
Help Removing Peerbot

Discussion in 'Malware and Virus Removal Archive' started by Parlaypaulie, 2007/01/23.

  1. 2007/01/23
    Parlaypaulie

    Parlaypaulie Inactive Thread Starter

    Joined:
    2007/01/23
    Messages:
    4
    Likes Received:
    0
    Wow, this thing is nasty. I keep running SpySweeper and it comes back over and over. SS quarantines it and has a location as HKU\S-1-5-21-1390067357-1935655697-19579...\|| ctfmon.exe. I'm pretty sure the ctfmon is an Office XP file, but I'm running Office 2003 now (upgrade), so XP is still installed. I have 3 HDs, with most programs residing on G and Windows 2000 on the C drive. Everything works well after SS quarantines the Peerbot, but when Outlook is open for a few minutes you can hear the file installing itself again. How do I get rid of this thing? HELP!!!!
     
  2. 2007/01/23
    Parlaypaulie

    Parlaypaulie Inactive Thread Starter

    Joined:
    2007/01/23
    Messages:
    4
    Likes Received:
    0
    HJT file

    Logfile of HijackThis v1.99.1
    Scan saved at 12:00:49 PM, on 1/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\Symantec AntiVirus\DefWatch.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Symantec AntiVirus\Rtvscan.exe
    G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\Explorer.EXE
    G:\PROGRA~1\Logitech\iTouch\iTouch.exe
    G:\WINDOWS\Logi_MwX.Exe
    G:\Program Files\QuickTime\qttask.exe
    G:\Program Files\iTunes\iTunesHelper.exe
    G:\WINDOWS\MXOALDR.EXE
    G:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    G:\Program Files\Common Files\Symantec Shared\ccApp.exe
    G:\Program Files\iPod\bin\iPodService.exe
    G:\PROGRA~1\SYMANT~2\VPTray.exe
    G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    G:\oa\oaLaunch.exe
    G:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe
    G:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    G:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    G:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    G:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: WCNetMon Class - {3BE313C3-DAD6-4da6-801D-75860118A0B5} - G:\Program Files\blcorp\WCCSC\WCPStop\wcpstop.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [zBrowser Launcher] G:\PROGRA~1\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [RCHotKey] "G:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [MXO Auto Loader] G:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [MaxtorOneTouch] G:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [SpySweeper] "G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - Global Startup: OALaunch.lnk = G:\oa\oaLaunch.exe
    O4 - Global Startup: RingCentral Call Controller.lnk = G:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe
    O9 - Extra button: High Impact eMail - {670F87A1-88B0-11d4-9030-000021D9C559} - G:\Program Files\KMT Software\High Impact eMail\HIemail.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - g:\program files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - g:\program files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {C4A67F75-88B2-11d4-9030-000021D9C559} - G:\Program Files\KMT Software\High Impact eMail\HIemail.exe
    O9 - Extra 'Tools' menuitem: High Impact eMail - {C4A67F75-88B2-11d4-9030-000021D9C559} - G:\Program Files\KMT Software\High Impact eMail\HIemail.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - G:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - G:\Program Files\IrfanView\Ebay\Ebay.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: G:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124312463532
    O16 - DPF: {8B7D2210-CC81-4F59-A486-4409FB485D4A} (RegConfig Class) - http://www2.verizon.net/help/fios_settings/includes/vzTCPConfig.cab
    O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) - https://service.ringcentral.com/ActiveX/RCAXSetup.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - G:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: NavLogon - G:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - G:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: pcANYWHERE Host Service (awhost32) - Unknown owner - G:\Program Files\pcANYWHERE\awhost32.exe (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - G:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - G:\WINDOWS\system32\pctspk.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec Core LC - Unknown owner - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
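The helper's first pass over a log like the one above is mechanical: find the entries whose file no longer exists, the ones with no name, and the autostart entries that run a bare filename. Here is an added example in Python that does that pass; it is not code from this thread, from HijackThis, or from Webroot. It parses the O2, O4, O20 and O23 line formats seen in the log, and the sample lines embedded in it are copied from the log posted above. The flag names ("file absent", "unnamed", "unqualified path", "unknown owner") are this example's own labels, and a flag is a prompt to look closer, not a verdict.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not HJT code).

Parses O2 (BHO), O4 (autostart), O20 (Winlogon Notify) and O23 (service)
lines and flags the ones a helper would examine first.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: OALaunch.lnk = G:\oa\oaLaunch.exe
O20 - Winlogon Notify: WRNotifier - G:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: pcANYWHERE Host Service (awhost32) - Unknown owner - G:\Program Files\pcANYWHERE\awhost32.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Entry:
    section: str            # HJT section tag, e.g. "O4"
    name: str               # display name, Run value name or service name
    path: str               # program or DLL as HJT printed it (O4: just the executable)
    owner: str = ""         # O23 only: vendor string HJT found on the binary
    flags: List[str] = field(default_factory=list)


# One regex per line shape we understand; dict order is the match order.
_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$"),
    "O4_run": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O4_startup": re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}

ABSENT_MARKERS = ("(no file)", "(file missing)")


def _executable(cmd: str) -> str:
    """Return the program part of an autostart command line, dropping arguments.

    HJT prints quoted paths with a trailing space inside the quotes at times,
    so the quoted part is stripped as well.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].strip() if end > 0 else cmd.strip('"').strip()
    return cmd.split(" ", 1)[0]


def _flag(entry: Entry) -> None:
    """Attach triage flags; each one is a reason to look, not a verdict."""
    low = entry.path.lower()
    if any(marker in low for marker in ABSENT_MARKERS):
        entry.flags.append("file absent")        # orphaned registration
    if entry.name.strip().lower() == "(no name)":
        entry.flags.append("unnamed")
    if entry.section == "O4" and "\\" not in entry.path and "file absent" not in entry.flags:
        entry.flags.append("unqualified path")   # resolved via the search path, not a fixed location
    if entry.owner.strip().lower() == "unknown owner":
        entry.flags.append("unknown owner")      # no vendor info on the service binary


def parse_hjt(text: str) -> List[Entry]:
    """Parse the supported HJT line types into Entry records, flagged."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        for tag, pattern in _PATTERNS.items():
            match = pattern.match(line)
            if not match:
                continue
            section = tag.split("_")[0]
            groups = match.groupdict()
            path = _executable(groups["path"]) if section == "O4" else groups["path"]
            entry = Entry(section, groups["name"], path, groups.get("owner") or "")
            _flag(entry)
            entries.append(entry)
            break
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section:4} {e.name!r:40} {', '.join(e.flags)}")
```

Run on the sample, it surfaces the nameless BHO with no file, the Logitech Run value that names a bare executable, and the pcANYWHERE service whose binary is missing, which lines up with the O2 entry the helper picks out for fixing below. Everything else in the sample passes without a flag; the script is a first sieve for a human reviewer, not a malware detector.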


  4. 2007/01/23
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Is the only thing being found that reg entry? If so, I'd say it's likely to be a false positive. Without knowing the entire key (it's cut off in your post) I can't be 100% positive tho.

    I have a question about an entry which I cannot find any conclusive info about:
    G:\oa\oaLaunch.exe<<<<Do you know what this is? Let me know please.

    The rest of your logfile appears ok, with a few minor, non-malware related entries we can fix using HJT.

    Access your Add or Remove Programs Control Panel by hitting your [Start] button, select Control Panel and click on Add or Remove Programs. Then find the following programs and click the [Change|Remove] button for each, if they are listed. If they are not, continue with the instructions.
    PartyGaming


    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157



    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - g:\program files\PartyGaming\PartyPoker\RunApp.exe

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - g:\program files\PartyGaming\PartyPoker\RunApp.exe



    Search for, and delete, if found, the following files/folders:
    g:\program files\PartyGaming<<<<---this folder
     
  5. 2007/01/24
    Parlaypaulie

    Parlaypaulie Inactive Thread Starter

    Joined:
    2007/01/23
    Messages:
    4
    Likes Received:
    0
    New Log

    Before reading your post I did an ActiveScan as suggested somewhere else; here's that log, with the HJT log to follow. This Peerbot still comes up in SS, and I see where you said it may be a false positive, but when I get it quarantined I have great performance, then when it installs itself the system hangs badly, so I think it's a bug. Anyway, here are the logs, and the oa thing is some updater for AMS Setwrite rating software (insurance stuff). Thanks for any help. ActiveScan found a bunch of stuff in Deleted Items.


    Incident Status Location

    Virus:Trj/Alanchum.OA Disinfected Quadinfo\Deleted Items\Returned mail: see transcript for details\Chinese missile shot down Russian aircraft\Read More.exe
    Virus:Trj/Alanchum.OD Disinfected Quadinfo\Deleted Items\Undelivered Mail Returned to Sender\Sadam Hussein safe and sound!\Read More.exe
    Virus:Trj/Alanchum.OJ Disinfected Quadinfo\Deleted Items\Undelivered Mail Returned to Sender\The Love Bugs\Flash Postcard.exe
    Virus:Trj/Alanchum.OJ Disinfected Quadinfo\Deleted Items\Returned mail: see transcript for details\We Have Walked\Flash Postcard.exe
    Virus:Trj/Alanchum.OJ Disinfected Quadinfo\Deleted Items\Undelivered Mail Returned to Sender\For Better of For Worse\Flash Postcard.exe
    Virus:Trj/Alanchum.OJ Disinfected Quadinfo\Deleted Items\Returned mail: see transcript for details\Love Remains\Greeting Card.exe
    Virus:Trj/Alanchum.OD Disinfected Quadinfo\Deleted Items\Delivery Status Notification (Failure)\Puppy Love\Flash Postcard.exe
    Virus:Trj/Alanchum.OM Disinfected Quadinfo\Deleted Items\Delivery Status Notification (Failure)\Our Love Will Last\Greeting Card.exe
    Virus:Trj/Alanchum.OD Disinfected Quadinfo\Junk E-mail\Delivery Status Notification (Failure)\The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!\Video.exe
    Virus:Trj/Alanchum.OJ Disinfected Quadinfo\Junk E-mail\failure notice\For Better of For Worse\Flash Postcard.exe
    Virus:Trj/Alanchum.OJ Disinfected Quadinfo\Junk E-mail\Delivery Status Notification (Failure)\Russian missle shot down USA satellite\Full News.exe
    Virus:Trj/Alanchum.NX!CME-711 Disinfected Quadinfo\Junk E-mail\Delivery Status Notification (Failure)\You and I Forever\postcard.exe
    Hacktool:Exploit/iFrame Not disinfected Archive Folders\Deleted Items\Mail Delivery (failure neilson@quadinfo.com)

    HJT

    Logfile of HijackThis v1.99.1
    Scan saved at 11:53:14 PM, on 1/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\Symantec AntiVirus\DefWatch.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Symantec AntiVirus\Rtvscan.exe
    G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\System32\svchost.exe
    G:\PROGRA~1\Logitech\iTouch\iTouch.exe
    G:\WINDOWS\Logi_MwX.Exe
    G:\Program Files\QuickTime\qttask.exe
    G:\Program Files\iTunes\iTunesHelper.exe
    G:\WINDOWS\MXOALDR.EXE
    G:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    G:\Program Files\Common Files\Symantec Shared\ccApp.exe
    G:\PROGRA~1\SYMANT~2\VPTray.exe
    G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    G:\Program Files\iPod\bin\iPodService.exe
    G:\oa\oaLaunch.exe
    G:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe
    G:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    G:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
    G:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: WCNetMon Class - {3BE313C3-DAD6-4da6-801D-75860118A0B5} - G:\Program Files\blcorp\WCCSC\WCPStop\wcpstop.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] G:\PROGRA~1\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [RCHotKey] "G:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [MXO Auto Loader] G:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [MaxtorOneTouch] G:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [SpySweeper] "G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - Global Startup: OALaunch.lnk = G:\oa\oaLaunch.exe
    O4 - Global Startup: RingCentral Call Controller.lnk = G:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\WINDOWS\System32\msjava.dll
    O9 - Extra button: High Impact eMail - {670F87A1-88B0-11d4-9030-000021D9C559} - G:\Program Files\KMT Software\High Impact eMail\HIemail.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {C4A67F75-88B2-11d4-9030-000021D9C559} - G:\Program Files\KMT Software\High Impact eMail\HIemail.exe
    O9 - Extra 'Tools' menuitem: High Impact eMail - {C4A67F75-88B2-11d4-9030-000021D9C559} - G:\Program Files\KMT Software\High Impact eMail\HIemail.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - G:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - G:\Program Files\IrfanView\Ebay\Ebay.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: G:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124312463532
    O16 - DPF: {8B7D2210-CC81-4F59-A486-4409FB485D4A} (RegConfig Class) - http://www2.verizon.net/help/fios_settings/includes/vzTCPConfig.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) - https://service.ringcentral.com/ActiveX/RCAXSetup.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - G:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: NavLogon - G:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - G:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: pcANYWHERE Host Service (awhost32) - Unknown owner - G:\Program Files\pcANYWHERE\awhost32.exe (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - G:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - G:\WINDOWS\system32\pctspk.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec Core LC - Unknown owner - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  6. 2007/01/24
    Parlaypaulie

    Parlaypaulie Inactive Thread Starter

    Joined:
    2007/01/23
    Messages:
    4
    Likes Received:
    0
    The entire key

    Is this what you mean?

    HKU\S-1-5-21-1390067357-1935655697-195799488-1033\Software\Microsoft\Windows\CurrentVersion\Run\ || ctfmon.exe
     
  7. 2007/01/24
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, the log is clean and that is a false positive. ctfmon does not have to be running, and you can turn it off by following the instructions on the MS page to disable it. Just be sure you read all the info.

    We have 3 more things to do, mostly maintenance and then our recommendations:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion. It is very rare that anything significant is ever found.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
