
Thread: An invisible virus

  1. #11
    Join Date
    Jan 2007
    Posts
    20
    The one I was trying to upload was a txt file. I just put it into Word to see what it was supposed to look like. But given the size of it, I don't think you want me to try to upload the word one.
    Last edited by mehndeke; 01-29-2007 at 12:05 AM.

  2. #12
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Maybe it was too large to begin with, can you zip it and try it? We really would like to see it.

  3. #13
    Join Date
    Jan 2007
    Posts
    20
    There we go.
    Attached Files

  4. #14
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Lordy! Don't think I have ever seen so many tracking cookies in one AVG log!!! Or 18 PAGES of cookies on ANY computer! Have you EVER emptied your cookies before any of these scans? Heavens, how much space are you allotting to cookies? Too much, that is for sure!
    All of these cookies were in Firefox, don't you have any cookies blocked in Firefox? Virtually every one of the ones shown in the AVG log are on my Blocked Cookie list in Firefox. Which version of Firefox are you using?
    In Firefox, cookie permissions are controlled in "Tools -> Options -> Privacy -> Cookies". You may choose to accept all cookies that websites wish to set or, in Firefox 1.5 and earlier, you may choose to accept cookies "for the originating site only", which will block third-party cookies that are often set by other companies who advertise on those sites.
    If you are using Firefox 2, you can limit allowed cookies to those set by the originating website by using about:config to set the preference network.cookie.cookieBehavior to "1".
    DEFINITELY block all cookies except for the originating site. Follow the above directions depending on which version you are using.

    Now while we await PP's look at the FindAWF log (I have not used this program yet so I cannot advise on that log and we will wait for PP to weigh in on his take of it) I would STRONGLY suggest that you go to his sticky
    and follow ALL of his instructions for the preliminary cleanup of your machine, because obviously this has not been done.
    Follow his instructions for the use of ATF-Cleaner.exe by Atribune, which is available from his sticky.
    And since you have already used the AVG, I would also like you to use Spybot and another free one I like, and that is AdAwareSE.
    Download and install all three of the above programs. Update them but do not run them yet.
    Reboot to Safe Mode and run ATF first.
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT
    Next run Spybot. Have it fix all items noted in RED
    Exit the program.
    Next run AdAwareSE using these instructions:
    * Click "Scanning".
    * Select:
    - "Scan within archives"
    - "Scan my IE Favorites for banned URLs"
    - "Scan my hosts file"
    * Click "Tweaks".
    * Click "Cleaning Engine".
    * Select "Automatically try to unregister objects prior to deletion".
    * Click "Proceed".
    * Click "Start".
    * Select "Use custom scanning options".
    * Click "Next" and wait for the scanning process to complete.
    * Select all the items found for removal. ("Removal" actually puts things in quarantine, so you can generally recover them if you need to.)
    After following all these instructions, reboot the computer into NORMAL mode.
    Run a new HJT scan and post the NEW log here.
    Last edited by jholland1964; 01-29-2007 at 01:03 AM.
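
Added example, not part of any post in this thread: a small check of the `network.cookie.cookieBehavior` preference mentioned in post #14, read from the text of a Firefox profile's `prefs.js` and optional `user.js`. The sample file contents are constructed, the function names are hypothetical, and the value meanings (0 accept all, 1 originating site only, 2 block all) and the default of 0 when the preference is absent are assumptions about Firefox of that era.

```python
import re

# Assumed meanings of network.cookie.cookieBehavior (Firefox 1.5/2 era).
BEHAVIOR = {
    0: "accept all cookies",
    1: "originating site only",
    2: "block all cookies",
}

# Matches lines such as: user_pref("name", value);
# Commented-out lines (starting with // or #) do not match.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;', re.M)

# Constructed sample profile contents.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://example.invalid/");
user_pref("network.cookie.cookieBehavior", 0);
'''
SAMPLE_USER_JS = 'user_pref("network.cookie.cookieBehavior", 1);\n'


def read_prefs(text):
    """Return {name: raw_value} for every user_pref() line in the text."""
    return {m["name"]: m["value"] for m in PREF_RE.finditer(text)}


def cookie_policy(prefs_js, user_js=""):
    """Return (value, meaning); user.js entries override prefs.js."""
    prefs = read_prefs(prefs_js)
    prefs.update(read_prefs(user_js))
    raw = prefs.get("network.cookie.cookieBehavior")
    if raw is None:
        value = 0  # assumption: absent preference means the default
    else:
        try:
            value = int(raw)
        except ValueError:
            return None, "unparseable value %r" % raw
    return value, BEHAVIOR.get(value, "unknown value")


def blocks_third_party(prefs_js, user_js=""):
    """True when third-party cookies are refused (value 1 or 2)."""
    value, _ = cookie_policy(prefs_js, user_js)
    return value in (1, 2)
```
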

  5. #15
    Join Date
    Jan 2007
    Posts
    20
    At least I'm unique =P. This may take a while and it's getting late here, so I probably won't post for a while yet, but thank you so far and I'll be back for sure tomorrow, hopefully with a cleaner machine.

  6. #16
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote Originally Posted by mehndeke View Post
    At least I'm unique =P. This may take a while and it's getting late here, so I probably won't post for a while yet, but thank you so far and I'll be back for sure tomorrow, hopefully with a cleaner machine.
    Unique is an understatement! Thank heavens you are using a safer browser using Firefox, but still...I am totally flabbergasted, have never seen anything like it!
    DO run all the cleanup and then post back. I just can't get over it! You have made my day, that's for sure.

  7. #17
    Join Date
    Jan 2007
    Posts
    20
    OK, so I was lying in bed and couldn't sleep. Ran all the stuff and here's the new HJT.
    Attached Files

  8. #18
    Join Date
    Aug 2006
    Posts
    578

    LOL! A fellow insomniac!

    Ahhh - I do my best writing in the dead of night....


    Your logs look OK.
    I'll wager it was a false positive or some erroneous heuristic detection.

    -- Are you sure you found ctfmon32.exe and not just ctfmon.exe? If it were a CWS hijack, you wouldn't need any scan to tell you.....
    -- Your other issues may not necessarily be malware-related. Did you recently download/install any new software?
    -- Tracking cookies are harmless and I can't for the life of me figure out why excellent products like AVG Anti-spy continue to flag them....

    -- Judy, the Find AWF log was clean. My hunch was wrong.

    Best
    PP
    Last edited by PhilliePhan; 01-29-2007 at 04:14 AM.

  9. #19
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote Originally Posted by PhilliePhan View Post
    LOL! A fellow insomniac!

    Ahhh - I do my best writing in the dead of night....


    Your logs look OK.
    I'll wager it was a false positive or some erroneous heuristic detection.

    -- Are you sure you found ctfmon32.exe and not just ctfmon.exe? If it were a CWS hijack, you wouldn't need any scan to tell you.....
    -- Your other issues may not necessarily be malware-related. Did you recently download/install any new software?
    -- Tracking cookies are harmless and I can't for the life of me figure out why excellent products like AVG Anti-spy continue to flag them....

    -- Judy, the Find AWF log was clean. My hunch was wrong.

    Best
    PP
    I thought it possibly a false positive too. Thanks PP on the AWF log. Had not seen that program before.
    Agree on the tracking cookies being harmless, but why in the world would you keep so many? 18 pages, come on!
    How about PP's question on new software?

  10. #20
    Join Date
    Jan 2007
    Posts
    20
    As to new software, I haven't downloaded anything for a long time, aside from the spyware, etc. While I'm evidently not too concerned about cookies (what can I say, I like them), I am picky about what I download. As to the ctfmon, the HJT parser on this website says I have a ctfmon.exe which is a variant of the ctfmon32.exe. Are these actually two separate and distinct things? Or should I go into safe mode and delete the ctfmon.exe anyway? Or would that cause problems that I don't want?
