1. rkfiles doesn't give you any feedback when it creates its log, it just makes a log file in your main C:\ folder called "log.txt". Open the log.txt file in Notepad and copy the contents into a post here.
2. svchost.exe is a valid Windows system file which manages other groups of Windows components. Because of that, it isn't unusual to see multiple instances of svchost running, or to see one instance of it spike your CPU usage.
Update.exe could be legit, but it's a common filename and could be part of your adware infections.
3. Run HijackThis again and have it fix:
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".
- Delete the following files:
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\hjharl.exe
- Delete the following folder entirely:
C:\Program Files\Cas
- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):
(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)
1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files
- Delete the entire content of your C:\Windows\Temp folder.
- Delete the entire content of your C:\Windows\Prefetch folder.
Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.
- Empty your Recycle Bin.
- Reboot normally.
5. Run HijackThis again and post a new log. Also let us know what (if any) visible signs of infection may still exist.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
