I think i got a worm!

goemon4
New Member
Posts: 5
Joined: Mon Apr 21, 2008 9:19 pm

I think i got a worm!

Post by goemon4 »

Ok, hello all (first post here), but I hate to think this, but I may have a worm. I have lurked on here for a while before joining up here, and installed many of the recommended anti-spyware apps (all worked great!), but I noticed Spybot-S&D was asking about weird changes to the registry though.

A little background on why I think I have a worm though before I go there. I was torrenting something from TPB the other day (some old movie I have on VHS, really wanted to watch it again, but I don't have a VCR anymore!) and since then, nothing but horrible lag. It takes about 50-70 sec to open Firefox, which used to be practically instant.

So, I ran virus and spyware scans. I always have a bit of spyware here and there, so I got rid of it. And had no viruses. I always try to be as secure as possible, I have Peer Guardian running 24/7 and have Spybot-S&D running 24/7 as well.

Well, back to where I was going, I noticed weird blank requests to change the registry, Spybot-S&D said it may be a worm, virus, or spyware, so I denied it. But I used CCleaner, and noticed that there were a lot of registry errors already, as well as new, kind of oddly named entries in the startup list. I removed them (forgot to remember their names XD) but nothing has worked.

So yeah, my comp is just running horribly slow, and I don't know why! If you need me to run tests or post logs with something, I'll do so. I appreciate all the help you can provide, 'cause I really hate this and want to fix it! I just think it's a worm because what I've looked up about them and their behavior is pretty much what I'm experiencing. No idea what type it is though.

(also, further security tips are appreciated too!)

THANKS!!!

HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:32 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pidgin\pidgin.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204526163296
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6881 bytes
YARDofSTUF
Posts: 70006
Joined: Sat Nov 11, 2000 12:00 am
Location: USA

Post by YARDofSTUF »

F2 - REG:system.ini: Shell=explorer.exe

Seems like a trace of something left, I don't really see anything else out of the ordinary though.
ghettoside
SG Elite
Posts: 5134
Joined: Thu Mar 13, 2003 5:18 pm
Location: At Large in the US

Post by ghettoside »

I agree w/ YoS, likely to be from Aurora sw (nail.exe) - hijacker/malware.

Remove - F2 - REG:system.ini: Shell=explorer.exe

Post if it comes back after reboot.
Norm wrote:
There are idiots everywhere.

At work, in forums, in poetry classes, everywhere!
goemon4
New Member
Posts: 5
Joined: Mon Apr 21, 2008 9:19 pm

Post by goemon4 »

Ok, doing that now, I also deleted and disabled the ctfmon.exe. I checked out info on Spybot S&D and it said it was not the actual file, but a trojan or virus. Should I keep it? (I haven't emptied the trash yet.) I've also read that this leads to a lot of system resources being hogged, and a lot of control problems. But yeah, I'll see if it pops back up. (I'll reboot now.)

Rebooted, and it didn't come back, anything else I should do?
ghettoside
SG Elite
Posts: 5134
Joined: Thu Mar 13, 2003 5:18 pm
Location: At Large in the US

Post by ghettoside »

goemon4 wrote: Ok, doing that now, I also deleted and disabled the ctfmon.exe. I checked out info on Spybot S&D and it said it was not the actual file, but a trojan or virus. Should I keep it? (I haven't emptied the trash yet.) I've also read that this leads to a lot of system resources being hogged, and a lot of control problems. But yeah, I'll see if it pops back up. (I'll reboot now.)

Rebooted, and it didn't come back, anything else I should do?
So how is your rig running, does it seem better?

ctfmon.exe is part of MS Office; once you start an Office app it keeps running. You can prevent it from running, see MSKB

As to whether or not yours is a virus/malware, where was the file located? It should be in windows/system32... if it's in a sub folder it's a virus. More info here

I suggest you defrag your hdd too
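A small checker, added here as an example and not code from any poster in this thread, that applies the two things the replies above look at to HijackThis log lines: whether a core Windows binary such as ctfmon.exe is launched from its home folder (the system32-versus-sub-folder test above) and whether the F2 Shell= value chains anything besides explorer.exe. The sample lines and the misplaced ctfmon.exe path are constructed, and the expected-folder table assumes %SystemRoot% is C:\WINDOWS as in the posted log.

```python
import re
from pathlib import PureWindowsPath

# Home folder of a few core Windows XP binaries that malware likes to impersonate.
# Assumption: %SystemRoot% is C:\WINDOWS, as in the log posted in this thread.
EXPECTED_DIR = {"ctfmon.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
                "explorer.exe": r"c:\windows"}
O4_RE = re.compile(r"^O4 - .+?\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<bare>.+?\.exe)', re.IGNORECASE)

def exe_path(cmd):
    """Strip switches from a Run-key command line, honouring quoted paths."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("q") or m.group("bare")) if m else cmd.strip()

def check_location(path):
    """Warn when a core binary name runs from somewhere other than its home folder."""
    p = PureWindowsPath(path)
    home = EXPECTED_DIR.get(p.name.lower())
    if home and str(p.parent).lower() != home:
        return f"{p.name} found in {p.parent}, expected {home}"
    return None

def check_shell(value):
    """Return any program chained onto the Winlogon Shell value besides explorer.exe."""
    parts = [x.strip() for x in value.split(",") if x.strip()]
    return [x for x in parts if PureWindowsPath(x).name.lower() != "explorer.exe"]

def audit(log_text):
    """Walk HijackThis O4 and F2 lines and collect findings from both checks."""
    findings = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            w = check_location(exe_path(m.group("cmd")))
            if w:
                findings.append(f"O4 [{m.group('name')}]: " + w)
        elif m := F2_RE.match(line):
            for extra in check_shell(m.group("value")):
                findings.append("F2 Shell= chains an extra program: " + extra)
    return findings

# Constructed sample in HijackThis format, modelled on the thread's log; the second
# ctfmon.exe entry is invented to show the "sub folder" case described in the reply above.
SAMPLE = r"""F2 - REG:system.ini: Shell=explorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\temp\ctfmon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Only the second ctfmon.exe entry is reported; the genuine system32 copy, the AVG entry and a plain Shell=explorer.exe value pass both checks.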
goemon4
New Member
Posts: 5
Joined: Mon Apr 21, 2008 9:19 pm

Post by goemon4 »

Well, it was in the system32 folder, but I don't have MS Office installed, and never have. My comp is still running like crap though. It's better, but still slow! I've been running spyware and virus checks all night (while I sleep) and nothing is showing up. Windows Defender isn't picking anything up either.

And the defragmenter says I don't need to defragment it (but I'll run it anyway). Should I actually buy some security software? Since I'm relying on freeware as of now, and just don't think it's properly protecting me.

Also, I just got an error about Dr. Watson Postmortem Debugger, what is this?!
YARDofSTUF
Posts: 70006
Joined: Sat Nov 11, 2000 12:00 am
Location: USA

Post by YARDofSTUF »

Which scanners have you used so far?
goemon4
New Member
Posts: 5
Joined: Mon Apr 21, 2008 9:19 pm

Post by goemon4 »

For viruses:
AVG's free one
and Kaspersky online virus scanner

For spyware:
Spybot S&D
AVG's free one
Ad-Aware
and SpywareBlaster

Not much else IIRC. But nothing other than that, oh, except AVG's rootkit checker.
ghettoside
SG Elite
Posts: 5134
Joined: Thu Mar 13, 2003 5:18 pm
Location: At Large in the US

Post by ghettoside »

Try the online scan of Webroot Spy Sweeper.

Imho, the best commercial anti-spyware. If you can afford to buy the app, I say buy it. I've used it on removal jobs, and a few times it's caught trojans that got past AV (Norton and McAfee).

I've never tried the online scan since I have the app. A tip: there are settings to scan for rootkits... you have to set it for that, it is not enabled by default.

I'd also run RootkitRevealer.

If you're gonna move away from freeware AV, then I recommend Nod32.

I was a die-hard Norton man until a couple years ago when Stonecat converted me to Nod. I love Nod, works great. It's easy on your sys resources too.

Also run CrapCleaner.

FYI, I run Nod32, SpywareBlaster, Spybot. I never have a problem. I have Webroot Spy Sweeper installed and keep it updated, but I don't use the real-time protection, I only run manual scans. You might wanna use the real-time since you like P2P, torrents.

If you get Nod32, uninstall any other anti-virus.

Imho, I don't like AVG. Lots of folks I respect here do use it tho.
goemon4
New Member
Posts: 5
Joined: Mon Apr 21, 2008 9:19 pm

Post by goemon4 »

Idk, this stuff is pretty pricey. I HATE!!! (like really hate) Norton and McAfee, I've had both on previous comps, and the problems... And yeah, AVG is good if you pay for it (from what I hear). I'm thinking of trying that since it has everything for 60 bucks (anti-spyware, rootkit, virus etc). Yes I am that cheap, lol, but Nod looks nice. Does it cover everything as well?

Ty for the heads up though, I do need to invest in this stuff since I'm using my computer a lot more lately. And yeah, CCleaner is awesome, I use it daily. :D

WOW!! I just updated to the free AVG 8, thing found hundreds of adware, trojan, spyware, tracker, downloader, and hacker infections! Idk how the other programs missed this stuff... (Most of it is IE infections/registry infections, as well as a few others.)
ghettoside
SG Elite
Posts: 5134
Joined: Thu Mar 13, 2003 5:18 pm
Location: At Large in the US

Post by ghettoside »

Yeah, Norton is too much bloatware for the past few years already, and I've seen waaaay too many problems on rigs running that McAfee garbage.

Comcast is giving trials of McACrappy and people think it's good just cuz Comcast recommends it and bundles it w/ their service. That should be warning enough if Comcast gives it out!
Far-N-Wide wrote: I gave up on McAfee years ago, largely for the same reason listed above. Years ago I had to spend time testing the antivirus on offline systems, that it was not worth it. Personally I don't think it could find a booger on a white handkerchief.
I love to quote that post! :rotfl:

As to Nod, they have another product, Smart Security, that has all the features. Nod32 AV is just that, an AV. That's why I use the other appz I listed.

I haven't tried Smart Security myself, but maybe Stonecat or someone else can tell you more.

No AV catches everything, but I've never had a problem w/ Nod on my rigs.

Imho, if I was going to spend the $, I'd prefer trying Nod's Smart Security over AVG.
YARDofSTUF
Posts: 70006
Joined: Sat Nov 11, 2000 12:00 am
Location: USA

Post by YARDofSTUF »

goemon4 wrote: For viruses:
AVG's free one
and Kaspersky online virus scanner

For spyware:
Spybot S&D
AVG's free one
Ad-Aware
and SpywareBlaster

Not much else IIRC. But nothing other than that, oh, except AVG's rootkit checker.

Avira AntiVir is really the best freebie right now for virus scanners.

Spybot, Windows Defender, and SuperAntiSpyware are good adware/spyware scanners.

SpywareBlaster and the immunize feature of Spybot are great deterrents.

And CCleaner and Ad-Aware are good to run first to clean up temp files and little junk so the others don't scan unneeded files.

If you don't have a router with the NAT feature on you should also get a firewall, but other than that you should be fine with those apps.

I keep a few people's PCs clean with free apps only.
Samuel4u
Member
Posts: 36
Joined: Wed Mar 26, 2008 4:49 am

Post by Samuel4u »

I agree with the above quote.
twister

I think I got a worm!

Post by twister »

After going through your post I also think that you have got a worm in your PC. But you need not be worried about it at all. The problem you are facing now is quite common and a number of people have to go through the same problem. I know some of them who were greatly benefited by http://www.supportonclick.com. The staff out there are quite expert and helpful to respond and solve your problem. I think you should opt for their support; once you do, you will be benefited.
CableDude
SG VIP
Posts: 26801
Joined: Sat Jun 02, 2001 12:00 pm

Post by CableDude »

twister wrote: After going through your post I also think that you have got a worm in your PC. But you need not be worried about it at all. The problem you are facing now is quite common and a number of people have to go through the same problem. I know some of them who were greatly benefited by http://www.supportonclick.com. The staff out there are quite expert and helpful to respond and solve your problem. I think you should opt for their support; once you do, you will be benefited.

Welcome to last year.
jantrina
New Member
Posts: 10
Joined: Mon May 25, 2009 8:10 pm

Post by jantrina »

Don't use AVG... that's bad, use NOD32...