Full Version: PC Infected - Internet Almost Completely Disabled
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
hyebba
First - THANK YOU GUYS FOR DOING WHAT YOU DO!!!!

Beginning a few days ago, my computer started running slower and it has steadily progressed to where the internet is at a crawl. (servers reset in Firefox, pages won't load, pretty well worthless) I pretty much cannot use my computer.

Brand new hard drive installed a month ago.
Running XP, no MS Office products at all (but the ctfmon.exe service is running)
Adobe forced an update a few days ago.
Installed Microsoft Security Essentials last week (problems began shortly after)
Have free version of AVG anti virus (installed with new hard drive, ran problem free)
CPU has been all over the place. It was staying high (over 80%), then changed to staying at 0% regardless of the activity being attempted, with little spikes every now and then.
Automatic updater shows that it is on in control panel, but no icon anymore in tray and it hasn't been updating.

Here are my files:
MBAM Log:
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/2/2009 9:54:27 PM
mbam-log-2009-11-02 (21-54-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 146157
Time elapsed: 38 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\heather\My Documents\Downloads\SmileyCentralSetup2.3.50.53.ZSfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.


HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:34 PM, on 11/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PDFtypewriter\Printer\PDFtypewriter_Printer_Monitor.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [PDFtypewriterPrinterMonitor] "C:\Program Files\PDFtypewriter\Printer\PDFtypewriterMonitorStart.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9771 bytes
IndiGenus
Hello hyebba and welcome to the forums here at MalwareBytes.

The problem is likely due to having 2 AntiVirus programs running. You should never have more than one AV or Firewall running at a time as it can cause conflicts, errors, false positives, and (your problem) system slowdown.

I would suggest you uninstall one of the AntiVirus products and see if that gets you back to running better.

Let me know how you make out.
hyebba
QUOTE (IndiGenus @ Nov 3 2009, 01:47 PM) *

I typically don't have two running, but was trying either one to find the virus. I have since uninstalled MS Essentials and the problems are still very bad. I use Firefox and I can hardly get to sites at all now... it took over 5 minutes to get back here. So I still need the same help, and I'm worried my computer will completely crash soon (it's getting worse by the minute).
hyebba
QUOTE (hyebba @ Nov 3 2009, 01:53 PM) *

IndiGenus:

Hello!

Did a bit more digging around and found a couple of things.

I lost all ability to connect to the internet, so on a chance I disabled the ctfmon.exe service that was running (I have no MS Office products on my computer). I am now able to get back online and it has been pretty problem free so far, but we'll see.

Also, found a file in my Application Data folder titled com.adobe.share.prefs.sol and a folder name that just didn't seem right, in a different location than the other Adobe files and folders.

My Windows Updater folder is completely empty... and as I had said, it has not been running updates (obviously, there are no files anymore).

I don't know if any of that will help us steer in the right direction, just wanted to make sure I told you everything that's catching my eye.

thanks for helping me with this....I really appreciate it.

Heather
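The entries in the logs above that deserve a second look are the ones the tools themselves mark: the BHO and URLSearchHook CLSIDs listed with "(no file)", the SessionLauncher service pointing into a Temp folder with "(file missing)", the O23 services with "Unknown owner", and the ctfmon.exe question raised in the post above. The script below is an added example and is not part of this thread, of HijackThis or of DDS; it reads HijackThis-style O2/O4/O23 lines and flags those patterns. For reference, ctfmon.exe at C:\WINDOWS\system32 is the Windows XP Text Services Framework loader and is present with or without Office; a file of that name running from a user profile folder is what the script would flag instead. The sample lines are copied from the HJT log in the first post, plus one constructed line (a ctfmon.exe copy under Application Data) that is not on the real machine and is there only to show a masquerade being caught. The expected-directory and user-writable-folder rules are the example's own assumptions for a default XP install on C:.

```python
"""Triage helper for HijackThis-style startup entries (added example).

Flags the entries a responder would look at first:
  * a referenced file that no longer exists (orphaned CLSID or service)
  * an autorun or service launched from a user-writable folder
  * an O23 service whose binary carries no vendor name ("Unknown owner")
  * a well-known Windows binary name running outside its expected directory
"""
import re
from dataclasses import dataclass, field

# Assumption: default Windows XP install on C:. Binaries listed here are
# expected to run from these directories; the same name elsewhere is flagged.
_SYS32 = "c:\\windows\\system32\\"
EXPECTED_DIR = {
    "ctfmon.exe": _SYS32, "svchost.exe": _SYS32, "lsass.exe": _SYS32,
    "winlogon.exe": _SYS32, "smss.exe": _SYS32, "services.exe": _SYS32,
    "spoolsv.exe": _SYS32, "explorer.exe": "c:\\windows\\",
}

# Folder fragments any unprivileged user can write to (long and 8.3 forms).
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\",
                 "\\application data\\", "\\applic~1\\", "\\locals~1\\")

# How HijackThis (and DDS) mark a reference whose target is gone.
MISSING_MARKERS = ("no file", "file missing")

# First drive-letter path ending in an executable/library extension.
PATH_RE = re.compile(r'([a-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|cpl))', re.IGNORECASE)
SECTION_RE = re.compile(r"^(O\d+|R\d)\s*-")


@dataclass
class Finding:
    section: str          # HJT section, e.g. "O4" or "O23"
    path: str             # extracted path, or the whole line if none was found
    reasons: list = field(default_factory=list)


def triage(lines):
    """Return a Finding for every startup entry that trips at least one rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if not sec:
            continue                  # not an HJT entry (header, process list, ...)
        low = line.lower()
        pm = PATH_RE.search(line)
        path = pm.group(1) if pm else ""
        plow = path.lower()
        reasons = []
        if any(mk in low for mk in MISSING_MARKERS):
            reasons.append("referenced file is missing (orphaned entry)")
        if plow and any(frag in plow for frag in USER_WRITABLE):
            reasons.append("launched from a user-writable folder")
        if sec.group(1) == "O23" and "unknown owner" in low:
            reasons.append("service binary has no vendor name")
        name = plow.rsplit("\\", 1)[-1]
        expected = EXPECTED_DIR.get(name)
        if expected and not plow.startswith(expected):
            reasons.append(f"{name} is a Windows binary name running outside {expected}")
        if reasons:
            findings.append(Finding(sec.group(1), path or line, reasons))
    return findings


# Sample input: five lines copied from the HijackThis log in this thread plus one
# CONSTRUCTED line (the last one), which is not on the real machine and only
# demonstrates a masquerading ctfmon.exe being caught.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\Documents and Settings\heather\Application Data\ctfmon.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.path}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run against the sample, the legitimate system32 ctfmon.exe and the AVG tray entry produce nothing, the "(no file)" BHO and the dlcd_device service each get one note, SessionLauncher collects three (missing file, Temp folder, no vendor), and the constructed Application Data copy of ctfmon.exe is flagged for both its location and its name. A flag is a prompt to check the file, not a verdict; the dlcd_device service here is the Dell printer software listed elsewhere in the same log.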
IndiGenus
Hi Heather,

Let's get a closer look at things.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
hyebba
QUOTE (IndiGenus @ Nov 4 2009, 03:55 PM) *

Thanks Indi!

    DDS.txt

    DDS (Ver_09-06-26.01) - NTFSx86
    Run by heather at 11:04:03.15 on Thu 11/05/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.240 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
    C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\PDFtypewriter\Printer\PDFtypewriter_Printer_Monitor.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\dlcdcoms.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgscanx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\AVG\AVG8\avgui.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\heather\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    mDefault_Page_URL = hxxp://www.yahoo.com/
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
    mRun: [<NO NAME>]
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
    mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
    mRun: [dlcdmon.exe] "c:\program files\dell photo aio printer 944\dlcdmon.exe"
    mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 944\memcard.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [PDFtypewriterPrinterMonitor] "c:\program files\pdftypewriter\printer\PDFtypewriterMonitorStart.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\heather\applic~1\mozilla\firefox\profiles\yk9s5gim.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-14 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-14 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-14 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-14 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-14 297752]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-6 54752]
    R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
    R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
    S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
    S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
    S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\heather\locals~1\temp\dx9\SessionLauncher.exe [?]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
    S4 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]

    =============== Created Last 30 ================

    2009-11-02 21:59 <DIR> --d----- c:\program files\Trend Micro
    2009-11-02 21:03 <DIR> --d----- c:\docume~1\heather\applic~1\Malwarebytes
    2009-11-02 21:03 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-02 21:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-11-02 21:03 19,160 a------- c:\windows\system32\drivers\mbam.sys
    2009-11-02 21:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-11-02 21:01 <DIR> --d----- c:\windows\system32\NtmsData
    2009-11-02 14:00 <DIR> --d----- c:\docume~1\heather\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-11-02 13:32 90,920 a------- c:\windows\system32\custmon32.dll
    2009-11-02 13:32 <DIR> --d----- c:\windows\SigPlus
    2009-11-02 13:31 <DIR> --d----- c:\program files\PDFtypewriter
    2009-11-02 13:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CTdeveloping
    2009-11-02 13:31 <DIR> --d----- c:\docume~1\heather\applic~1\CTdeveloping
    2009-11-02 02:03 <DIR> --d----- C:\b2725bb553b499d6447c88
    2009-11-01 02:09 <DIR> --d----- C:\5126b90f2e82c1cd141e
    2009-10-31 10:35 <DIR> --d----- C:\296e633a8c10b8dcb748
    2009-10-30 01:09 <DIR> --d----- C:\1b00fa8af810194faf851e21
    2009-10-29 10:20 202,072 a----r-- c:\windows\system32\cpnprt2.cid
    2009-10-29 10:20 <DIR> --d----- c:\windows\Cache
    2009-10-29 10:20 <DIR> --d----- c:\program files\Coupons
    2009-10-29 00:43 <DIR> --d----- C:\9d870a4543eaffdbe4a428035ec5
    2009-10-28 07:55 <DIR> --d----- C:\05a1236ff083f0fba998c1c871f5
    2009-10-27 13:16 <DIR> --d----- c:\program files\Windows Media Connect 2
    2009-10-27 13:12 <DIR> --d----- c:\windows\system32\LogFiles
    2009-10-23 07:50 195,440 -------- c:\windows\system32\MpSigStub.exe
    2009-10-20 09:11 1,151 a------- c:\windows\wpo.ini
    2009-10-20 09:08 <DIR> --d----- c:\program files\PinderSoft
    2009-10-20 08:43 132,880 a------- c:\windows\system32\MSINET.OCX
    2009-10-09 13:16 <DIR> --d----- c:\program files\Kelly Martens
    2009-10-07 18:14 <DIR> --d----- c:\docume~1\heather\applic~1\Uniblue
    2009-10-07 11:08 2,947,368 a------- c:\windows\system32\CT_imagelibrary.ocx
    2009-10-07 11:08 41,768 a------- c:\windows\system32\PDFtypewriter_AddIn.dll
    2009-10-07 11:08 1,825,064 a------- c:\windows\system32\QuickPDFAX0716.dll
    2009-10-07 11:08 45,864 a------- c:\windows\system32\CT_xmlparser.dll
    2009-10-07 11:08 2,063,656 a------- c:\windows\system32\CT_docengine.ocx
    2009-10-07 11:08 299,816 a------- c:\windows\system32\CT_twain.dll
    2009-10-07 02:09 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
    2009-10-07 02:04 117,760 -------- c:\windows\system32\prntvpt.dll
    2009-10-07 02:04 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
    2009-10-07 02:04 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-10-07 02:04 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
    2009-10-07 02:04 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-10-07 02:04 1,676,288 -------- c:\windows\system32\xpssvcs.dll
    2009-10-07 02:04 575,488 -------- c:\windows\system32\xpsshhdr.dll
    2009-10-07 02:04 <DIR> --d----- C:\6c2f0c95b67eb92ecf7f13e056

    ==================== Find3M ====================

    2009-09-15 23:59 411,368 a------- c:\windows\system32\deploytk.dll
    2009-09-14 20:22 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-09-14 20:22 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-09-14 20:21 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-09-14 14:03 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-09-14 13:16 21,640 a------- c:\windows\system32\emptyregdb.dat
    2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
    2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
    2009-08-29 03:08 916,480 a------- c:\windows\system32\wininet.dll
    2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll

    ============= FINISH: 11:04:13.21 ===============

    ATTCH.txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/14/2009 2:20:59 PM
    System Uptime: 11/4/2009 4:52:35 AM (31 hours ago)

    Motherboard: Dell Inc. | | 0JC474
    Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 298 GiB total, 282.531 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 9/14/2009 2:29:08 PM - System Checkpoint
    RP2: 9/14/2009 2:57:46 PM - Installed Windows XP Service Pack 3.
    RP3: 9/14/2009 3:14:31 PM - Installed ATI Parental Control
    RP4: 9/14/2009 3:16:23 PM - Installed SigmaTel Audio
    RP5: 9/14/2009 8:54:05 PM - Software Distribution Service 3.0
    RP6: 9/14/2009 9:00:07 PM - Software Distribution Service 3.0
    RP7: 9/14/2009 9:13:52 PM - Installed Windows XP WgaNotify.
    RP8: 9/14/2009 9:21:34 PM - Installed AVG Free 8.5
    RP9: 9/15/2009 8:14:27 AM - Avg8 Update
    RP10: 9/16/2009 12:50:15 AM - Installed Java™ 6 Update 15
    RP11: 9/16/2009 12:59:11 AM - Removed Java™ 6 Update 15
    RP12: 9/16/2009 12:59:30 AM - Installed Java™ 6 Update 16
    RP13: 9/16/2009 12:59:51 AM - Installed OpenOffice.org 3.1
    RP14: 9/16/2009 3:00:13 AM - Software Distribution Service 3.0
    RP15: 9/17/2009 3:10:11 AM - System Checkpoint
    RP16: 9/18/2009 4:10:11 AM - System Checkpoint
    RP17: 9/18/2009 5:13:09 PM - Installed Adobe Reader 9.1.
    RP18: 9/20/2009 1:45:36 AM - System Checkpoint
    RP19: 9/21/2009 3:01:00 PM - System Checkpoint
    RP20: 9/22/2009 9:01:59 AM - Installed DirectX
    RP21: 9/23/2009 3:00:15 AM - Software Distribution Service 3.0
    RP22: 9/23/2009 11:10:19 AM - Installed Windows Media Player 11
    RP23: 9/23/2009 9:13:58 PM - Software Distribution Service 3.0
    RP24: 9/24/2009 9:03:15 AM - Installed NetWaiting
    RP25: 9/24/2009 9:21:19 AM - Installed Windows KB954550-v5.
    RP26: 9/24/2009 9:21:28 AM - Printer Driver Microsoft XPS Document Writer Installed
    RP27: 9/24/2009 9:21:36 AM - Printer Driver Microsoft XPS Document Writer Installed
    RP28: 9/24/2009 9:26:25 AM - Software Distribution Service 3.0
    RP29: 9/24/2009 11:13:52 AM - Restore Operation
    RP30: 9/24/2009 11:19:59 AM - Software Distribution Service 3.0
    RP31: 9/25/2009 12:39:50 PM - System Checkpoint
    RP32: 9/26/2009 4:06:03 PM - System Checkpoint
    RP33: 9/27/2009 4:20:13 PM - System Checkpoint
    RP34: 9/28/2009 8:47:43 PM - System Checkpoint
    RP35: 9/30/2009 8:35:57 AM - System Checkpoint
    RP36: 10/1/2009 4:01:14 PM - System Checkpoint
    RP37: 10/2/2009 7:09:56 PM - System Checkpoint
    RP38: 10/4/2009 1:27:15 AM - System Checkpoint
    RP39: 10/5/2009 6:23:20 AM - System Checkpoint
    RP40: 10/5/2009 8:14:13 AM - Avg8 Update
    RP41: 10/5/2009 8:14:53 AM - Avg8 Update
    RP42: 10/6/2009 8:25:02 AM - System Checkpoint
    RP43: 10/6/2009 8:47:22 AM - Installed Windows XP KB954708.
    RP44: 10/6/2009 8:47:45 AM - Installed DirectX
    RP45: 10/7/2009 3:00:14 AM - Software Distribution Service 3.0
    RP46: 10/7/2009 9:05:10 AM - Avg8 Update
    RP47: 10/7/2009 7:19:18 PM - Software Distribution Service 3.0
    RP48: 10/9/2009 1:56:22 AM - System Checkpoint
    RP49: 10/9/2009 2:11:49 PM - Installed Polaroid Picture v1.7
    RP50: 10/9/2009 2:12:11 PM - Installed Windows Live Writer Blog This for Mozilla Firefox
    RP51: 10/9/2009 2:16:10 PM - Installed TagCreator for Windows Live Writer
    RP52: 10/10/2009 3:33:42 PM - System Checkpoint
    RP53: 10/12/2009 1:06:33 AM - System Checkpoint
    RP54: 10/13/2009 1:15:36 AM - System Checkpoint
    RP55: 10/14/2009 6:31:05 AM - System Checkpoint
    RP56: 10/15/2009 3:00:15 AM - Software Distribution Service 3.0
    RP57: 10/16/2009 3:16:03 PM - System Checkpoint
    RP58: 10/17/2009 9:40:16 AM - Avg8 Update
    RP59: 10/18/2009 10:50:09 PM - System Checkpoint
    RP60: 10/20/2009 12:52:15 AM - System Checkpoint
    RP61: 10/20/2009 10:08:28 AM - Installed Writers Project Organizer
    RP62: 10/21/2009 9:40:15 AM - Avg8 Update
    RP63: 10/22/2009 10:32:49 AM - System Checkpoint
    RP64: 10/23/2009 8:50:03 AM - Software Distribution Service 3.0
    RP65: 10/23/2009 11:34:37 AM - Microsoft Antimalware Checkpoint
    RP66: 10/24/2009 2:29:39 AM - Software Distribution Service 3.0
    RP67: 10/25/2009 4:26:02 PM - System Checkpoint
    RP68: 10/26/2009 8:54:32 AM - Software Distribution Service 3.0
    RP69: 10/27/2009 2:10:02 PM - Installed Windows Media Player 11
    RP70: 10/27/2009 2:10:58 PM - Software Distribution Service 3.0
    RP71: 10/28/2009 3:00:22 AM - Software Distribution Service 3.0
    RP72: 10/28/2009 8:55:22 AM - Software Distribution Service 3.0
    RP73: 10/29/2009 1:43:21 AM - Software Distribution Service 3.0
    RP74: 10/29/2009 3:51:19 AM - Microsoft Antimalware Checkpoint
    RP75: 10/29/2009 10:55:16 AM - Software Distribution Service 3.0
    RP76: 10/30/2009 2:09:03 AM - Software Distribution Service 3.0
    RP77: 10/30/2009 11:34:27 AM - Software Distribution Service 3.0
    RP78: 10/31/2009 11:35:13 AM - Software Distribution Service 3.0
    RP79: 11/1/2009 3:09:04 AM - Software Distribution Service 3.0
    RP80: 11/2/2009 3:03:22 AM - Software Distribution Service 3.0
    RP81: 11/2/2009 2:31:50 PM - Installed PDFtypewriter with PDF Printer Driver
    RP82: 11/2/2009 2:32:23 PM - Printer Driver CUSTPDF Writer Installed
    RP83: 11/3/2009 9:25:36 AM - Avg8 Update
    RP84: 11/4/2009 4:00:14 AM - Software Distribution Service 3.0
    RP85: 11/5/2009 4:56:55 AM - System Checkpoint

    ==== Installed Programs ======================

    ABBYY FineReader 6.0 Sprint
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    ATI - Software Uninstall Utility
    ATI Parental Control
    AVG Free 8.5
    Conexant D850 56K V.9x DFVc Modem
    Coupon Printer for Windows
    Dell Photo AIO Printer 944
    DirectXInstallService
    ERUNT 1.1j
    FileZilla Client 3.2.8.1
    GIMP 2.6.7
    Google Toolbar for Internet Explorer
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Intel® Graphics Media Accelerator Driver
    Intel® PRO Network Connections Drivers
    Jasc Paint Shop Photo Album 5
    Jasc Paint Shop Pro Studio, Dell Editon
    Java™ 6 Update 16
    Java™ SE Runtime Environment 6 Update 1
    Junk Mail filter update
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.5.4)
    MSN
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    Nvu 1.0PR
    OpenOffice.org 3.1
    PDFtypewriter Printer Driver
    PDFtypewriter with PDF Printer Driver
    Polaroid Picture v1.7
    Powerbullet Presenter 1.44
    Roxio Activation Module
    Roxio CinePlayer Decoder Pack
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator Premier
    Roxio Creator Premier 10
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio Update Manager
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Segoe UI
    SigmaTel Audio
    Sonar2
    Spelling Dictionaries Support For Adobe Reader 9
    TagCreator for Windows Live Writer
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Live Writer Blog This for Mozilla Firefox
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    Writers Project Organizer
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    11/3/2009 9:12:26 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
    11/1/2009 10:53:41 PM, error: Service Control Manager [7034] - The AVG Free8 E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
    10/31/2009 2:09:19 AM, error: Microsoft Antimalware [2001] -
    10/31/2009 12:43:18 PM, error: Dhcp [1002] - The IP address lease 192.168.251.199 for the Network Card with network address 00167636F2DA has been denied by the DHCP server 192.168.251.1 (The DHCP Server sent a DHCPNACK message).
    10/29/2009 11:28:34 AM, error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.

    ==== End Of File ===========================


    Thank you for your help!
    IndiGenus
    So, now that you have uninstalled the MS security essentials program how's it running?
    hyebba
    QUOTE (IndiGenus @ Nov 5 2009, 06:15 PM) *
    So, now that you have uninstalled the MS security essentials program how's it running?



    Hi Indi,

It is definitely a virus. There was no change after removing MS Essentials. The problems continued to get worse (with Firefox always being redirected, etc.) so I disabled the ctfmon.exe service that was running and now I can search the internet just fine. But I know I have to get that off of the computer because when I reboot the service restarts and the problems start again.

    Below is my earlier post:

    I lost all ability to connect to the internet so on a chance I disabled the ctfmon.exe service that was running (i have no MS office products on my computer) I am now able to get back online and it has been pretty problem free so far, but we'll see.

Also, found a file in my application data folder titled com.adobe.share.prefs.sol and a folder name that just didn't seem right and in a different location than the other adobe files and folders.

My windows Updater folder is completely empty...and as I had said, it has not been running updates (obviously, there are no files anymore)
    IndiGenus
    Let's get a rootkit scan here.

    1. Download RootRepeal from the following location and save it to your desktop.
    2. Extract RootRepeal.exe from the archive.
    3. Open on your desktop.
    4. Click the tab.
    5. Click the button.
    6. Check all seven boxes:
    7. Push Ok
    8. Check the box for your main system drive (Usually C:), and press Ok.
    9. Allow RootRepeal to run a scan of your system. This may take some time.
    10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
    hyebba
    QUOTE (IndiGenus @ Nov 6 2009, 12:58 PM) *
    Let's get a rootkit scan here.

    1. Download RootRepeal from the following location and save it to your desktop.
    2. Extract RootRepeal.exe from the archive.
    3. Open on your desktop.
    4. Click the tab.
    5. Click the button.
    6. Check all seven boxes:
    7. Push Ok
    8. Check the box for your main system drive (Usually C:), and press Ok.
    9. Allow RootRepeal to run a scan of your system. This may take some time.
    10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.



Hi IndiGenus!! Thank you again for assisting with this! Below is the RootRepeal report, as requested.


    ROOTREPEAL © AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/11/06 19:23
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xAAB72000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7B10000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA99CB000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\4c072de7-a74f-4e5c-bee6-71fa531a3f93
    Status: Locked to the Windows API!

    ==EOF==
    IndiGenus
Nothing there... I see where the bad ctfmon process is getting loaded, but I still think we may have a rootkit hiding here.

    Let's get out the big gun.

    Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

    • Double click on ComboFix.exe & follow the prompts.

• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated DDS log and let me know how it's running.

    Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
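Two things in this thread lend themselves to a scripted check. The DDS service list posted above has an auto-start (S2) service, SessionLauncher, whose binary sits under the user's Temp folder and which DDS marks "[?]" because it could not find the file (the Event Viewer entry 7000 for that service says the same); and the helper's remark that a bad ctfmon.exe is being loaded is the usual pattern of a malicious binary borrowing the name of a Windows component while running from somewhere other than system32. The Python below is an added example written for this page; it is not part of the thread and not code from DDS, RootRepeal or ComboFix. It parses the service lines copied from the DDS log, flags entries that live in user-writable paths, point at a missing file, or start automatically, and checks a process image path against the directory that binary name belongs in. The home-directory table is an assumption for a 32-bit XP install, and the suspect ctfmon path in the sample is invented for the demonstration, since the thread never says where the real one was loaded from.

```python
import re
from dataclasses import dataclass, field

# Service lines copied from the DDS log posted earlier in this thread.
DDS_SERVICE_LINES = r"""
S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\heather\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S4 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
"""

# DDS service line layout: "<R|S><start type> <name>;<display name>;<image path> [<date> <size>]"
# R = running, S = stopped; start type 2 = auto, 3 = manual, 4 = disabled.
# "[?]" instead of date and size means DDS could not find the file on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stat>[^\]]*)\]\s*$"
)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Path fragments an ordinary user can write to (8.3 short names included, as DDS prints them).
USER_WRITABLE_HINTS = (
    "\\temp\\", "\\locals~1\\", "\\local settings\\", "\\applic~1\\", "\\application data\\",
)

# Windows binary names malware likes to borrow, with the only directory each belongs in
# on a 32-bit XP install (assumption made for this example).
SYSTEM_BINARY_HOMES = {
    "ctfmon.exe": "c:\\windows\\system32\\",
    "svchost.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}

# Constructed for the demonstration; the thread does not say where its bad ctfmon lived.
SUSPECT_PROCESS = r"c:\documents and settings\heather\local settings\temp\ctfmon.exe"


@dataclass
class ServiceFinding:
    name: str
    path: str
    start: str
    reasons: list = field(default_factory=list)


def parse_service_line(line):
    """Split one DDS service line into its fields, or return None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # DDS prints "<ImagePath as stored> --> <expanded path>" when the two differ.
    if " --> " in path:
        path = path.split(" --> ", 1)[1]
    path = path.lower()
    if path.startswith("\\??\\"):  # NT object-manager prefix used for drivers
        path = path[4:]
    return {
        "state": m.group("state"),
        "start": START_TYPES.get(m.group("start"), m.group("start")),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path,
        "missing": m.group("stat").strip() == "?",
    }


def triage_services(text):
    """Return a ServiceFinding for every service line that trips at least one check."""
    findings = []
    for line in text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        reasons = []
        if any(hint in svc["path"] for hint in USER_WRITABLE_HINTS):
            reasons.append("binary in user-writable location")
        if svc["missing"]:
            reasons.append("binary not found on disk")
        # A dubious binary that also starts on its own is the persistence to chase first.
        if reasons and svc["start"] in ("boot", "system", "auto"):
            reasons.append("starts automatically (%s)" % svc["start"])
        if reasons:
            findings.append(ServiceFinding(svc["name"], svc["path"], svc["start"], reasons))
    return findings


def check_process_path(image_path):
    """Return None if a tracked system binary runs from its home directory, else a reason."""
    p = image_path.lower()
    directory, _, name = p.rpartition("\\")
    home = SYSTEM_BINARY_HOMES.get(name)
    if home is None or p == home + name:
        return None
    return "%s running from %s\\ instead of %s" % (name, directory, home)


if __name__ == "__main__":
    for f in triage_services(DDS_SERVICE_LINES):
        print("%-16s %-8s %s" % (f.name, f.start, "; ".join(f.reasons)))
        print("    " + f.path)
    for proc in (r"C:\WINDOWS\system32\ctfmon.exe", SUSPECT_PROCESS):
        print(proc, "->", check_process_path(proc) or "ok")
```

Run as a script it prints SessionLauncher with all three reasons and the invented ctfmon path as out of place. Note that rootrepeal.sys is also reported as missing: that is the scanner's own driver (the RootRepeal report above lists it with "File Visible: No"), so the output is a triage list for a human to read, not a verdict.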
    hyebba
    QUOTE (IndiGenus @ Nov 6 2009, 09:42 PM) *
    Nothing there.....I see where the bad ctfmon process is getting loaded, but I still think we may have a rootkit hiding here.

    Let's get out the big gun.

    Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

    • Double click on ComboFix.exe & follow the prompts.

• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated DDS log and let me know how it's running.

    Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



    Hiya IndiGenus!! As requested...here is the combofix log.
    THANK YOU!!! biggrin.gif (and thanks for not being too afraid to pull out the big guns for us! ha ha)

    ComboFix 09-11-06.03 - heather 11/07/2009 1:23.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.306 [GMT -5:00]
    Running from: c:\documents and settings\heather\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\COUPON~1.OCX
    c:\windows\CouponPrinter.ocx

    .
    ((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
    .

    2009-11-04 02:18 . 2009-11-04 02:18 -------- d-----w- c:\program files\ERUNT
    2009-11-03 02:59 . 2009-11-03 02:59 -------- d-----w- c:\program files\Trend Micro
    2009-11-03 02:03 . 2009-11-03 02:03 -------- d-----w- c:\documents and settings\heather\Application Data\Malwarebytes
    2009-11-03 02:03 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-03 02:03 . 2009-11-03 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-11-03 02:03 . 2009-11-03 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-03 02:03 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-03 02:01 . 2009-11-03 02:56 -------- d-----w- c:\windows\system32\NtmsData
    2009-11-02 19:00 . 2009-11-02 19:00 -------- d-----w- c:\documents and settings\heather\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-11-02 18:32 . 2009-10-07 16:08 90920 ----a-w- c:\windows\system32\custmon32.dll
    2009-11-02 18:32 . 2009-11-02 18:32 -------- d-----w- c:\windows\SigPlus
    2009-11-02 18:31 . 2009-11-02 18:32 -------- d-----w- c:\program files\PDFtypewriter
    2009-11-02 18:31 . 2009-11-02 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\CTdeveloping
    2009-11-02 18:31 . 2009-11-02 18:31 -------- d-----w- c:\documents and settings\heather\Application Data\CTdeveloping
    2009-11-02 07:03 . 2009-11-02 07:03 -------- d-----w- C:\b2725bb553b499d6447c88
    2009-11-01 07:09 . 2009-11-01 07:09 -------- d-----w- C:\5126b90f2e82c1cd141e
    2009-10-31 16:56 . 2008-04-14 09:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2009-10-31 15:35 . 2009-10-31 15:36 -------- d-----w- C:\296e633a8c10b8dcb748
    2009-10-30 06:09 . 2009-10-30 06:09 -------- d-----w- C:\1b00fa8af810194faf851e21
    2009-10-29 15:20 . 2009-10-29 15:20 -------- d-----w- c:\windows\Cache
    2009-10-29 15:20 . 2009-10-29 15:20 -------- d-----w- c:\program files\Coupons
    2009-10-29 05:43 . 2009-10-29 05:43 -------- d-----w- C:\9d870a4543eaffdbe4a428035ec5
    2009-10-28 12:55 . 2009-10-28 12:55 -------- d-----w- C:\05a1236ff083f0fba998c1c871f5
    2009-10-27 18:16 . 2009-10-27 18:16 -------- d-----w- c:\program files\Windows Media Connect 2
    2009-10-27 18:12 . 2009-10-27 18:14 -------- d-----w- c:\windows\system32\drivers\UMDF
    2009-10-27 18:12 . 2009-10-27 18:12 -------- d-----w- c:\windows\system32\LogFiles
    2009-10-23 12:50 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-20 14:08 . 2009-10-20 14:08 -------- d-----w- c:\program files\PinderSoft
    2009-10-17 13:40 . 2009-10-17 13:40 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
    2009-10-16 17:14 . 2009-10-16 17:14 -------- d-----w- c:\program files\FileZilla FTP Client
    2009-10-13 12:28 . 2009-11-05 20:19 -------- d-----w- c:\documents and settings\heather\Application Data\FileZilla
    2009-10-09 18:16 . 2009-10-09 18:16 -------- d-----w- c:\program files\Kelly Martens

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-05 19:47 . 2009-09-16 05:02 1 ----a-w- c:\documents and settings\heather\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-11-05 17:35 . 2009-09-28 21:09 -------- d-----w- c:\documents and settings\heather\Application Data\gtk-2.0
    2009-11-04 21:16 . 2009-10-04 14:43 -------- d-----w- c:\program files\Dl_cats
    2009-11-04 02:16 . 2009-09-15 17:44 -------- d-----w- c:\documents and settings\heather\Application Data\MP3Rocket
    2009-10-28 14:48 . 2009-09-24 13:30 34256 ----a-w- c:\documents and settings\heather\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-28 06:52 . 2009-09-18 21:13 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-21 13:40 . 2009-11-06 13:50 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
    2009-10-07 23:14 . 2009-10-07 23:14 -------- d-----w- c:\documents and settings\heather\Application Data\Uniblue
    2009-10-07 16:08 . 2009-10-07 16:08 41768 ----a-w- c:\windows\system32\PDFtypewriter_AddIn.dll
    2009-10-07 16:08 . 2009-10-07 16:08 1825064 ----a-w- c:\windows\system32\QuickPDFAX0716.dll
    2009-10-07 16:08 . 2009-10-07 16:08 45864 ----a-w- c:\windows\system32\CT_xmlparser.dll
    2009-10-07 16:08 . 2009-10-07 16:08 299816 ----a-w- c:\windows\system32\CT_twain.dll
    2009-10-07 07:15 . 2009-10-06 12:52 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-10-06 14:28 . 2009-10-06 14:25 -------- d-----w- c:\documents and settings\heather\Application Data\Windows Live Writer
    2009-10-06 13:03 . 2009-10-04 14:41 -------- d-----w- c:\program files\Dell Photo AIO Printer 944
    2009-10-06 12:52 . 2009-10-06 12:45 -------- d-----w- c:\program files\Windows Live
    2009-10-06 12:48 . 2009-10-06 12:48 -------- d-----w- c:\program files\Microsoft Sync Framework
    2009-10-06 12:47 . 2009-10-06 12:47 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2009-10-06 12:46 . 2009-10-06 12:46 -------- d-----w- c:\program files\Microsoft
    2009-10-06 12:45 . 2009-10-06 12:45 -------- d-----w- c:\program files\Windows Live SkyDrive
    2009-10-06 12:41 . 2009-10-06 12:41 -------- d-----w- c:\program files\Common Files\Windows Live
    2009-10-04 15:06 . 2009-10-04 15:06 25214 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}\ARPPRODUCTICON.exe
    2009-10-04 15:05 . 2009-10-04 15:05 -------- d-----w- c:\documents and settings\heather\Application Data\Jasc Software Inc
    2009-10-04 15:05 . 2009-10-04 15:04 -------- d-----w- c:\program files\Jasc Software Inc
    2009-10-04 15:05 . 2009-10-04 15:05 4710 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut3_4192EAC06B364723B216D0E86E7757AC.exe
    2009-10-04 15:05 . 2009-10-04 15:05 22486 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut5_4192EAC06B364723B216D0E86E7757AC.exe
    2009-10-04 15:05 . 2009-10-04 15:05 22486 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\ARPPRODUCTICON.exe
    2009-10-04 15:04 . 2009-10-04 15:04 -------- d-----w- c:\program files\Common Files\Jasc Software Inc
    2009-10-04 15:03 . 2009-10-04 15:03 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
    2009-09-28 22:52 . 2009-09-28 20:53 -------- d-----w- c:\documents and settings\heather\Application Data\Nvu
    2009-09-28 20:53 . 2009-09-28 20:53 -------- d-----w- c:\program files\Nvu
    2009-09-24 15:20 . 2009-09-24 15:20 -------- d-----w- c:\program files\MSXML 4.0
    2009-09-24 15:15 . 2009-09-24 13:03 -------- d-----w- c:\program files\NetWaiting
    2009-09-24 15:15 . 2009-09-24 15:15 -------- d-----w- c:\program files\CONEXANT
    2009-09-24 13:21 . 2009-09-24 13:21 -------- d-----w- c:\program files\MSBuild
    2009-09-24 13:21 . 2009-09-24 13:21 -------- d-----w- c:\program files\Reference Assemblies
    2009-09-24 13:03 . 2009-09-14 19:14 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-09-24 01:15 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2009-09-22 13:18 . 2009-09-22 13:18 -------- d-----w- c:\documents and settings\heather\Application Data\Roxio
    2009-09-22 13:11 . 2009-09-22 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall
    2009-09-22 13:11 . 2009-09-22 13:02 -------- d-----w- c:\program files\Common Files\Sonic Shared
    2009-09-22 13:11 . 2009-09-22 13:02 -------- d-----w- c:\program files\Roxio
    2009-09-22 13:09 . 2009-09-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
    2009-09-22 13:07 . 2009-09-22 13:02 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2009-09-22 13:05 . 2009-09-22 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
    2009-09-22 13:03 . 2009-09-22 13:03 -------- d-----w- c:\program files\Common Files\SureThing Shared
    2009-09-22 13:02 . 2009-09-22 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
    2009-09-22 13:02 . 2009-09-14 19:14 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-09-22 13:01 . 2009-09-22 13:01 10134 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe
    2009-09-20 14:38 . 2009-09-18 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\heather\Application Data\Yahoo!
    2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\program files\Yahoo!
    2009-09-18 21:12 . 2009-09-18 21:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-09-18 21:11 . 2009-09-18 21:11 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2009-09-16 21:58 . 2009-09-16 21:58 -------- d-----w- c:\program files\Powerbullet
    2009-09-16 05:21 . 2009-09-16 05:21 -------- d-----w- c:\program files\GIMP-2.0
    2009-09-16 05:01 . 2009-09-16 05:01 -------- d-----w- c:\documents and settings\heather\Application Data\OpenOffice.org
    2009-09-16 05:00 . 2009-09-16 05:00 -------- d-----w- c:\program files\JRE
    2009-09-16 05:00 . 2009-09-16 04:59 -------- d-----w- c:\program files\OpenOffice.org 3
    2009-09-16 04:59 . 2009-09-16 04:50 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-16 04:59 . 2009-09-15 17:45 -------- d-----w- c:\program files\Java
    2009-09-16 04:49 . 2009-09-16 04:49 152576 ----a-w- c:\documents and settings\heather\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-09-15 17:45 . 2009-09-15 17:45 -------- d-----w- c:\program files\Common Files\Java
    2009-09-15 01:30 . 2009-09-15 01:30 0 ----a-w- c:\windows\nsreg.dat
    2009-09-15 01:26 . 2009-09-15 01:25 -------- d-----w- c:\program files\Google
    2009-09-15 01:23 . 2009-09-15 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2009-09-15 01:22 . 2009-09-15 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-09-15 01:22 . 2009-09-15 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-09-15 01:21 . 2009-09-15 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-09-15 01:21 . 2009-09-15 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-09-15 01:21 . 2009-09-15 01:21 -------- d-----w- c:\program files\AVG
    2009-09-15 01:21 . 2009-09-15 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-09-15 01:15 . 2009-09-15 01:15 -------- d-----w- c:\documents and settings\heather\Application Data\AVG8
    2009-09-14 19:16 . 2009-09-14 19:16 -------- d-----w- c:\program files\SigmaTel
    2009-09-14 19:14 . 2009-09-14 19:14 -------- d-----w- c:\program files\ATI Technologies
    2009-09-14 19:03 . 2009-09-14 18:18 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-09-14 18:19 . 2009-09-14 18:19 -------- d-----w- c:\program files\microsoft frontpage
    2009-09-14 18:16 . 2009-09-14 18:16 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-09-11 14:18 . 2004-08-12 13:23 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 21:03 . 2004-08-12 13:22 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-08-29 08:08 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-08-26 08:00 . 2004-08-12 13:30 247326 ----a-w- c:\windows\system32\strmdll.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]
    "DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]
    "dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 430080]
    "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 282624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "PDFtypewriterPrinterMonitor"="c:\program files\PDFtypewriter\Printer\PDFtypewriterMonitorStart.exe" [2009-10-07 25384]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-09-15 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Nvu\\nvu.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/14/2009 8:21 PM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/14/2009 8:22 PM 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/14/2009 8:21 PM 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/14/2009 8:21 PM 297752]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [10/6/2009 7:52 AM 54752]
    R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
    S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 9:32 AM 309744]
    S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 9:32 AM 166384]
    S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 9:31 AM 1120752]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MBR
    *NewlyCreated* - PROCEXP113
    *Deregistered* - mbr
    *Deregistered* - PROCEXP113
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    mDefault_Page_URL = hxxp://www.yahoo.com/
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    FF - ProfilePath - c:\documents and settings\heather\Application Data\Mozilla\Firefox\Profiles\yk9s5gim.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-<NO NAME> - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-07 01:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-11-07 1:29
    ComboFix-quarantined-files.txt 2009-11-07 06:28

    Pre-Run: 303,147,810,816 bytes free
    Post-Run: 303,454,617,600 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 6F24C0618F03BDB06F6B90DD1F02F73D
    IndiGenus
    How's it running now? Are you still getting redirected when browsing? If so is that only with Firefox? Or with IE too?

    You mentioned earlier something I wanted to address...

    QUOTE
    Running XP, no MS Office products at all (but the ctfmon. exe service is running)

    ctfmon.exe is not part of MS Office. It's part of Windows. I believe with SP3 Windows has it start automatically (not 100% sure of that but I think so). I myself just turn it off. Sometimes it can be malicious but I think yours is legit. You can try turning it off. How to do that is covered in the link below.

    http://www.microsoft.com/resources/documen...n.mspx?mfr=true



    hyebba
    QUOTE (IndiGenus @ Nov 7 2009, 11:34 AM) *
    How's it running now? Are you still getting redirected when browsing? If so is that only with Firefox? Or with IE too?

    You mentioned earlier something I wanted to address...


    ctfmon.exe is not part of MS Office. It's part of Windows. I believe with SP3 Windows has it start automatically (not 100% sure of that but I think so). I myself just turn it off. Sometimes it can be malicious but I think yours is legit. You can try turning it off. How to do that is covered in the link below.

    http://www.microsoft.com/resources/documen...n.mspx?mfr=true



    Hi Indi!

    My bad, I thought the ctfmon service was just for MS Office products. thanks for the clarification.
    I'm not sure if it ever redirected with IE as it's just a 'policy' of mine not to run IE. I started IE and it seems to be fine when I do Google searches and click through. But again, that service is turned off so I wouldn't expect any hangups right now.
    The computer runs fine with the ctfmon service disabled, but the concern comes in with restarting (it automatically starts and I'm worried at that time it will send whatever info it is gathering to whoever is doing the harvesting).
    I followed the link you provided, but the instructions didn't match with my version of XP. I will research to find the right way for my system. thanks for the heads up on that.

    I'm wondering: Since I've had the ctfmon service disabled while I ran all these diagnostics, could that be why we aren't seeing anything? should I restart that service and begin running the diagnostics again? Also, if it is a virus, will just turning off that service be adequate enough to keep me safe?

    thanks for everything you're doing to help me out. I truly appreciate it!
    IndiGenus
    I can see where the process is being launched from.

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    I really don't think it's the issue, but we can have the file checked.

    Please go to http://www.virustotal.com/en/indexf.html
    click on Browse, and upload the following file for analysis:

    C:\WINDOWS\SYSTEM32\ctfmon.exe

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.
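    The Run key quoted above is one of the places ComboFix lists under "Reg Loading Points"; the R*/S* service lines further down are the other. As an added example (not part of this thread and not ComboFix's own logic), the Python below parses both formats and flags the three things a helper looks for first when reading such a log: an image that lives under a user's Temp directory, an image ComboFix marked [?] because the file was not on disk, and a Run value that names a DLL (Windows executes those through rundll32, which is how the catchme section shows DLCDCATS). The sample lines are copied from the ComboFix log posted above; the flag rules are this example's own heuristics.

```python
"""Triage of ComboFix autostart lines.

Added example for this thread; it is not ComboFix code and not the poster's.
SAMPLE_LOG is constructed from lines copied out of the ComboFix log above,
in the two formats ComboFix uses: Run-key values and the R*/S* service list.
The flag rules are this example's own heuristics, not ComboFix's.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/14/2009 8:21 PM 297752]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
"""

# "name"="image" [yyyy-mm-dd size]   (inside a [HKEY_...\Run] block)
RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]+\\Run)\]$')
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[([^\]]*)\]$')
# R2 name;display;image [date size]   or   ...;image --> image [?]
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);[^;]*;(.+?)(?: --> .+?)? \[([^\]]*)\]$')


@dataclass
class Autostart:
    source: str   # registry key, or the service start type (R1/R2/S2/...)
    name: str     # value name or service name
    image: str    # path (plus arguments) as ComboFix logged it
    detail: str   # bracketed tail: "date size" when the file exists, "?" when not
    flags: list = field(default_factory=list)


def parse_autostarts(text):
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current_key = None            # a blank line closes a registry block
            continue
        m = RUN_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = RUN_VALUE_RE.match(line)
        if m and current_key:
            name, image, detail = m.groups()
            entries.append(Autostart(current_key, name, image, detail))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start_type, name, image, detail = m.groups()
            entries.append(Autostart(start_type, name, image, detail))
    return entries


def flag(entry):
    """Heuristic flags (this example's own, not ComboFix's)."""
    flags = []
    image = entry.image.lower()
    # "\temp\" also matches 8.3 paths such as \LOCALS~1\Temp\
    if "\\temp\\" in image:
        flags.append("temp-path")         # persistence from a user's Temp directory
    if entry.detail == "?":
        flags.append("missing-image")     # ComboFix could not find the file on disk
    if entry.source.startswith("HKEY_") and image.endswith(".dll"):
        flags.append("dll-via-rundll32")  # a Run value naming a DLL is run by rundll32
    return flags


def triage(text):
    """Return {name: [flags]} for every autostart that raised at least one flag."""
    report = {}
    for entry in parse_autostarts(text):
        entry.flags = flag(entry)
        if entry.flags:
            report[entry.name] = entry.flags
    return report


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```

    Run against the sample it reports only SessionLauncher (Temp path, file missing), dlcd_device (file missing) and DLCDCATS (DLL autostart); the AVG, Google and ctfmon.exe entries come through clean, which matches what the helper concluded about ctfmon.exe above. The service registered from Temp\DX9 is the entry a practitioner would want the file for, whether or not it is still on disk.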
    hyebba
    QUOTE (IndiGenus @ Nov 8 2009, 01:57 AM) *
    I can see where the process is being launched from.

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    I really don't think it's the issue, but we can have the file checked.

    Please go to http://www.virustotal.com/en/indexf.html
    click on Browse, and upload the following file for analysis:

    C:\WINDOWS\SYSTEM32\ctfmon.exe

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.



    Yep, you're right...no issue there it looks like. What do we do now? And if the file is clean, why would it mess me up so bad when it runs? (Just trying to understand how that works.) Thanks for helping!! Report is below.

    MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3
    First received: 2009.02.11 22:51:11 UTC
    Date: 2009.11.08 00:16:29 UTC [<1D]
    Results: 0/40
    Permalink: analisis/5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1-1257639389
    IndiGenus
    I've never heard of the ctfmon.exe (legitimate) process causing issues, with redirects or other. So you are saying that you still are getting redirected when this process is running?

    hyebba
    QUOTE (IndiGenus @ Nov 8 2009, 02:54 PM) *
    I've never heard of the ctfmon.exe (legitimate) process causing issues, with redirects or other. So you are saying that you still are getting redirected when this process is running?


    Aw man, really???

    Unfortunately, I've seen a lot (from techs) regarding ctfmon messing things up. Obviously, and just like you had said, the legit ones are fine (it seems) but this one's legit (pretty positive anyway) and it still seems completely connected to the problem somehow. Could a virus depend on this service running to be able to execute? (I don't even know if I asked that correctly.) I was hoping you were going to be my knight in shining armor on that one!!

    The problem has not changed.

    The best that I can say is that once I had turned that service off, the problems stopped. Outside of that, I don't know.

    Then, this morning there were two instances of ctfmon.exe showing in my processes (how they started and why there were two, with different mem. usage, I have no idea. I had not restarted the computer). When I tried to upgrade my AVG to a new version today, the AVG program will not connect to the site through Firefox or IE. On Firefox I get the server reset error and on IE it just hangs up on a blank page and does nothing. Also, when AVG runs its scan no 'warnings' pop up (I usually have at least 50 from cookies), so it seems that AVG looks like it's running, but isn't really doing anything. Also, my computer started running really slow again. Whatever is in here, it's rebuilding itself somehow, or restarting itself???? Is that possible?

    I'm stumped. And oh so worried. I literally just put in a new hard drive. Brand new, out of the box, and she was purring oh so well.

    Thanks for fightin' the fight with me! Lead my way to cleanliness!!

    hyebba
    QUOTE (hyebba @ Nov 9 2009, 09:54 AM) *
    Aw man, really???

    Unfortunately, I've seen a lot (from techs) regarding ctfmon messing things up. Obviously, and just like you had said, the legit ones are fine (it seems) but this one's legit (pretty positive anyway) and it still seems completely connected to the problem somehow. Could a virus depend on this service running to be able to execute? (I don't even know if I asked that correctly.) I was hoping you were going to be my knight in shining armor on that one!!

    The problem has not changed.

    The best that I can say is that once I had turned that service off, the problems stopped. Outside of that, I don't know.

    Then, this morning there were two instances of ctfmon.exe showing in my processes (how they started and why there were two, with different mem. usage, I have no idea. I had not restarted the computer). When I tried to upgrade my AVG to a new version today, the AVG program will not connect to the site through Firefox or IE. On Firefox I get the server reset error and on IE it just hangs up on a blank page and does nothing. Also, when AVG runs its scan no 'warnings' pop up (I usually have at least 50 from cookies), so it seems that AVG looks like it's running, but isn't really doing anything. Also, my computer started running really slow again. Whatever is in here, it's rebuilding itself somehow, or restarting itself???? Is that possible?

    I'm stumped. And oh so worried. I literally just put in a new hard drive. Brand new, out of the box, and she was purring oh so well.

    Thanks for fightin' the fight with me! Lead my way to cleanliness!!




    Oh, and I don't know if this means anything, but it's a change in behavior. I have to click everything twice now, or refresh pages to get them to load. It's getting worse???? It's to the point now that EVERY time, I have to click at least twice. aacckk!!!!
    IndiGenus
    Let's get another rootkit scan.

    Download This file. Note its name and save it to your root folder, such as C:\.

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
    • Click on this link to see a list of programs that should be disabled.
    • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
    • Allow the driver to load if asked.
    • You may be prompted to scan immediately if it detects rootkit activity.
    • If you are prompted to scan your system click "Yes" to begin the scan.
    • If not prompted, click the "Rootkit/Malware" tab.
    • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
    • Select all drives that are connected to your system to be scanned.
    • Click the Scan button to begin. (Please be patient as it can take some time to complete)
    • When the scan is finished, click Save to save the scan results to your Desktop.
    • Save the file as Results.log and copy/paste the contents in your next reply.
    • Exit the program and re-enable all active protection when done.
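    Once Results.log is in hand, the user-mode section is the part that swamps a reader: GMER prints one line per hooked API, so a single DLL that patches a dozen USER32 entry points produces a dozen lines. As an added example (not part of this thread and not GMER's own logic), the Python below parses GMER's ".text ... JMP ..." inline-hook lines and its "IAT ..." import-table lines, groups them by process and hooking DLL so that each DLL becomes one entry, and flags two things worth a second look: a DLL outside system32 sitting on the browser's Winsock calls, and a hooking DLL for which GMER printed no version-resource description. The sample lines are copied from the Results.log posted later in this thread; the flag rules are this example's own heuristics, and a flag means "inspect", not "malicious".

```python
"""Summarise GMER user-mode hook lines.

Added example for this thread; it is not GMER code and not the poster's.
SAMPLE_GMER is constructed from lines copied out of the Results.log posted
later in this thread, in the two formats GMER uses for user-mode hooks:
".text ... JMP ..." inline hooks and "IAT ..." import-table hooks. The flag
rules are this example's own heuristics, not GMER's.
"""
import re
from collections import defaultdict

SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 46CAE71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 46CAE62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!send 71AB4C27 5 Bytes JMP 46CAE9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!recv 71AB676F 5 Bytes JMP 46CAF1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
"""

# .text <process>[pid] <module>!<api> <addr> <n> Bytes JMP <target> <hooking dll> (<description>)
INLINE_RE = re.compile(
    r'^\.text (?P<process>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<api>\S+) '
    r'(?P<addr>[0-9A-F]+) (?P<nbytes>\d+) Bytes JMP (?P<target>[0-9A-F]+) '
    r'(?P<hooker>.+?)(?: \((?P<desc>.*)\))?$')
# IAT <process>[pid] @ <importing module> [<module>!<api>] [<target>] <hooking dll> (<description>)
IAT_RE = re.compile(
    r'^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<importer>.+?) '
    r'\[(?P<module>[^!\]]+)!(?P<api>[^\]]+)\] \[(?P<target>[0-9A-F]+)\] '
    r'(?P<hooker>.+?)(?: \((?P<desc>.*)\))?$')

# Winsock / WinINet entry points: a hook here sees the browser's traffic.
NETWORK_MODULES = {"ws2_32.dll", "wsock32.dll", "wininet.dll"}


def parse_hooks(text):
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in (("inline", INLINE_RE), ("iat", IAT_RE)):
            m = rx.match(line)
            if m:
                rec = m.groupdict()
                rec["kind"] = kind
                hooks.append(rec)
                break
    return hooks


def is_system_path(path):
    return path.lower().startswith("c:\\windows\\system32\\")


def assess(hooks):
    """Group hooks by (process, hooking DLL); attach heuristic flags per group."""
    groups = defaultdict(lambda: {"apis": [], "flags": set()})
    for h in hooks:
        key = (h["process"].rsplit("\\", 1)[-1], h["hooker"].rsplit("\\", 1)[-1])
        g = groups[key]
        g["apis"].append(f'{h["module"]}!{h["api"]}')
        # A DLL outside system32 sitting on the browser's Winsock calls sees
        # every name lookup and every byte sent or received.
        if h["module"].lower() in NETWORK_MODULES and not is_system_path(h["hooker"]):
            g["flags"].add("network-api-hook-by-non-system-dll")
        # GMER prints "(FileDescription/CompanyName)" from the version resource;
        # nothing there means the hooking DLL carries no version information.
        if not h["desc"]:
            g["flags"].add("no-version-info")
    return dict(groups)


if __name__ == "__main__":
    for (proc, dll), g in assess(parse_hooks(SAMPLE_GMER)).items():
        print(f"{proc} <- {dll}: {len(g['apis'])} hook(s) {sorted(g['flags']) or ''}")
```

    On the sample, IEFRAME.dll hooking dialog functions inside IEXPLORE.EXE collapses to one unflagged entry (that is Internet Explorer patching itself), xpshims.dll likewise, and the two entries that surface are SeaNote.dll on getaddrinfo/connect/send/recv in the browser and yui.dll with no description string. Neither is a verdict: SeaNote is part of a search toolbar package and yui.dll belongs to Yahoo! Messenger, but those are exactly the lines a helper would check the file hashes for before moving on to the kernel sections of the log.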
    hyebba
    Ran the scan, logs are below.

    I see the folders where the ctfmon is, however I cannot find it 'running' anywhere except the task manager so that I can turn it off.

    I went to Control Panel > Administrative Tools > Services = It's not listed in the services anywhere.

    I went to Start > Run > msconfig > start.ini > = It's not listed there either.

    I can't find it to turn it off, so I am left with End Process in the task manager, and I hear that's not such a good thing to do.

    The computer is beginning to get worse, literally by the minute. Last time, I just turned off the ctfmon, but now it just keeps reappearing and I can't locate it to turn it off.

    Here's the logs:

    thanks again for everything!

    GMER 1.0.15.15163 - http://www.gmer.net
    Rootkit scan 2009-11-09 14:18:36
    Windows 5.1.2600 Service Pack 3
    Running: malfix41gbwvqp.exe; Driver: C:\DOCUME~1\heather\LOCALS~1\Temp\fwncifob.sys


    ---- System - GMER 1.0.15 ----

    Code \??\C:\DOCUME~1\heather\LOCALS~1\Temp\catchme.sys pIofCallDriver

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\DOCUME~1\heather\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
    ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 46CAE71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 46CAEEE9 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!socket 71AB4211 5 Bytes JMP 46CAE59E C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 46CAE62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!send 71AB4C27 5 Bytes JMP 46CAE9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!recv 71AB676F 5 Bytes JMP 46CAF1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
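The hook lines at the top of the GMER log above (inline JMP hooks on ws2_32.dll inside IEXPLORE.EXE, IAT hooks in ymsgr_tray.exe) are the part of a GMER report a responder reads first, because a module sitting in front of getaddrinfo/connect/send/recv sees every connection the browser makes, which is exactly the class of hook to account for when the symptom is "the internet crawls". The following is an added example, not code from the thread or from GMER: a small parser that groups the hook lines by the module that owns the JMP target and attaches review flags (network API hooked, no version resource, unusual location). The flags are triage heuristics, not verdicts; on this machine the Winsock hooks belong to a vendor-labelled Microsoft Search Enhancement Pack component and yui.dll is Yahoo! Messenger's own UI library, which is why the helper reads the log as clean. The sample lines are copied from the log above; NETWORK_DLLS and the location check are my own choices.

```python
import re

# Constructed sample input: five lines copied verbatim from the GMER log posted
# in this thread (three inline hooks, two IAT hooks).
SAMPLE_GMER = r"""
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 46CAE71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 46CAE62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!recv 71AB676F 5 Bytes JMP 46CAF1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
"""

# ".text <proc>[pid] <dll>!<func> <addr> <n> Bytes JMP <target> <owner> (<desc>)"
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<api_dll>\S+?)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s+"
    r"(?P<owner>.+?)(?:\s+\((?P<desc>[^()]*)\))?$")

# "IAT <proc>[pid] @ <importing module> [<dll>!<func>] [<target>] <owner> (<desc>)"
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>.+?)\s+"
    r"\[(?P<api_dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<target>[0-9A-Fa-f]+)\]\s+"
    r"(?P<owner>.+?)(?:\s+\((?P<desc>[^()]*)\))?$")

# DLLs on the network path (my choice of list): a hook here sits in front of
# every connection the process makes, so it is the first thing to account for
# when the complaint is that the internet crawls.
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll"}

def parse_hooks(text):
    """Return one dict per hook line; lines of other kinds are ignored."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in (("inline", INLINE_RE), ("iat", IAT_RE)):
            m = rx.match(line)
            if m:
                rec = m.groupdict()
                rec["kind"] = kind
                hooks.append(rec)
                break
    return hooks

def summarize_by_owner(hooks):
    """Group hooks by the module that owns the JMP target and attach review flags."""
    owners = {}
    for h in hooks:
        o = owners.setdefault(h["owner"], {"desc": h["desc"], "procs": set(),
                                           "funcs": set(), "kinds": set()})
        o["procs"].add(f'{h["proc"]}[{h["pid"]}]')
        o["funcs"].add(f'{h["api_dll"]}!{h["func"]}')
        o["kinds"].add(h["kind"])
    for path, o in owners.items():
        flags = set()
        low = path.lower()
        if o["desc"] is None:
            # GMER prints (description/company) from the file's version
            # resource; none present means the file has none, not that it is bad.
            flags.add("no-version-info")
        if "\\temp\\" in low or not low.startswith(("c:\\program files\\", "c:\\windows\\")):
            flags.add("unusual-location")
        if any(f.split("!")[0].lower() in NETWORK_DLLS for f in o["funcs"]):
            flags.add("hooks-network-api")
        o["flags"] = flags
    return owners
```

Run on the sample, SeaNote.dll comes out with three ws2_32 functions hooked in IEXPLORE.EXE and the single flag hooks-network-api, and yui.dll with no-version-info only. A module that collected unusual-location together with hooks-network-api, or one whose owner path was not on disk at all, would be the entry to chase before anything else in the log.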
    IndiGenus
    QUOTE
    I see the folders where the ctfmon is, however I cannot find it 'running' anywhere except the task manager so that I can turn it off.

    It should only be in your system32 folder. Where else do you see it?


    QUOTE
    I went to Control Panel > Administrative Tools > Services = It's not listed in the services anywhere.

    It's not a service, it's a process, so you will not see it there.


    QUOTE
I went to Start > Run > msconfig > start.ini > = It's not listed there either.

    The valid ctfmon is starting from a run key:

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]


    QUOTE
    I can't find it to turn it off, so I am left with End Process in the task manager, and I hear that's not such a good thing to do.

    Stopping this process (either the good or bad one) will not hurt anything.


    QUOTE
    The computer is beginning to get worse, literally by the minute. Last time, I just turned off the ctfmon, but now it just keeps reappearing and I can't locate it to turn it off.??

    Stay calm, we'll get it sorted out.

    Not seeing anything in GMER.

    Do me a favor. Delete the copy of combofix I had you download earlier and download a fresh copy. Then run as advised before and post the log.
    hyebba
    Thank you for such a detailed response. It helped me understand things better. I'm a web publisher and am currently learning coding and scripts, and I know I need to have some kind of malware knowledge, so again, thank you.


    QUOTE
    It should only be in your system32 folder. Where else do you see it?


    ctfmon.exe C:\WINDOWS\$NtServicePackUninstall$

    CTFMON.EXE-0E17969B.pf C:\WINDOWS\Prefetch

    ctfmon.exe C:\WINDOWS\system32

ctfmon.exe C:\WINDOWS\ERDNT\cache

    ctfmon.exe C:\WINDOWS\ServicePackFiles\i386

    They each seem to be from Microsoft.

    QUOTE
    The valid ctfmon is starting from a run key:

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]


    Can I go into that folder and just delete the word 'run' to turn it off for good?

Here is the ComboFix log. I had accidentally run the RootRepeal tool first, so I included those too, just in case there was something in there.

    COMBOFIX:

    ComboFix 09-11-08.03 - heather 11/09/2009 17:01.2.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.336 [GMT -5:00]
    Running from: c:\documents and settings\heather\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
    .

    2009-11-09 18:19 . 2009-11-09 18:20 291328 ----a-w- C:\malfix41gbwvqp.exe
    2009-11-06 13:50 . 2009-10-21 13:40 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
    2009-11-04 02:18 . 2009-11-04 02:18 -------- d-----w- c:\program files\ERUNT
    2009-11-03 02:59 . 2009-11-03 02:59 -------- d-----w- c:\program files\Trend Micro
    2009-11-03 02:03 . 2009-11-03 02:03 -------- d-----w- c:\documents and settings\heather\Application Data\Malwarebytes
    2009-11-03 02:03 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-03 02:03 . 2009-11-03 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-11-03 02:03 . 2009-11-03 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-03 02:03 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-03 02:01 . 2009-11-03 02:56 -------- d-----w- c:\windows\system32\NtmsData
    2009-11-02 19:00 . 2009-11-02 19:00 -------- d-----w- c:\documents and settings\heather\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-11-02 18:32 . 2009-10-07 16:08 90920 ----a-w- c:\windows\system32\custmon32.dll
    2009-11-02 18:32 . 2009-11-02 18:32 -------- d-----w- c:\windows\SigPlus
    2009-11-02 18:31 . 2009-11-02 18:32 -------- d-----w- c:\program files\PDFtypewriter
    2009-11-02 18:31 . 2009-11-02 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\CTdeveloping
    2009-11-02 18:31 . 2009-11-02 18:31 -------- d-----w- c:\documents and settings\heather\Application Data\CTdeveloping
    2009-11-02 07:03 . 2009-11-02 07:03 -------- d-----w- C:\b2725bb553b499d6447c88
    2009-11-01 07:09 . 2009-11-01 07:09 -------- d-----w- C:\5126b90f2e82c1cd141e
    2009-10-31 16:56 . 2008-04-14 09:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2009-10-31 15:35 . 2009-10-31 15:36 -------- d-----w- C:\296e633a8c10b8dcb748
    2009-10-30 06:09 . 2009-10-30 06:09 -------- d-----w- C:\1b00fa8af810194faf851e21
    2009-10-29 15:20 . 2009-10-29 15:20 -------- d-----w- c:\windows\Cache
    2009-10-29 15:20 . 2009-10-29 15:20 -------- d-----w- c:\program files\Coupons
    2009-10-29 05:43 . 2009-10-29 05:43 -------- d-----w- C:\9d870a4543eaffdbe4a428035ec5
    2009-10-28 12:55 . 2009-10-28 12:55 -------- d-----w- C:\05a1236ff083f0fba998c1c871f5
    2009-10-27 18:16 . 2009-10-27 18:16 -------- d-----w- c:\program files\Windows Media Connect 2
    2009-10-27 18:12 . 2009-10-27 18:14 -------- d-----w- c:\windows\system32\drivers\UMDF
    2009-10-27 18:12 . 2009-10-27 18:12 -------- d-----w- c:\windows\system32\LogFiles
    2009-10-23 12:50 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-20 14:08 . 2009-10-20 14:08 -------- d-----w- c:\program files\PinderSoft
    2009-10-17 13:40 . 2009-10-17 13:40 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
    2009-10-16 17:14 . 2009-10-16 17:14 -------- d-----w- c:\program files\FileZilla FTP Client
    2009-10-13 12:28 . 2009-11-09 18:10 -------- d-----w- c:\documents and settings\heather\Application Data\FileZilla

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-07 23:55 . 2009-10-04 14:43 -------- d-----w- c:\program files\Dl_cats
    2009-11-07 20:12 . 2009-09-16 05:02 1 ----a-w- c:\documents and settings\heather\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-11-07 19:59 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2009-11-05 17:35 . 2009-09-28 21:09 -------- d-----w- c:\documents and settings\heather\Application Data\gtk-2.0
    2009-11-04 02:16 . 2009-09-15 17:44 -------- d-----w- c:\documents and settings\heather\Application Data\MP3Rocket
    2009-10-28 14:48 . 2009-09-24 13:30 34256 ----a-w- c:\documents and settings\heather\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-28 06:52 . 2009-09-18 21:13 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-09 18:16 . 2009-10-09 18:16 -------- d-----w- c:\program files\Kelly Martens
    2009-10-07 23:14 . 2009-10-07 23:14 -------- d-----w- c:\documents and settings\heather\Application Data\Uniblue
    2009-10-07 16:08 . 2009-10-07 16:08 41768 ----a-w- c:\windows\system32\PDFtypewriter_AddIn.dll
    2009-10-07 16:08 . 2009-10-07 16:08 1825064 ----a-w- c:\windows\system32\QuickPDFAX0716.dll
    2009-10-07 16:08 . 2009-10-07 16:08 45864 ----a-w- c:\windows\system32\CT_xmlparser.dll
    2009-10-07 16:08 . 2009-10-07 16:08 299816 ----a-w- c:\windows\system32\CT_twain.dll
    2009-10-07 07:15 . 2009-10-06 12:52 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-10-06 14:28 . 2009-10-06 14:25 -------- d-----w- c:\documents and settings\heather\Application Data\Windows Live Writer
    2009-10-06 13:03 . 2009-10-04 14:41 -------- d-----w- c:\program files\Dell Photo AIO Printer 944
    2009-10-06 12:52 . 2009-10-06 12:45 -------- d-----w- c:\program files\Windows Live
    2009-10-06 12:48 . 2009-10-06 12:48 -------- d-----w- c:\program files\Microsoft Sync Framework
    2009-10-06 12:47 . 2009-10-06 12:47 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2009-10-06 12:46 . 2009-10-06 12:46 -------- d-----w- c:\program files\Microsoft
    2009-10-06 12:45 . 2009-10-06 12:45 -------- d-----w- c:\program files\Windows Live SkyDrive
    2009-10-06 12:41 . 2009-10-06 12:41 -------- d-----w- c:\program files\Common Files\Windows Live
    2009-10-04 15:06 . 2009-10-04 15:06 25214 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}\ARPPRODUCTICON.exe
    2009-10-04 15:05 . 2009-10-04 15:05 -------- d-----w- c:\documents and settings\heather\Application Data\Jasc Software Inc
    2009-10-04 15:05 . 2009-10-04 15:04 -------- d-----w- c:\program files\Jasc Software Inc
    2009-10-04 15:05 . 2009-10-04 15:05 4710 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut3_4192EAC06B364723B216D0E86E7757AC.exe
    2009-10-04 15:05 . 2009-10-04 15:05 22486 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut5_4192EAC06B364723B216D0E86E7757AC.exe
    2009-10-04 15:05 . 2009-10-04 15:05 22486 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\ARPPRODUCTICON.exe
    2009-10-04 15:04 . 2009-10-04 15:04 -------- d-----w- c:\program files\Common Files\Jasc Software Inc
    2009-10-04 15:03 . 2009-10-04 15:03 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
    2009-09-28 22:52 . 2009-09-28 20:53 -------- d-----w- c:\documents and settings\heather\Application Data\Nvu
    2009-09-28 20:53 . 2009-09-28 20:53 -------- d-----w- c:\program files\Nvu
    2009-09-24 15:20 . 2009-09-24 15:20 -------- d-----w- c:\program files\MSXML 4.0
    2009-09-24 15:15 . 2009-09-24 13:03 -------- d-----w- c:\program files\NetWaiting
    2009-09-24 15:15 . 2009-09-24 15:15 -------- d-----w- c:\program files\CONEXANT
    2009-09-24 13:21 . 2009-09-24 13:21 -------- d-----w- c:\program files\MSBuild
    2009-09-24 13:21 . 2009-09-24 13:21 -------- d-----w- c:\program files\Reference Assemblies
    2009-09-24 13:03 . 2009-09-14 19:14 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-09-22 13:18 . 2009-09-22 13:18 -------- d-----w- c:\documents and settings\heather\Application Data\Roxio
    2009-09-22 13:11 . 2009-09-22 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall
    2009-09-22 13:11 . 2009-09-22 13:02 -------- d-----w- c:\program files\Common Files\Sonic Shared
    2009-09-22 13:11 . 2009-09-22 13:02 -------- d-----w- c:\program files\Roxio
    2009-09-22 13:09 . 2009-09-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
    2009-09-22 13:07 . 2009-09-22 13:02 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2009-09-22 13:05 . 2009-09-22 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
    2009-09-22 13:03 . 2009-09-22 13:03 -------- d-----w- c:\program files\Common Files\SureThing Shared
    2009-09-22 13:02 . 2009-09-22 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
    2009-09-22 13:02 . 2009-09-14 19:14 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-09-22 13:01 . 2009-09-22 13:01 10134 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe
    2009-09-20 14:38 . 2009-09-18 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\heather\Application Data\Yahoo!
    2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\program files\Yahoo!
    2009-09-18 21:12 . 2009-09-18 21:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-09-18 21:11 . 2009-09-18 21:11 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2009-09-16 21:58 . 2009-09-16 21:58 -------- d-----w- c:\program files\Powerbullet
    2009-09-16 05:21 . 2009-09-16 05:21 -------- d-----w- c:\program files\GIMP-2.0
    2009-09-16 05:01 . 2009-09-16 05:01 -------- d-----w- c:\documents and settings\heather\Application Data\OpenOffice.org
    2009-09-16 05:00 . 2009-09-16 05:00 -------- d-----w- c:\program files\JRE
    2009-09-16 05:00 . 2009-09-16 04:59 -------- d-----w- c:\program files\OpenOffice.org 3
    2009-09-16 04:59 . 2009-09-16 04:50 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-16 04:59 . 2009-09-15 17:45 -------- d-----w- c:\program files\Java
    2009-09-16 04:49 . 2009-09-16 04:49 152576 ----a-w- c:\documents and settings\heather\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-09-15 17:45 . 2009-09-15 17:45 -------- d-----w- c:\program files\Common Files\Java
    2009-09-15 01:30 . 2009-09-15 01:30 0 ----a-w- c:\windows\nsreg.dat
    2009-09-15 01:26 . 2009-09-15 01:25 -------- d-----w- c:\program files\Google
    2009-09-15 01:23 . 2009-09-15 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2009-09-15 01:22 . 2009-09-15 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-09-15 01:22 . 2009-09-15 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-09-15 01:21 . 2009-09-15 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-09-15 01:21 . 2009-09-15 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-09-15 01:21 . 2009-09-15 01:21 -------- d-----w- c:\program files\AVG
    2009-09-15 01:21 . 2009-09-15 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-09-15 01:15 . 2009-09-15 01:15 -------- d-----w- c:\documents and settings\heather\Application Data\AVG8
    2009-09-14 19:16 . 2009-09-14 19:16 -------- d-----w- c:\program files\SigmaTel
    2009-09-14 19:14 . 2009-09-14 19:14 -------- d-----w- c:\program files\ATI Technologies
    2009-09-14 19:03 . 2009-09-14 18:18 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-09-14 18:19 . 2009-09-14 18:19 -------- d-----w- c:\program files\microsoft frontpage
    2009-09-14 18:16 . 2009-09-14 18:16 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-09-11 14:18 . 2004-08-12 13:23 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 21:03 . 2004-08-12 13:22 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-08-29 08:08 . 2004-08-12 13:33 916480 ------w- c:\windows\system32\wininet.dll
    2009-08-26 08:00 . 2004-08-12 13:30 247326 ----a-w- c:\windows\system32\strmdll.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-11-07_06.27.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-09-14 18:56 . 2009-11-09 19:37 15360 c:\windows\$NtServicePackUninstall$\ctfmon.exe
    - 2009-09-14 18:56 . 2004-08-12 13:18 15360 c:\windows\$NtServicePackUninstall$\ctfmon.exe
    + 2009-11-07 19:59 . 2009-11-07 19:59 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]
    "DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]
    "dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 430080]
    "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 282624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "PDFtypewriterPrinterMonitor"="c:\program files\PDFtypewriter\Printer\PDFtypewriterMonitorStart.exe" [2009-10-07 25384]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-09-15 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Nvu\\nvu.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/14/2009 8:21 PM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/14/2009 8:22 PM 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/14/2009 8:21 PM 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/14/2009 8:21 PM 297752]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [10/6/2009 7:52 AM 54752]
    R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
    S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 9:32 AM 309744]
    S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 9:32 AM 166384]
    S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 9:31 AM 1120752]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - FWNCIFOB
    *NewlyCreated* - MBR
    *NewlyCreated* - PROCEXP113
    *NewlyCreated* - RASAUTO
    *Deregistered* - fwncifob
    *Deregistered* - mbr
    *Deregistered* - PROCEXP113
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    FF - ProfilePath - c:\documents and settings\heather\Application Data\Mozilla\Firefox\Profiles\yk9s5gim.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

    ---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-09 17:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1512)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2009-11-09 17:08
    ComboFix-quarantined-files.txt 2009-11-09 22:07
    ComboFix2.txt 2009-11-07 06:29

    Pre-Run: 303,449,387,008 bytes free
    Post-Run: 303,419,002,880 bytes free

    - - End Of File - - DEBB8EFEE49E68FEF454DDEEC16E78A4


    ROOT REPEAL

    ROOTREPEAL © AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/11/09 16:46
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: catchme.sys
    Image Path: C:\DOCUME~1\heather\LOCALS~1\Temp\catchme.sys
    Address: 0xF7996000 Size: 31744 File Visible: No Signed: -
    Status: -

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xAAB72000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7B10000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: fwncifob.sys
    Image Path: C:\DOCUME~1\heather\LOCALS~1\Temp\fwncifob.sys
    Address: 0xA93C0000 Size: 87040 File Visible: No Signed: -
    Status: -

    Name: PROCEXP113.SYS
    Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
    Address: 0xF7B22000 Size: 7872 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA9E10000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\4c072de7-a74f-4e5c-bee6-71fa531a3f93
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\82d3bd9a-a64e-4dc8-b1a6-a832535fdfa3
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\a12414cc-3c8f-4276-becc-9d2da43743c2
    Status: Locked to the Windows API!

    ==EOF==

    Thank you Indi!
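The helper's reading of the RootRepeal log above is a manual version of a simple triage rule: drivers and autostart services that load from a user's Temp folder or profile deserve a second look, while the rest can be skipped. The script below is an added example (not part of the thread, and not code from RootRepeal, DDS or ComboFix) that applies that rule to two log formats seen in this thread: RootRepeal's "Drivers" section and the "SERVICES / DRIVERS" lines of a DDS log. The sample log text embedded in it is constructed for the example, modelled on the entries posted above; the location patterns are the author's assumptions about where a legitimate driver normally lives, not a published signature.

```python
import re
from typing import Dict, List

# Constructed sample in the format of RootRepeal's "Drivers" section (not the thread's
# full log; three entries modelled on the ones posted in this thread).
SAMPLE_ROOTREPEAL = r"""
Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\heather\LOCALS~1\Temp\catchme.sys
Address: 0xF7996000 Size: 31744 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7B22000 Size: 7872 File Visible: No Signed: -
Status: -

Name: fwncifob.sys
Image Path: C:\DOCUME~1\heather\LOCALS~1\Temp\fwncifob.sys
Address: 0xA93C0000 Size: 87040 File Visible: No Signed: -
Status: -
"""

# Constructed sample in the format of a DDS "SERVICES / DRIVERS" section.
SAMPLE_DDS = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-14 335240]
S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\heather\locals~1\temp\dx9\SessionLauncher.exe [?]
"""

# Locations a kernel driver or autostart service has no normal reason to load from
# (assumption for this example). Matched case-insensitively so both the 8.3 form
# (DOCUME~1, LOCALS~1) and the long form of the path hit.
SUSPICIOUS_DIR_PATTERNS = [
    (r"\\temp\\", "runs from a Temp directory"),
    (r"\\(docume~1|documents and settings)\\", "runs from a user profile instead of %SystemRoot%"),
]

RR_FIELD = re.compile(r"^(Name|Image Path|Status): (.*)$", re.M)
RR_ATTRS = re.compile(r"File Visible: (\S+) Signed: (\S+)")
DDS_SVC = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def parse_rootrepeal_drivers(text: str) -> List[Dict[str, str]]:
    """Parse the blank-line-separated entries of RootRepeal's Drivers section."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(RR_FIELD.findall(block))
        if "Name" not in fields:
            continue  # section header or stray text, not a driver entry
        attrs = RR_ATTRS.search(block)
        entries.append({
            "name": fields["Name"],
            "path": fields.get("Image Path", ""),
            "visible": attrs.group(1) if attrs else "?",
            "signed": attrs.group(2) if attrs else "?",
        })
    return entries


def parse_dds_services(text: str) -> List[Dict[str, str]]:
    """Parse DDS service/driver lines: '<state> <name>;<description>;<path> [date size]'."""
    entries = []
    for line in text.splitlines():
        m = DDS_SVC.match(line.strip())
        if not m:
            continue
        state, name, _desc, rest = m.groups()
        # DDS appends ' --> <resolved path>' when the registry value and the file on
        # disk differ, and ' [date size]' or ' [?]' at the end; keep the registry path.
        path = rest.split(" -->")[0].split(" [")[0].strip()
        entries.append({"name": name, "path": path, "state": state})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return entries whose image path matches a suspicious-location pattern, with the
    reasons attached. Hits are leads for manual review, not verdicts."""
    findings = []
    for e in entries:
        reasons = [why for pat, why in SUSPICIOUS_DIR_PATTERNS
                   if re.search(pat, e.get("path", ""), re.I)]
        if reasons:
            findings.append({"name": e["name"], "path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for label, hits in (("RootRepeal", triage(parse_rootrepeal_drivers(SAMPLE_ROOTREPEAL))),
                        ("DDS", triage(parse_dds_services(SAMPLE_DDS)))):
        for h in hits:
            print(f"[{label}] {h['name']}: {h['path']} ({'; '.join(h['reasons'])})")
```

Run stand-alone it flags catchme.sys, fwncifob.sys and SessionLauncher and stays quiet about everything under system32. The flagged entries are exactly the ones a human reviewer then has to explain: ComboFix's own rootkit scanner loads its catchme.sys driver from the user's Temp folder, so on a machine where ComboFix was just run that hit is expected, which is why the rule produces leads to check against what the user has been asked to run, never an automatic delete list.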
    IndiGenus
    Before I respond to and look at the log I just wanted to address something ASAP.

    QUOTE
    Can I go into that folder and just delete the word 'run' to turn it off for good?

    NO, don't do that whatever you do.
    IndiGenus
    QUOTE
    ctfmon.exe C:\WINDOWS\$NtServicePackUninstall$

    CTFMON.EXE-0E17969B.pf C:\WINDOWS\Prefetch

    ctfmon.exe C:\WINDOWS\system32

    ctfmon.exe C:WINDOWS\ERDNT\cache

    ctfmon.exe C:\WINDOWS\ServicePackFiles\i386

    They each seem to be from Microsoft.

    Yes, those are likely also legit MS files. I should have noted to you that MS keeps backups of system files to protect itself.

    Now, I'm still not seeing anything malicious. To get past this ctfmon running issue I found an article with pics that describes how to disable it safely, and for good unless you decide to turn it back on. So please try that, reboot and make sure it doesn't restart, then we'll go from there.

    http://www.pchell.com/support/ctfmon.shtml
    hyebba
    QUOTE (IndiGenus @ Nov 9 2009, 05:34 PM) *
    Before I respond to and look at the log I just wanted to address something ASAP.


    NO, don't do that whatever you do.



    that's why I asked!! biggrin.gif biggrin.gif
    hyebba
    QUOTE (IndiGenus @ Nov 9 2009, 05:41 PM) *
    Yes, those are likely also legit MS files. I should have noted to you that MS keeps backups of system files to protect itself.

    Now, I'm still not seeing anything malicious. To get past this ctfmon running issue I found an article with pics that describes how to disable it safely, and for good unless you decide to turn it back on. So please try that, reboot and make sure it doesn't restart, then we'll go from there.

    http://www.pchell.com/support/ctfmon.shtml



    I turned off the language bar and rebooted. That process isn't running. yayy!

    I completely lose my internet connection pretty often now. Then I have to turn off the pc for a few minutes, unplug the modem for a while, cross my fingers, and hope resetting everything lets the connection happen. So whatever it is, it's messing hard with the connection itself.

    does that make sense?

    thanks for helping.
    IndiGenus
    The internet connection issue may or may not be Malware related. Many other things can cause it. Could even be your modem/router. Do you have other PC's on the network? If so are they okay? We'll try to rule out Malware and make sure you're clean, then we can try to sort out the network.

    I would like you to run the following scan: Eset Online Scanner
    Run with Internet Explorer
    • Place a check mark in the box YES, I accept the Terms Of Use
    • Click the Start button.
    • Now click the Install button, or click the notification bar at the top of the window and choose to install.
    • Click Start. The scanner engine will initialize and update.
    • Do Not place a check mark in the box beside Remove found threats.
    • Click the Scan button. The scan will now run, please be patient.
    • When the scan finishes click the Details tab.
    • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

    hyebba
    QUOTE (IndiGenus @ Nov 10 2009, 01:31 AM) *
    The internet connection issue may or may not be Malware related. Many other things can cause it. Could even be your modem/router. Do you have other PC's on the network? If so are they okay? We'll try to rule out Malware and make sure you're clean, then we can try to sort out the network.

    I would like you to run the following scan: Eset Online Scanner
    Run with Internet Explorer
    • Place a check mark in the box YES, I accept the Terms Of Use
    • Click the Start button.
    • Now click the Install button, or click the notification bar at the top of the window and choose to install.
    • Click Start. The scanner engine will initialize and update.
    • Do Not place a check mark in the box beside Remove found threats.
    • Click the Scan button. The scan will now run, please be patient.
    • When the scan finishes click the Details tab.
    • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.


    Aw man, thanks!!!! I truly appreciate you being willing to keep helping!

    Here is the log, looks clean.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=6e81bd5fafbf6e4b932f4602f4fd3820
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2009-11-10 02:22:12
    # local_time=2009-11-10 09:22:12 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1024 16777175 100 0 3961809 3961809 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=50384
    # found=0
    # cleaned=0
    # scan_time=1832


    I will patiently wait for your direction! biggrin.gif
    IndiGenus
    I'm pretty sure at this point you're clean (never any guarantees).

    Are the only issues network related? Are there other PC's on the network? What type of network do you have?
    hyebba
    QUOTE (IndiGenus @ Nov 10 2009, 10:58 AM) *
    I'm pretty sure at this point you're clean (never any guarantees).

    Are the only issues network related? Are there other PC's on the network? What type of network do you have?



    Just a home PC, no other computers. New hard drive (about two months new, problem free until last week and then there was a marked change)

    Had modem checked by provider and it's fine. It's also relatively new, but old enough to where I know its habits.

    I guess they are mainly on the network. But even opening my folders and such on the computer, it is still very slow to respond. With IE, it will just hang and not do anything. On Firefox, I get the Server Redirect screen. Have to refresh a lot to force loading of the page. But then it does get progressively worse until it just doesn't work any more and I have to turn everything down and reboot. Now that's not even working every time.

    The Local Area Connection always shows fine.

    Thanks!
    IndiGenus
    In reading back through the thread you mentioned something...

    QUOTE
    Installed Microsoft Security Essentials last week (problems began shortly after)

    As I had stated, having 2 Antivirus programs running can, and is likely to, cause the exact issues you are having. I wonder if part of the MS product is still in there.

    Do me a favor and run DDS again, posting the log.
    hyebba
    QUOTE (IndiGenus @ Nov 10 2009, 11:37 AM) *
    In reading back through the thread you mentioned something...


    As I had stated, having 2 Antivirus programs running can, and is likely to, cause the exact issues you are having. I wonder if part of the MS product is still in there.

    Do me a favor and run DDS again, posting the log.



    I had poked around when I uninstalled it and didn't see anything, but I miss a lot! smile.gif

    Thanks Indi!!

    Here are the logs:

    DDS

    DDS (Ver_09-06-26.01) - NTFSx86
    Run by heather at 12:14:59.53 on Tue 11/10/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.418 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
    C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\PDFtypewriter\Printer\PDFtypewriter_Printer_Monitor.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\dlcdcoms.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\heather\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
    mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
    mRun: [dlcdmon.exe] "c:\program files\dell photo aio printer 944\dlcdmon.exe"
    mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 944\memcard.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [PDFtypewriterPrinterMonitor] "c:\program files\pdftypewriter\printer\PDFtypewriterMonitorStart.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\heather\applic~1\mozilla\firefox\profiles\yk9s5gim.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-14 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-14 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-14 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-14 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-14 297752]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-6 54752]
    R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
    R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
    S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
    S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
    S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\heather\locals~1\temp\dx9\SessionLauncher.exe [?]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
    S4 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]

    =============== Created Last 30 ================

    2009-11-10 08:48 <DIR> --d----- c:\program files\ESET
    2009-11-09 17:00 <DIR> --d----- C:\ComboFix
    2009-11-09 14:25 <DIR> --d----- c:\windows\pss
    2009-11-09 13:19 291,328 a------- C:\malfix41gbwvqp.exe
    2009-11-07 01:22 <DIR> a-dshr-- C:\cmdcons
    2009-11-07 01:21 267,264 a------- c:\windows\PEV.exe
    2009-11-07 01:21 161,792 a------- c:\windows\SWREG.exe
    2009-11-07 01:21 98,816 a------- c:\windows\sed.exe
    2009-11-07 01:21 77,312 a------- c:\windows\MBR.exe
    2009-11-02 21:59 <DIR> --d----- c:\program files\Trend Micro
    2009-11-02 21:03 <DIR> --d----- c:\docume~1\heather\applic~1\Malwarebytes
    2009-11-02 21:03 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-02 21:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-11-02 21:03 19,160 a------- c:\windows\system32\drivers\mbam.sys
    2009-11-02 21:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-11-02 21:01 <DIR> --d----- c:\windows\system32\NtmsData
    2009-11-02 14:00 <DIR> --d----- c:\docume~1\heather\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-11-02 13:32 90,920 a------- c:\windows\system32\custmon32.dll
    2009-11-02 13:32 <DIR> --d----- c:\windows\SigPlus
    2009-11-02 13:31 <DIR> --d----- c:\program files\PDFtypewriter
    2009-11-02 13:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CTdeveloping
    2009-11-02 13:31 <DIR> --d----- c:\docume~1\heather\applic~1\CTdeveloping
    2009-11-02 02:03 <DIR> --d----- C:\b2725bb553b499d6447c88
    2009-11-01 02:09 <DIR> --d----- C:\5126b90f2e82c1cd141e
    2009-10-31 10:35 <DIR> --d----- C:\296e633a8c10b8dcb748
    2009-10-30 01:09 <DIR> --d----- C:\1b00fa8af810194faf851e21
    2009-10-29 10:20 202,072 a----r-- c:\windows\system32\cpnprt2.cid
    2009-10-29 10:20 <DIR> --d----- c:\windows\Cache
    2009-10-29 10:20 <DIR> --d----- c:\program files\Coupons
    2009-10-29 00:43 <DIR> --d----- C:\9d870a4543eaffdbe4a428035ec5
    2009-10-28 07:55 <DIR> --d----- C:\05a1236ff083f0fba998c1c871f5
    2009-10-27 13:16 <DIR> --d----- c:\program files\Windows Media Connect 2
    2009-10-27 13:12 <DIR> --d----- c:\windows\system32\LogFiles
    2009-10-23 07:50 195,440 -------- c:\windows\system32\MpSigStub.exe
    2009-10-20 09:11 1,151 a------- c:\windows\wpo.ini
    2009-10-20 09:08 <DIR> --d----- c:\program files\PinderSoft
    2009-10-20 08:43 132,880 a------- c:\windows\system32\MSINET.OCX

    ==================== Find3M ====================

    2009-10-07 11:08 41,768 a------- c:\windows\system32\PDFtypewriter_AddIn.dll
    2009-10-07 11:08 1,825,064 a------- c:\windows\system32\QuickPDFAX0716.dll
    2009-10-07 11:08 45,864 a------- c:\windows\system32\CT_xmlparser.dll
    2009-10-07 11:08 299,816 a------- c:\windows\system32\CT_twain.dll
    2009-09-15 23:59 411,368 a------- c:\windows\system32\deploytk.dll
    2009-09-14 20:22 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-09-14 20:22 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-09-14 20:21 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-09-14 14:03 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-09-14 13:16 21,640 a------- c:\windows\system32\emptyregdb.dat
    2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
    2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
    2009-08-29 03:08 916,480 -------- c:\windows\system32\wininet.dll
    2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll

    ============= FINISH: 12:15:21.28 ===============


    ATTACH


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/14/2009 2:20:59 PM
    System Uptime: 11/10/2009 12:55:10 AM (12 hours ago)

    Motherboard: Dell Inc. | | 0JC474
    Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 298 GiB total, 282.507 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 9/14/2009 2:29:08 PM - System Checkpoint
    RP2: 9/14/2009 2:57:46 PM - Installed Windows XP Service Pack 3.
    RP3: 9/14/2009 3:14:31 PM - Installed ATI Parental Control
    RP4: 9/14/2009 3:16:23 PM - Installed SigmaTel Audio
    RP5: 9/14/2009 8:54:05 PM - Software Distribution Service 3.0
    RP6: 9/14/2009 9:00:07 PM - Software Distribution Service 3.0
    RP7: 9/14/2009 9:13:52 PM - Installed Windows XP WgaNotify.
    RP8: 9/14/2009 9:21:34 PM - Installed AVG Free 8.5
    RP9: 9/15/2009 8:14:27 AM - Avg8 Update
    RP10: 9/16/2009 12:50:15 AM - Installed Java™ 6 Update 15
    RP11: 9/16/2009 12:59:11 AM - Removed Java™ 6 Update 15
    RP12: 9/16/2009 12:59:30 AM - Installed Java™ 6 Update 16
    RP13: 9/16/2009 12:59:51 AM - Installed OpenOffice.org 3.1
    RP14: 9/16/2009 3:00:13 AM - Software Distribution Service 3.0
    RP15: 9/17/2009 3:10:11 AM - System Checkpoint
    RP16: 9/18/2009 4:10:11 AM - System Checkpoint
    RP17: 9/18/2009 5:13:09 PM - Installed Adobe Reader 9.1.
    RP18: 9/20/2009 1:45:36 AM - System Checkpoint
    RP19: 9/21/2009 3:01:00 PM - System Checkpoint
    RP20: 9/22/2009 9:01:59 AM - Installed DirectX
    RP21: 9/23/2009 3:00:15 AM - Software Distribution Service 3.0
    RP22: 9/23/2009 11:10:19 AM - Installed Windows Media Player 11
    RP23: 9/23/2009 9:13:58 PM - Software Distribution Service 3.0
    RP24: 9/24/2009 9:03:15 AM - Installed NetWaiting
    RP25: 9/24/2009 9:21:19 AM - Installed Windows KB954550-v5.
    RP26: 9/24/2009 9:21:28 AM - Printer Driver Microsoft XPS Document Writer Installed
    RP27: 9/24/2009 9:21:36 AM - Printer Driver Microsoft XPS Document Writer Installed
    RP28: 9/24/2009 9:26:25 AM - Software Distribution Service 3.0
    RP29: 9/24/2009 11:13:52 AM - Restore Operation
    RP30: 9/24/2009 11:19:59 AM - Software Distribution Service 3.0
    RP31: 9/25/2009 12:39:50 PM - System Checkpoint
    RP32: 9/26/2009 4:06:03 PM - System Checkpoint
    RP33: 9/27/2009 4:20:13 PM - System Checkpoint
    RP34: 9/28/2009 8:47:43 PM - System Checkpoint
    RP35: 9/30/2009 8:35:57 AM - System Checkpoint
    RP36: 10/1/2009 4:01:14 PM - System Checkpoint
    RP37: 10/2/2009 7:09:56 PM - System Checkpoint
    RP38: 10/4/2009 1:27:15 AM - System Checkpoint
    RP39: 10/5/2009 6:23:20 AM - System Checkpoint
    RP40: 10/5/2009 8:14:13 AM - Avg8 Update
    RP41: 10/5/2009 8:14:53 AM - Avg8 Update
    RP42: 10/6/2009 8:25:02 AM - System Checkpoint
    RP43: 10/6/2009 8:47:22 AM - Installed Windows XP KB954708.
    RP44: 10/6/2009 8:47:45 AM - Installed DirectX
    RP45: 10/7/2009 3:00:14 AM - Software Distribution Service 3.0
    RP46: 10/7/2009 9:05:10 AM - Avg8 Update
    RP47: 10/7/2009 7:19:18 PM - Software Distribution Service 3.0
    RP48: 10/9/2009 1:56:22 AM - System Checkpoint
    RP49: 10/9/2009 2:11:49 PM - Installed Polaroid Picture v1.7
    RP50: 10/9/2009 2:12:11 PM - Installed Windows Live Writer Blog This for Mozilla Firefox
    RP51: 10/9/2009 2:16:10 PM - Installed TagCreator for Windows Live Writer
    RP52: 10/10/2009 3:33:42 PM - System Checkpoint
    RP53: 10/12/2009 1:06:33 AM - System Checkpoint
    RP54: 10/13/2009 1:15:36 AM - System Checkpoint
    RP55: 10/14/2009 6:31:05 AM - System Checkpoint
    RP56: 10/15/2009 3:00:15 AM - Software Distribution Service 3.0
    RP57: 10/16/2009 3:16:03 PM - System Checkpoint
    RP58: 10/17/2009 9:40:16 AM - Avg8 Update
    RP59: 10/18/2009 10:50:09 PM - System Checkpoint
    RP60: 10/20/2009 12:52:15 AM - System Checkpoint
    RP61: 10/20/2009 10:08:28 AM - Installed Writers Project Organizer
    RP62: 10/21/2009 9:40:15 AM - Avg8 Update
    RP63: 10/22/2009 10:32:49 AM - System Checkpoint
    RP64: 10/23/2009 8:50:03 AM - Software Distribution Service 3.0
    RP65: 10/23/2009 11:34:37 AM - Microsoft Antimalware Checkpoint
    RP66: 10/24/2009 2:29:39 AM - Software Distribution Service 3.0
    RP67: 10/25/2009 4:26:02 PM - System Checkpoint
    RP68: 10/26/2009 8:54:32 AM - Software Distribution Service 3.0
    RP69: 10/27/2009 2:10:02 PM - Installed Windows Media Player 11
    RP70: 10/27/2009 2:10:58 PM - Software Distribution Service 3.0
    RP71: 10/28/2009 3:00:22 AM - Software Distribution Service 3.0
    RP72: 10/28/2009 8:55:22 AM - Software Distribution Service 3.0
    RP73: 10/29/2009 1:43:21 AM - Software Distribution Service 3.0
    RP74: 10/29/2009 3:51:19 AM - Microsoft Antimalware Checkpoint
    RP75: 10/29/2009 10:55:16 AM - Software Distribution Service 3.0
    RP76: 10/30/2009 2:09:03 AM - Software Distribution Service 3.0
    RP77: 10/30/2009 11:34:27 AM - Software Distribution Service 3.0
    RP78: 10/31/2009 11:35:13 AM - Software Distribution Service 3.0
    RP79: 11/1/2009 3:09:04 AM - Software Distribution Service 3.0
    RP80: 11/2/2009 3:03:22 AM - Software Distribution Service 3.0
    RP81: 11/2/2009 2:31:50 PM - Installed PDFtypewriter with PDF Printer Driver
    RP82: 11/2/2009 2:32:23 PM - Printer Driver CUSTPDF Writer Installed
    RP83: 11/3/2009 9:25:36 AM - Avg8 Update
    RP84: 11/4/2009 4:00:14 AM - Software Distribution Service 3.0
    RP85: 11/5/2009 4:56:55 AM - System Checkpoint
    RP86: 11/6/2009 7:45:26 AM - System Checkpoint
    RP87: 11/6/2009 9:50:34 AM - Avg8 Update
    RP88: 11/7/2009 10:09:25 AM - System Checkpoint
    RP89: 11/8/2009 9:10:01 AM - System Checkpoint
    RP90: 11/9/2009 3:00:44 PM - System Checkpoint

    ==== Installed Programs ======================

    ABBYY FineReader 6.0 Sprint
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    ATI - Software Uninstall Utility
    ATI Parental Control
    AVG Free 8.5
    Conexant D850 56K V.9x DFVc Modem
    Coupon Printer for Windows
    Dell Photo AIO Printer 944
    DirectXInstallService
    ERUNT 1.1j
    ESET Online Scanner v3
    FileZilla Client 3.2.8.1
    GIMP 2.6.7
    Google Toolbar for Internet Explorer
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Intel® Graphics Media Accelerator Driver
    Intel® PRO Network Connections Drivers
    Jasc Paint Shop Photo Album 5
    Jasc Paint Shop Pro Studio, Dell Editon
    Java™ 6 Update 16
    Java™ SE Runtime Environment 6 Update 1
    Junk Mail filter update
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.5.5)
    MSN
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    Nvu 1.0PR
    OpenOffice.org 3.1
    PDFtypewriter Printer Driver
    PDFtypewriter with PDF Printer Driver
    Polaroid Picture v1.7
    Powerbullet Presenter 1.44
    Roxio Activation Module
    Roxio CinePlayer Decoder Pack
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator Premier
    Roxio Creator Premier 10
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio Update Manager
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Segoe UI
    SigmaTel Audio
    Sonar2
    Spelling Dictionaries Support For Adobe Reader 9
    TagCreator for Windows Live Writer
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Live Writer Blog This for Mozilla Firefox
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    Writers Project Organizer
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    11/4/2009 4:53:26 AM, error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.
    11/4/2009 4:52:53 AM, error: Dhcp [1002] - The IP address lease 192.168.251.199 for the Network Card with network address 00167636F2DA has been denied by the DHCP server 192.168.251.1 (The DHCP Server sent a DHCPNACK message).
    11/3/2009 9:12:26 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}

    ==== End Of File ===========================
    IndiGenus
    Okay a few things to note here, again, nothing malicious.

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.
    Upgrading Java:
    • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 17.
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
    • Click on Continue.
    • Click on the link to download Windows Offline Installation (jre-6u17-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u17-windows-i586-p.exe and select "Run as an Administrator.")


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Do you use or did you knowingly install this program?

    Coupon Printer for Windows

    I know there are some ties to adware with this program. I would suggest you uninstall it if not needed or wanted.

    Also, you have several add-ons/toolbars going on there. Yahoo, Google, AVG, Windows Live, etc.

    While none of these are malicious, having so many running can cause issues/conflicts. Try running IE without any add-ons. The simplest way to do this is to do the following:

    Navigate to start menu-> All Programs-> Accessories-> System Tools-> Internet Explorer (no Add-ons). This opens up IE without ActiveX controls and browser extensions.

    Do some browsing around and see how it runs.
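    The Add/Remove Programs step above matters because the first DDS log lists two Java runtimes side by side (Java 6 Update 16 and Java SE Runtime Environment 6 Update 1), and an old runtime left installed next to a new one keeps its known bugs. The following is an added Python example, not code from the thread, from DDS or from Malwarebytes, that scans the "Installed Programs" section of a DDS log for JRE entries and flags any that are older than a given version. The two sample lists are constructed from the Java-related entries in this thread's logs, and the "latest" version (6 Update 17) is the one the instructions above link to; both are assumptions of the example.

```python
"""Audit the Java entries in a DDS 'Installed Programs' section.

Added example, not code from the thread, from DDS or from Malwarebytes.
The two sample lists below are constructed from the entries visible in
the logs in this thread; LATEST_JRE (6 Update 17) is the version the
helper's instructions point to.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int]  # (Java major version, Update number)

# Latest JRE at the time of the thread, per the helper's post
# (an assumption of this example, not something the script looks up).
LATEST_JRE: Version = (6, 17)

# Constructed sample: the Java-related entries from the first DDS log above.
BEFORE_UPGRADE = """\
Adobe Reader 9.2
Java\u2122 6 Update 16
Java\u2122 SE Runtime Environment 6 Update 1
Malwarebytes' Anti-Malware
Mozilla Firefox (3.5.5)
"""

# Constructed sample: the same section after the old runtimes were removed.
AFTER_UPGRADE = """\
Adobe Reader 9.2
Java\u2122 6 Update 17
Malwarebytes' Anti-Malware
"""

# Add/Remove Programs names the JRE two ways on XP:
#   "Java(TM) 6 Update 16"  and  "Java(TM) SE Runtime Environment 6 Update 1".
# The trademark sign may be a literal (TM), the U+2122 glyph, or absent.
JAVA_RE = re.compile(
    r"^Java(?:\(TM\)|\u2122)?\s+(?:SE Runtime Environment\s+)?(\d+)\s+Update\s+(\d+)$",
    re.IGNORECASE,
)


def parse_java_entries(section: str) -> List[Tuple[str, Version]]:
    """Return (entry name, (major, update)) for every JRE line in the section."""
    found: List[Tuple[str, Version]] = []
    for raw in section.splitlines():
        name = raw.strip()
        match = JAVA_RE.match(name)
        if match:
            found.append((name, (int(match.group(1)), int(match.group(2)))))
    return found


def java_audit(section: str, latest: Version = LATEST_JRE) -> Dict[str, object]:
    """Classify installed JREs against `latest`.

    Every entry older than `latest` is 'stale' and should be uninstalled:
    an old runtime keeps its known bugs even when a newer one is installed
    beside it. 'needs_upgrade' is True when no entry is at least `latest`.
    """
    entries = parse_java_entries(section)
    stale = [name for name, ver in entries if ver < latest]
    current = [name for name, ver in entries if ver >= latest]
    return {
        "installed": [name for name, _ in entries],
        "stale": stale,
        "current": current,
        "needs_upgrade": not current,
    }


if __name__ == "__main__":
    for label, section in (("before", BEFORE_UPGRADE), ("after", AFTER_UPGRADE)):
        report = java_audit(section)
        print(f"{label}: {len(report['installed'])} JRE entries, "
              f"stale={report['stale']}, needs_upgrade={report['needs_upgrade']}")
```

    Run against the "before" list it reports both entries as stale and `needs_upgrade` as true; against the "after" list it reports nothing stale. To use it on a real DDS attach.txt, paste the lines between the "Installed Programs" and "Event Viewer Messages" headers into `java_audit`.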
    hyebba
    QUOTE (IndiGenus @ Nov 10 2009, 12:35 PM)

    Ok. I updated the Java. And I also uninstalled AVG (it is a CPU hog, so I wanted to make sure it wasn't that)

    I installed Avast to replace AVG.

    I did not do anything to IE because I don't use IE. I did go into my firefox browser though and made sure it was cleaned up. Deleted the yahoo

    ALSO - I went to my internet provider and got a new modem. Just to be safe. Who knows, could be it, right?

    So far so good, no hangups, freezes, redirects or timeouts, but I haven't used it too much yet. I'm going to see how it does tonight and will let you know in the AM.

    Thanks for everything!
    IndiGenus
    Cool, thanks for the update. Hopefully you're good to go now.
    hyebba
    QUOTE (IndiGenus @ Nov 10 2009, 02:58 PM)



    Well, dang. I was really hoping we were out of the woods.

    The internet is still fairly non-functional (I think dial-up would be faster at this point).

    When I enter a URL or click on a link in the browser, pretty much nothing happens. I wait for over 45 seconds for a page to load, IF it's going to load at all. Most of the time I just still get that "Server has been reset" message. I spent over a half hour just trying to get on ONE site this morning (never could get to it).

    When this happens and the browser gets hung, there is no activity in the status bar at the bottom of the page. The CPU is either at 100% (on firefox.exe) or stuck at 0% (this is more common). I will either get the Firefox error message or just a blank browser screen (this happens a lot). It seems like the computer is not even 'trying' to connect to different pages.

    I check the network connection while it's doing this and it says the connection is fine.

    Changes I've made:

    Uninstalled Windows Firewall
    Installed COMODO firewall

    Uninstalled AVG AntiVirus
    Installed Avast

    Added password to Admin Account
    Created limited user accounts for web surfing and My Documents


    Thanks Indi for helping. I know this is a difficult one and I appreciate you sticking it out. GOOD MORNING!!!!! Talk to you soon.

    IndiGenus
    When you said you cleaned out Firefox, what did you mean? Temp files, etc.?

    Have you tried running Firefox in Safe Mode? Not Windows Safe Mode, but like IE with no add-ons. To do that...

    In Windows go to Start > Run
    Type (or cut/paste) Firefox -safe-mode then click OK.

    That should start Firefox. See how it runs then.

    NOTE: Make sure any and all instances of Firefox are closed before starting it this way.
    hyebba
    QUOTE (IndiGenus @ Nov 11 2009, 02:18 PM)



    QUOTE
    When you said you cleaned out Firefox, what did you mean? Temp files, ect...?


    Yep, deleted the extra toolbars I wasn't using. And I clear the cache pretty often anyway. Temp files also.

    I'm in Firefox safe mode now, and even though it hasn't been long (maybe 20 minutes) there aren't any issues that I can see. I went to the pages I was having trouble with earlier and they load just fine.

    ????? Why would it start messing up all of a sudden? As far as I know, I did not add any toolbar add-ons recently (around the time the issues started). Should I delete all the add-ons?

    Also, does running in safe mode add more protection? If so, can I run in safe mode all the time?

    And lastly, do you know how dumb I feel that this is all due to a friggin' add-on??? I am so unbelievably sorry to have taken up so much of your time with this! I owe you bigtime!! (Lots of good energy coming your way!! )
    hyebba
    QUOTE (hyebba @ Nov 11 2009, 03:29 PM)



    hmmmm. Well, I've been in safe mode for a while now and ran problem free until just a bit ago. I am starting to get connectivity warnings and it has started hanging while surfing.

    I've been very careful not to click through any ads, have not downloaded anything, etc. This is how it started in normal mode originally. A few sites would hang, an email wouldn't go through, etc. Then it would progress to 'nothingness'..... It looks like that is starting again.

    What do we do now????

    Thanks Indi!
    IndiGenus
    I'm going to be away until tomorrow. One question....what happens if you restart Firefox? Do you run okay for a while then go bad? Or does it start up bad right away on restart.

    Will check in tomorrow...
    Dave
    hyebba
    QUOTE (IndiGenus @ Nov 11 2009, 07:09 PM)



    Well, once I restarted Firefox in normal mode, the issues began again pretty immediately. I disabled/uninstalled extensions and add-ons, but it didn't help any.

    Typically - since the problems began, it's bad right away on restart, and then continues to get worse until it is no longer operable.

    In safe mode, it was fine for quite some time, then it started degrading.

    Also, since this began....Once the internet would start getting real bad, I would clear my history, cache, tmp files, etc. reboot computer and modem. It would run slightly better for a little bit, then start degrading again.

    Just to be sure, I've used Firefox and IE both today to check and IE is just as bad, if not worse.

    Enjoy your time away and thanks for the heads up. Talk to you when you get back.

    Thanks again for everything!
    heather
    IndiGenus
    Okay I'm back. We need to get an updated DDS log as you've made some changes: moving to Avast and installing a FW.

    Try to limit the changes you make on your end while we're troubleshooting as changing too many things at once can confuse the troubleshooting process. I understand as I know you're probably frustrated in trying to get things working better.



    hyebba
    QUOTE (IndiGenus @ Nov 12 2009, 11:52 AM)



    Hi Dave! Not a problem on me stopping with the changes.

    Question: I just had a new hard drive installed last month, so this wouldn't be a huge issue for me. Would it be beneficial to reformat my hard drive? I'm thinking I could just load up my files to an offline server, wipe everything out and start fresh. My connectivity is horrible and I haven't been able to work hardly at all since this began (web publishing). Just a thought.

    Okay, as you requested, here are the new DDS logs.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/14/2009 2:20:59 PM
    System Uptime: 11/13/2009 1:14:29 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0JC474
    Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 298 GiB total, 281.814 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 9/14/2009 2:29:08 PM - System Checkpoint
    RP2: 9/14/2009 2:57:46 PM - Installed Windows XP Service Pack 3.
    RP3: 9/14/2009 3:14:31 PM - Installed ATI Parental Control
    RP4: 9/14/2009 3:16:23 PM - Installed SigmaTel Audio
    RP5: 9/14/2009 8:54:05 PM - Software Distribution Service 3.0
    RP6: 9/14/2009 9:00:07 PM - Software Distribution Service 3.0
    RP7: 9/14/2009 9:13:52 PM - Installed Windows XP WgaNotify.
    RP8: 9/14/2009 9:21:34 PM - Installed AVG Free 8.5
    RP9: 9/15/2009 8:14:27 AM - Avg8 Update
    RP10: 9/16/2009 12:50:15 AM - Installed Java™ 6 Update 15
    RP11: 9/16/2009 12:59:11 AM - Removed Java™ 6 Update 15
    RP12: 9/16/2009 12:59:30 AM - Installed Java™ 6 Update 16
    RP13: 9/16/2009 12:59:51 AM - Installed OpenOffice.org 3.1
    RP14: 9/16/2009 3:00:13 AM - Software Distribution Service 3.0
    RP15: 9/17/2009 3:10:11 AM - System Checkpoint
    RP16: 9/18/2009 4:10:11 AM - System Checkpoint
    RP17: 9/18/2009 5:13:09 PM - Installed Adobe Reader 9.1.
    RP18: 9/20/2009 1:45:36 AM - System Checkpoint
    RP19: 9/21/2009 3:01:00 PM - System Checkpoint
    RP20: 9/22/2009 9:01:59 AM - Installed DirectX
    RP21: 9/23/2009 3:00:15 AM - Software Distribution Service 3.0
    RP22: 9/23/2009 11:10:19 AM - Installed Windows Media Player 11
    RP23: 9/23/2009 9:13:58 PM - Software Distribution Service 3.0
    RP24: 9/24/2009 9:03:15 AM - Installed NetWaiting
    RP25: 9/24/2009 9:21:19 AM - Installed Windows KB954550-v5.
    RP26: 9/24/2009 9:21:28 AM - Printer Driver Microsoft XPS Document Writer Installed
    RP27: 9/24/2009 9:21:36 AM - Printer Driver Microsoft XPS Document Writer Installed
    RP28: 9/24/2009 9:26:25 AM - Software Distribution Service 3.0
    RP29: 9/24/2009 11:13:52 AM - Restore Operation
    RP30: 9/24/2009 11:19:59 AM - Software Distribution Service 3.0
    RP31: 9/25/2009 12:39:50 PM - System Checkpoint
    RP32: 9/26/2009 4:06:03 PM - System Checkpoint
    RP33: 9/27/2009 4:20:13 PM - System Checkpoint
    RP34: 9/28/2009 8:47:43 PM - System Checkpoint
    RP35: 9/30/2009 8:35:57 AM - System Checkpoint
    RP36: 10/1/2009 4:01:14 PM - System Checkpoint
    RP37: 10/2/2009 7:09:56 PM - System Checkpoint
    RP38: 10/4/2009 1:27:15 AM - System Checkpoint
    RP39: 10/5/2009 6:23:20 AM - System Checkpoint
    RP40: 10/5/2009 8:14:13 AM - Avg8 Update
    RP41: 10/5/2009 8:14:53 AM - Avg8 Update
    RP42: 10/6/2009 8:25:02 AM - System Checkpoint
    RP43: 10/6/2009 8:47:22 AM - Installed Windows XP KB954708.
    RP44: 10/6/2009 8:47:45 AM - Installed DirectX
    RP45: 10/7/2009 3:00:14 AM - Software Distribution Service 3.0
    RP46: 10/7/2009 9:05:10 AM - Avg8 Update
    RP47: 10/7/2009 7:19:18 PM - Software Distribution Service 3.0
    RP48: 10/9/2009 1:56:22 AM - System Checkpoint
    RP49: 10/9/2009 2:11:49 PM - Installed Polaroid Picture v1.7
    RP50: 10/9/2009 2:12:11 PM - Installed Windows Live Writer Blog This for Mozilla Firefox
    RP51: 10/9/2009 2:16:10 PM - Installed TagCreator for Windows Live Writer
    RP52: 10/10/2009 3:33:42 PM - System Checkpoint
    RP53: 10/12/2009 1:06:33 AM - System Checkpoint
    RP54: 10/13/2009 1:15:36 AM - System Checkpoint
    RP55: 10/14/2009 6:31:05 AM - System Checkpoint
    RP56: 10/15/2009 3:00:15 AM - Software Distribution Service 3.0
    RP57: 10/16/2009 3:16:03 PM - System Checkpoint
    RP58: 10/17/2009 9:40:16 AM - Avg8 Update
    RP59: 10/18/2009 10:50:09 PM - System Checkpoint
    RP60: 10/20/2009 12:52:15 AM - System Checkpoint
    RP61: 10/20/2009 10:08:28 AM - Installed Writers Project Organizer
    RP62: 10/21/2009 9:40:15 AM - Avg8 Update
    RP63: 10/22/2009 10:32:49 AM - System Checkpoint
    RP64: 10/23/2009 8:50:03 AM - Software Distribution Service 3.0
    RP65: 10/23/2009 11:34:37 AM - Microsoft Antimalware Checkpoint
    RP66: 10/24/2009 2:29:39 AM - Software Distribution Service 3.0
    RP67: 10/25/2009 4:26:02 PM - System Checkpoint
    RP68: 10/26/2009 8:54:32 AM - Software Distribution Service 3.0
    RP69: 10/27/2009 2:10:02 PM - Installed Windows Media Player 11
    RP70: 10/27/2009 2:10:58 PM - Software Distribution Service 3.0
    RP71: 10/28/2009 3:00:22 AM - Software Distribution Service 3.0
    RP72: 10/28/2009 8:55:22 AM - Software Distribution Service 3.0
    RP73: 10/29/2009 1:43:21 AM - Software Distribution Service 3.0
    RP74: 10/29/2009 3:51:19 AM - Microsoft Antimalware Checkpoint
    RP75: 10/29/2009 10:55:16 AM - Software Distribution Service 3.0
    RP76: 10/30/2009 2:09:03 AM - Software Distribution Service 3.0
    RP77: 10/30/2009 11:34:27 AM - Software Distribution Service 3.0
    RP78: 10/31/2009 11:35:13 AM - Software Distribution Service 3.0
    RP79: 11/1/2009 3:09:04 AM - Software Distribution Service 3.0
    RP80: 11/2/2009 3:03:22 AM - Software Distribution Service 3.0
    RP81: 11/2/2009 2:31:50 PM - Installed PDFtypewriter with PDF Printer Driver
    RP82: 11/2/2009 2:32:23 PM - Printer Driver CUSTPDF Writer Installed
    RP83: 11/3/2009 9:25:36 AM - Avg8 Update
    RP84: 11/4/2009 4:00:14 AM - Software Distribution Service 3.0
    RP85: 11/5/2009 4:56:55 AM - System Checkpoint
    RP86: 11/6/2009 7:45:26 AM - System Checkpoint
    RP87: 11/6/2009 9:50:34 AM - Avg8 Update
    RP88: 11/7/2009 10:09:25 AM - System Checkpoint
    RP89: 11/8/2009 9:10:01 AM - System Checkpoint
    RP90: 11/9/2009 3:00:44 PM - System Checkpoint
    RP91: 11/10/2009 1:32:13 PM - Removed Java™ 6 Update 16
    RP92: 11/10/2009 1:32:47 PM - Removed Java™ SE Runtime Environment 6 Update 1
    RP93: 11/10/2009 1:36:55 PM - Installed Java™ 6 Update 17
    RP94: 11/10/2009 1:47:17 PM - Removed AVG Free 8.5
    RP95: 11/10/2009 1:48:27 PM - Installed AVG Free 8.5
    RP96: 11/10/2009 6:15:15 PM - Software Distribution Service 3.0
    RP97: 11/11/2009 6:32:36 PM - System Checkpoint
    RP98: 11/13/2009 1:25:07 AM - System Checkpoint
    RP99: 11/13/2009 12:58:28 PM - Restore Operation
    RP100: 11/13/2009 1:06:47 PM - Restore Operation
    RP101: 11/13/2009 1:11:14 PM - Restore Operation
    RP102: 11/13/2009 1:12:31 PM - Restore Operation

    ==== Installed Programs ======================

    ABBYY FineReader 6.0 Sprint
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    ATI - Software Uninstall Utility
    ATI Parental Control
    avast! Antivirus
    COMODO Firewall Pro
    Conexant D850 56K V.9x DFVc Modem
    Dell Photo AIO Printer 944
    DirectXInstallService
    ERUNT 1.1j
    ESET Online Scanner v3
    FileZilla Client 3.2.8.1
    GIMP 2.6.7
    Google Toolbar for Internet Explorer
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Intel® Graphics Media Accelerator Driver
    Intel® PRO Network Connections Drivers
    Jasc Paint Shop Photo Album 5
    Jasc Paint Shop Pro Studio, Dell Editon
    Java™ 6 Update 17
    Junk Mail filter update
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.5.5)
    MSN
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    Nvu 1.0PR
    OpenOffice.org 3.1
    PDFtypewriter Printer Driver
    PDFtypewriter with PDF Printer Driver
    Polaroid Picture v1.7
    Powerbullet Presenter 1.44
    Roxio Activation Module
    Roxio CinePlayer Decoder Pack
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator Premier
    Roxio Creator Premier 10
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio Update Manager
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Segoe UI
    SigmaTel Audio
    Sonar2
    Spelling Dictionaries Support For Adobe Reader 9
    TagCreator for Windows Live Writer
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Live Writer Blog This for Mozilla Firefox
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    Writers Project Organizer
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    11/9/2009 9:08:15 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
    11/13/2009 10:19:43 AM, error: Dhcp [1002] - The IP address lease 192.168.251.199 for the Network Card with network address 00167636F2DA has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    11/13/2009 1:00:40 PM, error: Service Control Manager [7000] - The COMODO Firewall Pro Helper Service service failed to start due to the following error: The system cannot find the file specified.
    11/10/2009 2:51:37 PM, error: Print [6161] - The document FloridaWindZones.pdf owned by heather failed to print on printer Dell Photo AIO Printer 944. Data type: LEMF. Size of the spool file in bytes: 6495070. Number of bytes printed: 0. Total number of pages in the document: 4. Number of pages printed: 1. Client machine: \\HY-257343010234. Win32 error code returned by the print processor: 0 (0x0).
    11/10/2009 12:56:00 AM, error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.
    11/10/2009 12:46:49 AM, error: Dhcp [1002] - The IP address lease 192.168.251.199 for the Network Card with network address 00167636F2DA has been denied by the DHCP server 192.168.251.1 (The DHCP Server sent a DHCPNACK message).
    11/10/2009 1:14:11 PM, error: Dhcp [1002] - The IP address lease 72.40.118.18 for the Network Card with network address 00167636F2DA has been denied by the DHCP server 192.168.251.1 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================

    DDS File

    DDS (Ver_09-06-26.01) - NTFSx86
    Run by heather at 13:28:40.34 on Fri 11/13/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.642 [GMT -5:00]

    AV: avast! antivirus 4.8.1356 [VPS 091113-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
    C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
    C:\WINDOWS\system32\dlcdcoms.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\PDFtypewriter\Printer\PDFtypewriter_Printer_Monitor.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\heather\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
    mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
    mRun: [dlcdmon.exe] "c:\program files\dell photo aio printer 944\dlcdmon.exe"
    mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 944\memcard.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [PDFtypewriterPrinterMonitor] "c:\program files\pdftypewriter\printer\PDFtypewriterMonitorStart.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\heather\applic~1\mozilla\firefox\profiles\yk9s5gim.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-10 114768]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-11-10 87056]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-11-10 24208]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-10 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-10 138680]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-6 54752]
    R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-10 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-10 352920]
    R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
    S2 cmdAgent;COMODO Firewall Pro Helper Service;"c:\program files\comodo\firewall\cmdagent.exe" --> c:\program files\comodo\firewall\cmdagent.exe [?]
    S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
    S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
    S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\heather\locals~1\temp\dx9\SessionLauncher.exe [?]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
    S4 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]

    =============== Created Last 30 ================

    2009-11-13 13:14 <DIR> --d----- c:\windows\system32\wbem\Repository
    2009-11-10 18:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\comodo
    2009-11-10 18:54 87,056 a------- c:\windows\system32\drivers\cmdguard.sys
    2009-11-10 18:54 24,208 a------- c:\windows\system32\drivers\cmdhlp.sys
    2009-11-10 18:27 <DIR> --d----- c:\docume~1\heather\applic~1\Comodo
    2009-11-10 18:27 <DIR> --d----- c:\program files\COMODO
    2009-11-10 13:37 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-11-10 08:48 <DIR> --d----- c:\program files\ESET
    2009-11-09 17:00 <DIR> --d----- C:\ComboFix
    2009-11-09 14:25 <DIR> --d----- c:\windows\pss
    2009-11-09 13:19 291,328 a------- C:\malfix41gbwvqp.exe
    2009-11-07 01:22 <DIR> a-dshr-- C:\cmdcons
    2009-11-07 01:21 267,264 a------- c:\windows\PEV.exe
    2009-11-07 01:21 161,792 a------- c:\windows\SWREG.exe
    2009-11-07 01:21 98,816 a------- c:\windows\sed.exe
    2009-11-07 01:21 77,312 a------- c:\windows\MBR.exe
    2009-11-02 21:59 <DIR> --d----- c:\program files\Trend Micro
    2009-11-02 21:03 <DIR> --d----- c:\docume~1\heather\applic~1\Malwarebytes
    2009-11-02 21:03 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-02 21:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-11-02 21:03 19,160 a------- c:\windows\system32\drivers\mbam.sys
    2009-11-02 21:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-11-02 21:01 <DIR> --d----- c:\windows\system32\NtmsData
    2009-11-02 14:00 <DIR> --d----- c:\docume~1\heather\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-11-02 13:32 90,920 a------- c:\windows\system32\custmon32.dll
    2009-11-02 13:32 <DIR> --d----- c:\windows\SigPlus
    2009-11-02 13:31 <DIR> --d----- c:\program files\PDFtypewriter
    2009-11-02 13:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CTdeveloping
    2009-11-02 13:31 <DIR> --d----- c:\docume~1\heather\applic~1\CTdeveloping
    2009-11-02 02:03 <DIR> --d----- C:\b2725bb553b499d6447c88
    2009-11-01 02:09 <DIR> --d----- C:\5126b90f2e82c1cd141e
    2009-10-31 10:35 <DIR> --d----- C:\296e633a8c10b8dcb748
    2009-10-30 01:09 <DIR> --d----- C:\1b00fa8af810194faf851e21
    2009-10-29 10:20 <DIR> --d----- c:\windows\Cache
    2009-10-29 10:20 <DIR> --d----- c:\program files\Coupons
    2009-10-29 00:43 <DIR> --d----- C:\9d870a4543eaffdbe4a428035ec5
    2009-10-28 07:55 <DIR> --d----- C:\05a1236ff083f0fba998c1c871f5
    2009-10-27 13:16 <DIR> --d----- c:\program files\Windows Media Connect 2
    2009-10-27 13:12 <DIR> --d----- c:\windows\system32\LogFiles
    2009-10-23 07:50 195,440 -------- c:\windows\system32\MpSigStub.exe
    2009-10-20 09:11 1,151 a------- c:\windows\wpo.ini
    2009-10-20 09:08 <DIR> --d----- c:\program files\PinderSoft
    2009-10-20 08:43 132,880 a------- c:\windows\system32\MSINET.OCX

    ==================== Find3M ====================

    2009-11-10 13:37 411,368 a------- c:\windows\system32\deploytk.dll
    2009-10-07 11:08 41,768 a------- c:\windows\system32\PDFtypewriter_AddIn.dll
    2009-10-07 11:08 1,825,064 a------- c:\windows\system32\QuickPDFAX0716.dll
    2009-10-07 11:08 45,864 a------- c:\windows\system32\CT_xmlparser.dll
    2009-10-07 11:08 299,816 a------- c:\windows\system32\CT_twain.dll
    2009-09-14 14:03 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-09-14 13:16 21,640 a------- c:\windows\system32\emptyregdb.dat
    2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
    2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
    2009-08-29 03:08 916,480 -------- c:\windows\system32\wininet.dll
    2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll

    ============= FINISH: 13:29:14.06 ===============
    IndiGenus
    QUOTE
    question: I just had a new hard drive installed last month, so this wouldn't be a huge issue for me. would it be beneficial to reformat my hard drive? I'm thinking I could just load up my files to an offline server, wipe everything out and start fresh. My connectivity is horrible and I haven't been able to work hardly at all since this began (web publishing). Just a thought.

    I hate to give in, but sometimes we have to. But I definitely don't think it's malware related, so what if it just comes back when you re-install???

    I have a couple more things up my sleeve. But you could also post in the PC help forum here now that we can be pretty sure you're clean. They have some good techs in there that may be able to easily sort this out without a reformat.

    Question. When the web surfing slows down, disconnects, etc., does your whole PC slow down? If you bring up task manager, what is the CPU and memory usage? Is it high? If so, on what process(es)?
    IndiGenus
    Also, you should uninstall combofix and you can delete Root Repeal if you haven't already done so.

    Uninstall Combofix
    • Click START then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

    The above procedure will:
    • Delete the following: ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    hyebba
    QUOTE (IndiGenus @ Nov 13 2009, 01:56 PM) *
    Also, you should uninstall combofix and you can delete Root Repeal if you haven't already done so.

    Uninstall Combofix
    • Click START then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

    The above procedure will:
    • Delete the following: ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.



    Ok, I uninstalled Combofix and deleted Root Repeal.
    QUOTE
    Question. When the web surfing slows down, disconnects, etc., does your whole PC slow down? If you bring up task manager, what is the CPU and memory usage? Is it high? If so, on what process(es)?


    Well, I've had different things happen, and about equally.

    I had a couple of times where the whole PC slowed down, but really it's mainly just the internet.
    When I pull up the task manager to see what's going on, it would either be at a flat 0 with no activity no matter what I tried to do (connect to the internet, click on a link, etc.)
    OR it will be at 100% or close to it. The processes: firefox and ctfmon (before we disabled it).

    Odd thing is that it does the same thing even if I'm in IE, which makes me think it's not firefox related but network related.

    I'll hold off on posting in the help forum until you give me the green light. I truly do appreciate you sticking this out with me; I know it hasn't been an easy one.
    IndiGenus
    Yes, go ahead and post over at the PC Help Forum. Post a link back to here and let them know you were here for a possible Malware issue. That way they can see what's been done up to this point and where we're at.

    Let me know how you make out.
    hyebba
    QUOTE (IndiGenus @ Nov 13 2009, 03:35 PM) *
    Yes, go ahead and post over at the PC Help Forum. Post a link back to here and let them know you were here for a possible Malware issue. That way they can see what's been done up to this point and where we're at.

    Let me know how you make out.



    Hey! Just wanted to let you know that I posted over in PC Help. I will definitely let you know what's going on once I find out. Thank you very much for all the assistance you gave, you are a Godsend. I appreciate it a lot.

    Have a fantastic Saturday and I'll drop you a line soon!

    Heather
    IndiGenus
    Hi again,

    Looks like you got things cleared up in the other thread Heather, nice job. Do you have any more questions about the Malware or security-related issues?

    Regards,
    Dave
    Invision Power Board © 2001-2009 Invision Power Services, Inc.