Malware Removal & HijackThis Logs
Msaro.exe
Cookiegal (Administrator, Quebec, Canada), 10-May-2008, 12:57 PM, post #16
What shows on the F drive is related to Age of Empires.

Please post a new HijackThis log.

leelokhin (Junior Member), 29-May-2008, 06:38 AM, post #17
Hm. I got another problem. Thanks for all the help you have given me, by the way. I really appreciate it. Anyway, I think I got a ghost or a poltergeist. That is, my mouse seems to move randomly every 5 seconds. I am not using an optical mouse and I understand the occasional standstill because of trapped dust, but my mouse seems to jerk really fast, really randomly all over the screen every now and then, clicking and right-clicking everything. I cannot stop it. I don't think it is a hardware problem. Again, thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:36:10, on 29/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\HideWindowPlus\HWinPlus.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\xchat\xchat.exe
C:\Program Files\SCAR 3.15\scar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [HideWindowPlus] C:\HideWindowPlus\HWinPlus.exe -background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: ACA Capture: Capture all Flash... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-flash-all.htm
O8 - Extra context menu item: ACA Capture: Capture all images... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image-all.htm
O8 - Extra context menu item: ACA Capture: Capture current image... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image.htm
O8 - Extra context menu item: ACA Capture: Capture webpage contents to image... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-webpage-to-image.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 超級屏捕: 將網頁內容擷取存為圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-webpage-to-image.htm
O8 - Extra context menu item: 超級屏捕: 擷取所有 Flash... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-flash-all.htm
O8 - Extra context menu item: 超級屏捕: 擷取所有圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image-all.htm
O8 - Extra context menu item: 超級屏捕: 擷取當前圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/27.44/uploader2.cab
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://dev.imagingworld.co.kr/printe.../DrPrinter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1186315696984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186316532500
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 8886 bytes

Cookiegal (Administrator, Quebec, Canada), 29-May-2008, 05:55 PM, post #18
Have you tried a different mouse?

leelokhin (Junior Member), 30-May-2008, 02:21 AM, post #19
No. I'll go and try one now, but I don't think that's the problem. You see, the mouse stops a bit then becomes responsive again if too much dust gets trapped in it. I can live with that, and I just clean it, and it will get all fine and dandy again. But now, every time I clean it, it does not help; the mouse still stops, it even randomly right-clicks, left-clicks, shakes around, scrolls up and right-clicks, etc.

But I will go and try a new mouse now. Thanks again.

EDIT:

Sorry for the trouble. It seemed my new mouse got wet. It is now completely unresponsive, and the optical mouse is working perfectly. Again, sorry. Are there any other problems with my computer, or is the problem solved?

Last edited by leelokhin : 30-May-2008 09:45 AM.

Cookiegal (Administrator, Quebec, Canada), 30-May-2008, 03:55 PM, post #20
Everything looks fine. How is everything else working with the system now?

leelokhin (Junior Member), 30-May-2008, 11:32 PM, post #21
Everything seems perfectly alright, but could you explain what these processes are?

lsass.exe <-- It is said to be a Windows login function?
reader_sl.exe

Thanks.

Cookiegal (Administrator, Quebec, Canada), 31-May-2008, 01:47 PM, post #22
reader_sl.exe is the Adobe Reader Speed Launcher and really should be disabled as it takes up a lot of resources and is not necessary to run at startup.

lsass.exe is indeed the login authenticator.

Here are some final instructions for you.

The following program will remove the tools we've used and their associated files and backups and then it will delete itself.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your firewall or real-time protection attempts to block OTMoveIt2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application which will delete itself.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.


Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on Start > All Programs > Accessories > System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.


I also recommend downloading SPYWAREBLASTER for added protection.

Read here for info on how to tighten your security.


Delete Temporary Files:

Go to Start - Run and type in cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.


***

You should trim down your start-ups (these show as the O4 entries in your HijackThis log) as there are too many running. You can research them at these sites, and if they aren't required at start-up then you can uncheck them in msconfig: go to Start - Run, type msconfig, click OK and then click on the Startup tab.

http://castlecops.com/StartupList.html
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php
__________________
Microsoft MVP - Consumer Security

Alliance of Security Analysis Professionals

leelokhin (Junior Member), 02-Jun-2008, 05:07 AM, post #23
I have a cftmon.exe located in windows/system32/cftmon.exe. CastleCops seems to identify that as a virus, but I would like to consult your opinion before disabling it. What is it?

Is SpywareBlaster compatible with Avast, and is Avast a good antivirus, or are there any better ones floating around the internet?

I unchecked:
reader_sl.exe
ssmgr.exe
skytel.exe <-- That seems to be left over from an installation that I uninstalled. Can it be manually deleted?

Again, Thanks for your help. My computer has been running smoothly for longer than it ever has.

Cookiegal (Administrator, Quebec, Canada), 02-Jun-2008, 05:01 PM, post #24
I don't see where you had ssmgr.exe running. Was that listed in msconfig? If so, what was the file path?

cftmon.exe is usually valid but malware can also use that name. However, it's the language/alternative input services that control the language bar, which I suspect you're using since you also have Microsoft's Input Message Editor (IME) for translating.

skytel.exe is related to Realtek (possibly audio drivers) so I would leave that alone.

leelokhin (Junior Member), 03-Jun-2008, 02:05 AM, post #25
c:\windows\samsung\panelmgr\ssmgr.exe /autorun

That is what it says at the file path.

Cookiegal (Administrator, Quebec, Canada), 03-Jun-2008, 08:36 AM, post #26
Are you sure it's not ssmmgr.exe?

leelokhin (Junior Member), 03-Jun-2008, 09:44 AM, post #27
*Whoops*

I must be going blind these days. Yep, it's ssmmgr.exe, not ssmgr.exe. Sorry about that.

@SpywareBlaster: you just need to let it protect for all three options and that's it?

And. Is Avast a good antivirus, or are there any better ones around the internet?

And. The Avast spinning symbol seems to have disappeared from the bottom right corner. I know it is still running from processes, but just letting you know.

Cookiegal (Administrator, Quebec, Canada), 03-Jun-2008, 01:21 PM, post #28
OK, thanks for clarifying that file as the other spelling would have likely been malware but this one is fine.

Yes, SpywareBlaster does its own thing but you do have to update it periodically and then apply protection for the new items.


Avast and AVG are fine for free anti-virus programs but the best are not free. They are Nod32 and Kaspersky so I would recommend one of these.


The attached FixAvastIcon.zip file should fix the Avast icon. Save it to your desktop and unzip it then click on the FixAvastIcon.reg file and allow it to enter into the registry.

Reboot and let me know if the icon reappears.
Attached file: FixAvastIcon.zip (297 Bytes)
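Cookiegal's advice in post #22 to research the O4 start-up entries, and the ssmgr/ssmmgr and cftmon/ctfmon confusion in the posts that follow, come down to one check: does the file name behind a Run key exactly match a known binary, or merely resemble one? The Python script below is an added example, not code from this thread or from HijackThis. It parses O4 lines in the HijackThis format, extracts the executable name from the command, and flags any name that is within two edits of an allowlisted name without matching it, going slightly beyond the thread by handling quoted paths, bare file names and the HKUS per-user keys. The allowlist and the sample log lines (including the misspelled ssmgr.exe and cftmon.exe entries, which do not appear in the real log above) are constructed for the example; a real audit would check names against a maintained start-up database such as the ones linked in post #22.

```python
"""Audit HijackThis O4 (Run-key start-up) entries for lookalike file names.

Added example for the thread above; not HijackThis code. The allowlist and
the sample log lines are constructed for demonstration.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis O4 format. Two entries deliberately carry
# misspelled names (ssmgr.exe, cftmon.exe) that resemble legitimate binaries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Panel] C:\WINDOWS\Samsung\PanelMgr\ssmgr.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\cftmon.exe
O4 - HKCU\..\Run: [HideWindowPlus] C:\HideWindowPlus\HWinPlus.exe -background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

# Constructed allowlist of start-up binaries the thread treats as legitimate.
# A real audit would consult a maintained start-up database instead.
KNOWN_STARTUPS = {
    "ctfmon.exe", "ssmmgr.exe", "vttimer.exe", "vttrayp.exe",
    "reader_sl.exe", "rthdcpl.exe", "skytel.exe", "jusched.exe",
}

# O4 line: "O4 - <key>\..\Run: [<name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<key>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Executable: optional opening quote, then everything up to the first ".exe".
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a near-miss name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(basename: str, known=KNOWN_STARTUPS, max_dist: int = 2):
    """Return (status, closest_known) where status is known/lookalike/unknown."""
    if basename in known:
        return "known", basename
    closest = min(known, key=lambda k: edit_distance(basename, k))
    if edit_distance(basename, closest) <= max_dist:
        return "lookalike", closest
    return "unknown", None


def parse_o4(line: str):
    """Parse one O4 line into a dict, or return None if it is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    e = EXE_RE.match(cmd)
    # A bare file name (e.g. VTTimer.exe) has no directory; keep it as listed.
    path = e.group("path") if e else cmd.split()[0]
    basename = PureWindowsPath(path).name.lower()
    status, closest = classify(basename)
    return {"key": m.group("key"), "name": m.group("name"), "path": path,
            "basename": basename, "status": status, "closest": closest}


def audit_startups(log_text: str):
    """Parse every O4 line in a HijackThis log and classify its executable."""
    return [e for e in (parse_o4(line) for line in log_text.splitlines()) if e]


if __name__ == "__main__":
    for entry in audit_startups(SAMPLE_LOG):
        flag = "" if entry["status"] == "known" else f"  <-- {entry['status']}"
        hint = f" (resembles {entry['closest']})" if entry["status"] == "lookalike" else ""
        print(f"{entry['key']:<22} {entry['basename']:<16}{flag}{hint}")
```

Running it prints one line per O4 entry; ssmgr.exe is reported as a lookalike of ssmmgr.exe and cftmon.exe as a lookalike of ctfmon.exe, while HWinPlus.exe is merely "unknown" (not allowlisted, but not close to anything either). The distance threshold of 2 catches a dropped letter and a transposition, the two mistakes seen in this thread; raising it produces more false matches on short names.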

leelokhin (Junior Member), 05-Jun-2008, 11:04 PM, post #29
Hm. I allowed it to connect to the registry, but it popped up something about another program accessing it. Should I try again in safe mode?

Cookiegal (Administrator, Quebec, Canada), 06-Jun-2008, 12:00 PM, post #30
What generated the popup? Was it one of your security programs?

Exactly what did it say?
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.