Explorer and Cffmon threat found.

Every scan after opening Windows finds the following:

Tracking Cookie - ratbag@atdmt.com/
Worm.Autorun - C:\explorer
Backdoor.trojan - C:\Windows\system32\cffmon.exe

My Automatic updates are turned off and my system restore is off.

avast, even as a boot scan, cannot find the origin of these unsafe files.

The other error that occurs is that on shut down I get 2 cmd.exe errors. After this I have to select shut down a second time to shut down.

ANY HELP OUT THERE?

Check your computer for Malware with

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
After install, click UPDATE and run a quick scan, then click on REMOVE SELECTED to quarantine anything found.

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found, come back and post the scan logs here.

Hi,
Sorry for taking forever… Having a mare. I have managed to damage my registry following online guides! This has prevented me from installing SUPERAntiSpyware.

I also have to mention that Windows Defender fails to work; it will not start, even after an uninstall and re-install. Additionally, the prime child culprit’s account is no longer visible on the start-up screen. I can log on using Ctrl-Alt-Del though.

I ran the malware, the file log is as follows:
Malwarebytes’ Anti-Malware 1.44
Database version: 3826
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

05/03/2010 19:19:56
mbam-log-2010-03-05 (19-19-56).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 263010
Time elapsed: 23 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\explorer.exe (Worm.AutoRun) → Quarantined and deleted successfully.
C:\WINDOWS\system32\cffmon.exe (Backdoor.Bot) → Quarantined and deleted successfully.

I also ran IObit Security 360, the log is as follows.

OS:Windows XP
Version:1.4.0.11
Define Version:1333
Time Elapsed:00:01:43
Objects Scanned:47054
Threats Found:3

|Name|Type|Description|ID|
|Tracking Cookies|Cookies|Cookie:ratbag@atdmt.com/|7-1543|
|Worm.AutoRun|File|C:\Explorer.exe|4-3041|
|Backdoor.Trojan|File|C:\WINDOWS\system32\cffmon.exe|4-5575|

These are the same files every time; I cannot locate the originator of these files.

Thanks for being patient.

I also ran IObit Security 360, the log is as follows.

IObit info
http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217

There is also a tool for removal of IObit software: Bitremover 1.3.
You will find it on the right side of the page:
http://uninstallers.blogspot.com/

Follow this guide from Essexboy and post the OTL log here:
http://forum.avast.com/index.php?topic=53253.0

Maybe the ctfmon.exe got infected…