Trojan? Please Look at my Hijack this log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

orbital

Thread Starter
Joined
Jun 13, 2004
Messages
5
Last night, I noticed that a new .exe was running in my Process list in my Task Manager.
I then looked up ctfmon.exe on ProcessLibrary.com . Well, it came up with two different
results one being a microsoft process and the other being a trojan.

Process File: ctfmon.exe
Process Name: Alternative User Input Services

ctfmon.exe is a process belonging to Microsoft Office Suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar.

the other is

Process File: ctfmon.exe
Process Name: Trojan.W32.Satiloler

ctfmon.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Well, I then ran SysInternal AutoRuns.exe and the process has this info attached to it.

Description: CTF Loader
Publisher: Microsoft Corporation
Path: C:\windows\system32\ctfmon.exe

Size: 15K
Time: 8/4/2004
Version: 5.01.2600.2180

I have just recently updated to Internet Explorer 7
that's when I noticed this process running, It wasn't running before.
I do have office 2003 Basic installed but it doesn't start with the PC,
Only when I open it. I try to minimize the startup process so my Computer
runs faster. I'm very picky about what runs.

I have also just upgraded OpenOffice to 2.1 so I'm not sure if
that could have made it run.

Below, I have pasted my HiJack This Log
I did noticed a bunch of stuff was added after the Internet Explorer 7
Update. I use FireFox but updated cause I'm assumming that it updates
other windows components but I could be wrong..

I did end the ctfmon.exe process so you won't see it in the
Running Proccess. I would be more than happy if you could also
state which IE7 process can be disabled. I prefer firefox.

(* Update *) I have noticed that after disabling the process
everything works fine and it will even stay disabled after a
reboot. Well, when I open a Word document it restarts.
It never did this before. Do you think it could be some
type of update or even the IE7 that made this happen.
It makes my system unstable.


Logfile of HijackThis v1.99.1
Scan saved at 12:54:44 AM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\Program Files\GBpvr\GBPVRRecordingService.exe
D:\Program Files\Norton Ghost 2003\GhostStartService.exe
D:\Program Files\NOD32\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\ZoneAlarm\zlclient.exe
D:\Program Files\NOD32\nod32kui.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Admin's Documents\Tclock Light\tclock.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HiJack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Startup: Tclock.lnk = D:\Admin's Documents\Tclock Light\tclock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E60BCD3-48EF-44C6-848E-6DD613A50C6E}: NameServer = 24.93.68.64,24.93.68.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{5E60BCD3-48EF-44C6-848E-6DD613A50C6E}: NameServer = 24.93.68.64,24.93.68.65
O17 - HKLM\System\CS2\Services\Tcpip\..\{5E60BCD3-48EF-44C6-848E-6DD613A50C6E}: NameServer = 24.93.68.64,24.93.68.65
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GB-PVR Recording Service - devnz.com - D:\Program Files\GBpvr\GBPVRRecordingService.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\Program Files\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\NOD32\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

redoak

Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
Download "TrojanHunter" as a free trial. Use a search engine to locate the download site.

{redoak}
 

orbital

Thread Starter
Joined
Jun 13, 2004
Messages
5
Thanks for the reply but I prefer not to download anything that's Trialware.
I'm Running NOD32 ( Anti-Virus ) and using 3 different Anti-Spyware programs,
which are Adaware, Spybot, and Defender. I have also ran RootKit Revealer.
All of these programs turn up nothing so I am leaning in the direction that this
is a Windows process that was added when I did the ie7 update. This is
annoying. I did more research and it appears that this is a process that is
for Office XP. Well, I don't have Office XP I have Office 2003. Yes, they in
a sense are one of the same but each have a few different process that run.
As my research continued I found this......

http://support.microsoft.com/kb/282599

Man, they really make it an issue to remove this. I'm a little worried that
since I have Office 2003 all these options won't be there. I wouldn't worry
about this that much but this process makes my system slow to a crawl.
and will even lock it up. Any other comment on this would be great such
as if anyone has had this happen to them and know a better way in solving
it besides this uninstall that MS has posted. Everytime I do one of there little
suggestions it ends up in reinstalling my Ghost Image. thanks guys

Orbital
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top