1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Trojan? Please Look at my Hijack this log

Discussion in 'Windows XP' started by orbital, Jan 25, 2007.

Thread Status:
Not open for further replies.
  1. orbital

    orbital Thread Starter

    Jun 13, 2004
    Last night, I noticed that a new .exe was running in my Process list in my Task Manager.
    I then looked up ctfmon.exe on ProcessLibrary.com . Well, it came up with two different
    results one being a microsoft process and the other being a trojan.

    Process File: ctfmon.exe
    Process Name: Alternative User Input Services

    ctfmon.exe is a process belonging to Microsoft Office Suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar.

    the other is

    Process File: ctfmon.exe
    Process Name: Trojan.W32.Satiloler

    ctfmon.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

    Well, I then ran SysInternal AutoRuns.exe and the process has this info attached to it.

    Description: CTF Loader
    Publisher: Microsoft Corporation
    Path: C:\windows\system32\ctfmon.exe

    Size: 15K
    Time: 8/4/2004
    Version: 5.01.2600.2180

    I have just recently updated to Internet Explorer 7
    that's when I noticed this process running, It wasn't running before.
    I do have office 2003 Basic installed but it doesn't start with the PC,
    Only when I open it. I try to minimize the startup process so my Computer
    runs faster. I'm very picky about what runs.

    I have also just upgraded OpenOffice to 2.1 so I'm not sure if
    that could have made it run.

    Below, I have pasted my HiJack This Log
    I did noticed a bunch of stuff was added after the Internet Explorer 7
    Update. I use FireFox but updated cause I'm assumming that it updates
    other windows components but I could be wrong..

    I did end the ctfmon.exe process so you won't see it in the
    Running Proccess. I would be more than happy if you could also
    state which IE7 process can be disabled. I prefer firefox.

    (* Update *) I have noticed that after disabling the process
    everything works fine and it will even stay disabled after a
    reboot. Well, when I open a Word document it restarts.
    It never did this before. Do you think it could be some
    type of update or even the IE7 that made this happen.
    It makes my system unstable.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:54:44 AM, on 1/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    D:\Program Files\Windows Defender\MsMpEng.exe
    D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    D:\Program Files\GBpvr\GBPVRRecordingService.exe
    D:\Program Files\Norton Ghost 2003\GhostStartService.exe
    D:\Program Files\NOD32\nod32krn.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    D:\Program Files\ZoneAlarm\zlclient.exe
    D:\Program Files\NOD32\nod32kui.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\Program Files\Windows Defender\MSASCui.exe
    D:\Admin's Documents\Tclock Light\tclock.exe
    D:\Program Files\iPod\bin\iPodService.exe
    D:\Program Files\HiJack This\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\NOD32\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - Startup: Tclock.lnk = D:\Admin's Documents\Tclock Light\tclock.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5E60BCD3-48EF-44C6-848E-6DD613A50C6E}: NameServer =,
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5E60BCD3-48EF-44C6-848E-6DD613A50C6E}: NameServer =,
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5E60BCD3-48EF-44C6-848E-6DD613A50C6E}: NameServer =,
    O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: GB-PVR Recording Service - devnz.com - D:\Program Files\GBpvr\GBPVRRecordingService.exe
    O23 - Service: GhostStartService - Symantec Corporation - D:\Program Files\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\NOD32\nod32krn.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  2. redoak

    redoak Gone but never forgotten

    Jun 24, 2004
    Download "TrojanHunter" as a free trial. Use a search engine to locate the download site.

  3. orbital

    orbital Thread Starter

    Jun 13, 2004
    Thanks for the reply but I prefer not to download anything that's Trialware.
    I'm Running NOD32 ( Anti-Virus ) and using 3 different Anti-Spyware programs,
    which are Adaware, Spybot, and Defender. I have also ran RootKit Revealer.
    All of these programs turn up nothing so I am leaning in the direction that this
    is a Windows process that was added when I did the ie7 update. This is
    annoying. I did more research and it appears that this is a process that is
    for Office XP. Well, I don't have Office XP I have Office 2003. Yes, they in
    a sense are one of the same but each have a few different process that run.
    As my research continued I found this......


    Man, they really make it an issue to remove this. I'm a little worried that
    since I have Office 2003 all these options won't be there. I wouldn't worry
    about this that much but this process makes my system slow to a crawl.
    and will even lock it up. Any other comment on this would be great such
    as if anyone has had this happen to them and know a better way in solving
    it besides this uninstall that MS has posted. Everytime I do one of there little
    suggestions it ends up in reinstalling my Ghost Image. thanks guys

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Similar Threads - Trojan Please Hijack
  1. ZawMyoLatt
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/538155

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice