Malwarebytes

PC Infected - Internet Almost Completely Disabled

49 replies to this topic

#1
hyebba

First - THANK YOU GUYS FOR DOING WHAT YOU DO!!!! ;)

Beginning a few days ago, my computer started running slower and it has steadily progressed to where the internet is at a crawl. (servers reset in Firefox, pages won't load, pretty well worthless) I pretty much cannot use my computer.

Brand new hard drive installed a month ago.
Running XP, no MS Office products at all (but the ctfmon.exe service is running)
Adobe forced an update a few days ago.
Installed Microsoft Security Essentials last week (problems began shortly after)
Have free version of AVG anti virus (installed with new hard drive, ran problem free)
CPU has been all over the place. Was staying high (over 80%), then changed to staying at 0% regardless of activity being attempted, with little spikes every now and then.
Automatic updater shows that it is on in control panel, but no icon anymore in tray and it hasn't been updating.

Here are my files:
MBAM Log:
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/2/2009 9:54:27 PM
mbam-log-2009-11-02 (21-54-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 146157
Time elapsed: 38 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\heather\My Documents\Downloads\SmileyCentralSetup2.3.50.53.ZSfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.


HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:34 PM, on 11/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PDFtypewriter\Printer\PDFtypewriter_Printer_Monitor.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [PDFtypewriterPrinterMonitor] "C:\Program Files\PDFtypewriter\Printer\PDFtypewriterMonitorStart.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9771 bytes
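A helper reading a HijackThis log starts by picking out orphaned and oddly placed entries. The following is an added example for that triage, not code from the thread or from HijackThis itself: it parses the R/O line formats shown above and flags entries that point at files which no longer exist, at binaries under a user's Temp directory, or at services with no recorded publisher. The sample lines are copied from the log above; the flags are leads for a human reviewer, not verdicts.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example, not part of the forum thread and not HijackThis code. It
parses the R/O line formats seen in the log above and flags the entries a
helper looks at first: orphaned entries whose file is gone, autoruns or
services whose binary lives under a Temp directory, and services with no
recorded publisher. Flags are leads for a human, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HJT log posted above (raw string,
# so the Windows backslashes are literal).
SAMPLE_LOG = r"""
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
"""

SECTION_RE = re.compile(r"[RO]\d+")
O4_TARGET_RE = re.compile(r"\[[^\]]*\]\s*(.*)$")   # text after the [Name] bracket


@dataclass
class Entry:
    section: str                 # HJT section code, e.g. "O2" or "O23"
    detail: str                  # everything after "<section> - "
    path: str                    # file the entry points at ("" if none)
    flags: list = field(default_factory=list)


def _o4_target(rest: str) -> str:
    """Extract the executable from an O4 value: quoted path, or first token."""
    m = O4_TARGET_RE.search(rest)
    value = m.group(1).strip() if m else rest.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def parse_line(line: str):
    """Parse one HJT line; return an Entry, or None for non-entry lines."""
    line = line.rstrip()
    if " - " not in line:
        return None
    section, detail = line.split(" - ", 1)
    if not SECTION_RE.fullmatch(section):
        return None
    if section == "O4":
        path = _o4_target(detail)
    else:
        # R3/O2/O3/O23 lines end with " - <path>"; R0/R1 URL lines have none
        parts = detail.rsplit(" - ", 1)
        path = parts[1] if len(parts) == 2 else ""
    return Entry(section, detail, path)


def triage(entry: Entry) -> Entry:
    """Attach plain-language flags; an empty list means nothing notable."""
    low = entry.path.lower()
    if entry.path == "(no file)" or low.endswith("(file missing)"):
        entry.flags.append("orphaned: registered file no longer exists")
    if "\\temp\\" in low:
        entry.flags.append("binary located under a Temp directory")
    if entry.section == "O23" and "Unknown owner" in entry.detail:
        entry.flags.append("service has no recorded publisher")
    return entry


def triage_log(text: str):
    """Parse every line of an HJT log and return only the flagged entries."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section:<4} {e.path}")
        for f in e.flags:
            print(f"       - {f}")
```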

#2
IndiGenus

Hello hyebba and welcome to the forums here at MalwareBytes.

The problem is likely due to having 2 AntiVirus programs running. You should never have more than one AV or Firewall running at a time as it can cause conflicts, errors, false positives, and (your problem) system slowdown.

I would suggest you uninstall one of the AntiVirus products and see if that gets you back to running better.

Let me know how you make out.
IndiGenus

#3
hyebba


IndiGenus, on Nov 3 2009, 01:47 PM, said:

Hello hyebba and welcome to the forums here at MalwareBytes.

The problem is likely due to having 2 AntiVirus programs running. You should never have more than one AV or Firewall running at a time as it can cause conflicts, errors, false positives, and (your problem) system slowdown.

I would suggest you uninstall one of the AntiVirus products and see if that gets you back to running better.

Let me know how you make out.

I typically don't have two running, but was trying either one to find the virus. I have since uninstalled MS Essentials and the problems are still very bad. I use Firefox and I can hardly get to sites at all now... it took over 5 minutes to get back here. So I still need the same help, and I'm worried my computer will completely crash soon (it's getting worse by the minute).

#4
hyebba


hyebba, on Nov 3 2009, 01:53 PM, said:

I typically don't have two running, but was trying either one to find the virus. I have since uninstalled MS Essentials and the problems are still very bad. I use Firefox and I can hardly get to sites at all now... it took over 5 minutes to get back here. So I still need the same help, and I'm worried my computer will completely crash soon (it's getting worse by the minute).


IndiGenus:

Hello!

Did a bit more digging around and found a couple of things.

I lost all ability to connect to the internet, so on a chance I disabled the ctfmon.exe service that was running (I have no MS Office products on my computer). I am now able to get back online and it has been pretty problem free so far, but we'll see.

Also, found a file in my Application Data folder titled com.adobe.share.prefs.sol and a folder name that just didn't seem right, in a different location than the other Adobe files and folders.

My Windows Updater folder is completely empty... and as I had said, it has not been running updates (obviously, there are no files anymore).

I don't know if any of that will help us steer in the right direction, just wanted to make sure I told you everything that's catching my eye.

thanks for helping me with this....I really appreciate it.

Heather

#5
IndiGenus

Hi Heather,

Let's get a closer look at things.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

IndiGenus

#6
hyebba


IndiGenus, on Nov 4 2009, 03:55 PM, said:

Hi Heather,

Let's get a closer look at things.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Thanks Indi!

DDS.txt

DDS (Ver_09-06-26.01) - NTFSx86
Run by heather at 11:04:03.15 on Thu 11/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.240 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\PDFtypewriter\Printer\PDFtypewriter_Printer_Monitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\heather\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
mRun: [dlcdmon.exe] "c:\program files\dell photo aio printer 944\dlcdmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 944\memcard.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PDFtypewriterPrinterMonitor] "c:\program files\pdftypewriter\printer\PDFtypewriterMonitorStart.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\heather\applic~1\mozilla\firefox\profiles\yk9s5gim.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-14 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-14 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-14 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-14 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-14 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-6 54752]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\heather\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
S4 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]

=============== Created Last 30 ================

2009-11-02 21:59 <DIR> --d----- c:\program files\Trend Micro
2009-11-02 21:03 <DIR> --d----- c:\docume~1\heather\applic~1\Malwarebytes
2009-11-02 21:03 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 21:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-02 21:03 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-02 21:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 21:01 <DIR> --d----- c:\windows\system32\NtmsData
2009-11-02 14:00 <DIR> --d----- c:\docume~1\heather\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-11-02 13:32 90,920 a------- c:\windows\system32\custmon32.dll
2009-11-02 13:32 <DIR> --d----- c:\windows\SigPlus
2009-11-02 13:31 <DIR> --d----- c:\program files\PDFtypewriter
2009-11-02 13:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CTdeveloping
2009-11-02 13:31 <DIR> --d----- c:\docume~1\heather\applic~1\CTdeveloping
2009-11-02 02:03 <DIR> --d----- C:\b2725bb553b499d6447c88
2009-11-01 02:09 <DIR> --d----- C:\5126b90f2e82c1cd141e
2009-10-31 10:35 <DIR> --d----- C:\296e633a8c10b8dcb748
2009-10-30 01:09 <DIR> --d----- C:\1b00fa8af810194faf851e21
2009-10-29 10:20 202,072 a----r-- c:\windows\system32\cpnprt2.cid
2009-10-29 10:20 <DIR> --d----- c:\windows\Cache
2009-10-29 10:20 <DIR> --d----- c:\program files\Coupons
2009-10-29 00:43 <DIR> --d----- C:\9d870a4543eaffdbe4a428035ec5
2009-10-28 07:55 <DIR> --d----- C:\05a1236ff083f0fba998c1c871f5
2009-10-27 13:16 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-10-27 13:12 <DIR> --d----- c:\windows\system32\LogFiles
2009-10-23 07:50 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-20 09:11 1,151 a------- c:\windows\wpo.ini
2009-10-20 09:08 <DIR> --d----- c:\program files\PinderSoft
2009-10-20 08:43 132,880 a------- c:\windows\system32\MSINET.OCX
2009-10-09 13:16 <DIR> --d----- c:\program files\Kelly Martens
2009-10-07 18:14 <DIR> --d----- c:\docume~1\heather\applic~1\Uniblue
2009-10-07 11:08 2,947,368 a------- c:\windows\system32\CT_imagelibrary.ocx
2009-10-07 11:08 41,768 a------- c:\windows\system32\PDFtypewriter_AddIn.dll
2009-10-07 11:08 1,825,064 a------- c:\windows\system32\QuickPDFAX0716.dll
2009-10-07 11:08 45,864 a------- c:\windows\system32\CT_xmlparser.dll
2009-10-07 11:08 2,063,656 a------- c:\windows\system32\CT_docengine.ocx
2009-10-07 11:08 299,816 a------- c:\windows\system32\CT_twain.dll
2009-10-07 02:09 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-10-07 02:04 117,760 -------- c:\windows\system32\prntvpt.dll
2009-10-07 02:04 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-10-07 02:04 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 02:04 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-07 02:04 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-07 02:04 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-10-07 02:04 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-10-07 02:04 <DIR> --d----- C:\6c2f0c95b67eb92ecf7f13e056

==================== Find3M ====================

2009-09-15 23:59 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-14 20:22 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-14 20:22 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-14 20:21 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-14 14:03 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-09-14 13:16 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 03:08 916,480 a------- c:\windows\system32\wininet.dll
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll

============= FINISH: 11:04:13.21 ===============

ATTCH.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/14/2009 2:20:59 PM
System Uptime: 11/4/2009 4:52:35 AM (31 hours ago)

Motherboard: Dell Inc. | | 0JC474
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 282.531 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 9/14/2009 2:29:08 PM - System Checkpoint
RP2: 9/14/2009 2:57:46 PM - Installed Windows XP Service Pack 3.
RP3: 9/14/2009 3:14:31 PM - Installed ATI Parental Control
RP4: 9/14/2009 3:16:23 PM - Installed SigmaTel Audio
RP5: 9/14/2009 8:54:05 PM - Software Distribution Service 3.0
RP6: 9/14/2009 9:00:07 PM - Software Distribution Service 3.0
RP7: 9/14/2009 9:13:52 PM - Installed Windows XP WgaNotify.
RP8: 9/14/2009 9:21:34 PM - Installed AVG Free 8.5
RP9: 9/15/2009 8:14:27 AM - Avg8 Update
RP10: 9/16/2009 12:50:15 AM - Installed Java™ 6 Update 15
RP11: 9/16/2009 12:59:11 AM - Removed Java™ 6 Update 15
RP12: 9/16/2009 12:59:30 AM - Installed Java™ 6 Update 16
RP13: 9/16/2009 12:59:51 AM - Installed OpenOffice.org 3.1
RP14: 9/16/2009 3:00:13 AM - Software Distribution Service 3.0
RP15: 9/17/2009 3:10:11 AM - System Checkpoint
RP16: 9/18/2009 4:10:11 AM - System Checkpoint
RP17: 9/18/2009 5:13:09 PM - Installed Adobe Reader 9.1.
RP18: 9/20/2009 1:45:36 AM - System Checkpoint
RP19: 9/21/2009 3:01:00 PM - System Checkpoint
RP20: 9/22/2009 9:01:59 AM - Installed DirectX
RP21: 9/23/2009 3:00:15 AM - Software Distribution Service 3.0
RP22: 9/23/2009 11:10:19 AM - Installed Windows Media Player 11
RP23: 9/23/2009 9:13:58 PM - Software Distribution Service 3.0
RP24: 9/24/2009 9:03:15 AM - Installed NetWaiting
RP25: 9/24/2009 9:21:19 AM - Installed Windows KB954550-v5.
RP26: 9/24/2009 9:21:28 AM - Printer Driver Microsoft XPS Document Writer Installed
RP27: 9/24/2009 9:21:36 AM - Printer Driver Microsoft XPS Document Writer Installed
RP28: 9/24/2009 9:26:25 AM - Software Distribution Service 3.0
RP29: 9/24/2009 11:13:52 AM - Restore Operation
RP30: 9/24/2009 11:19:59 AM - Software Distribution Service 3.0
RP31: 9/25/2009 12:39:50 PM - System Checkpoint
RP32: 9/26/2009 4:06:03 PM - System Checkpoint
RP33: 9/27/2009 4:20:13 PM - System Checkpoint
RP34: 9/28/2009 8:47:43 PM - System Checkpoint
RP35: 9/30/2009 8:35:57 AM - System Checkpoint
RP36: 10/1/2009 4:01:14 PM - System Checkpoint
RP37: 10/2/2009 7:09:56 PM - System Checkpoint
RP38: 10/4/2009 1:27:15 AM - System Checkpoint
RP39: 10/5/2009 6:23:20 AM - System Checkpoint
RP40: 10/5/2009 8:14:13 AM - Avg8 Update
RP41: 10/5/2009 8:14:53 AM - Avg8 Update
RP42: 10/6/2009 8:25:02 AM - System Checkpoint
RP43: 10/6/2009 8:47:22 AM - Installed Windows XP KB954708.
RP44: 10/6/2009 8:47:45 AM - Installed DirectX
RP45: 10/7/2009 3:00:14 AM - Software Distribution Service 3.0
RP46: 10/7/2009 9:05:10 AM - Avg8 Update
RP47: 10/7/2009 7:19:18 PM - Software Distribution Service 3.0
RP48: 10/9/2009 1:56:22 AM - System Checkpoint
RP49: 10/9/2009 2:11:49 PM - Installed Polaroid Picture v1.7
RP50: 10/9/2009 2:12:11 PM - Installed Windows Live Writer Blog This for Mozilla Firefox
RP51: 10/9/2009 2:16:10 PM - Installed TagCreator for Windows Live Writer
RP52: 10/10/2009 3:33:42 PM - System Checkpoint
RP53: 10/12/2009 1:06:33 AM - System Checkpoint
RP54: 10/13/2009 1:15:36 AM - System Checkpoint
RP55: 10/14/2009 6:31:05 AM - System Checkpoint
RP56: 10/15/2009 3:00:15 AM - Software Distribution Service 3.0
RP57: 10/16/2009 3:16:03 PM - System Checkpoint
RP58: 10/17/2009 9:40:16 AM - Avg8 Update
RP59: 10/18/2009 10:50:09 PM - System Checkpoint
RP60: 10/20/2009 12:52:15 AM - System Checkpoint
RP61: 10/20/2009 10:08:28 AM - Installed Writers Project Organizer
RP62: 10/21/2009 9:40:15 AM - Avg8 Update
RP63: 10/22/2009 10:32:49 AM - System Checkpoint
RP64: 10/23/2009 8:50:03 AM - Software Distribution Service 3.0
RP65: 10/23/2009 11:34:37 AM - Microsoft Antimalware Checkpoint
RP66: 10/24/2009 2:29:39 AM - Software Distribution Service 3.0
RP67: 10/25/2009 4:26:02 PM - System Checkpoint
RP68: 10/26/2009 8:54:32 AM - Software Distribution Service 3.0
RP69: 10/27/2009 2:10:02 PM - Installed Windows Media Player 11
RP70: 10/27/2009 2:10:58 PM - Software Distribution Service 3.0
RP71: 10/28/2009 3:00:22 AM - Software Distribution Service 3.0
RP72: 10/28/2009 8:55:22 AM - Software Distribution Service 3.0
RP73: 10/29/2009 1:43:21 AM - Software Distribution Service 3.0
RP74: 10/29/2009 3:51:19 AM - Microsoft Antimalware Checkpoint
RP75: 10/29/2009 10:55:16 AM - Software Distribution Service 3.0
RP76: 10/30/2009 2:09:03 AM - Software Distribution Service 3.0
RP77: 10/30/2009 11:34:27 AM - Software Distribution Service 3.0
RP78: 10/31/2009 11:35:13 AM - Software Distribution Service 3.0
RP79: 11/1/2009 3:09:04 AM - Software Distribution Service 3.0
RP80: 11/2/2009 3:03:22 AM - Software Distribution Service 3.0
RP81: 11/2/2009 2:31:50 PM - Installed PDFtypewriter with PDF Printer Driver
RP82: 11/2/2009 2:32:23 PM - Printer Driver CUSTPDF Writer Installed
RP83: 11/3/2009 9:25:36 AM - Avg8 Update
RP84: 11/4/2009 4:00:14 AM - Software Distribution Service 3.0
RP85: 11/5/2009 4:56:55 AM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
ATI - Software Uninstall Utility
ATI Parental Control
AVG Free 8.5
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
Dell Photo AIO Printer 944
DirectXInstallService
ERUNT 1.1j
FileZilla Client 3.2.8.1
GIMP 2.6.7
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java™ 6 Update 16
Java™ SE Runtime Environment 6 Update 1
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.4)
MSN
MSVCRT
MSXML 4.0 SP2 (KB954430)
Nvu 1.0PR
OpenOffice.org 3.1
PDFtypewriter Printer Driver
PDFtypewriter with PDF Printer Driver
Polaroid Picture v1.7
Powerbullet Presenter 1.44
Roxio Activation Module
Roxio CinePlayer Decoder Pack
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Premier
Roxio Creator Premier 10
Roxio Creator Tools
Roxio Express Labeler
Roxio Update Manager
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
SigmaTel Audio
Sonar2
Spelling Dictionaries Support For Adobe Reader 9
TagCreator for Windows Live Writer
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Essentials
Windows Live Family Safety
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Live Writer Blog This for Mozilla Firefox
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Writers Project Organizer
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

11/3/2009 9:12:26 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
11/1/2009 10:53:41 PM, error: Service Control Manager [7034] - The AVG Free8 E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
10/31/2009 2:09:19 AM, error: Microsoft Antimalware [2001] -
10/31/2009 12:43:18 PM, error: Dhcp [1002] - The IP address lease 192.168.251.199 for the Network Card with network address 00167636F2DA has been denied by the DHCP server 192.168.251.1 (The DHCP Server sent a DHCPNACK message).
10/29/2009 11:28:34 AM, error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.

==== End Of File ===========================


Thank you for your help!

#7
IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA
So, now that you have uninstalled the MS security essentials program how's it running?
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then [donation link]

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

#8
hyebba

    Regular Member

  • Honorary Members
  • 56 posts

IndiGenus, on Nov 5 2009, 06:15 PM, said:

So, now that you have uninstalled the MS security essentials program how's it running?


Hi Indi,

It is definitely a virus. There was no change after removing MS Essentials. The problems continued to get worse (with Firefox always being redirected, etc.), so I disabled the ctfmon.exe service that was running and now I can search the internet just fine. But I know I have to get that off of the computer because when I reboot the service restarts and the problems start again.

Below is my earlier post:

I lost all ability to connect to the internet, so on a chance I disabled the ctfmon.exe service that was running (I have no MS Office products on my computer). I am now able to get back online and it has been pretty problem free so far, but we'll see.

Also, found a file in my Application Data folder titled com.adobe.share.prefs.sol and a folder name that just didn't seem right and in a different location than the other Adobe files and folders.

My Windows Updater folder is completely empty... and as I had said, it has not been running updates (obviously, there are no files anymore).
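Two observations in this thread are the kind of thing an analyst turns into rules rather than eyeballing: the DDS services section earlier shows an autostart (S2) service, SessionLauncher, whose binary sits under the user's Local Settings\Temp folder and carries a "[?]" marker, and the Event Viewer extract has a Service Control Manager 7000 event for that same service failing to start; this post adds a ctfmon.exe process that should not be there on a box without Office. The block below is an added example, not code from the thread, from DDS, or from Malwarebytes. It parses DDS-style service lines and flags binaries under temp directories, binaries DDS could not find on disk (my reading of the "[?]" suffix), and well-known system binary names running outside their normal directory, then correlates with 7000 events. The sample log is constructed from the service and event lines quoted above plus one hypothetical ctfmon line (the thread never states the path the bad ctfmon loaded from).

```python
"""Rule-based triage of DDS-style service lines (added example; not part of the thread)."""
import re
from pathlib import PureWindowsPath

# DDS prints each service as "<start> <name>;<display>;<path> [<date> <size>]".
# "a --> b" shows the raw ImagePath and the path DDS resolved it to; a trailing
# "[?]" is read here as "DDS could not find the binary on disk".
SERVICE_RE = re.compile(r'^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
# Service Control Manager event 7000 as DDS copies it from the Event Log.
FAILED_START_RE = re.compile(r'The (?P<name>\S+) service failed to start')

START_TYPES = {'0': 'boot', '1': 'system', '2': 'auto', '3': 'manual', '4': 'disabled'}
TEMP_MARKERS = ('\\temp\\', '\\temporary internet files\\')
# System binaries that malware likes to impersonate by name, with the directory
# the genuine copy lives in on XP.
EXPECTED_DIR = {'ctfmon.exe': 'c:\\windows\\system32'}


def parse_service_line(line):
    """Return a dict for a DDS service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest').strip()
    missing = rest.endswith('[?]')
    # Take the resolved path (right of "-->" if present) and drop the "[...]" suffix.
    path = re.sub(r'\s*\[[^\]]*\]$', '', rest.split('-->')[-1].strip())
    return {
        'name': m.group('name'),
        'start': START_TYPES[m.group('start')[1]],
        'path': path,
        'missing': missing,
    }


def assess_service(svc):
    """List the reasons an analyst would look twice at this service."""
    reasons = []
    low = svc['path'].lower()
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append('binary lives under a temp directory')
    if svc['missing']:
        reasons.append('binary not found on disk ([?])')
    exe = PureWindowsPath(low).name
    expected = EXPECTED_DIR.get(exe)
    if expected and str(PureWindowsPath(low).parent) != expected:
        reasons.append(f'{exe} outside {expected}')
    return reasons


def triage(log_text):
    """Map service name -> {start, path, reasons} for every flagged service."""
    findings, failed = {}, set()
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc:
            reasons = assess_service(svc)
            if reasons:
                findings[svc['name']] = {'start': svc['start'], 'path': svc['path'], 'reasons': reasons}
            continue
        m = FAILED_START_RE.search(line)
        if m:
            failed.add(m.group('name'))
    # Correlate: a flagged service that SCM could not start is typically a leftover
    # autostart whose payload has already been removed or renamed.
    for name in failed.intersection(findings):
        findings[name]['reasons'].append('Service Control Manager 7000: failed to start')
    return findings


# Constructed sample: the service and event lines quoted from the DDS log in this
# thread, plus one hypothetical ctfmon line (its path is invented for the example).
SAMPLE_LOG = r"""
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\heather\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S4 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 ctfmon;ctfmon;c:\docume~1\heather\applic~1\ctfmon.exe [2009-11-01 45056]
10/29/2009 11:28:34 AM, error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.
"""

if __name__ == '__main__':
    for name, info in triage(SAMPLE_LOG).items():
        print(f"{name} ({info['start']}): {info['path']}")
        for reason in info['reasons']:
            print(f"    - {reason}")
```

Run against the sample, SessionLauncher collects all three reasons (temp directory, missing binary, failed start), the hypothetical ctfmon entry is flagged for running outside c:\windows\system32, and the Roxio and SeaPort services pass. The rootrepeal.sys driver is also flagged for "[?]": that is the scanner's own driver, which is a reminder that these flags are leads for the analyst to read in context, not verdicts.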

#9
IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA
Let's get a rootkit scan here.

  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#10
hyebba

    Regular Member

  • Honorary Members
  • 56 posts

IndiGenus, on Nov 6 2009, 12:58 PM, said:

Let's get a rootkit scan here. [...]


Hi IndiGenus!! Thank you again for assisting with this! Below is the RootRepeal report, as requested.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/06 19:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAB72000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B10000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA99CB000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\4c072de7-a74f-4e5c-bee6-71fa531a3f93
Status: Locked to the Windows API!

==EOF==

#11
IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA
Nothing there... I see where the bad ctfmon process is getting loaded, but I still think we may have a rootkit hiding here.

Let's get out the big gun.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated DDS log and let me know how it's running.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#12
hyebba

    Regular Member

  • Honorary Members
  • 56 posts

IndiGenus, on Nov 6 2009, 09:42 PM, said:

Nothing there... I see where the bad ctfmon process is getting loaded, but I still think we may have a rootkit hiding here.

Let's get out the big gun. [...]


Hiya IndiGenus!! As requested... here is the ComboFix log.
THANK YOU!!! :) (and thanks for not being too afraid to pull out the big guns for us! ha ha)

ComboFix 09-11-06.03 - heather 11/07/2009 1:23.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.306 [GMT -5:00]
Running from: c:\documents and settings\heather\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx

.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-04 02:18 . 2009-11-04 02:18 -------- d-----w- c:\program files\ERUNT
2009-11-03 02:59 . 2009-11-03 02:59 -------- d-----w- c:\program files\Trend Micro
2009-11-03 02:03 . 2009-11-03 02:03 -------- d-----w- c:\documents and settings\heather\Application Data\Malwarebytes
2009-11-03 02:03 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 02:03 . 2009-11-03 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-03 02:03 . 2009-11-03 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 02:03 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 02:01 . 2009-11-03 02:56 -------- d-----w- c:\windows\system32\NtmsData
2009-11-02 19:00 . 2009-11-02 19:00 -------- d-----w- c:\documents and settings\heather\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-11-02 18:32 . 2009-10-07 16:08 90920 ----a-w- c:\windows\system32\custmon32.dll
2009-11-02 18:32 . 2009-11-02 18:32 -------- d-----w- c:\windows\SigPlus
2009-11-02 18:31 . 2009-11-02 18:32 -------- d-----w- c:\program files\PDFtypewriter
2009-11-02 18:31 . 2009-11-02 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\CTdeveloping
2009-11-02 18:31 . 2009-11-02 18:31 -------- d-----w- c:\documents and settings\heather\Application Data\CTdeveloping
2009-11-02 07:03 . 2009-11-02 07:03 -------- d-----w- C:\b2725bb553b499d6447c88
2009-11-01 07:09 . 2009-11-01 07:09 -------- d-----w- C:\5126b90f2e82c1cd141e
2009-10-31 16:56 . 2008-04-14 09:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-10-31 15:35 . 2009-10-31 15:36 -------- d-----w- C:\296e633a8c10b8dcb748
2009-10-30 06:09 . 2009-10-30 06:09 -------- d-----w- C:\1b00fa8af810194faf851e21
2009-10-29 15:20 . 2009-10-29 15:20 -------- d-----w- c:\windows\Cache
2009-10-29 15:20 . 2009-10-29 15:20 -------- d-----w- c:\program files\Coupons
2009-10-29 05:43 . 2009-10-29 05:43 -------- d-----w- C:\9d870a4543eaffdbe4a428035ec5
2009-10-28 12:55 . 2009-10-28 12:55 -------- d-----w- C:\05a1236ff083f0fba998c1c871f5
2009-10-27 18:16 . 2009-10-27 18:16 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-27 18:12 . 2009-10-27 18:14 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-10-27 18:12 . 2009-10-27 18:12 -------- d-----w- c:\windows\system32\LogFiles
2009-10-23 12:50 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-20 14:08 . 2009-10-20 14:08 -------- d-----w- c:\program files\PinderSoft
2009-10-17 13:40 . 2009-10-17 13:40 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-16 17:14 . 2009-10-16 17:14 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-13 12:28 . 2009-11-05 20:19 -------- d-----w- c:\documents and settings\heather\Application Data\FileZilla
2009-10-09 18:16 . 2009-10-09 18:16 -------- d-----w- c:\program files\Kelly Martens

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 19:47 . 2009-09-16 05:02 1 ----a-w- c:\documents and settings\heather\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-05 17:35 . 2009-09-28 21:09 -------- d-----w- c:\documents and settings\heather\Application Data\gtk-2.0
2009-11-04 21:16 . 2009-10-04 14:43 -------- d-----w- c:\program files\Dl_cats
2009-11-04 02:16 . 2009-09-15 17:44 -------- d-----w- c:\documents and settings\heather\Application Data\MP3Rocket
2009-10-28 14:48 . 2009-09-24 13:30 34256 ----a-w- c:\documents and settings\heather\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-28 06:52 . 2009-09-18 21:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-21 13:40 . 2009-11-06 13:50 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-07 23:14 . 2009-10-07 23:14 -------- d-----w- c:\documents and settings\heather\Application Data\Uniblue
2009-10-07 16:08 . 2009-10-07 16:08 41768 ----a-w- c:\windows\system32\PDFtypewriter_AddIn.dll
2009-10-07 16:08 . 2009-10-07 16:08 1825064 ----a-w- c:\windows\system32\QuickPDFAX0716.dll
2009-10-07 16:08 . 2009-10-07 16:08 45864 ----a-w- c:\windows\system32\CT_xmlparser.dll
2009-10-07 16:08 . 2009-10-07 16:08 299816 ----a-w- c:\windows\system32\CT_twain.dll
2009-10-07 07:15 . 2009-10-06 12:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-06 14:28 . 2009-10-06 14:25 -------- d-----w- c:\documents and settings\heather\Application Data\Windows Live Writer
2009-10-06 13:03 . 2009-10-04 14:41 -------- d-----w- c:\program files\Dell Photo AIO Printer 944
2009-10-06 12:52 . 2009-10-06 12:45 -------- d-----w- c:\program files\Windows Live
2009-10-06 12:48 . 2009-10-06 12:48 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-10-06 12:47 . 2009-10-06 12:47 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-06 12:46 . 2009-10-06 12:46 -------- d-----w- c:\program files\Microsoft
2009-10-06 12:45 . 2009-10-06 12:45 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-06 12:41 . 2009-10-06 12:41 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-04 15:06 . 2009-10-04 15:06 25214 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}\ARPPRODUCTICON.exe
2009-10-04 15:05 . 2009-10-04 15:05 -------- d-----w- c:\documents and settings\heather\Application Data\Jasc Software Inc
2009-10-04 15:05 . 2009-10-04 15:04 -------- d-----w- c:\program files\Jasc Software Inc
2009-10-04 15:05 . 2009-10-04 15:05 4710 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut3_4192EAC06B364723B216D0E86E7757AC.exe
2009-10-04 15:05 . 2009-10-04 15:05 22486 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut5_4192EAC06B364723B216D0E86E7757AC.exe
2009-10-04 15:05 . 2009-10-04 15:05 22486 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\ARPPRODUCTICON.exe
2009-10-04 15:04 . 2009-10-04 15:04 -------- d-----w- c:\program files\Common Files\Jasc Software Inc
2009-10-04 15:03 . 2009-10-04 15:03 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-09-28 22:52 . 2009-09-28 20:53 -------- d-----w- c:\documents and settings\heather\Application Data\Nvu
2009-09-28 20:53 . 2009-09-28 20:53 -------- d-----w- c:\program files\Nvu
2009-09-24 15:20 . 2009-09-24 15:20 -------- d-----w- c:\program files\MSXML 4.0
2009-09-24 15:15 . 2009-09-24 13:03 -------- d-----w- c:\program files\NetWaiting
2009-09-24 15:15 . 2009-09-24 15:15 -------- d-----w- c:\program files\CONEXANT
2009-09-24 13:21 . 2009-09-24 13:21 -------- d-----w- c:\program files\MSBuild
2009-09-24 13:21 . 2009-09-24 13:21 -------- d-----w- c:\program files\Reference Assemblies
2009-09-24 13:03 . 2009-09-14 19:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-24 01:15 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-22 13:18 . 2009-09-22 13:18 -------- d-----w- c:\documents and settings\heather\Application Data\Roxio
2009-09-22 13:11 . 2009-09-22 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall
2009-09-22 13:11 . 2009-09-22 13:02 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-09-22 13:11 . 2009-09-22 13:02 -------- d-----w- c:\program files\Roxio
2009-09-22 13:09 . 2009-09-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-09-22 13:07 . 2009-09-22 13:02 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-09-22 13:05 . 2009-09-22 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-09-22 13:03 . 2009-09-22 13:03 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-09-22 13:02 . 2009-09-22 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-09-22 13:02 . 2009-09-14 19:14 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-22 13:01 . 2009-09-22 13:01 10134 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe
2009-09-20 14:38 . 2009-09-18 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\heather\Application Data\Yahoo!
2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\program files\Yahoo!
2009-09-18 21:12 . 2009-09-18 21:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-18 21:11 . 2009-09-18 21:11 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-09-16 21:58 . 2009-09-16 21:58 -------- d-----w- c:\program files\Powerbullet
2009-09-16 05:21 . 2009-09-16 05:21 -------- d-----w- c:\program files\GIMP-2.0
2009-09-16 05:01 . 2009-09-16 05:01 -------- d-----w- c:\documents and settings\heather\Application Data\OpenOffice.org
2009-09-16 05:00 . 2009-09-16 05:00 -------- d-----w- c:\program files\JRE
2009-09-16 05:00 . 2009-09-16 04:59 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-16 04:59 . 2009-09-16 04:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-16 04:59 . 2009-09-15 17:45 -------- d-----w- c:\program files\Java
2009-09-16 04:49 . 2009-09-16 04:49 152576 ----a-w- c:\documents and settings\heather\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-15 17:45 . 2009-09-15 17:45 -------- d-----w- c:\program files\Common Files\Java
2009-09-15 01:30 . 2009-09-15 01:30 0 ----a-w- c:\windows\nsreg.dat
2009-09-15 01:26 . 2009-09-15 01:25 -------- d-----w- c:\program files\Google
2009-09-15 01:23 . 2009-09-15 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-15 01:22 . 2009-09-15 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-15 01:22 . 2009-09-15 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-15 01:21 . 2009-09-15 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-15 01:21 . 2009-09-15 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-15 01:21 . 2009-09-15 01:21 -------- d-----w- c:\program files\AVG
2009-09-15 01:21 . 2009-09-15 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-15 01:15 . 2009-09-15 01:15 -------- d-----w- c:\documents and settings\heather\Application Data\AVG8
2009-09-14 19:16 . 2009-09-14 19:16 -------- d-----w- c:\program files\SigmaTel
2009-09-14 19:14 . 2009-09-14 19:14 -------- d-----w- c:\program files\ATI Technologies
2009-09-14 19:03 . 2009-09-14 18:18 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-14 18:19 . 2009-09-14 18:19 -------- d-----w- c:\program files\microsoft frontpage
2009-09-14 18:16 . 2009-09-14 18:16 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-11 14:18 . 2004-08-12 13:23 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-12 13:22 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-12 13:30 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]
"dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 430080]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"PDFtypewriterPrinterMonitor"="c:\program files\PDFtypewriter\Printer\PDFtypewriterMonitorStart.exe" [2009-10-07 25384]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-15 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Nvu\\nvu.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/14/2009 8:21 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/14/2009 8:22 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/14/2009 8:21 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/14/2009 8:21 PM 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [10/6/2009 7:52 AM 54752]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 9:32 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 9:32 AM 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 9:31 AM 1120752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\heather\Application Data\Mozilla\Firefox\Profiles\yk9s5gim.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 01:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-07 1:29
ComboFix-quarantined-files.txt 2009-11-07 06:28

Pre-Run: 303,147,810,816 bytes free
Post-Run: 303,454,617,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6F24C0618F03BDB06F6B90DD1F02F73D

#13
IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA
How's it running now? Are you still getting redirected when browsing? If so is that only with Firefox? Or with IE too?

You mentioned earlier something I wanted to address...

Quote

Running XP, no MS Office products at all (but the ctfmon. exe service is running)
ctfmon.exe is not part of MS Office. It's part of Windows. I believe with SP3 Windows has it start automatically (not 100% sure of that but I think so). I myself just turn it off. Sometimes it can be malicious but I think yours is legit. You can try turning it off. How to do that is covered in the link below.

http://www.microsoft.com/resources/documen...n.mspx?mfr=true
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#14
hyebba

    Regular Member

  • Honorary Members
  • 56 posts

IndiGenus, on Nov 7 2009, 11:34 AM, said:

How's it running now? Are you still getting redirected when browsing? If so is that only with Firefox? Or with IE too?

You mentioned earlier something I wanted to address...


ctfmon.exe is not part of MS Office. It's part of Windows. I believe with SP3 Windows has it start automatically (not 100% sure of that but I think so). I myself just turn it off. Sometimes it can be malicious but I think yours is legit. You can try turning it off. How to do that is covered in the link below.

http://www.microsoft.com/resources/documen...n.mspx?mfr=true


Hi Indi!

My bad, I thought the ctfmon service was just for MS Office products. Thanks for the clarification.
I'm not sure if it ever redirected with IE as it's just a 'policy' of mine not to run IE. I started IE and it seems to be fine when I do Google searches and click through, but again, that service is turned off so I wouldn't expect any hangups right now.
The computer runs fine with the ctfmon service disabled, but the concern comes in with restarting (it automatically starts and I'm worried at that time it will send whatever info it is gathering to whoever is doing the harvesting).
I followed the link you provided, but the instructions didn't match with my version of XP. I will research to find the right way for my system. Thanks for the heads up on that.

I'm wondering: since I've had the ctfmon service disabled while I ran all these diagnostics, could that be why we aren't seeing anything? Should I restart that service and begin running the diagnostics again? Also, if it is a virus, will just turning off that service be adequate enough to keep me safe?

Thanks for everything you're doing to help me out. I truly appreciate it!

#15
IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA
I can see where the process is being launched from.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

I really don't think it's the issue, but we can have the file checked.

Please go to http://www.virustota.../en/indexf.html
click on Browse, and upload the following file for analysis:

C:\WINDOWS\SYSTEM32\ctfmon.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.
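As an added example (not code from the thread or from IndiGenus), a small Python triage helper for the autostart section of a ComboFix log in the format shown above: it parses the Run values, DWORD settings and service lines from a constructed excerpt and flags the items a responder would look at first, such as a service image under a Temp folder, an image ComboFix could not verify, and the firewall and AppInit settings. The field names, severity labels and the `[?]` interpretation are my own assumptions.

```python
"""Triage the autostart section of a ComboFix log (constructed excerpt; not the thread's full log)."""
import re

# Constructed excerpt in the ComboFix "Reg Loading Points" / services format seen in the thread.
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="path" [YYYY-MM-DD size]  -> a Run value ComboFix resolved to a file
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]+)"\s*\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$')
# "Name"=1 (0x1)  -> a DWORD value such as EnableFirewall or LoadAppInit_DLLs
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)$')
# R2 name;description;image-path ...  -> a driver/service line (R = running, S = stopped)
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")

def parse_autostarts(log):
    """Return (run_entries, dword_values, services) parsed from ComboFix output."""
    run, dwords, services, key = [], {}, [], None
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key:
            name, path, date, size = m.groups()
            run.append({"key": key, "name": name, "path": path, "date": date, "size": int(size)})
        elif (m := DWORD_RE.match(line)) and key:
            dwords[(key, m.group(1))] = int(m.group(2))
        elif m := SERVICE_RE.match(line):
            start, name, desc, rest = m.groups()
            # Assumption: ComboFix prints "[?]" when it could not stat the image; "-->" shows the path tried.
            image = rest.split(" --> ")[-1].rsplit(" [", 1)[0]
            services.append({"start": start, "name": name, "desc": desc,
                             "image": image, "unverified": rest.endswith("[?]")})
    return run, dwords, services

# Autostarts whose image lives under a temp folder deserve a closer look before anything else.
TEMP_HINTS = ("\\temp\\", "\\temporary internet files\\")

def triage(log):
    """Return (severity, finding) tuples, most urgent first, for a responder to review."""
    run, dwords, services = parse_autostarts(log)
    findings = []
    for e in run:
        if any(h in e["path"].lower() for h in TEMP_HINTS):
            findings.append(("high", f'Run value "{e["name"]}" starts from a temp folder: {e["path"]}'))
    for s in services:
        if any(h in s["image"].lower() for h in TEMP_HINTS):
            findings.append(("high", f'Service {s["name"]} ({s["start"]}) image is in a temp folder: {s["image"]}'))
        elif s["unverified"]:
            findings.append(("info", f'Service {s["name"]} image could not be verified ([?]): {s["image"]}'))
    for (key, name), val in dwords.items():
        if name.lower() == "enablefirewall" and val == 0:
            findings.append(("medium", f"Windows Firewall is disabled under {key}"))
        if name.lower() == "loadappinit_dlls" and val == 1:
            findings.append(("medium", f"AppInit DLL loading is enabled under {key}; review AppInit_DLLs"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for severity, text in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {text}")
```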

#16
hyebba

    Regular Member

  • Honorary Members
  • 56 posts

IndiGenus, on Nov 8 2009, 01:57 AM, said:

I can see where the process is being launched from.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

I really don't think it's the issue, but we can have the file checked.

Please go to http://www.virustota.../en/indexf.html
click on Browse, and upload the following file for analysis:

C:\WINDOWS\SYSTEM32\ctfmon.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.


Yep, you're right... no issue there, it looks like. What do we do now? And if the file is clean, why would it mess me up so bad when it runs? (just trying to understand how that works) ;) Thanks for helping!! Report is below.

MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3
First received: 2009.02.11 22:51:11 UTC
Date: 2009.11.08 00:16:29 UTC [<1D]
Results: 0/40
Permalink: analisis/5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1-1257639389

#17
IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA
I've never heard of the ctfmon.exe (legitimate) process causing issues, with redirects or other. So you are saying that you still are getting redirected when this process is running?

#18
hyebba

    Regular Member

  • Honorary Members
  • 56 posts

IndiGenus, on Nov 8 2009, 02:54 PM, said:

I've never heard of the ctfmon.exe (legitimate) process causing issues, with redirects or other. So you are saying that you still are getting redirected when this process is running?

Aw man, really???

Unfortunately, I've seen a lot (from techs) regarding ctfmon messing things up. Obviously, and just like you had said, the legit ones are fine (it seems) but this one's legit (pretty positive anyway) and it still seems completely connected to the problem somehow. Could a virus depend on this service running to be able to execute? (I don't even know if I asked that correctly) ;) I was hoping you were going to be my knight in shining armor on that one!! :( :(

The problem has not changed. :)

The best that I can say is that once I had turned that service off, the problems stopped. Outside of that, I don't know.

Then, this morning there were two instances of ctfmon.exe showing in my processes (how they started and why there were two, with different mem. usage, I have no idea. I had not restarted the computer.). When I tried to upgrade my AVG to a new version today, the AVG program will not connect to the site through Firefox or IE. On Firefox I get the server reset error and on IE it just hangs up on a blank page and does nothing. Also, when AVG runs its scan no 'warnings' pop up (I usually have at least 50 from cookies), so it seems that AVG looks like it's running, but isn't really doing anything. Also, my computer started running really slow again. Whatever is in here, it's rebuilding itself somehow, or restarting itself???? Is that possible?

I'm stumped. And oh so worried. I literally just put in a new hard drive. Brand new, out of the box, and she was purring oh so well. :(

Thanks for fightin' the fight with me! Lead my way to cleanliness!! :) :)

#19
hyebba

    Regular Member

  • Honorary Members
  • 56 posts

hyebba, on Nov 9 2009, 09:54 AM, said:

Aw man, really???

Unfortunately, I've seen a lot (from techs) regarding ctfmon messing things up. Obviously, and just like you had said, the legit ones are fine (it seems) but this one's legit (pretty positive anyway) and it still seems completely connected to the problem somehow. Could a virus depend on this service running to be able to execute? (I don't even know if I asked that correctly) ;) I was hoping you were going to be my knight in shining armor on that one!! :( :(

The problem has not changed. :)

The best that I can say is that once I had turned that service off, the problems stopped. Outside of that, I don't know.

Then, this morning there were two instances of ctfmon.exe showing in my processes (how they started and why there were two, with different mem. usage, I have no idea. I had not restarted the computer.). When I tried to upgrade my AVG to a new version today, the AVG program will not connect to the site through Firefox or IE. On Firefox I get the server reset error and on IE it just hangs up on a blank page and does nothing. Also, when AVG runs its scan no 'warnings' pop up (I usually have at least 50 from cookies), so it seems that AVG looks like it's running, but isn't really doing anything. Also, my computer started running really slow again. Whatever is in here, it's rebuilding itself somehow, or restarting itself???? Is that possible?

I'm stumped. And oh so worried. I literally just put in a new hard drive. Brand new, out of the box, and she was purring oh so well. :(

Thanks for fightin' the fight with me! Lead my way to cleanliness!! :) :)



Oh, and I don't know if this means anything, but it's a change in behavior. I have to click everything twice now, or refresh pages to get them to load. It's getting worse???? It's to the point now that EVERY time, I have to click at least twice. aacckk!!!!

#20
IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA
Let's get another rootkit scan.

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

