I think i got a worm! [Archive] - SpeedGuide.net Broadband Community



goemon4
04-21-08, 09:39 PM
OK, hello all (first post here). I hate to think this, but I may have a worm. I lurked here for a while before joining up, and installed many of the recommended anti-spyware apps (all worked great!), but I noticed Spybot-S&D was asking about weird changes to the registry.

A little background on why I think I have a worm, before I go there. I was torrenting something from TPB the other day (some old movie I have on VHS; I really wanted to watch it again, but I don't have a VCR anymore!) and since then, nothing but horrible lag. It takes about 50-70 seconds to open Firefox, which used to be practically instant.

So, I ran virus and spyware scans. I always have a bit of spyware here and there, so I got rid of it, and I had no viruses. I always try to be as secure as possible; I have PeerGuardian running 24/7 and have Spybot-S&D running 24/7 as well.

Well, back to where I was going: I noticed weird blank requests to change the registry. Spybot-S&D said it may be a worm, virus, or spyware, so I denied it. But I used CCleaner and noticed that there were a lot of registry errors already, as well as new, kind of oddly named entries in the startup list. I removed them (forgot to remember their names XD), but nothing has worked.

So yeah, my computer is just running horribly slow, and I don't know why! If you need me to run tests or post logs with something, I'll do so. I appreciate all the help you can provide, because I really hate this and want to fix it! I just think it's a worm because, from what I've looked up about them, their behavior is pretty much what I'm experiencing. No idea what type it is, though.

(Also, further security tips are appreciated too!)

THANKS!!!

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:32 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pidgin\pidgin.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204526163296
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6881 bytes

YARDofSTUF
04-22-08, 03:11 PM
F2 - REG:system.ini: Shell=explorer.exe

Seems like a trace of something left; I don't really see anything else out of the ordinary, though.

ghettoside
04-22-08, 05:13 PM
I agree with YoS; likely to be from the Aurora software (nail.exe), a hijacker/malware.

Remove: F2 - REG:system.ini: Shell=explorer.exe

Post if it comes back after reboot.

goemon4
04-22-08, 09:19 PM
OK, doing that now. I also deleted and disabled ctfmon.exe. I checked out info on Spybot S&D and it said it was not the actual file, but a trojan or virus. Should I keep it? (I haven't emptied the trash yet.) I've also read that this leads to a lot of system resources being hogged, and a lot of control problems. But yeah, I'll see if it pops back up. (I'll reboot now.)

Rebooted, and it didn't come back. Anything else I should do?

ghettoside
04-23-08, 11:18 AM
OK, doing that now. I also deleted and disabled ctfmon.exe. I checked out info on Spybot S&D and it said it was not the actual file, but a trojan or virus. Should I keep it? (I haven't emptied the trash yet.) I've also read that this leads to a lot of system resources being hogged, and a lot of control problems. But yeah, I'll see if it pops back up. (I'll reboot now.)

Rebooted, and it didn't come back. Anything else I should do?

So how is your rig running? Does it seem better?

ctfmon.exe is part of MS Office; once you start an Office app it keeps running. You can prevent it from running; see MSKB (http://support.microsoft.com/kb/282599).

As to whether or not yours is a virus/malware, where was the file located? It should be in windows/system32... if it's in a sub folder it's a virus. More info here (http://www.file.net/process/ctfmon.exe.html).

I suggest you defrag your HDD too.
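The two checks the replies above apply by eye (YoS and ghettoside on the F2 Shell= line, ghettoside on where ctfmon.exe lives) can be scripted against a HijackThis log. The following is an added example written for this thread; it is not HijackThis code and not something any of the posters ran. It treats an F2 Shell= value as clean only when it is exactly explorer.exe, so the line in the posted log, which has nothing after explorer.exe, passes, while a hijacker that appends its own program to the Shell line is flagged. It generalises ghettoside's "ctfmon.exe must be in system32" rule to a short list of Windows binary names, and also flags O4 autostarts that run from temp or profile folders. The sample log is constructed: the clean lines are copied from the log posted above, and the three suspicious lines (the Shell= hijack, svchost.exe under system32\drivers, and the upd8r.exe autostart) are invented to exercise the checks. The SYSTEM_BINARIES list and the directory prefixes are assumptions for the example, not anything from the thread.

```python
"""Triage helper for a Trend Micro HijackThis v2 log (added example, not
HijackThis code).  Encodes the checks discussed in the thread:

  * an F2 "Shell=" line must be exactly explorer.exe; anything appended
    after it is the hallmark of a shell hijack,
  * a file carrying the name of a Windows system binary must live in
    %SystemRoot%\\system32 (explorer.exe in %SystemRoot%), anywhere else
    deserves a look,
  * an O4 autostart launched from a temp or profile folder deserves a look.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed list of Windows binary names that malware commonly borrows.
SYSTEM_BINARIES = {
    "ctfmon.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe",
}
SYSTEM32_DIR = "c:\\windows\\system32\\"     # assumed %SystemRoot% = C:\WINDOWS
EXPLORER_DIR = "c:\\windows\\"
# Assumed autostart locations that are rarely legitimate (lower-cased).
SUSPICIOUS_PREFIXES = (
    "c:\\documents and settings\\", "c:\\windows\\temp\\", "c:\\temp\\", "c:\\recycler\\",
)

@dataclass(frozen=True)
class Finding:
    section: str   # "Process", "F2" or "O4"
    reason: str
    line: str

# First drive-letter path up to and including an executable extension.
_PATH_RE = re.compile(r"([a-zA-Z]:\\.*?\.(?:exe|dll|scr|com|bat|pif))\b", re.IGNORECASE)

def extract_path(line: str) -> Optional[str]:
    m = _PATH_RE.search(line)
    return m.group(1) if m else None

def is_impostor(path: str) -> bool:
    """True when a system-binary name sits outside its expected directory."""
    p = path.lower()
    name = ntpath.basename(p)
    if name not in SYSTEM_BINARIES:
        return False
    directory = ntpath.dirname(p) + "\\"
    if name == "explorer.exe":
        return directory != EXPLORER_DIR
    return directory != SYSTEM32_DIR

def parse(log: str) -> Tuple[List[str], List[str]]:
    """Return (running process paths, 'Xn - ...' entry lines)."""
    procs, entries, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False       # blank line ends the process list
            else:
                procs.append(line)
            continue
        if re.match(r"^[FRO]\d+ - ", line):
            entries.append(line)
    return procs, entries

def audit(log: str) -> List[Finding]:
    procs, entries = parse(log)
    findings: List[Finding] = []
    for p in procs:
        if is_impostor(p):
            findings.append(Finding("Process", "system binary name outside its expected directory", p))
    for e in entries:
        if e.startswith("F2 - REG:system.ini: Shell="):
            shell = e.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding("F2", "Shell= is not exactly explorer.exe", e))
        elif e.startswith("O4 - "):
            path = extract_path(e)
            if path is None:
                findings.append(Finding("O4", "no recognisable executable path", e))
            elif is_impostor(path):
                findings.append(Finding("O4", "system binary name outside its expected directory", e))
            elif path.lower().startswith(SUSPICIOUS_PREFIXES):
                findings.append(Finding("O4", "autostart from temp/profile folder", e))
    return findings

# Constructed sample: clean lines from the thread's log, three invented bad ones.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\nail.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd8r.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run as-is it reports three lines: the svchost.exe under system32\drivers, the Shell= line with nail.exe appended, and the upd8r.exe autostart; the ctfmon.exe entries pass because they sit in system32. The path check is a location heuristic only, so a clean location does not prove a clean file; for that you still need a scanner or a hash comparison against a known-good copy.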

goemon4
04-24-08, 09:47 AM
Well, it was in the system32 folder, but I don't have MS Office installed, and never have. My computer is still running like crap, though. It's better, but still slow! I've been running spyware and virus checks all night (while I sleep) and nothing is showing up. Windows Defender isn't picking anything up either.

And the defragmenter says I don't need to defragment it (but I'll run it anyway). Should I actually buy some security software? Since I'm relying on freeware as of now, and just don't think it's properly protecting me.

Also, I just got an error about Dr. Watson Postmortem Debugger. What is this?!

YARDofSTUF
04-24-08, 10:25 AM
Which scanners have you used so far?

goemon4
04-24-08, 10:36 AM
For viruses:
AVG's free one
and Kaspersky online virus scanner

For spyware:
Spybot S&D
AVG's free one
Ad-Aware
and SpywareBlaster

Not much else IIRC. But nothing other than that, oh, except AVG's rootkit checker.

ghettoside
04-24-08, 01:21 PM
Try the online scan of Webroot Spy Sweeper (http://www.webroot.com/En_US/consumer-downloads.html).

IMHO, the best commercial anti-spyware. If you can afford to buy the app, I say buy it. I've used it on removal jobs and a few times it's caught trojans that got past AV (Norton and McAfee).

I've never tried the online scan since I have the app. A tip: there are settings to scan for rootkits... you have to set it for that; it is not enabled by default.

I'd also run RootkitRevealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx).

If you're going to move away from freeware AV, then I recommend NOD32 (http://www.eset.com/landing_pages/landing_page1.php?CMP=KNC-g-ag&HBX_PK=nod32&HBX_OU=50&utm_source=google&utm_medium=cpc&utm_term=nod32&gclid=CKCJyYGZ9JICFQIgPAodIAz10A).

I was a die-hard Norton man until a couple of years ago when Stonecat converted me to NOD. I love NOD; works great. It's easy on your system resources too.

Also run CrapCleaner (http://www.ccleaner.com/update/).

FYI, I run NOD32, SpywareBlaster, Spybot. I never have a problem. I have Webroot Spy Sweeper installed and keep it updated, but I don't use the real-time protection; I only run manual scans. You might want to use the real-time protection since you like P2P, torrents.

If you get NOD32, uninstall any other anti-virus.

IMHO, I don't like AVG. Lots of folks I respect here do use it, though.

goemon4
04-24-08, 10:55 PM
I don't know, this stuff is pretty pricey. I HATE!!! (like really hate) Norton and McAfee; I've had both on previous computers, and the problems... And yeah, AVG is good if you pay for it (from what I hear). I'm thinking of trying that since it has everything for 60 bucks (anti-spyware, rootkit, virus etc). Yes, I am that cheap, lol, but NOD looks nice. Does it cover everything as well?

Thank you for the heads up, though; I do need to invest in this stuff since I'm using my computer a lot more lately. And yeah, CCleaner is awesome; I use it daily. :D

WOW!! I just updated to the free AVG 8, and the thing found hundreds of adware, trojan, spyware, tracker, downloader, and hacker infections! I don't know how the other programs missed this stuff... (Most of it is IE infections/registry infections, as well as a few others.)

ghettoside
04-26-08, 01:48 PM
Yeah, Norton has been too much bloatware for the past few years already, and I've seen waaaay too many problems on rigs running that McAfee garbage.

Comcast is giving out trials of McACrappy and people think it's good just because Comcast recommends it and bundles it with their service. That should be warning enough if Comcast gives it out!

I gave up on McAfee years ago, largely for the same reason listed above. Years ago I had to spend time testing the antivirus on offline systems, and it was not worth it. Personally I don't think it could find a booger on a white handkerchief.

I love to quote that post! :rotfl:

As to NOD, they have another product, Smart Security (http://www.eset.com/smartsecurity/), that has all the features. NOD32 AV is just that, an AV. That's why I use the other apps I listed.

I haven't tried Smart Security myself, but maybe Stonecat or someone else can tell you more.

No AV catches everything, but I've never had a problem with NOD on my rigs.

IMHO, if I was going to spend the money, I'd prefer trying NOD's Smart Security over AVG.

YARDofSTUF
04-27-08, 09:52 AM
For viruses:
AVG's free one
and Kaspersky online virus scanner

For spyware:
Spybot S&D
AVG's free one
Ad-Aware
and SpywareBlaster

Not much else IIRC. But nothing other than that, oh, except AVG's rootkit checker.


Avira AntiVir is really the best freebie right now for virus scanners.

Spybot, Windows Defender, and SUPERAntiSpyware are good adware/spyware scanners.

SpywareBlaster and the immunize feature of Spybot are great deterrents.

And CCleaner and Ad-Aware are good to run first to clean up temp files and little junk so the others don't scan unneeded files.

If you don't have a router with the NAT feature on, you should also get a firewall, but other than that you should be fine with those apps.

I keep a few people's PCs clean with free apps only.

Samuel4u
04-28-08, 07:27 AM
I agree with the above quote.