Thread: cftmon.exe ...the undead (Resolved)

  1. #21
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    Thank you for your encouragement... I will certainly not be giving up on you.
    Gerry

  2. #22
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056

    Quote Originally Posted by spaileen View Post
    Thank you for your encouragement... I will certainly not be giving up on you.
    Gerry
    Try downloading my own experimental passive scanner AnalyzerXP 3.6 onto your system and then close all browser and other programs before running it. Then once done, attach its log which should appear on desktop to your next post, ok?

    ~TL

  3. #23
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    Thanks. I've run Analyzer and the text file is below. (There seems to be a lot of hard disk activity a few minutes after running?)



    [==========] AnalyzerXP 3.6 by TL - forum.networktechs.com (www.IamNotaGeek.com) [==========]


    17/06/2007
    14:11

    Some of the files listed could be safe and valid, so before you do anything, research further.
    You could also submit this log on forum.networktechs.com - Spyware Central for help.

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS\Tasks

    07/06/2007 01:22 268 Uniblue SpyEraser Nag.job
    07/06/2007 01:21 342 Uniblue SpyEraser.job
    2 File(s) 610 bytes
    0 Dir(s) 63,496,695,808 bytes free


    TaskName Next Run Time Status
    ==================================== ======================== ===============
    MP Scheduled Scan 02:02:00, 18/06/2007
    Uniblue SpyEraser Nag 15:14:00, 21/06/2007
    Uniblue SpyEraser Never



    =====] Looking for suspicious file types in WINDOWS folder:

    W32i - - - - 37,027 03-25-2007 c:\windows\atmoun.exe
    W32i - - - - 49,152 11-29-2005 c:\windows\setpwrcg.exe

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS



    W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl
    W32i - - - - 2,518,779 09-24-2006 c:\windows\system32\erdmpg-enc.dll
    W32i - - - - 30,693 09-24-2006 c:\windows\system32\erdmpg-int.dll
    W32i - - - - 268,242 09-24-2006 c:\windows\system32\erdmpg-parse.dll
    W32i - - - - 32,768 04-20-2005 c:\windows\system32\instlsp.exe
    W32i - - - - 40,960 01-19-2001 c:\windows\system32\instmon.exe
    W32i - - - - 145,408 11-06-2005 c:\windows\system32\lame.exe
    W32i - - - - 237,568 08-07-2003 c:\windows\system32\lame_enc.dll
    W32i - - - - 86,016 08-18-2003 c:\windows\system32\lxbkih.exe
    W32i - - - - 77,824 08-18-2003 c:\windows\system32\lxbklcnp.dll
    W32i - - - - 40,960 11-13-2002 c:\windows\system32\lxbkvs.dll
    DOS - - - - 5,765 09-23-2002 c:\windows\system32\memman.vxd
    W32i - - - - 258,560 11-17-2005 c:\windows\system32\musictagsax.dll
    W32i - - - - 65,536 01-25-2007 c:\windows\system32\nmsaccess.exe
    W32i - - - - 157,696 07-19-2002 c:\windows\system32\oggenc.exe
    DOS - - - - 38,567 03-14-2002 c:\windows\system32\pcpbios.exe
    W32i - - - - 4,103,032 03-26-2007 c:\windows\system32\spoonuninstall.exe
    W32i - - - - 4,096 08-16-1998 c:\windows\system32\sysres.dll
    W32i - - - - 73,728 04-20-2003 c:\windows\system32\vumeter.ax
    W32i - - - - 40,960 06-25-2002 c:\windows\system32\wavdest.ax

    18/10/2006 21:47 2,450,944 SET249.tmp
    18/10/2006 21:47 937,984 SET242.tmp
    18/10/2006 21:47 222,208 SET23D.tmp
    18/10/2006 21:47 37,376 SET254.tmp
    18/10/2006 21:47 33,792 SET253.tmp
    18/10/2006 21:47 757,248 SET23B.tmp
    18/10/2006 21:47 321,536 SET252.tmp
    18/10/2006 21:47 175,616 SET257.tmp

    05/09/2006 23:01 2,455,488 ieapfltr.dat

    22/11/2006 20:50 778,240 asrecmms.ocx
    25/06/2006 20:56 176,128 dvdauthor.ocx


    =====] Looking for suspicious file types in Current User profile:



    W32i APP ENU 1.20.100.1203 shp 24,576 07-25-2002 c:\windows\downloaded program files\dwusplay.dll
    W32i APP ENU 1.20.100.1203 shp 196,608 07-25-2002 c:\windows\downloaded program files\dwusplay.exe
    W32i APP ENU 3.10.100.1155 shp 323,584 07-27-2004 c:\windows\downloaded program files\isusweb.dll




    =====] List of files located at the root of the C Drive:

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\

    04/12/2005 01:16 735 892.cin
    03/03/2006 19:31 12,284,879 AVG7QT.DAT
    29/11/2005 14:52 4,098 dell.sdr
    04/12/2005 16:52 4,128 INFCACHE.1
    10/08/2004 14:04 0 IO.SYS
    10/08/2004 14:04 0 MSDOS.SYS
    15/12/2005 18:40 168 setupfax.log
    31/10/2005 16:56 700,416 StubInstaller.exe
    22 File(s) 12,997,971 bytes
    0 Dir(s) 63,496,257,536 bytes free



    =====] Directory Analysis - PROGRAM FILES:

    01/04/2006 14:42 <DIR> Ahead
    13/03/2006 22:11 <DIR> OLYMPUS
    03/03/2006 19:29 <DIR> Grisoft
    17/01/2006 23:55 <DIR> McAfee

    (Ignore the ones you know of)


    =====] Directory Analysis - COMMON FILES (subfolder of Program Files folder):




    =====] Directory Analysis - WINDOWS folder:

    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS

    05/06/2007 17:18 <DIR> ie7updates
    04/06/2007 17:29 <DIR> WBEM
    04/06/2007 17:28 <DIR> ie7
    04/06/2007 17:25 <DIR> network diagnostic
    27/01/2006 13:16 <DIR> Minidump
    0 File(s) 0 bytes
    157 Dir(s) 63,496,392,704 bytes free


    =====] Process Analysis - User-based processes with their Services:


    Image Name PID Services
    ========================= ====== =============================================
    ctfmon.exe 1748 N/A
    alg.exe 1396 ALG
    lxbkbmgr.exe 1492 N/A
    tfswctrl.exe 1528 N/A
    igfxpers.exe 1384 N/A
    realsched.exe 2052 N/A
    MSASCui.exe 2076 N/A
    avgcc.exe 2084 N/A
    qttask.exe 2100 N/A
    lxbkbmon.exe 2108 N/A
    GoogleToolbarNotifier.exe 2124 N/A
    msmsgs.exe 2168 N/A
    avgw.exe 3148 N/A
    iexplore.exe 2844 N/A


    =====] Process Analysis - Currently running Service based Processes:


    Image Name PID Session Name Session# Mem Usage
    ========================= ====== ================ ======== ============
    MsMpEng.exe 1180 Console 0 18,556 K
    ctfmon.exe 1748 Console 0 4,028 K
    LEXBCES.EXE 1892 Console 0 3,436 K
    LEXPPS.EXE 1928 Console 0 3,296 K
    guard.exe 160 Console 0 1,416 K
    avgamsvr.exe 176 Console 0 416 K
    avgupsvc.exe 188 Console 0 1,004 K
    avgemc.exe 204 Console 0 1,728 K
    alg.exe 1396 Console 0 3,500 K
    lxbkbmgr.exe 1492 Console 0 3,672 K
    tfswctrl.exe 1528 Console 0 4,500 K
    igfxpers.exe 1384 Console 0 3,840 K
    realsched.exe 2052 Console 0 156 K
    MSASCui.exe 2076 Console 0 7,560 K
    avgcc.exe 2084 Console 0 448 K
    qttask.exe 2100 Console 0 4,696 K
    lxbkbmon.exe 2108 Console 0 3,444 K
    GoogleToolbarNotifier.exe 2124 Console 0 280 K
    msmsgs.exe 2168 Console 0 5,292 K
    avgw.exe 3148 Console 0 34,036 K
    iexplore.exe 2844 Console 0 3,460 K



    =====] System Variables:

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Gerry B\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=GERRY
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Gerry B
    LOGONSERVER=\\GERRY
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0401
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
    USERDOMAIN=GERRY
    USERNAME=Gerry B
    USERPROFILE=C:\Documents and Settings\Gerry B
    windir=C:\WINDOWS


    [====================] End of Log [====================]

  4. #24
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056

    Holy Cow, AnalyzerXP did spot a bunch of baddies!!

    I will list only the identified baddies and a few highly suspicious ones, but for now, concentrate on deleting the identified baddies, ok?

    Before rebooting in Safe Mode, download CleanupXP+ (a script that I put together for this type of job). Read the post to familiarize yourself with how it works or you could also copy/paste the post to a text file you can save on your desktop which could be wise as well.

    After booting in safe mode, run the executable that I am assuming you downloaded to your desktop. After the standard cleanup process, use option 1 (delete a file) and one at a time, enter each file listed below, then continue and when prompted again enter the other file on the list. Do this till all files are removed.

    Then reboot your machine in normal mode and run another AnalyzerXP scan then attach your log please. Remember to close all programs, etc before running the scan!!

    *** Files to delete:
    erdmpg-enc.dll
    erdmpg-int.dll
    erdmpg-parse.dll
    memman.vxd


    *** Suspicious files to research further:
    W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl

    ~ If you are using Trend Scanmail then ignore this:
    W32i - - - - 40,960 01-19-2001 c:\windows\system32\instmon.exe

    ~ If you are using Lexmark printer then ignore these:
    W32i - - - - 86,016 08-18-2003 c:\windows\system32\lxbkih.exe
    W32i - - - - 77,824 08-18-2003 c:\windows\system32\lxbklcnp.dll
    W32i - - - - 40,960 11-13-2002 c:\windows\system32\lxbkvs.dll
    That should get things moving in the positive direction!

    Also, I noticed both McAfee and Grisoft AVG antivirus scanners installed, if that is really the case, you should get rid of one and use only one on the same system!



    ~TL

  5. #25
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    I did as you said and I removed the files you listed as you can see below... and hey... my google seems to be working fine now. I'm super impressed, thank you! If there is anything else please let me know, but I will post tomorrow to let you know how I am getting on.


    [==========] AnalyzerXP 3.6 by TL - forum.networktechs.com (www.IamNotaGeek.com) [==========]


    17/06/2007
    20:40

    Some of the files listed could be safe and valid, so before you do anything, research further.
    You could also submit this log on forum.networktechs.com - Spyware Central for help.

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS\Tasks

    07/06/2007 01:22 268 Uniblue SpyEraser Nag.job
    07/06/2007 01:21 342 Uniblue SpyEraser.job
    2 File(s) 610 bytes
    0 Dir(s) 63,765,659,648 bytes free


    TaskName Next Run Time Status
    ==================================== ======================== ===============
    MP Scheduled Scan 02:12:00, 18/06/2007
    Uniblue SpyEraser Nag 15:14:00, 21/06/2007
    Uniblue SpyEraser Never



    =====] Looking for suspicious file types in WINDOWS folder:

    W32i - - - - 37,027 03-25-2007 c:\windows\atmoun.exe
    W32i - - - - 49,152 11-29-2005 c:\windows\setpwrcg.exe

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS



    W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl
    W32i - - - - 32,768 04-20-2005 c:\windows\system32\instlsp.exe
    W32i - - - - 40,960 01-19-2001 c:\windows\system32\instmon.exe
    W32i - - - - 145,408 11-06-2005 c:\windows\system32\lame.exe
    W32i - - - - 237,568 08-07-2003 c:\windows\system32\lame_enc.dll
    W32i - - - - 86,016 08-18-2003 c:\windows\system32\lxbkih.exe
    W32i - - - - 77,824 08-18-2003 c:\windows\system32\lxbklcnp.dll
    W32i - - - - 40,960 11-13-2002 c:\windows\system32\lxbkvs.dll
    W32i - - - - 258,560 11-17-2005 c:\windows\system32\musictagsax.dll
    W32i - - - - 65,536 01-25-2007 c:\windows\system32\nmsaccess.exe
    W32i - - - - 157,696 07-19-2002 c:\windows\system32\oggenc.exe
    DOS - - - - 38,567 03-14-2002 c:\windows\system32\pcpbios.exe
    W32i - - - - 4,103,032 03-26-2007 c:\windows\system32\spoonuninstall.exe
    W32i - - - - 4,096 08-16-1998 c:\windows\system32\sysres.dll
    W32i - - - - 73,728 04-20-2003 c:\windows\system32\vumeter.ax
    W32i - - - - 40,960 06-25-2002 c:\windows\system32\wavdest.ax

    05/09/2006 23:01 2,455,488 ieapfltr.dat

    22/11/2006 20:50 778,240 asrecmms.ocx
    25/06/2006 20:56 176,128 dvdauthor.ocx


    =====] Looking for suspicious file types in Current User profile:



    W32i APP ENU 1.20.100.1203 shp 24,576 07-25-2002 c:\windows\downloaded program files\dwusplay.dll
    W32i APP ENU 1.20.100.1203 shp 196,608 07-25-2002 c:\windows\downloaded program files\dwusplay.exe
    W32i APP ENU 3.10.100.1155 shp 323,584 07-27-2004 c:\windows\downloaded program files\isusweb.dll




    =====] List of files located at the root of the C Drive:

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\

    04/12/2005 01:16 735 892.cin
    03/03/2006 19:31 12,284,879 AVG7QT.DAT
    29/11/2005 14:52 4,098 dell.sdr
    04/12/2005 16:52 4,128 INFCACHE.1
    10/08/2004 14:04 0 IO.SYS
    10/08/2004 14:04 0 MSDOS.SYS
    15/12/2005 18:40 168 setupfax.log
    31/10/2005 16:56 700,416 StubInstaller.exe
    21 File(s) 12,997,217 bytes
    0 Dir(s) 63,765,250,048 bytes free



    =====] Directory Analysis - PROGRAM FILES:

    01/04/2006 14:42 <DIR> Ahead
    13/03/2006 22:11 <DIR> OLYMPUS
    03/03/2006 19:29 <DIR> Grisoft
    17/01/2006 23:55 <DIR> McAfee

    (Ignore the ones you know of)


    =====] Directory Analysis - COMMON FILES (subfolder of Program Files folder):




    =====] Directory Analysis - WINDOWS folder:

    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS

    05/06/2007 17:18 <DIR> ie7updates
    04/06/2007 17:29 <DIR> WBEM
    04/06/2007 17:28 <DIR> ie7
    04/06/2007 17:25 <DIR> network diagnostic
    27/01/2006 13:16 <DIR> Minidump
    0 File(s) 0 bytes
    157 Dir(s) 63,765,270,528 bytes free


    =====] Process Analysis - User-based processes with their Services:


    Image Name PID Services
    ========================= ====== =============================================
    ctfmon.exe 1872 N/A
    lxbkbmgr.exe 1564 N/A
    tfswctrl.exe 1820 N/A
    lxbkbmon.exe 1828 N/A
    igfxpers.exe 204 N/A
    realsched.exe 236 N/A
    MSASCui.exe 380 N/A
    avgcc.exe 468 N/A
    qttask.exe 340 N/A
    GoogleToolbarNotifier.exe 604 N/A
    msmsgs.exe 712 N/A
    alg.exe 3188 ALG


    =====] Process Analysis - Currently running Service based Processes:


    Image Name PID Session Name Session# Mem Usage
    ========================= ====== ================ ======== ============
    MsMpEng.exe 1224 Console 0 18,536 K
    LEXBCES.EXE 1864 Console 0 3,444 K
    ctfmon.exe 1872 Console 0 4,032 K
    LEXPPS.EXE 1904 Console 0 3,304 K
    guard.exe 416 Console 0 1,404 K
    avgamsvr.exe 500 Console 0 748 K
    avgupsvc.exe 640 Console 0 664 K
    avgemc.exe 676 Console 0 1,872 K
    lxbkbmgr.exe 1564 Console 0 3,672 K
    tfswctrl.exe 1820 Console 0 4,484 K
    lxbkbmon.exe 1828 Console 0 3,428 K
    igfxpers.exe 204 Console 0 3,832 K
    realsched.exe 236 Console 0 180 K
    MSASCui.exe 380 Console 0 7,472 K
    avgcc.exe 468 Console 0 860 K
    qttask.exe 340 Console 0 4,696 K
    GoogleToolbarNotifier.exe 604 Console 0 2,112 K
    msmsgs.exe 712 Console 0 6,644 K
    alg.exe 3188 Console 0 3,472 K



    =====] System Variables:

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Gerry B\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=GERRY
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Gerry B
    LOGONSERVER=\\GERRY
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0401
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
    USERDOMAIN=GERRY
    USERNAME=Gerry B
    USERPROFILE=C:\Documents and Settings\Gerry B
    windir=C:\WINDOWS


    [====================] End of Log [====================]
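As an added example, not the thread's tool and not code from TL or anyone in the thread: a small Python script that parses the W32i/DOS file lines from two AnalyzerXP logs like the ones in posts #23 and #25, diffs them, and checks TL's delete list against the result so the "files to delete" step can be verified from the second log rather than by eye. The embedded log excerpts are abridged copies of those two posts' output; the regex and function names are my own assumptions about the format.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, NamedTuple, Tuple

# Matches one file line of an AnalyzerXP "suspicious file types" section, e.g.
#   "W32i - - - - 2,518,779 09-24-2006 c:\windows\system32\erdmpg-enc.dll"
#   "W32i APP ENU 1.20.100.1203 shp 24,576 07-25-2002 c:\windows\...\dwusplay.dll"
# The pattern is an assumption inferred from the posted logs, not the tool's spec.
FILE_LINE = re.compile(
    r"^(?P<kind>W32i|DOS)\s+(?P<meta>.+?)\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{2}-\d{2}-\d{4})\s+(?P<path>[a-z]:\\.+?)\s*$",
    re.IGNORECASE,
)


class FileEntry(NamedTuple):
    kind: str   # "W32i" (Win32 image) or "DOS", as printed by the tool
    size: int   # bytes, thousands separators stripped
    date: str   # MM-DD-YYYY as printed
    path: str   # full path, lower-cased so the two scans compare cleanly


def parse_file_entries(log_text: str) -> Dict[str, FileEntry]:
    """Return {path: FileEntry} for every W32i/DOS file line in an AnalyzerXP log."""
    entries: Dict[str, FileEntry] = {}
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:  # dir listings, section headers, env vars etc. are skipped
            continue
        path = m.group("path").lower()
        size = int(m.group("size").replace(",", ""))
        entries[path] = FileEntry(m.group("kind"), size, m.group("date"), path)
    return entries


def diff_scans(before: Dict[str, FileEntry],
               after: Dict[str, FileEntry]) -> Tuple[List[str], List[str]]:
    """(paths gone since the first scan, paths that appeared since the first scan)."""
    return sorted(set(before) - set(after)), sorted(set(after) - set(before))


def verify_cleanup(before: Dict[str, FileEntry], after: Dict[str, FileEntry],
                   to_delete: List[str]) -> Dict[str, List[str]]:
    """Check bare file names (as given in the helper's post) against the two scans."""
    wanted = {name.lower() for name in to_delete}
    names_before = {PureWindowsPath(p).name.lower() for p in before}
    names_after = {PureWindowsPath(p).name.lower() for p in after}
    return {
        "removed": sorted(wanted & (names_before - names_after)),      # job done
        "still_present": sorted(wanted & names_after),                  # deletion failed
        "never_seen": sorted(wanted - names_before - names_after),      # typo or unflagged
    }


# Constructed, abridged excerpts of the logs posted before (#23) and after (#25) cleanup.
LOG_BEFORE = r"""
=====] Looking for suspicious file types in WINDOWS folder:
W32i - - - - 37,027 03-25-2007 c:\windows\atmoun.exe
Volume in drive C has no label.
W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl
W32i - - - - 2,518,779 09-24-2006 c:\windows\system32\erdmpg-enc.dll
W32i - - - - 30,693 09-24-2006 c:\windows\system32\erdmpg-int.dll
W32i - - - - 268,242 09-24-2006 c:\windows\system32\erdmpg-parse.dll
W32i - - - - 86,016 08-18-2003 c:\windows\system32\lxbkih.exe
DOS - - - - 5,765 09-23-2002 c:\windows\system32\memman.vxd
=====] Looking for suspicious file types in Current User profile:
W32i APP ENU 1.20.100.1203 shp 24,576 07-25-2002 c:\windows\downloaded program files\dwusplay.dll
"""
LOG_AFTER = r"""
W32i - - - - 37,027 03-25-2007 c:\windows\atmoun.exe
W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl
W32i - - - - 86,016 08-18-2003 c:\windows\system32\lxbkih.exe
W32i APP ENU 1.20.100.1203 shp 24,576 07-25-2002 c:\windows\downloaded program files\dwusplay.dll
"""
DELETE_LIST = ["erdmpg-enc.dll", "erdmpg-int.dll", "erdmpg-parse.dll", "memman.vxd"]

if __name__ == "__main__":
    before, after = parse_file_entries(LOG_BEFORE), parse_file_entries(LOG_AFTER)
    removed, added = diff_scans(before, after)
    print("gone since first scan:", *removed, sep="\n  ")
    print("new since first scan:", *added, sep="\n  ")
    print(verify_cleanup(before, after, DELETE_LIST))
```

Anything listed under "still_present" or "never_seen" is what to ask about in the next post, and a non-empty "new since first scan" list is worth a look before calling the machine clean.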

  6. #26
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    Unfortunately I was wrong. My google searches are still being hi-jacked. Also I do not have McAfee installed. I checked in add/remove programs and it is not there. If you have any other ideas on this I would welcome them.

  7. #27
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056

    Quote Originally Posted by spaileen View Post
    Unfortunately I was wrong. My google searches are still being hi-jacked. Also I do not have McAfee installed. I checked in add/remove programs and it is not there. If you have any other ideas on this I would welcome them.
    Yes, I actually did overlook two malware-related entries on your initial log which appear on the second log as well, so again using CleanupXP+, enter the full file name as you did before to remove them permanently:



    =====] List of files located at the root of the C Drive:

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\

    892.cin
    StubInstaller.exe
    You should also use the remove folder option (#2) to remove the following folder, or you could manually delete it since it is no longer valid:

    =====] Directory Analysis - PROGRAM FILES:
    17/01/2006 23:55 <DIR> McAfee
    Before doing any of the above, make sure you download StartupControlPanel (Standalone EXE version) and UNCHECK all entries listed under each one of the 5 tabs with the exception of the entries referring to AVG anti-virus scanner.

    Remember each and every box other than AVG related ones should be unchecked (clear)! Then reboot in Normal mode to delete the above listed files and folder, then without rebooting, do the following:

    Run a new AnalyzerXP scan as well as HijackThis scan and attach their logs to your next post.

    Important: Remember you should NOT have any programs running in the background when the scans are running!!

    If the issue still continues then we will dig deeper...let me know but do not re-enable any of the startup entries just yet, ok?

    ~TL

  8. #28
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    I have followed your instructions.
    Unfortunately however the google hi-jacking is still taking place.


    [==========] AnalyzerXP 3.6 by TL - forum.networktechs.com (www.IamNotaGeek.com) [==========]


    19/06/2007
    17:45

    Some of the files listed could be safe and valid, so before you do anything, research further.
    You could also submit this log on forum.networktechs.com - Spyware Central for help.

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS\Tasks

    07/06/2007 01:22 268 Uniblue SpyEraser Nag.job
    07/06/2007 01:21 342 Uniblue SpyEraser.job
    2 File(s) 610 bytes
    0 Dir(s) 63,762,571,264 bytes free


    TaskName Next Run Time Status
    ==================================== ======================== ===============
    MP Scheduled Scan 01:56:00, 20/06/2007
    Uniblue SpyEraser Nag 15:14:00, 21/06/2007
    Uniblue SpyEraser Never



    =====] Looking for suspicious file types in WINDOWS folder:

    W32i - - - - 37,027 03-25-2007 c:\windows\atmoun.exe
    W32i - - - - 49,152 11-29-2005 c:\windows\setpwrcg.exe

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS



    W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl
    W32i - - - - 32,768 04-20-2005 c:\windows\system32\instlsp.exe
    W32i - - - - 40,960 01-19-2001 c:\windows\system32\instmon.exe
    W32i - - - - 145,408 11-06-2005 c:\windows\system32\lame.exe
    W32i - - - - 237,568 08-07-2003 c:\windows\system32\lame_enc.dll
    W32i - - - - 86,016 08-18-2003 c:\windows\system32\lxbkih.exe
    W32i - - - - 77,824 08-18-2003 c:\windows\system32\lxbklcnp.dll
    W32i - - - - 40,960 11-13-2002 c:\windows\system32\lxbkvs.dll
    W32i - - - - 258,560 11-17-2005 c:\windows\system32\musictagsax.dll
    W32i - - - - 65,536 01-25-2007 c:\windows\system32\nmsaccess.exe
    W32i - - - - 157,696 07-19-2002 c:\windows\system32\oggenc.exe
    DOS - - - - 38,567 03-14-2002 c:\windows\system32\pcpbios.exe
    W32i - - - - 4,103,032 03-26-2007 c:\windows\system32\spoonuninstall.exe
    W32i - - - - 4,096 08-16-1998 c:\windows\system32\sysres.dll
    W32i - - - - 73,728 04-20-2003 c:\windows\system32\vumeter.ax
    W32i - - - - 40,960 06-25-2002 c:\windows\system32\wavdest.ax

    05/09/2006 23:01 2,455,488 ieapfltr.dat

    22/11/2006 20:50 778,240 asrecmms.ocx
    25/06/2006 20:56 176,128 dvdauthor.ocx


    =====] Looking for suspicious file types in Current User profile:



    W32i APP ENU 1.20.100.1203 shp 24,576 07-25-2002 c:\windows\downloaded program files\dwusplay.dll
    W32i APP ENU 1.20.100.1203 shp 196,608 07-25-2002 c:\windows\downloaded program files\dwusplay.exe
    W32i APP ENU 3.10.100.1155 shp 323,584 07-27-2004 c:\windows\downloaded program files\isusweb.dll




    =====] List of files located at the root of the C Drive:

    Volume in drive C has no label.
    Volume Serial Number is 1CEC-78DA

    Directory of C:\

    03/03/2006 19:31 12,284,879 AVG7QT.DAT
    29/11/2005 14:52 4,098 dell.sdr
    04/12/2005 16:52 4,128 INFCACHE.1
    10/08/2004 14:04 0 IO.SYS
    10/08/2004 14:04 0 MSDOS.SYS
    15/12/2005 18:40 168 setupfax.log
    19 File(s) 12,296,066 bytes
    0 Dir(s) 63,762,300,928 bytes free



    =====] Directory Analysis - PROGRAM FILES:

    01/04/2006 14:42 <DIR> Ahead
    13/03/2006 22:11 <DIR> OLYMPUS
    03/03/2006 19:29 <DIR> Grisoft

    (Ignore the ones you know of)


    =====] Directory Analysis - COMMON FILES (subfolder of Program Files folder):




    =====] Directory Analysis - WINDOWS folder:

    Volume Serial Number is 1CEC-78DA

    Directory of C:\WINDOWS

    18/06/2007 16:38 <DIR> Downloaded Installations
    05/06/2007 17:18 <DIR> ie7updates
    04/06/2007 17:29 <DIR> WBEM
    04/06/2007 17:28 <DIR> ie7
    04/06/2007 17:25 <DIR> network diagnostic
    27/01/2006 13:16 <DIR> Minidump
    0 File(s) 0 bytes
    158 Dir(s) 63,762,321,408 bytes free


    =====] Process Analysis - User-based processes with their Services:


    Image Name PID Services
    ========================= ====== =============================================
    ctfmon.exe 1700 N/A
    avgcc.exe 1604 N/A
    alg.exe 2352 ALG


    =====] Process Analysis - Currently running Service based Processes:


    Image Name PID Session Name Session# Mem Usage
    ========================= ====== ================ ======== ============
    MsMpEng.exe 1212 Console 0 18,300 K
    ctfmon.exe 1700 Console 0 4,028 K
    LEXBCES.EXE 1864 Console 0 3,432 K
    LEXPPS.EXE 1912 Console 0 3,316 K
    guard.exe 200 Console 0 1,412 K
    avgamsvr.exe 556 Console 0 324 K
    avgupsvc.exe 732 Console 0 664 K
    avgemc.exe 1104 Console 0 1,812 K
    avgcc.exe 1604 Console 0 836 K
    alg.exe 2352 Console 0 3,480 K



    =====] System Variables:

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Gerry B\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=GERRY
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Gerry B
    LOGONSERVER=\\GERRY
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0401
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
    USERDOMAIN=GERRY
    USERNAME=Gerry B
    USERPROFILE=C:\Documents and Settings\Gerry B
    windir=C:\WINDOWS


    [====================] End of Log [====================]

    Logfile of HijackThis v1.99.1
    Scan saved at 17:41:52, on 19/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AnalyzeThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/...veXClient1.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

  9. #29
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056
    Please download AVG Spyware and Rootkit scanners from this link. Then update both utilities. Afterwards reboot in SAFE mode and run first the Spyware scanner then the Rootkit scanner. Attach both logs to your next post please.

    I will be going thru the HJT/AnalyzerXP logs later on today.

    ~TL

  10. #30
    Join Date
    Jun 2007
    Location
    Dublin,Ireland
    Posts
    21
    I am unable to run both AVG Anti Spy and Rootkit in Safe Mode. AVG Anti Spy gives the error "Connection service failed, please re-install". I did this and it still did not run. Rootkit gives the error "Reboot computer before running". I did this to no effect. Can I run both in normal Mode?
