Hijack This Log from Work--Please help oh Great OOers

For general computer discussion & help, come here

Moderators: Bakhtosh, EvilHomer3k

Enough
Posts: 14688
Joined: Tue Oct 12, 2004 11:05 pm
Location: Serendipity
Contact:

Hijack This Log from Work--Please help oh Great OOers

Post by Enough »

I have decent knowledge of avoiding spyware and regularly run Spybot and Adaware and also have Spyware Blaster. This solution has always worked in the past. But now I am getting popups at work for Adult Friend Finder, which is definitely unfriendly. I tried the Bazooka scanner and it finds nothing, neither does SB or Adaware. Thus I have turned to Hijack This and wanted to post my log here to see if someone more in the know than I could assist. If you have any idea of what is infecting my work PC, for the love of god please help. I'm just waiting for when I have an important client in my office and one of those popups flashes at an inopportune time.

Logfile of HijackThis v1.98.2
Scan saved at 3:28:46 PM, on 12/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SxgTkBar.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\CIODM518.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINNT\system32\wisptis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\temp_profile\DL082004\120704\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Vw.exe] C:\documents and settings\michaelm.cnhp2k\local settings\temp\Vw.exe
O4 - HKLM\..\Run: [j.exe] C:\documents and settings\michaelm.cnhp2k\local settings\temp\j.exe
O4 - HKLM\..\Run: [3950655dfba2] C:\WINNT\system32\CIODM518.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: map lpt1.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/20e001604301234581 ... RdxIE6.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/ ... 2AxWin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CNHP2K.ColoState.EDU
O17 - HKLM\System\CCS\Services\Tcpip\..\{75B7FCAB-B416-472B-8DBC-ADFC9E56E59B}: NameServer = 129.82.103.78,129.82.103.79

I've deleted the last few entries with info on my network here at work for privacy reasons but I'm sure those entries are fine anyways.
My blog (mostly photos): Fort Ephemera - My Flickr Photostream

“You only get one sunrise and one sunset a day, and you only get so many days on the planet. A good photographer does the math and doesn’t waste either.” ―Galen Rowell
Smoove_B
Posts: 54726
Joined: Wed Oct 13, 2004 12:58 am
Location: Kaer Morhen

Post by Smoove_B »

This could be it:

O4 - HKLM\..\Run: [j.exe] C:\documents and settings\michaelm.cnhp2k\local settings\temp\j.exe


Let me do some more digging. Not that I can tell you how to fix it, but if the problem is "j.exe" then I should be able to find a link to tell you how to get rid of it.
Maybe next year, maybe no go
Smoove_B
Posts: 54726
Joined: Wed Oct 13, 2004 12:58 am
Location: Kaer Morhen

Post by Smoove_B »

Stumped. I think your best bet is to get this on the Ad Aware forums.

They helped me last year. Just follow their rules and I bet within an hour you'll be pest free.
Maybe next year, maybe no go
Enough
Posts: 14688
Joined: Tue Oct 12, 2004 11:05 pm
Location: Serendipity
Contact:

Post by Enough »

Yeah, I was wondering about the j.exe thing too. Thanks for the effort in any case. I wonder if Rip has any ideas...

I will definitely try the forums soon.

Edit: Checked out the forum and their rules: you are smoking some good crack if you think I can get it done in an hour. All new forum accounts have to be individually approved (I registered and am waiting for approval) and I am not to post my Hijack This log until I have already posted an Adaware scan to a different forum, so it looks like it could be a while. Definitely still open for any ideas in the meantime...
My blog (mostly photos): Fort Ephemera - My Flickr Photostream

“You only get one sunrise and one sunset a day, and you only get so many days on the planet. A good photographer does the math and doesn’t waste either.” ―Galen Rowell
Smoove_B
Posts: 54726
Joined: Wed Oct 13, 2004 12:58 am
Location: Kaer Morhen

Post by Smoove_B »

Wow. They changed their policy there I guess. Maybe they were being overrun or used to test whether or not a hacker could hide something he created. :)

I'll keep looking.

If I can find out a model's name from a Playboy catalog, I'm confident I can find something more on this.

But having multiple helps elsewhere is a good idea. :)
Maybe next year, maybe no go
Smoove_B
Posts: 54726
Joined: Wed Oct 13, 2004 12:58 am
Location: Kaer Morhen

Post by Smoove_B »

Maybe also try the Trend Micro free housecall. It's an online scanner.

http://housecall.trendmicro.com/houseca ... t_corp.asp
Maybe next year, maybe no go
Rip
Posts: 26891
Joined: Tue Oct 12, 2004 9:34 pm
Location: Cajun Country!
Contact:

Re: Hijack This Log from Work--Please help oh Great OOers

Post by Rip »

Enough wrote:I have decent knowledge of avoiding spyware and regularly run Spybot and Adaware and also have Spyware Blaster. This solution has always worked in the past. But now I am getting popups at work for Adult Friend Finder, which is definitely unfriendly. I tried the Bazooka scanner and it finds nothing, neither does SB or Adaware. Thus I have turned to Hijack This and wanted to post my log here to see if someone more in the know than I could assist. If you have any idea of what is infecting my work PC for the love god please help. I'm just waiting for when I have an important client in my office and one of those popups flashes at an inopportune time.

The j.exe looks suspicious and a couple others could be. I see at least 4 or 5 tasks that I have not seen before.
O4 - HKLM\..\Run: [Vw.exe] C:\documents and settings\michaelm.cnhp2k\local settings\temp\Vw.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\system32\SxgTkBar.exe


The ARCGIS gives away a lot about the work, however. :) I'm a little swamped right now but will try to research a couple of them as soon as I can.
“A simple democracy is the devil’s own government.”
— Benjamin Rush
--
Smoove_B
Posts: 54726
Joined: Wed Oct 13, 2004 12:58 am
Location: Kaer Morhen

Re: Hijack This Log from Work--Please help oh Great OOers

Post by Smoove_B »

Rip wrote:The j.exe looks suspicious and a couple others could be. I see at least 4 or 5 tasks that I have not seen before.
O4 - HKLM\..\Run: [Vw.exe] C:\documents and settings\michaelm.cnhp2k\local settings\temp\Vw.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\system32\SxgTkBar.exe
I checked these; though I wouldn't testify in court, they all came up as legit software. Sound card, Epson printer, and something called "Visual Works" - seemed like business / office software.

But who knows?
Maybe next year, maybe no go
Quaro
Posts: 1194
Joined: Wed Oct 13, 2004 3:10 am

Post by Quaro »

Blackhawk
Posts: 43898
Joined: Tue Oct 12, 2004 9:48 pm
Location: Southwest Indiana

Re: Hijack This Log from Work--Please help oh Great OOers

Post by Blackhawk »

Smoove_B wrote:
Rip wrote:The j.exe looks suspicious and a couple others could be. I see at least 4 or 5 tasks that I have not seen before.
O4 - HKLM\..\Run: [Vw.exe] C:\documents and settings\michaelm.cnhp2k\local settings\temp\Vw.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\system32\SxgTkBar.exe
I checked these; though I wouldn't testify in court, they all came up as legit software. Sound card, Epson printer, and something called "Visual Works" - seemed like business / office software.

But who knows?
I came up with the same thing, except I found a bunch of different things for Vw.exe. A few googles found that lots of people with j.exe are also having browser hijack troubles. It might be coincidence, but it looks suspicious. It certainly looks suspicious when something is set to run from a temp folder, though.

Close everything, open C:\documents and settings\michaelm.cnhp2k\local settings\temp\ and delete everything inside, then reboot. See if it re-creates itself. That temp folder isn't supposed to have anything permanent in it - on a reboot (ideally) it should be emptied, although programs sometimes leave orphans behind.
(˙pǝsɹǝʌǝɹ uǝǝq sɐɥ ʎʇıʌɐɹƃ ʃɐuosɹǝd ʎW)
Enough
Posts: 14688
Joined: Tue Oct 12, 2004 11:05 pm
Location: Serendipity
Contact:

Post by Enough »

Thanks for all the advice guys. I will try nuking the temp folder and see what that does. I also found, right on the root of my main drive, a definite spyware exstub.exe, but none of the signs of that infecting my machine in the registry/etc. are present. I will update when I hopefully slay this pest!
My blog (mostly photos): Fort Ephemera - My Flickr Photostream

“You only get one sunrise and one sunset a day, and you only get so many days on the planet. A good photographer does the math and doesn’t waste either.” ―Galen Rowell
Enough
Posts: 14688
Joined: Tue Oct 12, 2004 11:05 pm
Location: Serendipity
Contact:

Post by Enough »

Nope, instantly got a pop-up after nuking the temp directory (in safe mode). Weird thing is Hijack This still shows j.exe and vw.exe running out of temp and I clean out my temp dir often with a wiper so... I think I might check other computers on our network to see if they also have it. Will keep you all updated.
My blog (mostly photos): Fort Ephemera - My Flickr Photostream

“You only get one sunrise and one sunset a day, and you only get so many days on the planet. A good photographer does the math and doesn’t waste either.” ―Galen Rowell
Smoove_B
Posts: 54726
Joined: Wed Oct 13, 2004 12:58 am
Location: Kaer Morhen

Post by Smoove_B »

The one thing I did come across in my searches last night is that there are a lot of viruses / spyware / hijackers that create random file names.

You might not ever find a reference to a "J.exe" because on someone else's computer it would be another random letter.

Sneaky bastards.
Maybe next year, maybe no go
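Two observations in the thread are checkable mechanically: Blackhawk's point that anything set to run at logon out of a temp folder deserves suspicion, and Smoove_B's point that droppers pick random names, so you look at the shape of the name rather than searching for it. The script below is an added example, not something from the original posts or from the HijackThis tool; it parses the O4 Run and O16 DPF line formats HijackThis v1.98 writes and flags entries on those two heuristics, plus one of my own: an ActiveX control downloaded from a bare IP address instead of a hostname. The sample log is a constructed handful of lines copied from the thread's log, not the whole thing, and a hit is a lead to verify, not a verdict (the hex-named CIODM518.exe entry, for instance, is flagged only because of its value name).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Directory fragments that should never host a program launched at every logon.
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")

# HijackThis v1.98 line shapes handled here; every other line is ignored.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<ctl>.+?) - (?P<url>\S+)$")

# First program image in a Run command line: optionally quoted, ending in a
# runnable extension, followed by end-of-line or by arguments.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|scr|pif))"?(?:\s|$)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)        # e.g. 3950655dfba2
ONE_CHAR_NAME_RE = re.compile(r"^[a-z0-9](?:\.exe)?$", re.IGNORECASE)  # e.g. j.exe
BARE_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: a few lines taken from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Vw.exe] C:\documents and settings\michaelm.cnhp2k\local settings\temp\Vw.exe
O4 - HKLM\..\Run: [j.exe] C:\documents and settings\michaelm.cnhp2k\local settings\temp\j.exe
O4 - HKLM\..\Run: [3950655dfba2] C:\WINNT\system32\CIODM518.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
"""


@dataclass
class Finding:
    kind: str      # "O4" or "O16"
    subject: str   # Run value name, or the DPF control description
    target: str    # program image path, or the download URL
    reasons: list


def image_path(cmd):
    """Return the program image a Run value launches, without quotes or arguments."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split(" ")[0]


def check_run_entry(name, cmd):
    """Apply the temp-folder and random-name heuristics to one O4 Run value."""
    reasons = []
    path = image_path(cmd)
    if any(marker in path.lower() for marker in TEMP_DIR_MARKERS):
        reasons.append("autorun image lives in a temp folder")
    if HEX_NAME_RE.match(name) or ONE_CHAR_NAME_RE.match(name):
        reasons.append("random-looking value name")
    return path, reasons


def check_dpf_entry(url):
    """Flag an ActiveX download whose host is a raw IPv4 address (added heuristic)."""
    host = urlparse(url).hostname or ""
    return ["ActiveX control fetched from a bare IP address"] if BARE_IPV4_RE.match(host) else []


def scan_log(text):
    """Walk a HijackThis log and return the O4/O16 lines that deserve a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            path, reasons = check_run_entry(m["name"], m["cmd"])
            if reasons:
                findings.append(Finding("O4", m["name"], path, reasons))
        elif m := DPF_RE.match(line):
            reasons = check_dpf_entry(m["url"])
            if reasons:
                findings.append(Finding("O16", m["ctl"], m["url"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.kind} [{f.subject}] {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample it reports Vw.exe (temp folder), j.exe (temp folder and one-letter name), the 3950655dfba2 value (hex name only) and the CCMP.cab download (bare IP). One caveat worth keeping in mind when reading the later posts: the O4 line comes from the registry value, not from the file, so an entry can keep showing up after the temp directory has been wiped even though nothing re-dropped the file; the file coming back after a wipe is the stronger signal.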
Smoove_B
Posts: 54726
Joined: Wed Oct 13, 2004 12:58 am
Location: Kaer Morhen

Post by Smoove_B »

Also - check under "Add / Remove" programs in the control panel. Scan the names of the installed programs for things that don't look familiar.

I think that's how I found one of the bugs on my PC a long time ago.
Maybe next year, maybe no go
The Preacher
Forum Moderator
Posts: 13037
Joined: Mon Nov 01, 2004 11:57 am

Post by The Preacher »

I did a search and one other suggestion was found:
Sun Java's cache should be cleared too.
Go to -> control panel java-plugin -> cache tab -> hit clear!
And make sure you have the latest version if you have Sun Java.
It worked for that guy even if it was a different problem.

http://forums.thatcomputerguy.us/lofive ... t7751.html
You do not take from this universe. It grants you what it will.
Enough
Posts: 14688
Joined: Tue Oct 12, 2004 11:05 pm
Location: Serendipity
Contact:

Post by Enough »

Clearing the java cache was a great idea that unfortunately didn't work. But it was one of the few things I had not tried yet, thank you very much.

I ended up nuking via the Hijack This fix button the j.exe and vw.exe as I have no use for whatever the hell they are doing at my workplace. I checked a coworker's machine who does a lot of what I do and she didn't have either so I figured it would be safe to do. But the popup continues. At least the nasty Adult Friendfinder one hasn't come up lately. I could see my boss no likey that one.

I've received the confirmation of my account at Lavasoft so I guess I will start heading down that road unless anyone else has more ideas? And I didn't mention it earlier, but what is up with all the SC4 crap in my Hijack This log? I only friggin' downloaded a patch for my home PC here at work and it created all that? EA teh suck. :x
My blog (mostly photos): Fort Ephemera - My Flickr Photostream

“You only get one sunrise and one sunset a day, and you only get so many days on the planet. A good photographer does the math and doesn’t waste either.” ―Galen Rowell