Free Malware Removal Forum

[st00rmy2006]

Further update:
-Ran SpyBot: 15 Items found, all cleaned or deleted
-Ran Ad-Aware: 296 privacy items found and deleted, no critical items found

[suebaby41]

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. Certain embedded files that are part of these specialized fix tools may be detected by your antivirus or anti-malware scanner as a RiskTool, Hacking tool, Potentially unwanted tool, a virus or a Trojan when that is not the case.
These tools have been carefully created and tested by security experts so if your antivirus or anti-malware program flags them as malware, then it is a False Positive. Antivirus scanners cannot distinguish between good and malicious use of such programs; therefore, they may alert you or even automatically remove them. In these cases, the removal of these files can have unpredictable results and unintentional results.
To avoid any problems while using a specialized fix tool, it is very important that you temporarily disable your antivirus and/or anti-malware programs before using the specialized fix tool.
When your system has been cleaned, it is important that you enable your security programs to avoid reinfection.

Please disable the following programs:

Disable Windows Defender

1. Click Start > Programs > Windows Defender or launch from the system tray icon.
2. Click on Tools
3. Click on General Settings
4. Scroll down to Real-time protection options
5. Uncheck Turn on Real-time protection (recommended)
6. Click Save
7. Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defender's page, uncheck under Administrator Options, use Windows Defender and then Save.
8. Exit the program.

Note: After all of the fixes are complete, it is very important that you enable Real-time Protection again.

Step 2

You will be removing the program from your startup but you will not be removing the program itself.

Please run HijackThis and click Scan. Place checks next to the following entries:

You have jusched.exe running at Startup. It checks with Sun's Java updates site to see if newer Java versions are available. This program is not required to start automatically. You can do this manually by visiting http://java.sun.com or just run the Java Plug-In Control Panel. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

OneTouch.EXE (MaxtorOneTouch) process can be removed to free up resources without compromising system performance. One Touch keyboard driver. Required if you use the additional keys. onetouch.exe is a process belonging to the OneTouch backup system and allows this product to be accessed when pushing the button on your external Maxtor disk drive. This is a valid program but it is not required to run on startup. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

MXOALDR.EXE ( Maxtor OneTouch) process can be removed to free up resources without compromising system performance. Maxtor includes a driver to bypass the Windows certified drivers check just when it detects an external drive. MXOaldr.exe is installed with the new driver and if disabled the button on a Maxtor OneTouch External Store no longer functions. This is a valid program but it is not required to run on startup. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE

ATIPtaxx.exe is the tray bar process for your ATI graphics card drivers. It gives you easy access to your graphic card settings. It is the control panel for the ATI series of video cards allowing access to such features as display resolution, color depth, etc. Available via Start -> Settings -> Control Panel -> Display. Some users may need it if they have optimized their settings. This process can be removed to free up system resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

SSBkgdUpdate.exe (ScanSoft OmniPage) process can be removed to free up resources without compromising system performance. ScanSoft OmniPage auto updater. Can be disabled using the main program's options. This program is also installed with other Nuance products. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

pptd40nt.exe (PaperPort PTD) process can be removed to free up resources without compromising system performance. "PaperPort" software associated with scanners. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

IndexSearch.exe (ScanSoft PaperPort scanner) process can be removed to free up resources without compromising system performance. IndexSearch.exe is normally a file that comes from a company named Scansoft. They typically use this file name in their paperport scanner software, as a scanner software program. Associated with PaperPort scanner software from ScanSoft. This is a valid program but it is not required to run on startup. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

BrStDvPt.exe (Brother MFC printer/copier/scanner) process can be removed to free up resources without compromising system performance. BrStDvPt.exe is a file that was most likely installed at some time after you purchased your computer. The exact disk location is C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe so you can verify it is not spyware related. This is from Brother Industries, and its purpose is to work with your printers and scanners to check or set the default printer on your computer. This is a valid program but it is not required to run on startup. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe

brctrcen.exe (Brother Scan, Copy & Fax Control Center) process can be removed to free up resources without compromising system performance. Brother Scan, Copy & Fax Control Center. System Tray program installed by the drivers for Brother MFC Multi-Function printers (Printer/Scanner/Photocopier/Fax) which enables the user to perform scanning, faxing, and copying functions directly from their PC. This program enables you to do more things than you can do from the printer's own Control Pad. Typically you can scan directly to file, scan to email, scan to fax (if you have a fax modem in your PC or if your Brother Multi-Function printer has faxing capabilities), scan to Word Processor via OCR conversion, manage photocopying jobs, or fax from your PC. This is a valid program but it is not required to run on startup. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

apdproxy.exe (adobe photo downloader) process can be removed to free up resources without compromising system performance. Apdproxy.exe is software program that is from Adobe. This software is graphics related software and it is part of the Adobe Photoshop. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

nerocheck.exe (Nero CD writing or Nero CD/DVD software) is a process associated with the Nero CD writing or Nero CD/DVD software. It is used to install or control the Nero driver nerocd2k.sys application. This process should not be removed while using the Nero CD Writing software. This program constantly checks for known drivers that can conflict with our Nero/Nero Express/NeroVision Express software. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

You have QuickTime running at Startup. This is QuickTime's system tray icon and not necessary for the program to function properly. It is considered to be a resource hog. qttask.exe produced by Apple, installs a tray bar icon which links to the Apple QuickTime video streaming tool. This program is a non-essential system process, and is installed for ease of use. You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in QuickTime Player itself to keep it from resetting itself. Item(s) to fix in HijackThis:

O4 ‑ HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" ‑atboottime

There is a small program that will prevent QuickTime from resetting itself.
Please download Engraph-QuickTime-Killer This is a free utility from EnGraph software. For more information about EnGraph, go to http://www.engraph.com. This application is intended for people that use or consume Sprint Video Mail, as Sprint uses QuickTime for viewing thier movies. (or anybody that hates QuickTime) Of course, as soon as QuickTime is ran, it adds itself to startup, which is very annoying to me. This application will remove QuickTime from start up and kill any running QuickTime processes. This application runs silently at start up and closes itself as soon as it takes care of QuickTime.

You have iTunesHelper.exe running at Startup. iTunesHelper.exe is a process belonging to Itunes MP3 streaming tool by Apple which allows you to play MP3's. This process speeds up iTunes when it starts, and the program also monitors for connected iPod devices. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

You have realsched.exe (RealPlayer's autoupdate program) running at Startup. This is RealPlayer's autoupdate program and is not necessary for the program to function properly. realsched.exe is a program which schedules for manual update checks for Real Networks products. This is a non-essential process. Disabling or enabling this is down to user preference however disabling may prevent notification of updates. It is considered to be a resource hog. You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in RealPlayer itself to keep it from resetting itself. Item(s) to fix in HijackThis:

O4 ‑ HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" ‑osboot

You have reader_sl.exe running at Startup. This is a process associated with the Adobe Reader. It is used to decrease the load time for the reader when a PDF document is selected. This is a non-essential process. You will still be able to start it manually if you need it. You can fix this with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

msmsgs.exe (MSN Messenger Internet chat tool) is the main process relating to the MSN Messenger Internet chat tool installed by default on most Windows computers. The Windows Messenger (IM, MSN Messenger) from Microsoft provides Online Chat and Instant Messaging. If you don't use Windows Messenger, you can

1. Rename the "Messenger" folder.
2. Uninstall, Stop, Disable or Remove "Windows Messenger (IM, MSN Messenger)".

A tray bar is also installed alongside this process for easy access to its features which include Internet chat, file sharing and audio/video conferencing. This is a non-essential process. Disabling or enabling it is down to user preference. process can be removed to free up resources without compromising system performance. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

NMBgMonitor.exe (Nero Scout) process can be removed to free up resources without compromising system performance. NMBgMonitor.exe is related to Nero Scout. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

usbshare.exe (Belkin) process can be removed to free up resources without compromising system performance. USB sharing switch (Lin-X-Cel) used to share one device between 2 computers. Allows use of Ctrl-f11 key to grab the device. Users Choice (application need to be run at startup, but is not system critical). Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:


O4 - Global Startup: F1U201.401.lnk = ?
(This is O4 - Startup: F1U201.401.lnk = C:\Program Files\Belkin\F1U201.401\usbshare.exe)

osa.exe or Osa9.exe launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it (Osa9.exe is the Office 2000 variant). This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

BrMfcWnd.exe (Brother scanner status monitor) process can be removed to free up resources without compromising system performance. brmfcwnd.exe is a process installed alongside Brother Printers and provides additional configuration options for these devices. Brother scanner status monitor - can be started manually. This is a valid program but it is not required to run on startup. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

wzqkpick.exe (WinZip) process can be removed to free up resources without compromising system performance. wzqkpick.exe is the tray bar process for WinZip. The process is used to access WinZip from the tray bar. To save resources this process can safely be removed. If you use the WinZip system tray icon, you should leave this process running. Otherwise, this process is not required for the WinZip application to work correctly. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

AppleMobileDeviceService.exe (Apple Mobile Device) process can be removed to free up resources without compromising system performance. Used by iTunes to communicate with the Apple iPhone when it is connected to your computer. This is a valid program, but it is up to you whether or not you want it to run on startup. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. To change the service to Manual.

1. Right-click on My Computer and choose Manage.
2. Expand the Services and Applications section and click on Services.
3. On the right-side of the screen, find the entry for Apple Mobile Device and double-click on it.
4. Change the Startup Type: to Manual.
5. Hit the OK button and close the Computer Management screen.

It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

ati2evxx.exe is the ATI External Event Utility for your ATI display drivers. It manages the ATI Hotkey feature. This process can be removed to free up resources without compromising system performance. ati2evxx.exe is a process which provides optional features that the majority of us really do not use. The XT's overdrive feature uses this. If you have an XT you'll probably want to leave this on. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources.
To change the service to Manual.

1. Right-click on My Computer and choose Manage.
2. Expand the Services and Applications section and click on Services.
3. On the right-side of the screen, find the entry for Ati HotKey Poller and double-click on it.
4. Change the Startup Type: to Manual.
5. Hit the OK button and close the Computer Management screen.

Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O23 - Service: Ati HotKey Poller - Unknown owner – C:\WINDOWS\system32\Ati2evxx.exe

ipodservice.exe is a process belonging to Apple's iTunes peer-to-peer download tool. The ipodservice.exe process is a utility used to download mp3 files for your iPod. If you do not use it, or do not have an iPod, you can safely disable this process. This process can be removed to free up resources without compromising system performance. It is advised that you disable this program so that it does not take up necessary resources. To disable ipodservice, click Start > Settings > Control Panel > Performance and Maintenance > Administrative Tools > Services. Find the IpodService, Right-click and select Properties. Change the setting in StartUp type: to Disabled or click Start > Run. Type services.msc Find the IpodService, Right-click and select Properties. Change the setting in StartUp type to Disabled to disable the service. Item(s) to fix in HijackThis:

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Please post a new HijackThis log.

[st00rmy2006]

I'ts been a busy week, but I'm back and proceeding...

[st00rmy2006]

I have proceeded with the optional fixes. Log is below. I will proceed with Spyware Blaster as you recommended earlier and will NOT proceed with ATF cleaner unless/until you instruct me to. My computer is starting much faster now! Thanks as usual.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:30:51, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en ... nicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 4891 bytes

[suebaby41]

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

You may want to update to Windows XP Service Pack 3. It is faster and more secure. I have it on my computer and I have not had any problems with it.
How to obtain the latest Windows XP service pack.

1. Scroll down the page until you come to Download the Windows XP Service Pack 3 package now.
2. Click on Download the Windows XP Service Pack 3 package now to download the Windows XP Service Pack 3.
3. Save it to your desktop.
4. Click on the file and follow the directions.
5. Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3. The security suite can then be reinstalled after the Service Pack 3 is installed.

How to obtain Windows XP Service Pack 3 on a CD

To order Windows XP SP3 on a CD, visit one of the following Microsoft Web sites, as appropriate for your region:

Asia

Europe and Africa

North America

South America

Your log appears to be clean. Please advise me of any problems you still have.

Tips To Protect Your Computer

• Avoid inviting the monsters in by clicking on links in instant messages.
• Avoid opening email attachments.
• Avoid visiting every poker site on the net.
• Avoid downloading all that free cute junk.
• Avoid using the peer-to-peer file sharing.
• Avoid getting those handy toolbar doodads for your browsers.
• There are horrible critters out there just waiting to pounce on your system if you only pass by where they are lurking, which may be at some seemingly innocent web site. Be careful because some of these monsters are so vicious that no one can possibly save you once you let them in.
• Remember that new bad stuff emerges every week of the year. Take responsibility for protecting your system because you are its first and best defense.

Tools Downloaded To Clean Your Computer

I asked you to install some tools. Whether or not you need to keep these programs must be decided by you. If you choose to uninstall them, follow these directions:

1. Click Start > Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, highlight the program, click Remove.
4. Close the Add or Remove Programs and the Control Panel windows.

Optional Tools:

1. Ad-Aware 2007/2008 scans, detects, and removes spyware on your computer.
2. ATF-Cleaner features include:
   • Cleaning of all user temp folders, administrator only can use this feature.
   • Cleaning of the Java cache, which seems to be harboring more and more malware.
   • Cleaning the cache, cookies, history, download history, visited links and saved passwords.
   • Scan weekly if you have high Internet use.
3. HijackThis may be uninstalled; however, if you should ever encounter another problem and seek help in this forum or others like it, you will need to download this application.

Restore the default settings for files/folders.

1. Go to My Computer.
2. Select the Tools menu and click Folder Options.
3. Click the View tab.
4. Under Advanced Settings, click the Restore Defaults button in the lower right corner.
5. Click Apply and then the OK and close My Computer.

Please take the time to read the "Steps To Keep Your Computer Clean And Secure" below.

Steps To Keep Your Computer Clean And Secure:

Please follow these simple steps in order to keep your computer clean and secure:

1. Disable and Enable System Restore. After cleaning, you will need to disable the System Restore function For Windows XP.
   Files placed in the System volume information folder are source files for the System Restore function that is available in Windows XP operating system. Files that were healed were moved in their original INFECTED state into this folder and it is necessary to DELETE them by following these steps:
   1. Close all open programs. Then right-click My Computer on the Windows desktop
   2. Click on Properties.
   3. Click on the System Restore tab.
   4. Check Turn off System Restore on all drives.
   5. Restart the system.
   6. Enable System Restore by going through the first four steps again and uncheck the item mentioned in Step D.
   7. You can find instructions on how to disable and enable system restore in the Windows XP System Restore Guide.
2. Make your Internet Explorer more secure: This can be done by following these simple instructions:
   1. From within Internet Explorer click on the Tools menu and then click on Options.
   2. Click once on the Security tab
   3. Click once on the Internet icon so it becomes highlighted.
   4. Click once on the Custom Level button.
      
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
   5. When all these settings have been made, click on the OK button.
   6. If it asks you if you want to save the settings, press the Yes button.
   7. Next press the Apply button and then the OK to exit the Internet Properties page.
3. Use a Firewall: - I cannot stress how important it is that you use a Firewall on your computer.  Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
   Computer Safety On line - Software Firewalls. For more information about firewalls, and why a two-way firewall is better than the Windows XP one-way firewall, please read Understanding and Using Firewalls.
4. Use An Antivirus Software and Keep It Updated: - It is very important that your computer has an antivirus software running on your machine.  This alone can save you a lot of trouble with malware in the future.  It is imperative that you update your antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. For an article on antivirus programs and a listing of some available ones see the link below:
   Computer Safety On line - Anti-Virus
5. Visit Microsoft's Windows Update Site Frequently: It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
6. You should scan your computer with Spybot S&D on a regular basis just as you would an anti- virus software. A tutorial on installing & using this product can be found here:
   Using Spybot - Search & Destroy to remove Spyware from Your Computer
7. You should scan your computer with Ad-Aware 2007/2008 as well as Spybot S&D and your anti-virus program on a regular basis. A tutorial on installing & using this product can be found here:
   Ad-Aware 2007/2008.
8. Update SpywareBlaster (at least weekly): SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firec settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
   Computer Safety on line Anti Malware
9. Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
   
   1. Click the start button on the task bar at the bottom of your screen
   2. Click run
   3. In the dialog box, type services.msc
   4. hit enter, then locate dns client
   5. Highlight it, then doubleclick it.
   6. On the dropdown box, change the setting from automatic to manual.
   7. Click OK.
10. Use an alternative instant messenger program:.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
11. Please read Tony Klein's excellent article: How I got Infected in the First Place
12. Please read Understanding Spyware, Browser Hijackers, and Dialers
13. Please read Simple and easy ways to keep your computer safe and secure on the Internet.
14. If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built in popup blocker (as an added benefit!) that I have ever seen.
    Another good browser is Opera . Opera 9 comes loaded with the tools to keep you productive and safe. Try it today, it's absolutely free. Some of the Opera features are: Customization, BitTorrent, Content blocker, Add your favorite search engines, Thumbnail preview of tabs, Widgets, Transfer manager, Tabbed browsing, Password manager, Sessions (You can save a collection of open tabs as a session, for later retrieval, or start with the pages you had open when Opera was last closed.), Keyboard Shortcuts, Cookie control, a multitude of languages, Validate code, Toggle graphics and style sheets, and Special features such as Full-screen mode, Kiosk mode.
15. Update all these programs regularly: Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
16. If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.

Follow these steps and your potential for being infected again will reduce dramatically.
Good luck!

[NonSuch]

As this issue is resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.