
Thread: ctfmon.exe ...the undead (Resolved)


  1. #1
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21

    ctfmon.exe ...the undead (Resolved)

    My Google searches have been hi-jacked by a trojan virus which re-directs me when I click on the search results. I have tried all of the suggestions in the introduction to the forum with no success. When I first ran HJT there were about six threats identified which I removed. However the line

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    keeps returning. I know ctfmon.exe is a Microsoft file for an alternative user in some applications.

    Also when I ran AVG Anti-Virus it identified a trojan called Java/byte/verify which it quarantined. CWShredder did not identify any threats. I am not using Microsoft Office..only Word.

    If anybody could help me finally drive a stake through the heart of this nasty I would really appreciate it. The HJT file can be seen at the location below.
    http://hjt.nethworktechs.com/parse.php?log=340285

    My Thanks

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Please follow the instructions HERE
    and when you run a new HJT don't parse the log, just copy/paste it right here in the thread. The parser tends to give false positives. HJT is NOT a FIXER program, it is a scanner. Do you have a record of items you fixed or removed because of or by using HJT?
    Plus your link is bad so I cannot see the parsed log.
    The O4 entry you noted is connected with Word.

    I finally was able to access your link to the parser. You had misspelled the link.
    I see you have run the HJT version 2 BETA. Please use the 1.99.1 version when you re-scan the computer.

  3. #3
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21

    ctfmon.exe

    Thank you for your reply. I have run all the anti adware and spyware suggested in your link. The new logfile you requested is below. Beneath that I have posted all the lines I edited out from the original parsed file. I hope this will be of help.

    Logfile of HijackThis v1.99.1
    Scan saved at 1414, on 12/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/...veXClient1.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


    *****The lines edited out from the original HJT parsed file are below*****


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    File Missing
    When a file is missing, you should always have HijackThis fix the item.
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    Ctfmon.exe
    "CoolWebSearch Ctfmon32 parasite variant"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    Ctfmon.exe
    "CoolWebSearch Ctfmon32 parasite variant"
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    Ctfmon.exe
    "CoolWebSearch Ctfmon32 parasite variant"
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    File Missing
    When a file is missing, you should always have HijackThis fix the item.
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    File Missing
    When a file is missing, you should always have HijackThis fix the item.
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    SharedTaskScheduler Registry key autorun
    Only a CWS variant has been known to use this. Consult a HJT expert before cleaning anything.
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    SharedTaskScheduler Registry key autorun
    Only a CWS variant has been known to use this. Consult a HJT expert before cleaning anything.

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Frankly I see absolutely nothing amiss in the log, except that HiJackThis is being run from a temp file. It should always be run from its OWN folder. The reason is that HJT will make backups of items removed so that if something removed is incorrect it can be fixed, but it will NOT save the backup to a temp file, so there are no backups made.
    I don't see a firewall anywhere, are you using the Windows Firewall?
    The files you previously fixed with HJT are perfectly legal files. So there was nothing to worry about in those.
    This entry here;
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    shows why you also have ctfmon.exe running. Perfectly legal file.
    If you do not want this to run then you can go to the Control Panel, Text & Speech Services and turn it off if you do not use it.
    I really see nothing in either log to indicate a hijacker on the system.
    When you say that
    "Google searches have been hi-jacked by a trojan virus which re-directs me when I click on the search results."
    exactly WHERE are you taken?

  5. #5
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    I created a folder HiJackthis in Program Files and downloaded it to there but each time it is a temporary file? I disabled the Windows firewall as per the instructions in the link (I am not sure how to re-enable it!)
    I previously disabled ctfmon.exe as you suggested but it made no difference. I believe ctfmon.exe can be used as a back door thing for trojan hijack. After the first couple of clicks on search results the re-direction stops but I am afraid that this could be some keystroke monitoring thing which obviously is dangerous.
    Below are some of the sites I am sent to.

    http://www.camouflageclothingonline....t=2&rpt=1&kt=1
    http://www.velvetic.com/cfc.cfm?pt=2&rpt=1&kt=1
    http://aicse.com/cfc.cfm?pt=2&rpt=1&kt=1
    These come with a yellow bar saying a pop up has been blocked

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    ctfmon.exe is a perfectly legitimate file. You have Word on the machine, and even though you said you don't have Microsoft Office you do, as shown by the entry in your HiJackThis log
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    As long as Office loads at start up, which this shows that it does, then ctfmon.exe will load also.
    If you are getting a pop-up bar then this shows the pop-up blocker is doing its work, it is blocking pop-ups.
    There is another copy of HiJackThis on the machine which is the beta version and it is running from its own folder as shown in your original scan but this one IS running from here;
    C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    Go in there and remove the beta version. Then move this one.
    To re-enable Windows Firewall you just do the same instructions you followed to turn it off, only do them in reverse, put the dot in to turn it on.

    Obviously there is "something" on the machine because if you are still getting these re-directs then all has not been removed.

    Go in and rename HiJackThis to analyze.exe and physically MOVE this file from the Temp folder it is in to its own folder.
    You need to go back to the beginning of PP's sticky and do the steps again. He does NOT say turn off Windows Firewall. He explains that AFTER the computer is clean then you turn off System Restore, that is NOT the Firewall.
    I need you to follow his steps exactly. Especially the enabling of hidden files and folders.
    When you have completed those steps, EXACTLY, then post back here with the AVG LOG, the HJT log and the Kaspersky log.
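
The two checks made by hand in the reply above (is the ctfmon.exe autorun really the system32 copy, and is anything running out of a Temp folder) can be scripted against a pasted HijackThis log. This is an added example, not part of the thread and not HijackThis code; it assumes SystemRoot is C:\WINDOWS as in the posted log, and the last sample line is a constructed lookalike entry that does not appear in the poster's log.

```python
import re
from ntpath import basename, dirname, normpath  # Windows path rules on any OS

# Assumption: SystemRoot is C:\WINDOWS, as shown in the log posted in this thread.
SYSTEM32 = r"c:\windows\system32"

# Sample input: lines taken from the thread's log, plus ONE constructed
# lookalike entry (the final line) to show what a mismatch looks like.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctfmon] C:\WINDOWS\ctfmon32.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Image path is either quoted, or everything up to the first ".exe" token.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.IGNORECASE)


def image_path(cmd):
    """Return the executable path from an autorun command line, or None."""
    m = IMAGE_RE.match(cmd.strip())
    if not m:
        return None
    return normpath(m.group(1) or m.group(2))


def parse_o4(log):
    """Return (hive, value_name, image_path) for every registry Run entry."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m.group("hive"), m.group("name"), image_path(m.group("cmd"))))
    return entries


def check_ctfmon(name, image):
    """Classify an autorun that claims to be ctfmon; None if unrelated."""
    exe = basename(image).lower()
    folder = dirname(image).lower()
    if exe == "ctfmon.exe":
        # The genuine file lives in system32; the same name elsewhere is suspect.
        return "ok" if folder == SYSTEM32 else "ctfmon.exe outside system32"
    if "ctfmon" in exe or "ctfmon" in name.lower():
        # Similar-looking file name, or a value named ctfmon pointing elsewhere.
        return "ctfmon lookalike"
    return None


def ctfmon_findings(log):
    """Return (verdict, value_name, image) for every ctfmon-related autorun."""
    out = []
    for _hive, name, image in parse_o4(log):
        if image is None:
            continue
        verdict = check_ctfmon(name, image)
        if verdict:
            out.append((verdict, name, image))
    return out


def temp_processes(log):
    """Return running-process paths that have a Temp/Tmp directory component."""
    found, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line:          # blank line ends the process list
                break
            parts = normpath(line).lower().split("\\")
            if "temp" in parts or "tmp" in parts:
                found.append(line)
    return found


if __name__ == "__main__":
    for verdict, name, image in ctfmon_findings(SAMPLE_LOG):
        print(f"{verdict:28} [{name}] {image}")
    for path in temp_processes(SAMPLE_LOG):
        print(f"{'runs from Temp':28} {path}")
```

A path match only confirms where the autorun points; it says nothing about whether the file at that location has been replaced, which is what the scanner steps in the thread are for.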

  7. #7
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    I am unable to run both AVG Anti Spy and Rootkit in Safe Mode. AVG Anti Spy gives the error "Connection service failed, please re-install". I did this and it still did not run. Rootkit gives the error "Reboot computer before running". I did this to no effect. I can run both in normal Mode?

  8. #8
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056

    Originally posted by spaileen:
    "I am unable to run both AVG Anti Spy and Rootkit in Safe Mode. AVG Anti Spy gives the error "Connection service failed, please re-install". I did this and it still did not run. Rootkit gives the error "Reboot computer before running". I did this to no effect. I can run both in normal Mode?"
    Ok, then please try updating both of them and then running them in Normal mode but do not try to run them at the same time, ok?

    Also, download Autoruns, after downloading, run it (Windows running in NORMAL MODE), when the program starts and you agree to the EULA, press ESC to cancel the initial scan. Click OPTIONS, then check the box next to 'Hide Microsoft Entries' then run the scan. Once it is done, click file and save the log file on desktop so you can easily locate and attach it to your next post please.

  9. #9
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Not sure what you mean about Kaspersky not installing with AVG on the machine. This really shouldn't be a problem. The Kaspersky is the ONLINE scanner, not the full program. Which AVG are you talking about? The AVG anti-spy program shouldn't be running anyway while you are doing the Kaspersky online scanner. It should only be used for the manual scan. If you are talking about your AVG anti-virus then just disable it while running the Kaspersky online scan.

  10. #10
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    I have put HJT into a permanent folder and renamed it AnalyzeThis.exe. The firewall is (and was) enabled. The HJT and AVG logs are below. I was unable to run the Kaspersky on-line scanner. A pop up appears asking me to enable an add in. When I click on it, it takes me back to the first splash screen and nothing further happens. This happened before and I was forced to download the full version, which did not work with AVG installed as I explained previously.
    Logfile of HijackThis v1.99.1
    Scan saved at 21:20:04, on 13/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AnalyzeThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/...veXClient1.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
