
Whataboutadog Virus Has Hijacked Me


This topic is locked
28 replies to this topic

#1 Jon_M

  • Members
  • 15 posts

Posted 25 October 2007 - 06:52 PM

Hi--I seem to have whataboutadog and doginhispen hijacking my computer. Sometimes my computer doesn't start and freezes on the blue Windows welcome page. I notice whataboutadog in my history and they add themselves to my safe list under Internet Options security. I have tried AVS and Panda but it is still messing with my computer, which is starting to behave strangely.
I downloaded Hijack This, and here is my log:

Please advise--thank you very much!!!
Jon_M

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:11 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterMute\SpySubtract\spysub.exe
C:\Program Files\InterMute\PopSubtract\popsub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BJ2HAPFT\HiJackThis[1].exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.verizon.net/portal/link/main/vzcentral
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1172887973\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PopSubtract.lnk = ?
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2895.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112880632625
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161396202156
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11029 bytes


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 October 2007 - 04:27 PM

Hello Jon_M,

I am SifuMike and I will be helping you.


Any idea where you got whataboutadog from?


Whether or not it's helpful, we're interested in knowing where it came from so that we can get it ourselves. We need to further analyze this infection. We've had reports of users becoming infected while looking for Vanessa Anne Hudgens pics.


Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file (the Find AWF report) is produced that we need to look at.
Please post it in your reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Jon_M
  • Topic Starter

  • Members
  • 15 posts

Posted 28 October 2007 - 12:05 AM

Hi! No idea where it came from SufiMike...
I tried to run FindAWF #1 and then Enter, and I got a message saying: C:\Documents and Settings\Owner\Desktop\FindAWF.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.
My choices are Close and Ignore. If I choose either, I get the following:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 10/28/2007
The current time is: 1:01:27.60


bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~


end of report

Thanks! - Jon

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 October 2007 - 12:29 AM

Hi Jon_M,


This is from the maker of the FindAWF tool:

Have the user check the system32 folder for the file autoexec.nt ....... it's probably missing.
There should be a copy in the C:\Windows\repair folder that can be copied and pasted to the system32 folder.
Sometimes config.nt will also be missing from the C:\Windows folder.
There should be a copy of it in the repair folder also.



#5 Jon_M
  • Topic Starter

  • Members
  • 15 posts

Posted 28 October 2007 - 09:50 AM

Hi SufiMike--
That worked...neither file was in there--thanks! Here's the AWF report:
- Jon_M

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 10/28/2007
The current time is: 10:44:15.20


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DIGITA~1\BAK

08/18/2004 06:52 PM 135,168 shwiconem.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\LEXMAR~2\BAK

04/19/2006 09:57 AM 94,208 ezprint.exe
09/30/2005 10:49 AM 200,704 lxcjmon.exe
2 File(s) 294,912 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\TOOLBAR\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:00 AM 15,360 ctfmon.exe
02/10/2004 08:51 PM 118,784 hkcmd.exe
02/10/2004 08:55 PM 155,648 igfxtray.exe
3 File(s) 289,792 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

11/01/2003 03:42 AM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

07/26/2007 04:33 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\VERIZO~1\SMARTB~1\BAK

04/21/2005 09:37 PM 385,024 MotiveSB.exe
1 File(s) 385,024 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

09/13/2003 09:36 PM 50,688 WkUFind.exe
1 File(s) 50,688 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/14/2005 08:42 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\117288~1\EE\BAK

04/20/2006 01:10 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 11 2007 "C:\Program Files\Digital Media Reader\shwiconem.exe"
135168 Aug 18 2004 "C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 11 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
26636 Oct 11 2007 "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
94208 Apr 19 2006 "C:\Program Files\Lexmark 8300 Series\bak\ezprint.exe"
26636 Oct 11 2007 "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
200704 Sep 30 2005 "C:\Program Files\Lexmark 8300 Series\bak\lxcjmon.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\QTTask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
26636 Oct 11 2007 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
118784 Feb 10 2004 "C:\oemfiles\Drivers\hkcmd.exe"
26636 Oct 11 2007 "C:\WINDOWS\system32\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
155648 Feb 10 2004 "C:\oemfiles\Drivers\igfxtray.exe"
26636 Oct 11 2007 "C:\WINDOWS\system32\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
26636 Oct 11 2007 "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
32768 Nov 1 2003 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
52272 Jan 31 2007 "C:\Program Files\Google\googletoolbar3user.exe"
26636 Oct 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
138168 Jan 31 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jul 26 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
26636 Oct 11 2007 "C:\Program Files\Verizon Online\SmartBridge\MotiveSB.exe"
385024 Apr 21 2005 "C:\Program Files\Verizon Online\SmartBridge\bak\MotiveSB.exe"
385024 Apr 21 2005 "C:\Program Files\Verizon Online\SmartBridge\Original\MotiveSB.exe"
385024 Apr 21 2005 "C:\Program Files\Verizon Online\SmartBridge\Updates\MotiveSB.exe"
26636 Oct 11 2007 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
50688 Sep 13 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
26636 Oct 11 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jun 14 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 Feb 23 2004 "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe"
36975 Mar 4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
26636 Oct 11 2007 "C:\Program Files\Common Files\AOL\1172887973\ee\AOLSoftware.exe"
50792 Apr 20 2006 "C:\Program Files\Common Files\AOL\1172887973\ee\bak\AOLSoftware.exe"


end of report

#6 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 October 2007 - 11:43 AM

Hi Jon_M,

Please double-click the FindAWF icon once again.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored.
Be sure to leave the " around the file names.

"C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
"C:\Program Files\Lexmark 8300 Series\bak\ezprint.exe"
"C:\Program Files\Lexmark 8300 Series\bak\lxcjmon.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Verizon Online\SmartBridge\bak\MotiveSB.exe"
"C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\AOL\1172887973\ee\bak\AOLSoftware.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
- It attempts to terminate the process represented by each filename on the list, if running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Edited by SifuMike, 28 October 2007 - 11:43 AM.

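The two posts above show the pattern FindAWF is built around: the real executable has been moved into a `bak` subfolder and the copy left at the original location is a uniform-size stub (26636 bytes in this thread, dated the day of infection). As an added example, not code from the thread or from the FindAWF tool, the following Python parses the "Duplicate files of bak directory contents" section of a report, pairs every `bak` file with its counterpart one directory up, flags the pairs whose sizes differ, emits the quoted path list in the form option 2 expects in files.txt, and reports the size the replaced stubs have in common. The report excerpt is constructed from paths in this thread; the function names are my own.

```python
"""Detect the 'bak folder' replacement pattern in a FindAWF report.

Report lines in the duplicate section have the form
    <size> <Mon> <day> <year> "<path>"
The excerpt below is a constructed sample modelled on the report posted
in this thread, trimmed to a few representative entries.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE_REPORT = r'''Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 11 2007 "C:\Program Files\Digital Media Reader\shwiconem.exe"
135168 Aug 18 2004 "C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
26636 Oct 11 2007 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
118784 Feb 10 2004 "C:\oemfiles\Drivers\hkcmd.exe"
26636 Oct 11 2007 "C:\WINDOWS\system32\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"

end of report
'''

LINE_RE = re.compile(r'^(\d+)\s+(\w{3})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"$')


def parse_duplicates(report_text):
    """Return [(size, path), ...] for entries in the duplicate section only."""
    entries = []
    in_section = False
    for line in report_text.splitlines():
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if line.startswith("end of report"):
            break
        if not in_section:
            continue
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(5)))
    return entries


def analyse(entries):
    """Pair each file inside a 'bak' folder with the file one level up.

    status is 'replaced' when the sizes differ (the original location holds a
    stub), 'intact' when they match, and 'missing' when the report lists no
    file at the original location. Path comparison is case-insensitive, as
    Windows file names are (the report itself mixes QTTask.exe/qttask.exe).
    """
    by_path = {path.lower(): size for size, path in entries}
    findings = []
    for size, path in entries:
        folder, name = ntpath.split(path)
        parent, folder_name = ntpath.split(folder)
        if folder_name.lower() != "bak":
            continue
        original = ntpath.join(parent, name)
        orig_size = by_path.get(original.lower())
        if orig_size is None:
            status = "missing"
        elif orig_size != size:
            status = "replaced"
        else:
            status = "intact"
        findings.append({"original": original, "bak": path,
                         "original_size": orig_size, "bak_size": size,
                         "status": status})
    return findings


def restore_list(findings):
    """Quoted bak paths, one per line, as FindAWF option 2 expects in files.txt."""
    return ['"%s"' % f["bak"] for f in findings if f["status"] == "replaced"]


def stub_size(findings):
    """(size, count) of the most common size among replaced originals.

    One size repeated across unrelated products is the tell-tale of a single
    dropper copied over every autostart executable; (None, 0) if nothing was
    replaced.
    """
    counts = defaultdict(int)
    for f in findings:
        if f["status"] == "replaced" and f["original_size"] is not None:
            counts[f["original_size"]] += 1
    if not counts:
        return (None, 0)
    size = max(counts, key=counts.get)
    return (size, counts[size])


if __name__ == "__main__":
    found = analyse(parse_duplicates(SAMPLE_REPORT))
    for f in found:
        print(f["status"].ljust(9), f["original_size"], "->", f["bak_size"], f["original"])
    print("common stub size:", stub_size(found))
    print("\n".join(restore_list(found)))
```

Run against a full report, the size check alone is what separates the iTunes pair (a benign vendor backup, equal sizes) from the entries that need restoring; the date column is left out of the decision on purpose, since a stub can carry any timestamp.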

#7 Jon_M
  • Topic Starter

  • Members
  • 15 posts

Posted 28 October 2007 - 04:30 PM

Hi SifuMike (sorry I called you SufiMike before!)
Here's my new FindAWF log..
Jon_M

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 10/28/2007
The current time is: 17:27:06.17


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DIGITA~1\BAK

08/18/2004 06:52 PM 135,168 shwiconem.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\LEXMAR~2\BAK

04/19/2006 09:57 AM 94,208 ezprint.exe
09/30/2005 10:49 AM 200,704 lxcjmon.exe
2 File(s) 294,912 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\TOOLBAR\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:00 AM 15,360 ctfmon.exe
02/10/2004 08:51 PM 118,784 hkcmd.exe
02/10/2004 08:55 PM 155,648 igfxtray.exe
3 File(s) 289,792 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

11/01/2003 03:42 AM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

07/26/2007 04:33 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\VERIZO~1\SMARTB~1\BAK

04/21/2005 09:37 PM 385,024 MotiveSB.exe
1 File(s) 385,024 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

09/13/2003 09:36 PM 50,688 WkUFind.exe
1 File(s) 50,688 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/14/2005 08:42 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\117288~1\EE\BAK

04/20/2006 01:10 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

135168 Aug 18 2004 "C:\Program Files\Digital Media Reader\shwiconem.exe"
135168 Aug 18 2004 "C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 11 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
94208 Apr 19 2006 "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
94208 Apr 19 2006 "C:\Program Files\Lexmark 8300 Series\bak\ezprint.exe"
200704 Sep 30 2005 "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
200704 Sep 30 2005 "C:\Program Files\Lexmark 8300 Series\bak\lxcjmon.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\QTTask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
118784 Feb 10 2004 "C:\oemfiles\Drivers\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
155648 Feb 10 2004 "C:\oemfiles\Drivers\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
32768 Nov 1 2003 "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
32768 Nov 1 2003 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
52272 Jan 31 2007 "C:\Program Files\Google\googletoolbar3user.exe"
68856 Jul 26 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
138168 Jan 31 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jul 26 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
385024 Apr 21 2005 "C:\Program Files\Verizon Online\SmartBridge\MotiveSB.exe"
385024 Apr 21 2005 "C:\Program Files\Verizon Online\SmartBridge\bak\MotiveSB.exe"
385024 Apr 21 2005 "C:\Program Files\Verizon Online\SmartBridge\Original\MotiveSB.exe"
385024 Apr 21 2005 "C:\Program Files\Verizon Online\SmartBridge\Updates\MotiveSB.exe"
50688 Sep 13 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
50688 Sep 13 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
180269 Jun 14 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jun 14 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 Feb 23 2004 "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe"
36975 Mar 4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
50792 Apr 20 2006 "C:\Program Files\Common Files\AOL\1172887973\ee\AOLSoftware.exe"
50792 Apr 20 2006 "C:\Program Files\Common Files\AOL\1172887973\ee\bak\AOLSoftware.exe"


end of report

#8 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 October 2007 - 06:34 PM

Hi Jon_M,

Please double-click the FindAWF icon once again.
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Digital Media Reader\bak
C:\Program Files\iTunes\bak
C:\Program Files\Lexmark 8300 Series\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Verizon Online\SmartBridge\bak
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Common Files\AOL\1172887973\ee\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

#9 Jon_M
  • Topic Starter

  • Members
  • 15 posts

Posted 28 October 2007 - 07:25 PM

Here's the latest report after running option 3...

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sun 10/28/2007
The current time is: 20:22:51.44


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\TOOLBAR\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#10 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 October 2007 - 09:18 PM

Hi Jon_M,


Using Windows Explorer, delete the following folders in bold.
Be careful to delete only the BAK folder and nothing else.
A folder name with a tilde (~) means that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name.

C:\PROGRA~1\TOOLBAR\BAK <== folder
C:\PROGRA~1\COMMON~1\SYMANT~1\BAK <== folder


Then run FindAWF with option 1 and post the FindAWF log.

Edited by SifuMike, 28 October 2007 - 09:19 PM.


#11 Jon_M
  • Topic Starter

  • Members
  • 15 posts

Posted 29 October 2007 - 06:32 AM

Here's the newest log:
-J


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 10/29/2007
The current time is: 7:26:08.15


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#12 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 October 2007 - 10:49 AM

Hi Jon_M,

Now run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

*********************

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BJ2HAPFT\HiJackThis[1].exe


You need to put HijackThis into its own folder, but not a temp folder. It won't save the backups if it is run from a temporary folder, and we will be deleting the temp folder.

Here is how to make a Hijackthis folder:

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT". Now you have C:\HJT\ folder. Put your hijackthis.exe there.


*********************
If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

If you have Norton Antivirus installed then disable script blocking so it will not interfere with the fix.

To disable Norton Script blocking Service:

* Disable the Script Blocking Service:
To open Services, click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools, and then double-click Services.
Find the ScriptBlocking service, right-click the service, and then click Properties.
On the General tab, under Startup, click Disabled.
Under Service Status, click Stop button. Click Apply button.

* Disable the Script Blocking In Norton Settings:
Start Norton Antivirus.
Click Options. If a menu appears when you click Options, then click Norton Antivirus. The Norton Antivirus Options dialog box appears.
Click Script Blocking.
Uncheck Enable Script Blocking (recommended).
Click OK
You can reenable it afterwards when everything is clean again.

Edited by SifuMike, 29 October 2007 - 10:59 AM.


#13 Jon_M

Jon_M
  • Topic Starter
  • Members
  • 15 posts

Posted 29 October 2007 - 06:26 PM

Hi SifuMike
I have posted the ComboFix log followed by the HijackThis log... My computer still froze when restarting on the Windows welcome screen. I restarted it again, and it worked. Hope that didn't mess anything up....
thank you again.
- Jon_M

ComboFix 07-10-29.1 - Owner 2007-10-29 18:52:34.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1192447355.old
C:\Program Files\WinBudget\bin\crap.1193175163.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1193175162.old

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
.

2007-10-29 18:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 18:01 <DIR> d-------- C:\HiJackThis
2007-10-25 19:46 401,720 --a------ C:\Program Files\HiJackThis.exe
2007-10-21 13:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-21 13:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-21 12:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-10-21 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-21 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-21 12:49 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-10-21 12:49 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2007-10-20 15:42 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2007-10-20 15:42 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2007-10-20 14:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-20 14:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-20 13:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-20 13:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterMute
2007-10-20 12:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-10-14 20:40 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-14 20:39 <DIR> d-------- C:\Program Files\Common Files\Kodak
2007-10-11 21:21 <DIR> d-------- C:\{00001A62-0000-0000-AA32-E252613E0EE0}
2007-10-11 20:05 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-10 21:48 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 11:25 --------- d---a-w C:\Program Files\Toolbar
2007-10-29 11:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-29 02:16 --------- d-----w C:\Program Files\Lx_cats
2007-10-29 00:22 --------- d-----w C:\Program Files\QuickTime
2007-10-29 00:22 --------- d-----w C:\Program Files\Lexmark 8300 Series
2007-10-29 00:22 --------- d-----w C:\Program Files\iTunes
2007-10-29 00:22 --------- d-----w C:\Program Files\Digital Media Reader
2007-10-25 23:47 11,031 ----a-w C:\Program Files\hijackthis.log
2007-10-22 02:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2007-10-20 19:20 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-15 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-10-15 00:40 --------- d-----w C:\Program Files\Kodak
2007-10-11 23:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSNInstaller
2007-10-08 00:24 --------- d-----w C:\Program Files\Charting Companion for FTM
2007-09-27 01:00 --------- d-----w C:\Program Files\Family Tree Maker 2006
2007-09-05 03:58 --------- d-----w C:\Program Files\Java
2005-04-20 00:13 33,304 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 20:47 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 20:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 20:51]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-08-18 18:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 03:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2005-04-21 21:37]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 21:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-14 08:42]
"LXCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 17:07]
"lxcjmon.exe"="C:\Program Files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 10:49]
"EzPrint"="C:\Program Files\Lexmark 8300 Series\ezprint.exe" [2006-04-19 09:57]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"HostManager"="C:\Program Files\Common Files\AOL\1172887973\ee\AOLSoftware.exe" [2006-04-20 13:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 03:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 20:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 16:33]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PopSubtract.lnk - C:\Program Files\InterMute\PopSubtract\popsub.exe [2005-04-13 09:12:19]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\spysub.exe [2005-04-13 09:14:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2007-09-19 04:33:46]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\spysub.exe [2005-04-13 09:14:16]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\bin\matcli.exe [2005-04-15 10:03:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-10-21 12:49 9216 C:\WINDOWS\system32\avgwlntf.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05225899-0878-11d9-8b9b-806d6172696f}]
AutoRun\command


.
Contents of the 'Scheduled Tasks' folder
"2007-08-02 15:05:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-29 22:53:07 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-29 00:21:31 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
"2007-10-23 00:04:05 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-29 19:03:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-29 19:09:55 - machine was rebooted
.
--- E O F ---

_____________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:02 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1172887973\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\Program Files\InterMute\SpySubtract\spysub.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\InterMute\PopSubtract\popsub.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.verizon.net/portal/link/main/vzcentral
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1172887973\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PopSubtract.lnk = ?
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2895.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112880632625
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161396202156
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10707 bytes

#14 SifuMike

SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 October 2007 - 10:26 PM

Hi Jon_M,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of  Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
*******************************************

Open HijackThis 2.0.2
Press the button 'View Misc Tools Section'
Press the button 'open uninstall manager'
Press the button 'save list'
A notepad file will open.
Post the content here in your reply.
Close HijackThis.


*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)

These are optional fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
(Description: System Tray icon for the Realtek AC97 Audio Sound Manager for AC97 onboard audio. Available via Start -> Settings-> Control Panel. Removing this entry will free up a small amount of system resources. )

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
(Description: Checks for updates to MS Works. Unnecessary. Removing this entry will free up some system resources. )

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
(Description: Apple's QuickTime Tray Icon which enables you to start QuickTime from the System Tray (from version 5 onward). Given the extremely simple functionality of this Tray icon, it is in our view an unreasonable resource hog - it has been measured to use as much as 1.5Mb of memory at times in earlier versions, and in version 7 it uses as much as 3.4Mb of memory on our test systems. Yet, on Windows PCs hardly anyone starts QuickTime manually, whether from the System Tray or otherwise - what usually happens is that the end-user opens a QuickTime movie file or email attachment and Windows then automatically opens QuickTime to enable the end-user to view the movie or video. There is therefore almost never a need for the end-user to start QuickTime manually from the System Tray. )

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
(Description: Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. This task does not actually need to be installed as a startup since iTunes starts it up anyway when it needs it. Let iTunes start it up whenever it needs to, particularly since it has a history of occasionally conflicting with other software and it uses nearly 6Mb of memory.)


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
• Clean any others that you choose.

In the Applications Tab:
• Clean all including cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer.

Post a fresh Hijackthis log, the uninstall manager log, and tell me how your computer is running.

Edited by SifuMike, 29 October 2007 - 10:28 PM.

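As an added triage example (not code from this thread, from HijackThis, or from BleepingComputer), the parser below reads the HijackThis 2.0.2 line formats that appear in the log above and flags the two things SifuMike acts on in posts #12 and #14: an O3 toolbar entry whose CLSID points at "(no file)", and a program running out of a temporary folder such as Temporary Internet Files. It also notes Startup-folder shortcuts HijackThis could not resolve ("?") and O23 services that carry no vendor string; those two checks are this example's own heuristics, not something the helper asked for. The sample lines are copied from the posted log, plus one constructed O4 line (the [HJT] entry) built from the temp-folder path the helper quoted; nothing here touches a real registry or disk.

```python
"""Triage helper for HijackThis 2.0.2 log lines (added example, not part of
the original thread or of HijackThis). It never touches the registry or the
filesystem: it only classifies the text of the log."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines quoted from the HijackThis log above, plus one
# hypothetical O4 line ([HJT]) that reuses the Temporary Internet Files path
# the helper warned about, so the temp-folder check has something to hit.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [HJT] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BJ2HAPFT\HiJackThis[1].exe
O4 - Startup: PopSubtract.lnk = ?
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
""".strip()

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# One regex per HijackThis section this example understands. O4 has two
# shapes: registry Run keys ("HKLM\..\Run: [name] command") and Startup
# folder shortcuts ("Startup: name.lnk = target").
PATTERNS = [
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$")),
    ("O3", re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$")),
    ("O4", re.compile(r"^O4 - (?P<location>.+?\\\.\.\\Run): \[(?P<name>[^\]]+)\] (?P<command>.*)$")),
    ("O4", re.compile(r"^O4 - (?P<location>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.*)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.*)$")),
    # HijackThis prints "name - vendor - path"; with no vendor the two dashes
    # are separated by a single space, hence the optional space before "-".
    ("O23", re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<target>.*)$")),
]

EXT = r"\.(?:exe|dll|lnk|cpl|scr|bat|cmd|com)"
QUOTED = re.compile(r'^"(?P<path>[^"]+)"')
UNQUOTED = re.compile(r"^(?:rundll32(?:\.exe)?\s+)?(?P<path>.+?" + EXT + r")(?=$|[\s,])", re.IGNORECASE)

# Lower-cased folder fragments that mark a temporary location.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temporary internet files\\", "\\windows\\temp\\")


@dataclass
class Entry:
    section: str
    name: str
    target: Optional[str]   # file loaded; "(no file)" if HijackThis found none; None if unknown
    vendor: Optional[str]   # O23 only
    raw: str


@dataclass
class Finding:
    entry: Entry
    reason: str


def extract_target(command: str) -> Optional[str]:
    """Pull the program path out of an O4 command line: a quoted path, a
    rundll32 DLL argument, or an unquoted path ending in a known extension
    (unquoted paths may contain spaces, so the first token is not enough)."""
    command = command.strip()
    if command in ("", "?"):
        return None
    m = QUOTED.match(command) or UNQUOTED.match(command)
    return m.group("path") if m else None


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for sections this example ignores."""
    line = line.strip()
    for section, pattern in PATTERNS:
        m = pattern.match(line)
        if not m:
            continue
        g = m.groupdict()
        target = extract_target(g["command"]) if "command" in g else g["target"].strip()
        vendor = g["vendor"].strip() if "vendor" in g else None
        return Entry(section, g["name"].strip(), target, vendor, line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the entries a human reviewer would look at first."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e.target == "(no file)":
            findings.append(Finding(e, "orphaned CLSID entry: the registered component's file is gone"))
        elif e.section == "O4" and e.target is None:
            findings.append(Finding(e, "autostart target could not be resolved ('?')"))
        elif e.target and any(mark in e.target.lower() for mark in TEMP_MARKERS):
            findings.append(Finding(e, "autostart runs from a temporary folder"))
        if e.section == "O23" and not e.vendor:
            findings.append(Finding(e, "service carries no vendor string; check the binary by hand"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.section:<4}{f.entry.name:<20}{f.reason}")
```

Run against the sample it reports the orphaned O3 entry the helper has Jon_M fix, the constructed [HJT] autostart in Temporary Internet Files, the unresolved PopSubtract.lnk shortcut and the vendor-less lxcj_device service; everything else in the sample (Google toolbar, ccApp, the Lexmark rundll32 entry, the AVG Winlogon notifier) passes without comment. The O4 command parsing is the only part that takes real care: Run values may be quoted, may be a rundll32 call with the DLL followed by a comma, or may be an unquoted path containing spaces, so splitting on whitespace would misidentify the program.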

#15 Jon_M

Jon_M
  • Topic Starter
  • Members
  • 15 posts

Posted 29 October 2007 - 11:29 PM

Hi SifuMike,
I have a question: I have not been able to install the upgrades for Java that appear from time to time (at least I think it is Java--the yellow icon with the black exclamation point) because I do not have the Microsoft Office CD. Do you think that will mess anything up? Thanks,
- Jon_M



