I did read the Norton Virus info you sent. I had it set to medium and changed it to high as you suggested to run the "hijack log." I didn't have this version of Norton Antivirus installed when my problem first started. I had the 2010 version but it expired about a month ago so I had to purchase a new version. Thus, I don't think it has impacted the high CPU usage as that existed before and after I installed the 2011 version.

    I have 2 GB of memory. Recently I was notified that svchost.exe was using high CPU with the following message, "svchost.exe--at least 42% of one CPU is being used." Never do I have any process using more than 50% but it gets very close. The memory was not affected when I received this notification and listed as "normal." That's generally what happens.

    Perhaps the hijack log or most recent combofix log provides some additional insight?

    As always, thanks for all your help and hanging in here with me still =)

    Cashcab
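A HijackThis log like the one posted above can be triaged by section before anyone decides what to fix. The following is an added example, not code from the thread or from HijackThis: it parses the O2, O4 and O23 line formats seen in the log and lists entries worth a manual look. The function names, the path heuristic and the `ExampleUpdater` line are assumptions made for illustration; a flagged entry is a review candidate, not a verdict.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code kind name publisher target")

# Lines excerpted from the HijackThis log posted above.
PAGE_EXCERPT = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Windows\Explorer.EXE
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\Windows\system32\spool\DRIVERS\W32X86\3\\dldoserv.exe
O23 - Service: dldo_device - - C:\Windows\system32\dldocoms.exe
"""
# Constructed line (not in the posted log) to exercise the path check.
CONSTRUCTED = r"O4 - HKCU\..\Run: [ExampleUpdater] C:\Users\Example\AppData\Local\Temp\upd.exe"
SAMPLE_LOG = PAGE_EXCERPT + CONSTRUCTED + "\n"

# "<code> - <rest>", e.g. "O23 - Service: ..."; header and process lines do not match.
LINE_RE = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<rest>.*)$")
PARSERS = {
    # O2 - BHO: <name> - {CLSID} - <dll path>
    "O2": ("bho", re.compile(
        r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")),
    # O4 - <registry location>: [<value name>] <command line>
    "O4": ("run", re.compile(
        r"^(?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")),
    # O23 - Service: <name> - <publisher, may be empty> - <exe path>
    "O23": ("service", re.compile(
        r"^Service: (?P<name>.+?) -\s*(?P<publisher>.*?)\s*- (?P<target>[A-Za-z]:\\.*)$")),
}

def parse_hjt(text):
    """Return one Entry per coded log line; unrecognised shapes become kind 'other'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, "Running processes" paths, blank lines
        code, rest = m.group("code"), m.group("rest")
        kind, rx = PARSERS.get(code, ("other", None))
        hit = rx.match(rest) if rx else None
        if hit:
            g = hit.groupdict()
            entries.append(Entry(code, kind, g["name"], g.get("publisher"),
                                 g["target"].strip()))
        else:
            entries.append(Entry(code, "other", None, None, rest))
    return entries

# Heuristic (assumption): autostarts launched from these locations deserve a look
# because a standard user can write there.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def review_candidates(entries):
    """List (name, reasons) for autostart entries that merit manual review."""
    flagged = []
    for e in entries:
        reasons = []
        if e.kind == "service" and e.publisher.strip().lower() in ("", "unknown owner"):
            reasons.append("no publisher recorded")
        if e.kind in ("run", "service") and any(
                p in e.target.lower() for p in USER_WRITABLE):
            reasons.append("starts from a user-writable path")
        if reasons:
            flagged.append((e.name, reasons))
    return flagged

if __name__ == "__main__":
    for name, reasons in review_candidates(parse_hjt(SAMPLE_LOG)):
        print(f"{name}: {', '.join(reasons)}")
```
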
  8. Bobbye Helper on the Fringe Posts: 16,406   +16

    In an effort to help you better evaluate the CPU usage, I have prepared the following for you. It is in 4 steps: Directions will be given for each step. When completed, boot back into Normal Mode. Assess the CPU usage.
    It would be very helpful to you to print out the following HJT log instructions as you will need it for the following steps:
    Step 1:
    Check the running entry in the Hijack log.
    =============================================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Dell 968 AIO Printer\dldomon.exe
    C:\Program Files\Dell 968 AIO Printer\memcard.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe>
    C:\Program Files\iTunes\iTunesHelper.exe> updater
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe>

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
    O4 - HKLM\..\Run: [dldomon.exe] "C:\Program Files\Dell 968 AIO Printer\dldomon.exe"
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell 968 AIO Printer\memcard.exe"
    O4 - HKLM\..\Run: [Dell 968 AIO Printer Fax Server] "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" /s
    O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\Windows\system32\spool\DRIVERS\W32X86\3\\dldoserv.exe
    O23 - Service: dldo_device - - C:\Windows\system32\dldocoms.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe


    Close all Windows except HijackThis and click on "Fix Checked."
    =========================================
    Please go right on to Step 2,3 & 4 in the next reply.
  9. Bobbye Helper on the Fringe Posts: 16,406   +16

    Continued>
    Step 2:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press Enter
    Note: Processes for any of the programs and apps that you checked in the HJT log can be unchecked on the Startup menu:

    Step 3:
    To remove the corresponding entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

    Step 4
    Change the corresponding Services Startup type to Manual:
    Click on Start> Run> type in services.msc> enter> double click on each of the following Services and set the Startup type to Manual: (if you need reference, these services are the O23 entries in the HJT log:)
    Bonjour Service (the entry on the Startup menu for this is DNSResponder.exe for Step 2)
    dldoCATSCustConnectService
    dldo_device
    GoToAssist (this is for remote help at Citrix. You may have used it at one time. If you are not currently using this, the Service can be Stopped and set to Disabled)
    Google Update Service (gupdate)
    Google Software Updater (gusvc)
    iPod Service
    stllssvr

    Exit Services
    NOTE: If you are not using any of the above programs or apps, use Add/Remove Programs to uninstall them while you are still in Safe Mode.

    Reboot into Normal Mode
    Check CPU usage.

    Edit: Forgot this:
    To disable Java Plug-in 2 SSV, click Tools drop down box (or press ALT+T keyboard shortcut), click Manage Add-ons, select / highlight “Java Plug-in 2 SSV Helper” and click Disable button (or right-click the Java plug-in and click “Disable” from the context menu).

    If the Java plugin is not shown in the Manage Add-ons window, try to select “All add-ons” of Show option list box (on left-pane of Manage Add-ons window).
  10. cashcab Newcomer, in training Posts: 21

    Bobbye,

    I executed the 4 steps outlined. Unfortunately, it did not resolve the issue. It actually made it worse because there was still 100% CPU usage and Internet Explorer and Outlook took forever to open (over 5 minutes) and when it did open it was minimized and extremely slow. Therefore, I attempted to reverse all the steps. I believe I did this however I now have some type of error which won't allow me to use my computer outside of safemode. Here is the error message in its entirety.

    RegSrv32
    To register a module, you must provide a binary name

    Usage: regsrv32 [/u][/s][/n][/i]:cmdline]]dllnme/u-unregister server
    /s-silent;display no message boxes
    /i-cll dllInstll passing it an optional [cmdline];
    when used w/u calls dll uninstll
    /n-do not cll DllRegisterServer; this option must be used with/i

    Do you know how I can fix this please.

    Thanks much,

    Cash Cab
  11. cashcab Newcomer, in training Posts: 21

    Ignore regsvr3 message

    Bobbye,

    I restored my system to an earlier point and the REGSVR3 Message is now gone. I'm back to my slow system but at least it works. Perhaps we can't go any further since it seems that nothing we've tried has really reduced the CPU usage? What are your thoughts?

    Thanks,

    CashCab
  12. cashcab Newcomer, in training Posts: 21

    RegSrv32 Error

    Apparently the RegSvr32 server was not resolved when I restored my system to an earlier point. This morning when I logged on it came up again. I looked up how to fix it on the internet but would prefer if you could tell me the most preferred way to fix as there seems to be many options and many cautions.

    Thanks much,

    Cashcab
  13. Bobbye Helper on the Fringe Posts: 16,406   +16

    Okay- it is obvious to me that you have system problems, not malware. You probably really caused problems trying to "reverse" whatever you did! You cannot go back and forth- doing and undoing! Every time you do, it changes the system.

    I will offer one more suggestion:
    Open Norton> Disable or uninstall the Performance monitor.
    See if that stops the alerts. You have not given any indication of problems these alerts are causing except an annoyance to you.

    And I wasn't aware of a regserv problem you apparently created that when you try to reverse whatever you did.

    Recommend you reformat/reinstall. Put only the AV program, 3rd party firewall if you have one, touchpad if laptop and possibly network service>>>> nothing else.

    If this is a work computer, perhaps your IT person can give assistance.

    I have never been a Norton fan. This is just one more reason why.

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html