Thread: cftmon.exe ...the undead (Resolved)

  1. #1
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    spaileen, I wouldn't look on this as fixed, because it obviously isn't.
    It certainly doesn't call for a system reinstall either.
    Don't give up, because "something" is re-directing those searches, and it obviously shouldn't be there.
    I have asked somebody else to take a look here and see what he thinks. There most definitely is something lurking on the computer and I, for one, am not comfortable saying all is well. Don't give up on us, we sure won't give up on you either.
    Judy

  2. #2
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    Thank you for your encouragement... I certainly will not be giving up on you.
    Gerry

  3. #3
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056


    Quote Originally Posted by spaileen View Post
    Thank you for your encouragement... I certainly will not be giving up on you.
    Gerry
    Try downloading my own experimental passive scanner AnalyzerXP 3.6 onto your system and then close all browser and other programs before running it. Then once done, attach its log which should appear on desktop to your next post, ok?

    ~TL

  4. #4
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    Thanks. I've run Analyzer and the text file is below. (There seems to be a lot of hard disk activity a few minutes after running?)



    [==========] AnalyzerXP 3.6 by TL - forum.networktechs.com (www.IamNotaGeek.com) [==========]


    17/06/2007
    14:11

    Some of the files listed could be safe and valid, so before you do anything, research further.
    You could also submit this log on forum.networktechs.com - Spyware Central for help.

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS\Tasks

    07/06/2007 01:22 268 Uniblue SpyEraser Nag.job
    07/06/2007 01:21 342 Uniblue SpyEraser.job
    2 File(s) 610 bytes
    0 Dir(s) 63,496,695,808 bytes free


    TaskName Next Run Time Status
    ==================================== ======================== ===============
    MP Scheduled Scan 02:02:00, 18/06/2007
    Uniblue SpyEraser Nag 15:14:00, 21/06/2007
    Uniblue SpyEraser Never



    =====] Looking for suspicious file types in WINDOWS folder:

    W32i - - - - 37,027 03-25-2007 c:\windows\atmoun.exe
    W32i - - - - 49,152 11-29-2005 c:\windows\setpwrcg.exe

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS



    W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl
    W32i - - - - 2,518,779 09-24-2006 c:\windows\system32\erdmpg-enc.dll
    W32i - - - - 30,693 09-24-2006 c:\windows\system32\erdmpg-int.dll
    W32i - - - - 268,242 09-24-2006 c:\windows\system32\erdmpg-parse.dll
    W32i - - - - 32,768 04-20-2005 c:\windows\system32\instlsp.exe
    W32i - - - - 40,960 01-19-2001 c:\windows\system32\instmon.exe
    W32i - - - - 145,408 11-06-2005 c:\windows\system32\lame.exe
    W32i - - - - 237,568 08-07-2003 c:\windows\system32\lame_enc.dll
    W32i - - - - 86,016 08-18-2003 c:\windows\system32\lxbkih.exe
    W32i - - - - 77,824 08-18-2003 c:\windows\system32\lxbklcnp.dll
    W32i - - - - 40,960 11-13-2002 c:\windows\system32\lxbkvs.dll
    DOS - - - - 5,765 09-23-2002 c:\windows\system32\memman.vxd
    W32i - - - - 258,560 11-17-2005 c:\windows\system32\musictagsax.dll
    W32i - - - - 65,536 01-25-2007 c:\windows\system32\nmsaccess.exe
    W32i - - - - 157,696 07-19-2002 c:\windows\system32\oggenc.exe
    DOS - - - - 38,567 03-14-2002 c:\windows\system32\pcpbios.exe
    W32i - - - - 4,103,032 03-26-2007 c:\windows\system32\spoonuninstall.exe
    W32i - - - - 4,096 08-16-1998 c:\windows\system32\sysres.dll
    W32i - - - - 73,728 04-20-2003 c:\windows\system32\vumeter.ax
    W32i - - - - 40,960 06-25-2002 c:\windows\system32\wavdest.ax

    18/10/2006 21:47 2,450,944 SET249.tmp
    18/10/2006 21:47 937,984 SET242.tmp
    18/10/2006 21:47 222,208 SET23D.tmp
    18/10/2006 21:47 37,376 SET254.tmp
    18/10/2006 21:47 33,792 SET253.tmp
    18/10/2006 21:47 757,248 SET23B.tmp
    18/10/2006 21:47 321,536 SET252.tmp
    18/10/2006 21:47 175,616 SET257.tmp

    05/09/2006 23:01 2,455,488 ieapfltr.dat

    22/11/2006 20:50 778,240 asrecmms.ocx
    25/06/2006 20:56 176,128 dvdauthor.ocx


    =====] Looking for suspicious file types in Current User profile:



    W32i APP ENU 1.20.100.1203 shp 24,576 07-25-2002 c:\windows\downloaded program files\dwusplay.dll
    W32i APP ENU 1.20.100.1203 shp 196,608 07-25-2002 c:\windows\downloaded program files\dwusplay.exe
    W32i APP ENU 3.10.100.1155 shp 323,584 07-27-2004 c:\windows\downloaded program files\isusweb.dll




    =====] List of files located at the root of the C Drive:

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\

    04/12/2005 01:16 735 892.cin
    03/03/2006 19:31 12,284,879 AVG7QT.DAT
    29/11/2005 14:52 4,098 dell.sdr
    04/12/2005 16:52 4,128 INFCACHE.1
    10/08/2004 14:04 0 IO.SYS
    10/08/2004 14:04 0 MSDOS.SYS
    15/12/2005 18:40 168 setupfax.log
    31/10/2005 16:56 700,416 StubInstaller.exe
    22 File(s) 12,997,971 bytes
    0 Dir(s) 63,496,257,536 bytes free



    =====] Directory Analysis - PROGRAM FILES:

    01/04/2006 14:42 <DIR> Ahead
    13/03/2006 22:11 <DIR> OLYMPUS
    03/03/2006 19:29 <DIR> Grisoft
    17/01/2006 23:55 <DIR> McAfee

    (Ignore the ones you know of)


    =====] Directory Analysis - COMMON FILES (subfolder of Program Files folder):




    =====] Directory Analysis - WINDOWS folder:

    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS

    05/06/2007 17:18 <DIR> ie7updates
    04/06/2007 17:29 <DIR> WBEM
    04/06/2007 17:28 <DIR> ie7
    04/06/2007 17:25 <DIR> network diagnostic
    27/01/2006 13:16 <DIR> Minidump
    0 File(s) 0 bytes
    157 Dir(s) 63,496,392,704 bytes free


    =====] Process Analysis - User-based processes with their Services:


    Image Name PID Services
    ========================= ====== =============================================
    ctfmon.exe 1748 N/A
    alg.exe 1396 ALG
    lxbkbmgr.exe 1492 N/A
    tfswctrl.exe 1528 N/A
    igfxpers.exe 1384 N/A
    realsched.exe 2052 N/A
    MSASCui.exe 2076 N/A
    avgcc.exe 2084 N/A
    qttask.exe 2100 N/A
    lxbkbmon.exe 2108 N/A
    GoogleToolbarNotifier.exe 2124 N/A
    msmsgs.exe 2168 N/A
    avgw.exe 3148 N/A
    iexplore.exe 2844 N/A


    =====] Process Analysis - Currently running Service based Processes:


    Image Name PID Session Name Session# Mem Usage
    ========================= ====== ================ ======== ============
    MsMpEng.exe 1180 Console 0 18,556 K
    ctfmon.exe 1748 Console 0 4,028 K
    LEXBCES.EXE 1892 Console 0 3,436 K
    LEXPPS.EXE 1928 Console 0 3,296 K
    guard.exe 160 Console 0 1,416 K
    avgamsvr.exe 176 Console 0 416 K
    avgupsvc.exe 188 Console 0 1,004 K
    avgemc.exe 204 Console 0 1,728 K
    alg.exe 1396 Console 0 3,500 K
    lxbkbmgr.exe 1492 Console 0 3,672 K
    tfswctrl.exe 1528 Console 0 4,500 K
    igfxpers.exe 1384 Console 0 3,840 K
    realsched.exe 2052 Console 0 156 K
    MSASCui.exe 2076 Console 0 7,560 K
    avgcc.exe 2084 Console 0 448 K
    qttask.exe 2100 Console 0 4,696 K
    lxbkbmon.exe 2108 Console 0 3,444 K
    GoogleToolbarNotifier.exe 2124 Console 0 280 K
    msmsgs.exe 2168 Console 0 5,292 K
    avgw.exe 3148 Console 0 34,036 K
    iexplore.exe 2844 Console 0 3,460 K



    =====] System Variables:

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Gerry B\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=GERRY
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Gerry B
    LOGONSERVER=\\GERRY
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0401
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
    USERDOMAIN=GERRY
    USERNAME=Gerry B
    USERPROFILE=C:\Documents and Settings\Gerry B
    windir=C:\WINDOWS


    [====================] End of Log [====================]

  5. #5
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056


    Holy Cow, AnalyzerXP did spot a bunch of baddies!!

    I will list only the identified baddies and a few highly suspicious ones, but for now, concentrate on deleting the identified baddies, ok?

    Before rebooting in Safe Mode, download CleanupXP+ (a script that I put together for this type of job). Read the post to familiarize yourself with how it works or you could also copy/paste the post to a text file you can save on your desktop which could be wise as well.

    After booting in safe mode, run the executable that I am assuming you downloaded to your desktop. After the standard cleanup process, use option 1 (delete a file) and one at a time, enter each file listed below, then continue and when prompted again enter the other file on the list. Do this till all files are removed.

    Then reboot your machine in normal mode and run another AnalyzerXP scan then attach your log please. Remember to close all programs, etc before running the scan!!

    *** Files to delete:
    erdmpg-enc.dll
    erdmpg-int.dll
    erdmpg-parse.dll
    memman.vxd


    *** Suspicious files to research further:
    W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl

    ~ If you are using Trend Scanmail then ignore this:
    W32i - - - - 40,960 01-19-2001 c:\windows\system32\instmon.exe

    ~ If you are using Lexmark printer then ignore these:
    W32i - - - - 86,016 08-18-2003 c:\windows\system32\lxbkih.exe
    W32i - - - - 77,824 08-18-2003 c:\windows\system32\lxbklcnp.dll
    W32i - - - - 40,960 11-13-2002 c:\windows\system32\lxbkvs.dll
    That should get things moving in the positive direction!

    Also, I noticed both McAfee and Grisoft AVG antivirus scanners installed, if that is really the case, you should get rid of one and use only one on the same system!



    ~TL

  6. #6
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    I did as you said and I removed the files you listed as you can see below... and hey... my google seems to be working fine now. I'm super impressed, and thank you! If there is anything else please let me know, but I will post tomorrow to let you know how I am getting on.


    [==========] AnalyzerXP 3.6 by TL - forum.networktechs.com (www.IamNotaGeek.com) [==========]


    17/06/2007
    20:40

    Some of the files listed could be safe and valid, so before you do anything, research further.
    You could also submit this log on forum.networktechs.com - Spyware Central for help.

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS\Tasks

    07/06/2007 01:22 268 Uniblue SpyEraser Nag.job
    07/06/2007 01:21 342 Uniblue SpyEraser.job
    2 File(s) 610 bytes
    0 Dir(s) 63,765,659,648 bytes free


    TaskName Next Run Time Status
    ==================================== ======================== ===============
    MP Scheduled Scan 02:12:00, 18/06/2007
    Uniblue SpyEraser Nag 15:14:00, 21/06/2007
    Uniblue SpyEraser Never



    =====] Looking for suspicious file types in WINDOWS folder:

    W32i - - - - 37,027 03-25-2007 c:\windows\atmoun.exe
    W32i - - - - 49,152 11-29-2005 c:\windows\setpwrcg.exe

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS



    W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl
    W32i - - - - 32,768 04-20-2005 c:\windows\system32\instlsp.exe
    W32i - - - - 40,960 01-19-2001 c:\windows\system32\instmon.exe
    W32i - - - - 145,408 11-06-2005 c:\windows\system32\lame.exe
    W32i - - - - 237,568 08-07-2003 c:\windows\system32\lame_enc.dll
    W32i - - - - 86,016 08-18-2003 c:\windows\system32\lxbkih.exe
    W32i - - - - 77,824 08-18-2003 c:\windows\system32\lxbklcnp.dll
    W32i - - - - 40,960 11-13-2002 c:\windows\system32\lxbkvs.dll
    W32i - - - - 258,560 11-17-2005 c:\windows\system32\musictagsax.dll
    W32i - - - - 65,536 01-25-2007 c:\windows\system32\nmsaccess.exe
    W32i - - - - 157,696 07-19-2002 c:\windows\system32\oggenc.exe
    DOS - - - - 38,567 03-14-2002 c:\windows\system32\pcpbios.exe
    W32i - - - - 4,103,032 03-26-2007 c:\windows\system32\spoonuninstall.exe
    W32i - - - - 4,096 08-16-1998 c:\windows\system32\sysres.dll
    W32i - - - - 73,728 04-20-2003 c:\windows\system32\vumeter.ax
    W32i - - - - 40,960 06-25-2002 c:\windows\system32\wavdest.ax

    05/09/2006 23:01 2,455,488 ieapfltr.dat

    22/11/2006 20:50 778,240 asrecmms.ocx
    25/06/2006 20:56 176,128 dvdauthor.ocx


    =====] Looking for suspicious file types in Current User profile:



    W32i APP ENU 1.20.100.1203 shp 24,576 07-25-2002 c:\windows\downloaded program files\dwusplay.dll
    W32i APP ENU 1.20.100.1203 shp 196,608 07-25-2002 c:\windows\downloaded program files\dwusplay.exe
    W32i APP ENU 3.10.100.1155 shp 323,584 07-27-2004 c:\windows\downloaded program files\isusweb.dll




    =====] List of files located at the root of the C Drive:

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\

    04/12/2005 01:16 735 892.cin
    03/03/2006 19:31 12,284,879 AVG7QT.DAT
    29/11/2005 14:52 4,098 dell.sdr
    04/12/2005 16:52 4,128 INFCACHE.1
    10/08/2004 14:04 0 IO.SYS
    10/08/2004 14:04 0 MSDOS.SYS
    15/12/2005 18:40 168 setupfax.log
    31/10/2005 16:56 700,416 StubInstaller.exe
    21 File(s) 12,997,217 bytes
    0 Dir(s) 63,765,250,048 bytes free



    =====] Directory Analysis - PROGRAM FILES:

    01/04/2006 14:42 <DIR> Ahead
    13/03/2006 22:11 <DIR> OLYMPUS
    03/03/2006 19:29 <DIR> Grisoft
    17/01/2006 23:55 <DIR> McAfee

    (Ignore the ones you know of)


    =====] Directory Analysis - COMMON FILES (subfolder of Program Files folder):




    =====] Directory Analysis - WINDOWS folder:

    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS

    05/06/2007 17:18 <DIR> ie7updates
    04/06/2007 17:29 <DIR> WBEM
    04/06/2007 17:28 <DIR> ie7
    04/06/2007 17:25 <DIR> network diagnostic
    27/01/2006 13:16 <DIR> Minidump
    0 File(s) 0 bytes
    157 Dir(s) 63,765,270,528 bytes free


    =====] Process Analysis - User-based processes with their Services:


    Image Name PID Services
    ========================= ====== =============================================
    ctfmon.exe 1872 N/A
    lxbkbmgr.exe 1564 N/A
    tfswctrl.exe 1820 N/A
    lxbkbmon.exe 1828 N/A
    igfxpers.exe 204 N/A
    realsched.exe 236 N/A
    MSASCui.exe 380 N/A
    avgcc.exe 468 N/A
    qttask.exe 340 N/A
    GoogleToolbarNotifier.exe 604 N/A
    msmsgs.exe 712 N/A
    alg.exe 3188 ALG


    =====] Process Analysis - Currently running Service based Processes:


    Image Name PID Session Name Session# Mem Usage
    ========================= ====== ================ ======== ============
    MsMpEng.exe 1224 Console 0 18,536 K
    LEXBCES.EXE 1864 Console 0 3,444 K
    ctfmon.exe 1872 Console 0 4,032 K
    LEXPPS.EXE 1904 Console 0 3,304 K
    guard.exe 416 Console 0 1,404 K
    avgamsvr.exe 500 Console 0 748 K
    avgupsvc.exe 640 Console 0 664 K
    avgemc.exe 676 Console 0 1,872 K
    lxbkbmgr.exe 1564 Console 0 3,672 K
    tfswctrl.exe 1820 Console 0 4,484 K
    lxbkbmon.exe 1828 Console 0 3,428 K
    igfxpers.exe 204 Console 0 3,832 K
    realsched.exe 236 Console 0 180 K
    MSASCui.exe 380 Console 0 7,472 K
    avgcc.exe 468 Console 0 860 K
    qttask.exe 340 Console 0 4,696 K
    GoogleToolbarNotifier.exe 604 Console 0 2,112 K
    msmsgs.exe 712 Console 0 6,644 K
    alg.exe 3188 Console 0 3,472 K



    =====] System Variables:

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Gerry B\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=GERRY
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Gerry B
    LOGONSERVER=\\GERRY
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0401
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
    USERDOMAIN=GERRY
    USERNAME=Gerry B
    USERPROFILE=C:\Documents and Settings\Gerry B
    windir=C:\WINDOWS


    [====================] End of Log [====================]
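As an added illustration, not part of the thread or of AnalyzerXP itself: a small Python comparison of two AnalyzerXP-style logs, run over constructed excerpts in the row layout quoted above, to confirm which flagged files and running images disappeared between the first and second scan (the kind of before/after check a helper wants instead of eyeballing two long logs).

```python
import re

# Row shapes copied from the AnalyzerXP 3.6 output quoted in the thread:
# "W32i - - - - <size> <mm-dd-yyyy> <path>" and "<image>.exe <pid> <service|N/A>".
FILE_RE = re.compile(r"^(W32i|DOS)\s+(?:\S+\s+){4}([\d,]+)\s+(\d{2}-\d{2}-\d{4})\s+(.+)$")
PROC_RE = re.compile(r"^(\S+\.exe)\s+(\d+)\s+(\S+)$", re.IGNORECASE)

# Constructed excerpts (not the poster's full logs) in the same layout.
BEFORE = r"""
W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl
W32i - - - - 2,518,779 09-24-2006 c:\windows\system32\erdmpg-enc.dll
DOS - - - - 5,765 09-23-2002 c:\windows\system32\memman.vxd
W32i APP ENU 1.20.100.1203 shp 24,576 07-25-2002 c:\windows\downloaded program files\dwusplay.dll
ctfmon.exe 1748 N/A
alg.exe 1396 ALG
avgw.exe 3148 N/A
iexplore.exe 2844 N/A
"""
AFTER = r"""
W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl
W32i APP ENU 1.20.100.1203 shp 24,576 07-25-2002 c:\windows\downloaded program files\dwusplay.dll
ctfmon.exe 1872 N/A
alg.exe 3188 ALG
"""

def parse_log(text: str):
    """Return (files, procs): files maps lowercase path -> (size in bytes, date);
    procs is the set of lowercase image names found in the process tables."""
    files = {}
    procs = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            files[m.group(4).strip().lower()] = (int(m.group(2).replace(",", "")), m.group(3))
            continue
        m = PROC_RE.match(line)
        if m:
            procs.add(m.group(1).lower())
    return files, procs

def diff_logs(before: str, after: str):
    """Which flagged files vanished, appeared or changed size/date, and which
    image names stopped or started running. Keyed on names, so PID churn is ignored."""
    f0, p0 = parse_log(before)
    f1, p1 = parse_log(after)
    return {
        "removed_files": set(f0) - set(f1),
        "added_files": set(f1) - set(f0),
        "changed_files": {p for p in f0.keys() & f1.keys() if f0[p] != f1[p]},
        "stopped_procs": p0 - p1,
        "new_procs": p1 - p0,
    }

def basenames(paths):
    """Drop directories so a result can be checked against a cleanup list."""
    return {p.rsplit("\\", 1)[-1] for p in paths}
```

On the constructed excerpts, diff_logs(BEFORE, AFTER) reports erdmpg-enc.dll and memman.vxd as removed and avgw.exe and iexplore.exe as no longer running; ctfmon.exe and alg.exe changed PID only and are therefore not reported.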

  7. #7
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    Unfortunately I was wrong. My google searches are still being hi-jacked. Also, I do not have McAfee installed; I checked in Add/Remove Programs and it is not there. If you have any other ideas on this, I would welcome them.
