ok did a search against what is in my task manager and what norton website says about them and this is what I've come back with:

W23.Spybot.ANDM
W32.Lovgate.X@mm
W32.Sixem.C@mm
W32.Kueight
W32.Sality.X
W32.Autosky
W32.Neveg.B@mm
W32.Dalbug.Worm
W32.IRCBot.BPP
BAT.mumu.A.Worm
Trojan.Lodav.A
Trojan.Satiloler.D
Backdoor.Ranky.X
Backdoor.Ormerta

there i think i got them all lol

ok i need help to get rid of these, format is kind of outa the question as I've got so much stuff on my hdd it would be next to impossible to back it up, esp since i don't have a dvd burner yet, and there are heaps of full length movies on it so they won't fit on a normal cd

any help?

I'll attach a HJT log in the next post if that helps

btw I've deleted the naughty files from the startup sequence using CCleaner so they shouldn't start automatically on windows start *fingers crossed*
my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:22:44 AM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\HJT\HijackThis.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.229.50.18:3124
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.defencejobs.gov.au
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33564944-0000-0010-8000-00AA00389B71} - https://autoinstall.bigpond.com/index.html
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O18 - Protocol: bw+0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: offline-8876480 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Metric Conversion Calculator Installer - Unknown owner - C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE" /update (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
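A HijackThis log like the one above is easier to review once it is split into its section-coded entries, so here is an added example (not part of the original thread and not HijackThis code) that parses a log even when it has been pasted as one run of text or wrapped mid-entry, flags lines worth confirming, and collapses the long O18 run by the file it loads. The function names and the review rules are assumptions made for illustration; the sample lines are copied from the log above.

```python
"""Split a HijackThis log into entries and flag lines worth a closer look."""
import re
from collections import defaultdict

# Every entry starts with a section code and " - ", e.g. "R1 - " or "O23 - ".
_CODE = r"(?:[RFN]\d|O\d{1,2})"
_SPLIT = re.compile(r"\s+(?=" + _CODE + r" - )")
_ENTRY = re.compile(r"(" + _CODE + r") - (.*)", re.S)

# Review heuristics: assumptions made for this example, not HijackThis logic.
RULES = [
    # Registry entry points at a file that is not on disk.
    ("orphaned", lambda code, body: "(no file)" in body or "(file missing)" in body),
    # Browser traffic goes through a proxy; confirm the user configured it.
    ("proxy-set", lambda code, body: code.startswith("R") and "ProxyServer" in body),
    # Service binary carries no vendor information.
    ("unknown-owner", lambda code, body: code == "O23" and "Unknown owner" in body),
]

# Lines copied from the log above, left flattened and wrapped mid-path.
SAMPLE = r"""Logfile of HijackThis v1.99.1 Scan saved at 1:22:44 AM, on 5/30/2007
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.229.50.18:3124 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O18 - Protocol: bw+0 - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop
Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw+0s - {6F14AFF3-3BA9-4C65-B5BC-C44A33919B75} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Metric Conversion Calculator Installer - Unknown owner - C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE" /update (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse_entries(log_text):
    """Return [(section_code, body)]; header and process list are skipped."""
    entries = []
    for chunk in _SPLIT.split(log_text.strip()):
        m = _ENTRY.match(chunk.strip())
        if m:
            # Re-join bodies that were wrapped across lines.
            entries.append((m.group(1), " ".join(m.group(2).split())))
    return entries


def flag(entries):
    """Return (tag, code, body) for every entry that matches a review rule."""
    hits = []
    for code, body in entries:
        for tag, test in RULES:
            if test(code, body):
                hits.append((tag, code, body))
    return hits


def group_by_file(entries, code="O18"):
    """Collapse one section by the file it loads (text after the last ' - ')."""
    groups = defaultdict(list)
    for c, body in entries:
        if c == code:
            head, _, target = body.rpartition(" - ")
            groups[target].append(head)
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(len(parsed), "entries")
    for tag, code, body in flag(parsed):
        print(f"[{tag}] {code} - {body}")
    for target, heads in group_by_file(parsed).items():
        print(f"O18 x{len(heads)} -> {target}")
```

A flag here only marks an entry for a manual check; it is not a verdict on the file.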
Hi aussiejoe,

Thanks for stopping by. You can run this online scan and see if it helps:

AVG - OnLine scan: http://www.ewido.net/en/onlinescan/

EDIT----------
My post crossed with your log. I see you have AVG products, they didn't give you any help with the issues?
END EDIT ------------------

2ND EDIT:--------------------
I chose the AVG scan because it does some fixing in addition to providing a log. The Kaspersky scan will not fix anything, it just scans and shows infections. Since you have apparently already tried the AVG route, run the Kaspersky scan and post its log. We'll see if we can get some ideas from that.

Please do an online scan with Kaspersky Online Scanner: http://www.kaspersky.com/virusscanner

1. Click on Kaspersky Online Scanner.
2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
3. The program will launch and then begin downloading the latest definition files.
4. Once the files have been downloaded click on Next.
5. Now click on Scan Settings.
6. In the scan settings make sure that the following are selected:
   o Scan using the following Anti-Virus database: Extended
   o Scan Options:
     Scan Archives
     Scan Mail Bases
7. Click OK.
8. Now under select a target to scan:
   o Select My Computer.
9. This program will start and scan your system.
10. The scan will take a while so be patient and let it run.
11. Once the scan is complete it will display if your system has been infected.
   o Now click on the Save Report As button.
   o In the File name: field, type kavscan.
   o In the Save as type: field, select Text file (*.txt).
12. Save the file to your desktop.
13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
END 2ND EDIT------------------

Regards.
bc
yeah avg didn't find anything it says my system is clean as a whistle, also i regularly run the avg/ewido anti spy prog and that usually brings back about 40-50 trackers about 2-3 times a week

I'll do that online thing and see what it says
hmmm well so far that kaspersky search thing didn't find anything

any other ideas?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 30, 2007 7:40:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/05/2007
Kaspersky Anti-Virus database records: 313274
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 51142
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:35:40

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\joe\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\joe\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\joe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\joe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\joe\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\joe\Local Settings\History\History.IE5\MSHist012007053020070531\index.dat Object is locked skipped
C:\Documents and Settings\joe\Local Settings\Temp\Perflib_Perfdata_438.dat Object is locked skipped
C:\Documents and Settings\joe\Local Settings\Temp\~DFF83D.tmp Object is locked skipped
C:\Documents and Settings\joe\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\joe\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\joe\ntuser.dat Object is locked skipped
C:\Documents and Settings\joe\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_joe.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_joe.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_joe.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{646E346B-5FB1-494C-893F-8ED05EA5FD58}\RP355\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{95A6C1F0-9BE7-45C1-B68B-774458E34BFE}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
I forgot to talk about showing hidden files and folders. Do that and try the Kaspersky scan again. I'll edit this post in a little bit with a link for instructions.

bc

EDIT---------------------------
Ok, (After today, I am going to be limited on when I can get on for the rest of the week, so I gave you some other comments to let you try to continue researching stuff.)

Showing hidden files and folders: http://www.bleepingcomputer.com/tutorials/tutorial62.html (Scroll down for XP instructions.) After your system is cleaned up, you can change these settings back.

Kaspersky is supposed to be really good about picking things up. After changing those settings, run another Kaspersky scan and see if it picks up any of the infected stuff.

Another thing, There is one malware problem that partially hides itself from HijackThis. I don’t remember specifically which one that is. To be sure the HijackThis log is displaying everything, you can rename HijackThis.exe to aussiejoe.exe or some other name of your choice. You can then run another HijackThis log and see if lines referencing any of the problems show up.

Deleting files is something to be careful about. If you find a file you think is questionable, here is a site where you can check it: http://virusscan.jotti.org/ The file is run against several virus scanners. It is very busy, so sometimes you have to wait a bit. There is another site like this, I can’t remember what it is at the moment. If I come up with a link for it today, I’ll add it to this thread for you.

I don’t have any jobs in my task scheduler, so I can’t see how much information you can get from my next suggestion, but: HijackThis has a Misc Tools section. When you open HijackThis to the newusers quickstart screen, the 4th button down will take you to the Misc Tools section. You can choose “generate startup list log”. This will create a report. You can look through it to the task scheduler section and see if the information will show you where the files are located on your system.

Once you find bad files, if right clicking to rename or delete does not work, killbox is a first tool to try. Tutorial here: http://forum.malwareremoval.com/viewtopic.php?t=320 Try the delete on reboot option first, then the replace on reboot.

Another thing to check would be rootkits. You can try this program for that.

• Download the Beta Version of AVG Antirootkit and save it to your desktop.
• Install the program. All applications must be closed. You will have to restart your system.
• Start antiRootkit.exe in its own folder.
• Click onto the button "Search for Rootkits".
• When the scan is finished, click the button "Save result to file", rename this log to log1.
• Click the button "Perform in-depth search". You may not do anything on your machine while the scan is running.
• When the scan is finished, click onto the button "Save result to file", rename this log to log2.
• Locate avgark.log in the Grisoft folder, copy its content and post it.

See if any of this identifies problems for you.

Regards.
bc
ENDEDIT--------------------------
ok here is the generated startup log thing, I've put a * at the beginning of each line that i tested and came back as a trojan or backdoor thing, i think i got em all but there may be some more in there

StartupList report, 5/31/2007, 7:30:06 PM
StartupList version: 1.52.2
Started from : C:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16441)
* Using default options
==================================================

Running processes:

*C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
*C:\WINDOWS\system32\services.exe
*C:\WINDOWS\system32\lsass.exe
*C:\WINDOWS\system32\svchost.exe
*C:\WINDOWS\System32\svchost.exe
*C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
*C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
*C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
*C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
*C:\WINDOWS\system32\nvsvc32.exe
*C:\WINDOWS\system32\svchost.exe
*C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
*C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
*C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\HJT\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
NvMediaCenter = RunDLL32.exe NvMCTray.dll,NvTaskbarInit

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=NVDESK32.DLL

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=C:\WINDOWS\system32\MAGICW~1.SCR
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(no name) - C:\Program Files\Java\jre1.6.0\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

[Web P2P Installer]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[{33564944-0000-0010-8000-00AA00389B71}]
CODEBASE = https://autoinstall.bigpond.com/index.html

[CDownloadCtrl Object]
InProcServer32 = C:\Program Files\IGN\Download Manager\DLMControl.dll
CODEBASE = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab

[{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}]
CODEBASE = http://www.bitdefender.com/scan8/oscan8.cab

[{E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD}]
CODEBASE = http://download.abacast.com/download/files/abasetup162.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 6,684 bytes
Report generated in 0.890 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
ok, did the virus scan thing again with all the show hidden etc. done, and still nothing. I guess all my things are somehow still hidden
Hi,

Please do NOT delete any of those files at this time. I am concerned now that you may be basing your comments on information like this:
http://www.liutilities.com/news/articles/article9/

I will check for proper locations on each file when I have time, but based on a quick glance, your files all appear to be running from legitimate locations.

EDIT1----------------------
I have started a list with some references for you. Each of the files listed below is running from the correct location, and if your scans are not picking up anything, I would not have a reason to believe they are bad. I will finish that list for you on the rest of your marked files when I have time, but that may not be today.

Running processes:
------------------------------------------------------------
*C:\WINDOWS\System32\smss.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/smss
------------------------------------------------------------
*C:\WINDOWS\system32\services.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/services/
http://windowsxp.mvps.org/services.exe.htm
------------------------------------------------------------
*C:\WINDOWS\system32\lsass.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/
http://www.computerhope.com/issues/ch000913.htm
-------------------------------------------------------------
*C:\WINDOWS\system32\svchost.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/svchost/
http://windowsxp.mvps.org/svchost.htm
-------------------------------------------------------------
ENDEDIT1--------------------

bc
yeah, all those files I was concerned about, I checked them against the Norton antivirus encyclopedia and it told me the name of the infection and all the aliases it had and all the files it affects and creates
Based on their locations, I think all those files are legitimate files. The fact that none of the scanning programs is flagging them as infected also leads me to believe they are valid system files. I have posted a link (or links) with each of the file names below. Further checking of your system for problems goes beyond any knowledge that I have.

Regards.
bc

Running processes:
------------------------------------------------------------
*C:\WINDOWS\System32\smss.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/smss
------------------------------------------------------------
*C:\WINDOWS\system32\services.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/services/
http://windowsxp.mvps.org/services.exe.htm
------------------------------------------------------------
*C:\WINDOWS\system32\lsass.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/
http://www.computerhope.com/issues/ch000913.htm
-------------------------------------------------------------
*C:\WINDOWS\system32\svchost.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/svchost/
http://windowsxp.mvps.org/svchost.htm
-------------------------------------------------------------
*C:\WINDOWS\System32\svchost.exe
-------------------------------------------------------------
*C:\WINDOWS\system32\spoolsv.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/spoolsv/
http://www.computerhope.com/issues/ch000914.htm (notice section on clearing spooled print jobs.)
-------------------------------------------------------------
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/avgamsvr/
-------------------------------------------------------------
*C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/avgupsvc/
http://www.bleepingcomputer.com/startups/avgupsvc.exe-10623.html
-------------------------------------------------------------
*C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/avgemc/
-------------------------------------------------------------
*C:\WINDOWS\system32\nvsvc32.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/nvsvc32/
http://www.bleepingcomputer.com/startups/nvsvc32.exe-11911.html
-------------------------------------------------------------
*C:\WINDOWS\system32\svchost.exe
-------------------------------------------------------------
*C:\WINDOWS\Explorer.EXE
http://www.liutilities.com/products/wintaskspro/processlibrary/explorer/
http://www.neuber.com/taskmanager/process/explorer.exe.html
-------------------------------------------------------------
*C:\Program Files\Java\jre1.6.0\bin\jusched.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/jusched/
-------------------------------------------------------------
*C:\WINDOWS\system32\ctfmon.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/ctfmon/
http://www.bleepingcomputer.com/startups/ctfmon.exe-1121.html
-------------------------------------------------------------
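The location check bc applies in the reply above can be scripted. This is an added example, not part of the original thread: the baseline table is an assumption (core Windows XP process names on a default C:\WINDOWS install), and the sample input is constructed, with its first five paths taken from the posted report and the last two made up to show the failure cases.

```python
import difflib
import ntpath

# Assumed baseline: where core Windows XP processes live on a default
# C:\WINDOWS install (the layout the posted StartupList report shows).
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {
    "smss.exe": SYSTEM32, "winlogon.exe": SYSTEM32, "services.exe": SYSTEM32,
    "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32, "spoolsv.exe": SYSTEM32,
    "ctfmon.exe": SYSTEM32, "explorer.exe": r"c:\windows",
}

# Constructed input: the first five paths appear in the posted report; the
# last two are made up to show a wrong folder and a look-alike name.
SAMPLE = r"""
*C:\WINDOWS\System32\smss.exe
*C:\WINDOWS\system32\svchost.exe
*C:\WINDOWS\Explorer.EXE
*C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\scvhost.exe
"""

def classify(line):
    """Classify one 'Running processes' line by file name and directory."""
    path = line.strip().lstrip("*").strip()   # drop the poster's * marker
    directory, name = ntpath.split(ntpath.normpath(path))
    name = name.lower()
    if name in EXPECTED_DIR:
        same = ntpath.normcase(directory) == EXPECTED_DIR[name]
        return "expected-location" if same else "wrong-location"
    # A name one or two letters off a system process deserves a closer look.
    if difflib.get_close_matches(name, list(EXPECTED_DIR), n=1, cutoff=0.85):
        return "look-alike-name"
    return "not-in-baseline"

def triage(report):
    """Return {path: verdict} for every non-empty line of the report."""
    lines = [ln.strip() for ln in report.splitlines() if ln.strip()]
    return {ln.lstrip("*"): classify(ln) for ln in lines}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:18} {path}")
```

A matching folder only rules out the same-name, different-folder case; a file in the right place can still have been modified, which is why the reply above also weighs the scan results.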