Mouse Jumps - Infected but not detected?



pmheart6
2005-12-31, 20:03
Hi, I have run Spybot, Adaware, AVG, and CA web scanner; so far none has found anything. I had Norton installed, but it seems to have been disabled, and I can't get it reinstalled or reactivated yet.

Basically this problem seems to be getting worse. It is most notable (first noticed) in MS products, especially IE.

The mouse does things you do not want it to do. It goes here and there. It won't click what you want. It goes back web pages (especially when you use the scroll wheel). I have swapped the mouse and keyboard, and put the hard drive in a different PC, with no luck. They worked for over a year with no problem.
I have dialed in remotely via VNC and have no problems doing anything.

I am guessing it may be related to:
ctfmon.exe
crypt32.dll
cryptnet.dll
cscdll.dll

I had them and a few others disabled. ctfmon.exe added itself back to the startup routine, and I added the other 3. Without them it seemed to work fine for 20 minutes or so, even when connected to the net (then I added them back in and rebooted). Microsoft says they are required items. I don't know how to find a clean version if they are infected.

I found 3 links to Symantec. The files appear to be normal to me, and like I said, no scanner has found a problem.

Any ideas?
Thanks,
Patrick

tashi
2006-01-01, 01:56
Hello.
Open Spybot, check for and get any updates available, close all browsers, check for problems and fix everything found. Then on the toolbar menu select Mode and switch to Advanced mode; on the left, lower down, select Tools, then View Report, and ensure all the options near the bottom are selected except:

Uncheck [ ] Do not report disabled or known legitimate items.
Uncheck [ ] Include a list of services in report.
Uncheck [ ] Include uninstall list in report.

Now select (near the top) View Report.
Press Export; in the Save In box choose a place such as your My Documents folder. Then in your next post, near the bottom, select the "Browse" button; navigate to and attach or post that report, please.

pmheart6
2006-01-01, 15:56
--- Search result list ---
Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-08-17 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-30 Includes\Cookies.sbi (*)
2005-12-30 Includes\Dialer.sbi (*)
2005-12-30 Includes\Hijackers.sbi (*)
2005-12-30 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-12-30 Includes\Malware.sbi (*)
2005-12-30 Includes\PUPS.sbi (*)
2005-12-30 Includes\Revision.sbi (*)
2005-12-30 Includes\Security.sbi (*)
2005-12-30 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-30 Includes\Trojans.sbi (*)



--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DirectX / DX8 / SP1: DirectX 8 Hotfix - KB839643
/ DirectX: DirectX Update 819696
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB834707
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB867282
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB889293
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB890923
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB896688
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB896727
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB905495
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB905915
/ Outlook Express 6 / SP1: Windows 2000 Hotfix - KB897715
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB329115
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB820888
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB822831
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823182
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823559
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824105
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824141
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824146
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB825119
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB826232
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828028
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828035
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828741
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB829558
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB835732
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB837001
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB839645
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB840315
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB840987
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841356
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841533
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841872
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841873
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB842526
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB842773
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB871250
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB873333
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB873339
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB885250
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB885835
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB885836
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB888113
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB890046
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB890047
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB890175
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB890859
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB891711
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB891781
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB893066
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB893086
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB893756
/ Windows 2000 / SP5: Windows Installer 3.1 (KB893803)
/ Windows 2000 / SP5: Windows Installer 3.1 (KB893803)
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB894320
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896358
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896422
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896423
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896424
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899587
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899588
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899589
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB900725
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB901017
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB901214
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB902400
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB905414
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB905749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB908523
/ Windows 2000 / SP5: Windows 2000 Hotfix (SP5) Q818043
/ Windows 2000 / SP5: Update Rollup 1 for Windows 2000 SP4
/ Windows Media Player: Windows Media Player Hotfix [See KB837272 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 819639
/ Windows Media Player: Windows Media Update 828026
/ Windows Media Player 9 / SP0: Windows Media Player 9 Hotfix [See KB885492 for more information]


--- Startup entries list ---
Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 356352
MD5: 6492815fc67068a11420740637946b0e

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 9b2f5b9e745deaaa57fb78329ed03061

Located: HK_LM:Run, WinVNC
command: "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
file: C:\Program Files\TightVNC\WinVNC.exe
size: 474624
MD5: f58f2f89a111b08a26ead3a8fd56b65c

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5bc65464354a9fd3beaa28e18839734a

Located: Startup (common), QuickBooks Update Agent.lnk
command: C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
file: C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
size: 724992
MD5: 7e4784b83d19b547f5576cc1f91fcb2b

Located: Startup (user), MDR Backup StartUp.lnk
command: C:\Program Files\MDR Backup\MDR Backup.exe
file: C:\Program Files\MDR Backup\MDR Backup.exe
size: 61440
MD5: 31af45d1f77e5d375f6b461394152ce4

Located: Startup (user), MDR Capture Startup.lnk
command: C:\Program Files\MDR Capture\MDR Capture.exe
file: C:\Program Files\MDR Capture\MDR Capture.exe
size: 339968
MD5: 5f11e388e22537fc55bf5885ef668ccc

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll

Located: System.ini, NavLogon (DISABLED)
command: C:\WINNT\system32\NavLogon.dll
file: C:\WINNT\system32\NavLogon.dll
size: 45056
MD5: 4f08576da1c93a5ec62eb2ad6ec3d084

Located: System.ini, PCANotify (DISABLED)
command: PCANotify.dll
file: PCANotify.dll



--- Browser helper object list ---
{02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
BHO name:
CLSID name: Yahoo! Companion BHO
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein
Path: C:\Program Files\Yahoo!\Companion\Installs\cpn\
Long name: ycomp5_5_7_0.dll
Short name: YCOMP5~1.DLL
Date (created): 9/3/2005 2:45:34 AM
Date (last access): 1/1/2006 8:28:48 AM
Date (last write): 9/29/2004 10:02:16 AM
Filesize: 292947
Attributes: archive
MD5: 15003F375140FFB2D2E0C5508857A2F1
CRC32: B0173BA1
Version: 2004.9.28.1

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 12/14/2004 12:56:50 AM
Date (last access): 1/1/2006 8:04:16 AM
Date (last write): 9/23/2005 10:12:08 PM
Filesize: 63136
Attributes: archive
MD5: B61D5D651ECC6055C29BF826CA7B1141
CRC32: FEF15799
Version: 7.0.5.172

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 8/17/2005 4:25:04 PM
Date (last access): 1/1/2006 8:27:52 AM
Date (last write): 5/31/2005 12:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINNT\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 6/9/2004 9:31:30 AM
Date (last access): 1/1/2006 8:27:26 AM
Date (last write): 6/9/2004 9:31:30 AM
Filesize: 327736
Attributes: archive
MD5: CE3D865CCF4267C85934D9B7CA8521F2
CRC32: F9306ACA
Version: 6.4.0.29

{2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy)
DPF name:
CLSID name: ChainCast VMR Client Proxy
Installer:
Codebase:
description:
classification: Open for discussion
known filename: ccpm_0237.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: ccpm_0237.dll
Short name: CCPM_0~1.DLL
Date (created): 12/19/2002 6:09:44 PM
Date (last access): 1/1/2006 8:33:22 AM
Date (last write): 12/19/2002 6:09:44 PM
Filesize: 1488120
Attributes: archive
MD5: 2E2942127C097A132ED6FA3451BAEA06
CRC32: 9CCC07CD
Version: 3.0.0.237

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINNT\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc.cab
description:
classification: Legitimate
known filename: opuc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\
Long name: opuc.dll
Short name:
Date (created): 8/27/2003 4:10:30 AM
Date (last access): 1/1/2006 8:29:02 AM
Date (last write): 8/27/2003 4:10:30 AM
Filesize: 314368
Attributes: archive
MD5: 1E32EC4A8A17B19926B49EA5F6B79A76
CRC32: E98FC293
Version: 11.0.5626.0

pmheart6
2006-01-01, 15:57
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} ()
DPF name:
CLSID name:
Installer:
Codebase:
description: Netster
classification: Confirmed as malware
known filename:
info link:
info source:

{62475759-9E84-458E-A1AB-5D2C442ADFDE} ()
DPF name:
CLSID name:
Installer:
Codebase:
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINNT\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124579233435
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\system32\
Long name: wuweb.dll
Short name:
Date (created): 5/26/2005 3:19:32 AM
Date (last access): 12/31/2005 12:08:38 PM
Date (last write): 5/26/2005 3:19:32 AM
Filesize: 173536
Attributes: archive
MD5: C459F2D5E64C942F3F66E1CD7F1C4C00
CRC32: EEF66B50
Version: 5.8.0.2469

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINNT\Downloaded Program Files\muweb.inf
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135966116227
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\system32\
Long name: muweb.dll
Short name:
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 12/31/2005 12:08:38 PM
Date (last write): 5/26/2005 4:19:32 AM
Filesize: 178408
Attributes: archive
MD5: EE37AA2C0700221CD8B02FADCD4C7FB5
CRC32: F5494B06
Version: 5.8.0.2469

{6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive)
DPF name:
CLSID name: Microsoft Office XP Professional Step by Step Interactive
Installer: C:\WINNT\Downloaded Program Files\CONFLICT.1\mit.inf
Codebase: file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
Path: C:\WINNT\Downloaded Program Files\CONFLICT.1\
Long name: mitm0026.dll
Short name:
Date (created): 1/22/2001 7:19:40 AM
Date (last access): 1/1/2006 8:33:24 AM
Date (last write): 1/22/2001 7:19:40 AM
Filesize: 36864
Attributes: archive
MD5: 3E062AEFFC5F513C3FE628926BDB805C
CRC32: 879F03D0
Version: 1.0.0.33

{7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class)
DPF name:
CLSID name: WScanCtl Class
Installer: C:\WINNT\Downloaded Program Files\webscan.inf
Codebase: http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
description:
classification: Open for discussion
known filename: webscan.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: webscan.dll
Short name:
Date (created): 3/25/2004 10:10:20 AM
Date (last access): 1/1/2006 8:33:24 AM
Date (last write): 3/25/2004 10:10:20 AM
Filesize: 180282
Attributes: archive
MD5: 83272041A03A9D4381FAAB718AB1BEF7
CRC32: F57B6C69
Version: 1.1.0.1045

{7BE54C8A-50BA-43E4-BF99-6A4EC2E8DFAA} (AmBridgeLink.Conference)
DPF name:
CLSID name: AmBridgeLink.Conference
Installer: C:\WINNT\Downloaded Program Files\AmBridgeLink.INF
Codebase: http://www.econferencelink.com/naeo/AmBridgeLink.CAB
Path: C:\WINNT\Downloaded Program Files\
Long name: AmBridgeLink.ocx
Short name: AMBRID~1.OCX
Date (created): 12/8/2003 11:00:00 AM
Date (last access): 1/1/2006 8:33:20 AM
Date (last write): 12/8/2003 11:00:00 AM
Filesize: 45056
Attributes: archive
MD5: BFD9EA91B89C8011AB93E5585652BA66
CRC32: 6EE89380
Version: 1.0.0.7

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37886.6668055556
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINNT\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\system32\macromed\flash\
Long name: Flash.ocx
Short name:
Date (created): 6/9/2004 2:59:26 PM
Date (last access): 12/31/2005 1:00:02 PM
Date (last write): 6/9/2004 2:59:26 PM
Filesize: 939224
Attributes: archive
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 7.0.19.0

{DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control)
DPF name:
CLSID name: Microsoft Office Tools on the Web Control
Installer: C:\WINNT\Downloaded Program Files\outc.inf
Codebase: http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
description: Microsoft Office Tools on the Web
classification: Legitimate
known filename: outc.cab
info link:
info source: JavaCool
Path: C:\WINNT\Downloaded Program Files\
Long name: OUTC.DLL
Short name:
Date (created): 3/13/2003 11:04:06 AM
Date (last access): 1/1/2006 8:33:24 AM
Date (last write): 3/13/2003 11:04:06 AM
Filesize: 45720
Attributes: archive
MD5: 45DE1052FE8AA3D8507FD5A6343420E0
CRC32: 41AA4F0C
Version: 1.3.1.15

{E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class)
DPF name:
CLSID name: GpcContainer Class
Installer:
Codebase:
description:
classification: Open for discussion
known filename: ieatgpc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: ieatgpc.dll
Short name:
Date (created): 7/9/2003 4:36:54 PM
Date (last access): 1/1/2006 8:33:22 AM
Date (last write): 7/9/2003 4:36:54 PM
Filesize: 62464
Attributes: archive
MD5: AC0952DE18DF659E1A9EE0D43F383AC6
CRC32: D1CC0D8B
Version: 1.0.0.10

{EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class)
DPF name:
CLSID name: McFreeScan Class
Installer: C:\WINNT\Downloaded Program Files\mcfscan.inf
Codebase: http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4650/mcfscan.cab
description:
classification: Legitimate
known filename: mcfscan.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\McAfee.com\FreeScan\
Long name: mcfscan.dll
Short name:
Date (created): 12/14/2005 9:58:12 AM
Date (last access): 1/1/2006 8:37:42 AM
Date (last write): 12/14/2005 9:58:12 AM
Filesize: 116288
Attributes: archive
MD5: 2D6455D7D3E7E190C5CC521D512B74A3
CRC32: 45F89FE1
Version: 2.1.0.4650



--- Process list ---
PID: 0 ( 0) [System]
PID: 144 ( 8) \SystemRoot\System32\smss.exe
PID: 172 ( 144) \??\C:\WINNT\system32\csrss.exe
PID: 168 ( 144) \??\C:\WINNT\system32\winlogon.exe
PID: 220 ( 168) C:\WINNT\system32\services.exe
size: 92944
MD5: B861B4E6E9637EB76A40C10C552E0229
PID: 232 ( 168) C:\WINNT\system32\lsass.exe
size: 33552
MD5: F19D0A319AB4BF5496F08807CB9B8651
PID: 408 ( 220) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 440 ( 220) C:\WINNT\system32\spoolsv.exe
size: 47376
MD5: FACFB75ECC070103619FA044E0B210D3
PID: 508 ( 220) C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
size: 336896
MD5: 9BF46D959F713D64C8FF3DE2B2437863
PID: 540 ( 220) C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
size: 84480
MD5: 66093610FA61142F6BCFD83AFB7E8A29
PID: 340 ( 220) C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
size: 32768
MD5: F8146A2B29866884A6C785FF40EB38A9
PID: 576 ( 220) C:\WINNT\System32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 636 ( 220) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
size: 322120
MD5: 11F714F85530A2BD134074DC30E99FCA
PID: 760 ( 220) C:\WINNT\system32\regsvc.exe
size: 68368
MD5: 250C4CE389783FA2398E3AFA4317008C
PID: 784 ( 220) C:\WINNT\system32\MSTask.exe
size: 122128
MD5: B00529EAE5D0CE97010B69CC677128C8
PID: 856 ( 220) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196706
MD5: 05B2001E1BC653FD6091E741B46F71B4
PID: 860 ( 220) C:\Program Files\TightVNC\WinVNC.exe
size: 474624
MD5: F58F2F89A111B08A26EAD3A8FD56B65C
PID: 876 ( 220) C:\WINNT\System32\mspmspsv.exe
size: 53520
MD5: 5B6DA8F4F5047D6DF51E1C38FC57D4D9
PID: 896 ( 220) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 1044 ( 752) C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 356352
MD5: 6492815FC67068A11420740637946B0E
PID: 1056 ( 752) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496EEE0DDBE485F658693826F44D38
PID: 500 ( 752) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
size: 724992
MD5: 7E4784B83D19B547F5576CC1F91FCB2B
PID: 1080 ( 752) C:\Program Files\MDR Backup\MDR Backup.exe
size: 61440
MD5: 31AF45D1F77E5D375F6B461394152CE4
PID: 1332 ( 952) C:\WINNT\system32\ctfmon.exe
size: 8192
MD5: D36A33C21EEED5A6C1DAECB7C80A1909
PID: 1184 ( 752) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 8 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 1/1/2006 8:51:11 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{70E2A91A-AD6E-424B-AB12-C8F8A6361278}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{70E2A91A-AD6E-424B-AB12-C8F8A6361278}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{07283AF1-FEE8-4D33-A836-886F5DE1B571}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{07283AF1-FEE8-4D33-A836-886F5DE1B571}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AD2E0509-3900-46BC-BD23-99F5CAE92706}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AD2E0509-3900-46BC-BD23-99F5CAE92706}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
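The report above lists each startup entry as a block of Located/command/file/size/MD5 lines, and the System.ini notify entries carry only a bare DLL name with no size or hash. As an added example (not Spybot's code and not posted by anyone in this thread), the following Python parses that block format and flags what a responder would look at first: entries marked DISABLED that are still present, files not resolved to a full path, entries with no recorded hash, and hashes absent from a local allowlist (the allowlist here is a constructed placeholder, not a set of vetted hashes).

```python
"""Triage helper for the 'Startup entries list' section of a Spybot-S&D report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: three blocks copied from the report format posted in the thread.
SAMPLE_REPORT = r"""--- Startup entries list ---
Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 356352
MD5: 6492815fc67068a11420740637946b0e

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, NavLogon (DISABLED)
command: C:\WINNT\system32\NavLogon.dll
file: C:\WINNT\system32\NavLogon.dll
size: 45056
MD5: 4f08576da1c93a5ec62eb2ad6ec3d084
--- Browser helper object list ---
"""

# Hypothetical local allowlist (MD5 -> expected file name). The single value is
# copied from the report for illustration only; it is not a vetted hash.
ALLOWLIST: Dict[str, str] = {"6492815fc67068a11420740637946b0e": "avgcc.exe"}

# "Located: <location>, <entry name> [(DISABLED)]"; the location itself may contain a colon.
LOCATED_RE = re.compile(r"^Located:\s*(?P<loc>[^,]+),\s*(?P<name>.*?)(?P<dis>\s*\(DISABLED\))?$")
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")  # drive-letter path, e.g. C:\WINNT\...


@dataclass
class StartupEntry:
    location: str
    name: str
    disabled: bool
    command: str = ""
    file: str = ""
    size: Optional[int] = None   # absent for System.ini entries with a bare DLL name
    md5: Optional[str] = None    # likewise


def parse_startup_entries(report: str) -> List[StartupEntry]:
    """Return the entries of the 'Startup entries list' section, in report order."""
    entries: List[StartupEntry] = []
    in_section = False
    current: Optional[StartupEntry] = None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("--- "):  # any section header starts or ends our section
            in_section = line == "--- Startup entries list ---"
            current = None
            continue
        if not in_section or not line:
            continue
        m = LOCATED_RE.match(line)
        if m:
            current = StartupEntry(m["loc"].strip(), m["name"].strip(), m["dis"] is not None)
            entries.append(current)
        elif current is not None:
            key, _, value = line.partition(":")  # first colon only, so "C:\..." survives
            key, value = key.strip().lower(), value.strip()
            if key == "command":
                current.command = value
            elif key == "file":
                current.file = value
            elif key == "size" and value.isdigit():
                current.size = int(value)
            elif key == "md5":
                current.md5 = value.lower()
    return entries


def triage(entries: List[StartupEntry], allowlist: Dict[str, str]) -> Dict[str, List[str]]:
    """Map entry name -> reasons to inspect it; entries with nothing to report are omitted."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        if e.disabled:
            reasons.append("disabled entry still present")
        if not FULL_PATH_RE.match(e.file):
            reasons.append("file not resolved to a full path")
        if e.md5 is None:
            reasons.append("no hash recorded")
        elif allowlist.get(e.md5) != e.file.rsplit("\\", 1)[-1].lower():
            reasons.append("hash not in allowlist")
        if reasons:
            findings[e.name] = reasons
    return findings
```

Run `triage(parse_startup_entries(SAMPLE_REPORT), ALLOWLIST)` to see the three sample entries triaged; feed it the full exported report text for a real pass.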

LonnyRJones
2006-01-01, 19:04
Hi Patrick

Do you have speech recognition on?
http://ask-leo.com/why_does_my_computer_go_nuts_sometimes.html

Why are these disabled?
Located: System.ini, NavLogon (DISABLED)
command: C:\WINNT\system32\NavLogon.dll
file: C:\WINNT\system32\NavLogon.dll
size: 45056
MD5: 4f08576da1c93a5ec62eb2ad6ec3d084
Located: System.ini, PCANotify (DISABLED)
command: PCANotify.dll
file: PCANotify.dll

I would delete that Norton entry (and uninstall it) and stick with AVG Free or the paid-for version.

pmheart6
2006-01-02, 01:46
OK, the mouse is not jumping around all the time.

I deleted the entry for ctfmon.exe and a few other things (realsched.exe etc.).

When it boots it seems they were not completely removed; TeaTimer asks permission to delete the entry.

And then when I run a Microsoft program it tries to add ctfmon.exe back in.

I may just be remembering wrong, but I once told it to remember to leave it deleted, and it added it back in without asking. So it's not remembering to allow the deletion, but allowing anything with that item.

So:
1: How do I delete the items so it does not have to delete them every time I boot?
2: How can I make Windows not try to add ctfmon.exe again?
3: We need to work on how TeaTimer remembers changes.

LonnyRJones
2006-01-02, 05:31
Hi pmheart6
More information about ctfmon:
Frequently asked questions about Ctfmon.exe: http://support.microsoft.com/kb/q282599/

Turn off TeaTimer (right-click its icon in the tray area near the Windows clock and choose Exit) and close Spybot if open.
Download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
to your desktop and run ResetTeaTimer.bat.
Since it will not be needed again, delete ResetTeaTimer.bat.
Turn TeaTimer back on again via Spybot's Tools, Resident page.