could anybody help me to find the ad-ware- -

[aaa839]

my friends computer get thereat he get so many AD in his computer

i try to use anti-virus and iobit security to find and delete the thereate

but it can't - -

could help me to find it?

 

Logfile of IObit HijackScan v1.0.0.0

Scan saved at 19:5:58, on 2009-12-2

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\PPStream\ppsap.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

c:\program files\avira\antivir desktop\avcenter.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

 

O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll

O3 - Toolbar: GotoYa上網精靈 - {43869BB3-22FD-4F15-9B46-238106BA2F4E} - C:\Program Files\Super Rabbit\IeProt\haokanbar.dll

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [soundMan] SOUNDMAN.EXE

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\five that.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} -

O9 - Extra button: 網頁流量防護狀態 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000}SwCtl.SwCtl.11 - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}YInstHelper.YInstStarter.1 -

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.6.0_17 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}Java Plug-in 1.6.0_17 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.6.0_17 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

O23 - Service: Automatic LiveUpdate Scheduler (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate (LiveUpdate) - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: Macromedia Licensing Service (Macromedia Licensing Service) - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Nakido (Nakido) - Unknown - C:\Program Files\Nakido\nakido.exe

O23 - Service: Nero BackItUp Scheduler 3 (Nero BackItUp Scheduler 3) - Unknown - .dll

O23 - Service: NMIndexingService (NMIndexingService) - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - INCA Internet Co., Ltd. - C:\WINDOWS\system32\GameMon.des

O23 - Service: PLFlash DeviceIoControl Service (PLFlash DeviceIoControl Service) - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: VNC Server (winvnc) - Unknown - c:\winsock\winvnc\winvnc.exe

[jelrikj]

Reply Log

 

These two Remove The Toolbar:

 

 

O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll

 

O3 - Toolbar: GotoYa上網精靈 - {43869BB3-22FD-4F15-9B46-238106BA2F4E} - C:\Program Files\Super Rabbit\IeProt\haokanbar.dll

 

And Do A Scan With Hitman Pro

[jelrikj]

Reply

 

By The Way! It Seems like You Having More Then One Antivirus on Your Computer? Only One Is Enough.

[Melvin_Deal]

This looks like a nasty!

 

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Ru n\: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXECtfmon.exe

(("CoolWebSearch Ctfmon32 parasite variant")) Should be removed!

 

Drastically reduce start up programs, or close out of system tray.

 

Eliminate/uninstall all the toobars!

 

I see evidence of Norton, Avira, and Kaspersky anti-virus. They are probably fighting with each other!

 

Download revo uninstaller and remove two of these. Choose your A/V

 

Then run Advanced System Care to fix registry. Ccleaner may also be of use here.

 

This will be a good start.

[blacksea]

Hi Melvin_deal

 

When you run a Microsoft Office XP program, the file Ctfmon.exe (Ctfmon) runs in the background, even after you quit all Office programs.

Ctfmon.exe monitors active windows and provides text input service support for speech recognition, handwriting recognition, keyboard translation, and other alternate user input forms.

Note: The ctfmon.exe file is located in the folder C:\Windows\System32. In other cases, ctfmon.exe is a virus, spyware, trojan or worm!

[Melvin_Deal]

Aye Blacksea... thanks!!

 

I see now! You are absolutely correct!

 

It was a hasty post and I must learn to slow down! I saw that there was little attention to this post and didn't want to ignore user aaa839; as I was running out the door.

 

It is better not to post at all than post hastily.

 

Thank you!!

[blacksea]

I see now! You are absolutely correct!

 

It was a hasty post and I must learn to slow down! I saw that there was little attention to this post and didn't want to ignore user aaa839; as I was running out the door.

 

It is better not to post at all than post hastily.

 

Thank you!!

 

Your welcome melvin !

Ofcourse it's good of you that you wanted to help him and didn't want to ignore aa839. But if you say something, and you hesitate, then you should include it in your comment/reply. But nvm, I always put the names of the services in google and there I get my most information down.

 

Blacksea.

 

Ps. And also that reply I gave was not my words. It was based on this description given in this link http://www.neuber.com/taskmanager/process/ctfmon.exe.html. But I did know it was something that had to do with Microsoft word. :lol:

[Melvin_Deal]

I checked it out.

 

You were correct. Matters not how you got there.. You are honest and that is what matters here!!

[solbjerg]

Hi Melvin

If you use ASC and the option Tools and the tab Admin and find StartUp manager, you will see that file there usually - mark it and choose the option Internet search in the left window and it will show you a description of the file and warning about it if it is placed anywhere else than in system32.

(Is this information missing in Usage of IObit Products??)

Cheers

solbjerg

 

 

You were correct. Matters not how you got there.. You are honest and that is what matters here!!

[wozofoz]

It's there

 

(Is this information missing in Usage of IObit Products??)

Cheers

solbjerg

It's there

If you are not sure, you can select an entry, then click “online search” to go to sysinfo.org for clues about that entry.

 

By the way, I have ctfmon unticked in startup

 

All the best, woz of oz

[danburrito]

By the way, I have ctfmon unticked in startup

 

I deleted it completely.

[solbjerg]

hi dan

My preference would be to untick it - but I usually don't.

Cheers

solbjerg

p.s. thanks for the info wozofoz :-)

 

I deleted it completely.

[samr]

Hi wozofoz,

cftmon will usually re-appear in startups after a period if it is un-checked. You can remove it by un-installing Alternative User Input with your Office disc (but you may want it if you are using keyboard language switching):

 

http://support.microsoft.com/kb/282599

 

I have done this in the past on some pc's but I usually let it run now.

 

Also found this little tool-cftmon remover, but I haven't tried it.It says you can disable or restore cftmon with it:

 

http://www.technixupdate.com/remove-ctfmonexe-in-windows-with-ctfmon-remover/

 

samr.

[wozofoz]

3 months so far

 

Hi wozofoz,

cftmon will usually re-appear in startups after a period if it is un-checked. You can remove it by un-installing Alternative User Input with your Office disc (but you may want it if you are using keyboard language switching):

 

http://support.microsoft.com/kb/282599

 

I have done this in the past on some pc's but I usually let it run now.

 

Also found this little tool-cftmon remover, but I haven't tried it.It says you can disable or restore cftmon with it:

 

http://www.technixupdate.com/remove-ctfmonexe-in-windows-with-ctfmon-remover/

 

samr.

 

Thanks for the link to the uninstall tool, I will get it just in case

I have no Windows Office or any brand Office software installed

ctfmon has been missing from TaskManager for over 3 months now

But then, it really is no trouble so it's not something I mention to people unless they are looking to really strip down their PC

 

From sysinfo.org

ctfmon (User decides)

Supports multiple languages and alternative method inputs in Windows and MS Office. The language bar is displayed alongside the System Tray if more than one keyboard layout is enabled (for switching input languages) or, for example, if speech is selected as an alternative input for MS Office or Notepad. Required to support advanced text services (such as right to left text) for East Asian users.

Can be disabled via:

Start > Control Panel > Regional and Language Options > Languages > Details > Advanced > System Configuration > Turn Off advanced text services (which also turns off the language bar).

See also HERE and HERE

Can also cause problems with some other programs if left enabled - see HERE for such an example

 

Can be disabled via:

Start > Control Panel > Regional and Language Options > Languages > Details > Advanced > System Configuration > Turn Off advanced text services (which also turns off the language bar).

That is what I did first :smile:

 

By the way, when I was researching ctfmon I was stunned by how many discussions there are about it. Very popular, or maybe that should read, unpopular :wink:

 

Edit: If anyone is interested in the Startup Manager changes I made and Services I changed I have laid it out for some friends in the thread Woz buys a NetBook !

 

All the best, woz of oz

[garybear]

Hi friends

 

You guys are so smart ; you make me sick. I'm just proud to be here.----garybear

[Melvin_Deal]

My tail is already tucked!

 

Aye! I was hasty and trying to walk out the door to drive my neighbor to an appointment. I will not repeat this mistake...

 

Thank you all for being here on this forum!

[solbjerg]

Hi wozofoz

Have you noticed if the text to speech function in Adobe Reader works if the ctfmon is missing or unchecked?

(it works in the reader even if ctfmon is unticked)

Or if Adobe has its own ctfmon?

I have it usually checked for language reasons.

Cheers

solbjerg

 

 

Thanks for the link to the uninstall tool, I will get it just in case

I have no Windows Office or any brand Office software installed

ctfmon has been missing from TaskManager for over 3 months now

But then, it really is no trouble so it's not something I mention to people unless they are looking to really strip down their PC

 

From sysinfo.org

 

 

Can be disabled via:

Start > Control Panel > Regional and Language Options > Languages > Details > Advanced > System Configuration > Turn Off advanced text services (which also turns off the language bar).

That is what I did first :smile:

 

By the way, when I was researching ctfmon I was stunned by how many discussions there are about it. Very popular, or maybe that should read, unpopular :wink:

 

Edit: If anyone is interested in the Startup Manager changes I made and Services I changed I have laid it out for some friends in the thread Woz buys a NetBook !

 

All the best, woz of oz

[wozofoz]

No Adobe

 

I un-installed Adobe Reader and now have FoxIt but in truth I only use that when a website makes me, so I don't know about that.

 

ctfmon is definitely something that most people should leave alone, it asks so little and can be necessary and/or handy to many.

I just don't need it and can re-enable it if I do need it in the future.

 

But then, I have un-installed Fax, shut down PrintSpool and disabled WorkStation which would seem crazy to most people but, again, I just don't need them :wink:

 

All the best, woz of oz

[solbjerg]

Ok wozofoz

Can you read .pdf with foxit then? Small program?

I will check myself if unticking it makes a difference in the text to speech function in Adobe Reader then :-)

(checked; works fine without being checked)

Cheers

solbjerg

p.s. I have now checked it out, it is almost 20 times as light-weight as Adobe Reader, so I have downloaded it too. Thank you!

 

I un-installed Adobe Reader and now have FoxIt but in truth I only use that when a website makes me, so I don't know about that.

 

ctfmon is definitely something that most people should leave alone, it asks so little and can be necessary and/or handy to many.

I just don't need it and can re-enable it if I do need it in the future.

 

But then, I have un-installed Fax, shut down PrintSpool and disabled WorkStation which would seem crazy to most people but, again, I just don't need them :wink:

 

All the best, woz of oz

[wozofoz]

FoxIt for the home

 

For the 'home user' FoxIt PDF Reader (Free) does all that is needed. Read but not edit, save and Plug-ins for FireFox, Opera and IE (I guess)

A tiny 7.2 MB installed.

FoxIt does have a shareware upgrade with more features.

 

My friends who use a PDF Reader for business and research etc need all the features and they say Adobe is still the best :wink:

 

All the best, woz of oz

[danburrito]

My personal favorite pdf reader is PDF XChange Viewer.

[aaa839]

thnaks all help

i try to uninstall theese toolbar for him also he have messenger plus I also uninstall it it no any ad anymore thanks all

cheers