HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctemon.exe

[schuster24]

First problem started with IE opening for a split second then closing.. never resolved, now using safari.

Now Malwarebytes scan keeps finding infected file-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctemon.exe

(Trojan.Agent) -> Delete on reboot.

However the reboot does not remove it and it is found again in the next scan.

Not sure how to resolve, would appreciate any assistance!!

[miekiemoes]

Hi,

* Download Trend Micro Hijack This

[schuster24]

Hi,

* Download Trend Micro Hijack This

[miekiemoes]

Hi,

I'm wondering if your Comodo is interfering with the deletion of that key here, because according to the log, the file attached is already deleted, because otherwise Malwarebytes would relist it as well.

Comodo has a registry monitor, so it may block the changes here.

Anyway, we can easily deal with this registry leftover with HijackThis as well though.

First of all, disable your Comodo, so it doesn't interfere...

Then, * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {74B42F25-4107-404D-A892-F9A31C106D06} - (no file)

O4 - HKLM\..\Run: [logonUiInit] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\rgtndz.dll" DllInit

O4 - HKLM\..\Run: [systemguard] C:\Program Files\System Guard 2009\systemguard.exe

O4 - HKLM\..\Run: [CTEMON.EXE] "C:\Documents and Settings\All Users\Application Data\winlogon.exe" /h

O21 - SSODL: ooRoInPzaAM - {D9465290-509D-49C5-BB98-A87C1C89276B} - djsrcjkdrr.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Then rescan again with HijackThis and post the new log in your next reply.

[schuster24]

Thanks again for your help... here is the new log...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:43:09 AM, on 11/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\ezSP_Px.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Safari\Safari.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials/.../search/ie.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?.src=fp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll

O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe

O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: Picaboo.lnk = C:\Program Files\Picaboo\Picaboo\PicabooMain.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Giga Pocket\GPVSvr.exe (file missing)

O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe (file missing)

O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe (file missing)

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 10458 bytes

Hi,

I'm wondering if your Comodo is interfering with the deletion of that key here, because according to the log, the file attached is already deleted, because otherwise Malwarebytes would relist it as well.

Comodo has a registry monitor, so it may block the changes here.

Anyway, we can easily deal with this registry leftover with HijackThis as well though.

First of all, disable your Comodo, so it doesn't interfere...

Then, * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {74B42F25-4107-404D-A892-F9A31C106D06} - (no file)

O4 - HKLM\..\Run: [logonUiInit] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\rgtndz.dll" DllInit

O4 - HKLM\..\Run: [systemguard] C:\Program Files\System Guard 2009\systemguard.exe

O4 - HKLM\..\Run: [CTEMON.EXE] "C:\Documents and Settings\All Users\Application Data\winlogon.exe" /h

O21 - SSODL: ooRoInPzaAM - {D9465290-509D-49C5-BB98-A87C1C89276B} - djsrcjkdrr.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Then rescan again with HijackThis and post the new log in your next reply.

[miekiemoes]

Hi,

Your log looks clean again.

Normally mbam shouldn't find it anymore now, let me know. (Looks like it was Comodo after all interfering here)

[schuster24]

Thank you so much!

So, should I run malewarebytes again? Should I enable comodo again? Should it also have resolved the IE problem?

Thanks!!

Hi,

Your log looks clean again.

Normally mbam shouldn't find it anymore now, let me know. (Looks like it was Comodo after all interfering here)

[miekiemoes]

Can you open IE when Comodo is disabled?

What do you exactly get then? (in case it doesn't open?). Does it give an error etc?

Yes, run Malwarebytes once again to verify. Then enable Comodo again.

[schuster24]

Maleware scan was clean!! Thanks!! IE still will not open, tried both with Comodo off and on. No error message, never gets that far. Opens for a second then disappears.

Can you open IE when Comodo is disabled?

What do you exactly get then? (in case it doesn't open?). Does it give an error etc?

Yes, run Malwarebytes once again to verify. Then enable Comodo again.

[miekiemoes]

Ok,

Let's try the following...

Please try to run Internet Explorer without add-ons.

See here how to do this: http://www.nirmaltv.com/2009/04/28/how-to-...ithout-add-ons/

Let me know if it opens without the add-ons.

Did this problem start after you have updated to Internet Explorer 8?

[schuster24]

Nope still doesnt work,, just flashes up for a sec like it wants to open but disappears.

Ok,

Let's try the following...

Please try to run Internet Explorer without add-ons.

See here how to do this: http://www.nirmaltv.com/2009/04/28/how-to-...ithout-add-ons/

Let me know if it opens without the add-ons.

Did this problem start after you have updated to Internet Explorer 8?

[miekiemoes]

I still have the feeling it's your Comodo interfering here somewhere though.

I remember I helped someone before with exactly the same issue and it was the firewall that blocked iexplore.exe.

That was after an update to Internet Explorer 8. The firewall saw a modification of the file iexplore.exe, gave an alert and blocked it then.

Can you do me a favour and temporary uninstall Comodo? Then reboot.

Leave Comodo uninstalled till we have this issue resolved, because in case we have to reinstall IE8 again, I want to make sure nothing interferes with the reinstall etc... and that can only be done if potential causes (like comodo) that can interfere are gone.

Reboot after uninstalling Comodo.

After reboot, test your IE again and let me know if you're still having the same issue.

[schuster24]

It worked, I'm in IE after uninstalling Comodo. Should I do anything else? Can I re-install Comodo now or do you have another firewall recommendation?

Thank you sooo much for all your help!!!!!!

I still have the feeling it's your Comodo interfering here somewhere though.

I remember I helped someone before with exactly the same issue and it was the firewall that blocked iexplore.exe.

That was after an update to Internet Explorer 8. The firewall saw a modification of the file iexplore.exe, gave an alert and blocked it then.

Can you do me a favour and temporary uninstall Comodo? Then reboot.

Leave Comodo uninstalled till we have this issue resolved, because in case we have to reinstall IE8 again, I want to make sure nothing interferes with the reinstall etc... and that can only be done if potential causes (like comodo) that can interfere are gone.

Reboot after uninstalling Comodo.

After reboot, test your IE again and let me know if you're still having the same issue.

[miekiemoes]

Hi,

I knew it was Comodo. Yes, reinstall Comodo again, but read what it says. Because Comodo gives alerts for every program change, so if you install a program or update a program, allow the changes in Comodo. Because I guess you previously blocked the IE8 changes in Comodo.

[miekiemoes]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.