
PC Infected - Internet Almost Completely Disabled


hyebba


First - THANK YOU GUYS FOR DOING WHAT YOU DO!!!! ;)

Beginning a few days ago, my computer started running slower and it has steadily progressed to where the internet is at a crawl. (servers reset in Firefox, pages won't load, pretty well worthless) I pretty much cannot use my computer.

Brand new hard drive installed a month ago.

Running XP, no MS Office products at all (but the ctfmon.exe service is running)

Adobe forced an update a few days ago.

Installed Microsoft Security Essentials last week (problems began shortly after)

Have free version of AVG anti-virus (installed with new hard drive, ran problem-free)

CPU has been all over the place. Was staying high (over 80%), then changed to staying at 0% regardless of the activity being attempted, with little spikes every now and then.

Automatic Updates shows that it is on in Control Panel, but there is no icon in the tray anymore and it hasn't been updating.

Here are my files:

MBAM Log:

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

11/2/2009 9:54:27 PM

mbam-log-2009-11-02 (21-54-27).txt

Scan type: Full Scan (C:\|)

Objects scanned: 146157

Time elapsed: 38 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\heather\My Documents\Downloads\SmileyCentralSetup2.3.50.53.ZSfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:59:34 PM, on 11/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe

C:\Program Files\Dell Photo AIO Printer 944\memcard.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\PDFtypewriter\Printer\PDFtypewriter_Printer_Monitor.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\dlcdcoms.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"

O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"

O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"

O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [PDFtypewriterPrinterMonitor] "C:\Program Files\PDFtypewriter\Printer\PDFtypewriterMonitorStart.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 9771 bytes


Hello hyebba and welcome to the forums here at MalwareBytes.

The problem is likely due to having 2 AntiVirus programs running. You should never have more than one AV or Firewall running at a time as it can cause conflicts, errors, false positives, and (your problem) system slowdown.

I would suggest you uninstall one of the AntiVirus products and see if that gets you back to running better.

Let me know how you make out.

I typically don't have two running, but was trying either one to find the virus. I have since uninstalled MS Essentials and the problems are still very bad. I use Firefox and I can hardly get to sites at all now... it took over 5 minutes to get back here. So I still need the same help, and I'm worried my computer will completely crash soon (it's getting worse by the minute).


IndiGenus:

Hello!

Did a bit more digging around and found a couple of things.

I lost all ability to connect to the internet, so on a chance I disabled the ctfmon.exe service that was running (I have no MS Office products on my computer). I am now able to get back online and it has been pretty problem-free so far, but we'll see.

Also, I found a file in my Application Data folder titled com.adobe.share.prefs.sol, and a folder name that just didn't seem right, in a different location than the other Adobe files and folders.

My Windows Updater folder is completely empty... and as I said, it has not been running updates (obviously, there are no files anymore).

I don't know if any of that will help us steer in the right direction, just wanted to make sure I told you everything that's catching my eye.

Thanks for helping me with this... I really appreciate it.

Heather

Link to post
Share on other sites

Hi Heather,

Let's get a closer look at things.

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Thanks Indi!

DDS.txt

DDS (Ver_09-06-26.01) - NTFSx86

Run by heather at 11:04:03.15 on Thu 11/05/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.240 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe

C:\Program Files\Dell Photo AIO Printer 944\memcard.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\PDFtypewriter\Printer\PDFtypewriter_Printer_Monitor.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\dlcdcoms.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\AVG\AVG8\avgui.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\heather\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

mDefault_Page_URL = hxxp://www.yahoo.com/

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [<NO NAME>]

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"

mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16

mRun: [dlcdmon.exe] "c:\program files\dell photo aio printer 944\dlcdmon.exe"

mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 944\memcard.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [PDFtypewriterPrinterMonitor] "c:\program files\pdftypewriter\printer\PDFtypewriterMonitorStart.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\heather\applic~1\mozilla\firefox\profiles\yk9s5gim.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-14 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-14 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-14 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-14 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-14 297752]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-6 54752]

R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]

R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]

S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\heather\locals~1\temp\dx9\SessionLauncher.exe [?]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]

S4 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]

=============== Created Last 30 ================

2009-11-02 21:59 <DIR> --d----- c:\program files\Trend Micro

2009-11-02 21:03 <DIR> --d----- c:\docume~1\heather\applic~1\Malwarebytes

2009-11-02 21:03 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-02 21:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-11-02 21:03 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-11-02 21:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-11-02 21:01 <DIR> --d----- c:\windows\system32\NtmsData

2009-11-02 14:00 <DIR> --d----- c:\docume~1\heather\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2009-11-02 13:32 90,920 a------- c:\windows\system32\custmon32.dll

2009-11-02 13:32 <DIR> --d----- c:\windows\SigPlus

2009-11-02 13:31 <DIR> --d----- c:\program files\PDFtypewriter

2009-11-02 13:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CTdeveloping

2009-11-02 13:31 <DIR> --d----- c:\docume~1\heather\applic~1\CTdeveloping

2009-11-02 02:03 <DIR> --d----- C:\b2725bb553b499d6447c88

2009-11-01 02:09 <DIR> --d----- C:\5126b90f2e82c1cd141e

2009-10-31 10:35 <DIR> --d----- C:\296e633a8c10b8dcb748

2009-10-30 01:09 <DIR> --d----- C:\1b00fa8af810194faf851e21

2009-10-29 10:20 202,072 a----r-- c:\windows\system32\cpnprt2.cid

2009-10-29 10:20 <DIR> --d----- c:\windows\Cache

2009-10-29 10:20 <DIR> --d----- c:\program files\Coupons

2009-10-29 00:43 <DIR> --d----- C:\9d870a4543eaffdbe4a428035ec5

2009-10-28 07:55 <DIR> --d----- C:\05a1236ff083f0fba998c1c871f5

2009-10-27 13:16 <DIR> --d----- c:\program files\Windows Media Connect 2

2009-10-27 13:12 <DIR> --d----- c:\windows\system32\LogFiles

2009-10-23 07:50 195,440 -------- c:\windows\system32\MpSigStub.exe

2009-10-20 09:11 1,151 a------- c:\windows\wpo.ini

2009-10-20 09:08 <DIR> --d----- c:\program files\PinderSoft

2009-10-20 08:43 132,880 a------- c:\windows\system32\MSINET.OCX

2009-10-09 13:16 <DIR> --d----- c:\program files\Kelly Martens

2009-10-07 18:14 <DIR> --d----- c:\docume~1\heather\applic~1\Uniblue

2009-10-07 11:08 2,947,368 a------- c:\windows\system32\CT_imagelibrary.ocx

2009-10-07 11:08 41,768 a------- c:\windows\system32\PDFtypewriter_AddIn.dll

2009-10-07 11:08 1,825,064 a------- c:\windows\system32\QuickPDFAX0716.dll

2009-10-07 11:08 45,864 a------- c:\windows\system32\CT_xmlparser.dll

2009-10-07 11:08 2,063,656 a------- c:\windows\system32\CT_docengine.ocx

2009-10-07 11:08 299,816 a------- c:\windows\system32\CT_twain.dll

2009-10-07 02:09 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

2009-10-07 02:04 117,760 -------- c:\windows\system32\prntvpt.dll

2009-10-07 02:04 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll

2009-10-07 02:04 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-10-07 02:04 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll

2009-10-07 02:04 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-10-07 02:04 1,676,288 -------- c:\windows\system32\xpssvcs.dll

2009-10-07 02:04 575,488 -------- c:\windows\system32\xpsshhdr.dll

2009-10-07 02:04 <DIR> --d----- C:\6c2f0c95b67eb92ecf7f13e056

==================== Find3M ====================

2009-09-15 23:59 411,368 a------- c:\windows\system32\deploytk.dll

2009-09-14 20:22 108,552 a------- c:\windows\system32\drivers\avgtdix.sys

2009-09-14 20:22 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-09-14 20:21 335,240 a------- c:\windows\system32\drivers\avgldx86.sys

2009-09-14 14:03 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2009-09-14 13:16 21,640 a------- c:\windows\system32\emptyregdb.dat

2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll

2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll

2009-08-29 03:08 916,480 a------- c:\windows\system32\wininet.dll

2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll

============= FINISH: 11:04:13.21 ===============

ATTCH.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 9/14/2009 2:20:59 PM

System Uptime: 11/4/2009 4:52:35 AM (31 hours ago)

Motherboard: Dell Inc. | | 0JC474

Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 298 GiB total, 282.531 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 9/14/2009 2:29:08 PM - System Checkpoint

RP2: 9/14/2009 2:57:46 PM - Installed Windows XP Service Pack 3.

RP3: 9/14/2009 3:14:31 PM - Installed ATI Parental Control

RP4: 9/14/2009 3:16:23 PM - Installed SigmaTel Audio

RP5: 9/14/2009 8:54:05 PM - Software Distribution Service 3.0

RP6: 9/14/2009 9:00:07 PM - Software Distribution Service 3.0

RP7: 9/14/2009 9:13:52 PM - Installed Windows XP WgaNotify.

RP8: 9/14/2009 9:21:34 PM - Installed AVG Free 8.5

RP9: 9/15/2009 8:14:27 AM - Avg8 Update

RP10: 9/16/2009 12:50:15 AM - Installed Java 6 Update 15

RP11: 9/16/2009 12:59:11 AM - Removed Java 6 Update 15

RP12: 9/16/2009 12:59:30 AM - Installed Java 6 Update 16

RP13: 9/16/2009 12:59:51 AM - Installed OpenOffice.org 3.1

RP14: 9/16/2009 3:00:13 AM - Software Distribution Service 3.0

RP15: 9/17/2009 3:10:11 AM - System Checkpoint

RP16: 9/18/2009 4:10:11 AM - System Checkpoint

RP17: 9/18/2009 5:13:09 PM - Installed Adobe Reader 9.1.

RP18: 9/20/2009 1:45:36 AM - System Checkpoint

RP19: 9/21/2009 3:01:00 PM - System Checkpoint

RP20: 9/22/2009 9:01:59 AM - Installed DirectX

RP21: 9/23/2009 3:00:15 AM - Software Distribution Service 3.0

RP22: 9/23/2009 11:10:19 AM - Installed Windows Media Player 11

RP23: 9/23/2009 9:13:58 PM - Software Distribution Service 3.0

RP24: 9/24/2009 9:03:15 AM - Installed NetWaiting

RP25: 9/24/2009 9:21:19 AM - Installed Windows KB954550-v5.

RP26: 9/24/2009 9:21:28 AM - Printer Driver Microsoft XPS Document Writer Installed

RP27: 9/24/2009 9:21:36 AM - Printer Driver Microsoft XPS Document Writer Installed

RP28: 9/24/2009 9:26:25 AM - Software Distribution Service 3.0

RP29: 9/24/2009 11:13:52 AM - Restore Operation

RP30: 9/24/2009 11:19:59 AM - Software Distribution Service 3.0

RP31: 9/25/2009 12:39:50 PM - System Checkpoint

RP32: 9/26/2009 4:06:03 PM - System Checkpoint

RP33: 9/27/2009 4:20:13 PM - System Checkpoint

RP34: 9/28/2009 8:47:43 PM - System Checkpoint

RP35: 9/30/2009 8:35:57 AM - System Checkpoint

RP36: 10/1/2009 4:01:14 PM - System Checkpoint

RP37: 10/2/2009 7:09:56 PM - System Checkpoint

RP38: 10/4/2009 1:27:15 AM - System Checkpoint

RP39: 10/5/2009 6:23:20 AM - System Checkpoint

RP40: 10/5/2009 8:14:13 AM - Avg8 Update

RP41: 10/5/2009 8:14:53 AM - Avg8 Update

RP42: 10/6/2009 8:25:02 AM - System Checkpoint

RP43: 10/6/2009 8:47:22 AM - Installed Windows XP KB954708.

RP44: 10/6/2009 8:47:45 AM - Installed DirectX

RP45: 10/7/2009 3:00:14 AM - Software Distribution Service 3.0

RP46: 10/7/2009 9:05:10 AM - Avg8 Update

RP47: 10/7/2009 7:19:18 PM - Software Distribution Service 3.0

RP48: 10/9/2009 1:56:22 AM - System Checkpoint

RP49: 10/9/2009 2:11:49 PM - Installed Polaroid Picture v1.7

RP50: 10/9/2009 2:12:11 PM - Installed Windows Live Writer Blog This for Mozilla Firefox

RP51: 10/9/2009 2:16:10 PM - Installed TagCreator for Windows Live Writer

RP52: 10/10/2009 3:33:42 PM - System Checkpoint

RP53: 10/12/2009 1:06:33 AM - System Checkpoint

RP54: 10/13/2009 1:15:36 AM - System Checkpoint

RP55: 10/14/2009 6:31:05 AM - System Checkpoint

RP56: 10/15/2009 3:00:15 AM - Software Distribution Service 3.0

RP57: 10/16/2009 3:16:03 PM - System Checkpoint

RP58: 10/17/2009 9:40:16 AM - Avg8 Update

RP59: 10/18/2009 10:50:09 PM - System Checkpoint

RP60: 10/20/2009 12:52:15 AM - System Checkpoint

RP61: 10/20/2009 10:08:28 AM - Installed Writers Project Organizer

RP62: 10/21/2009 9:40:15 AM - Avg8 Update

RP63: 10/22/2009 10:32:49 AM - System Checkpoint

RP64: 10/23/2009 8:50:03 AM - Software Distribution Service 3.0

RP65: 10/23/2009 11:34:37 AM - Microsoft Antimalware Checkpoint

RP66: 10/24/2009 2:29:39 AM - Software Distribution Service 3.0

RP67: 10/25/2009 4:26:02 PM - System Checkpoint

RP68: 10/26/2009 8:54:32 AM - Software Distribution Service 3.0

RP69: 10/27/2009 2:10:02 PM - Installed Windows Media Player 11

RP70: 10/27/2009 2:10:58 PM - Software Distribution Service 3.0

RP71: 10/28/2009 3:00:22 AM - Software Distribution Service 3.0

RP72: 10/28/2009 8:55:22 AM - Software Distribution Service 3.0

RP73: 10/29/2009 1:43:21 AM - Software Distribution Service 3.0

RP74: 10/29/2009 3:51:19 AM - Microsoft Antimalware Checkpoint

RP75: 10/29/2009 10:55:16 AM - Software Distribution Service 3.0

RP76: 10/30/2009 2:09:03 AM - Software Distribution Service 3.0

RP77: 10/30/2009 11:34:27 AM - Software Distribution Service 3.0

RP78: 10/31/2009 11:35:13 AM - Software Distribution Service 3.0

RP79: 11/1/2009 3:09:04 AM - Software Distribution Service 3.0

RP80: 11/2/2009 3:03:22 AM - Software Distribution Service 3.0

RP81: 11/2/2009 2:31:50 PM - Installed PDFtypewriter with PDF Printer Driver

RP82: 11/2/2009 2:32:23 PM - Printer Driver CUSTPDF Writer Installed

RP83: 11/3/2009 9:25:36 AM - Avg8 Update

RP84: 11/4/2009 4:00:14 AM - Software Distribution Service 3.0

RP85: 11/5/2009 4:56:55 AM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.2

ATI - Software Uninstall Utility

ATI Parental Control

AVG Free 8.5

Conexant D850 56K V.9x DFVc Modem

Coupon Printer for Windows

Dell Photo AIO Printer 944

DirectXInstallService

ERUNT 1.1j

FileZilla Client 3.2.8.1

GIMP 2.6.7

Google Toolbar for Internet Explorer

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB954708)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections Drivers

Jasc Paint Shop Photo Album 5

Jasc Paint Shop Pro Studio, Dell Editon

Java 6 Update 16

Java SE Runtime Environment 6 Update 1

Junk Mail filter update

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox (3.5.4)

MSN

MSVCRT

MSXML 4.0 SP2 (KB954430)

Nvu 1.0PR

OpenOffice.org 3.1

PDFtypewriter Printer Driver

PDFtypewriter with PDF Printer Driver

Polaroid Picture v1.7

Powerbullet Presenter 1.44

Roxio Activation Module

Roxio CinePlayer Decoder Pack

Roxio Creator Audio

Roxio Creator Copy

Roxio Creator Data

Roxio Creator Premier

Roxio Creator Premier 10

Roxio Creator Tools

Roxio Express Labeler

Roxio Update Manager

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Segoe UI

SigmaTel Audio

Sonar2

Spelling Dictionaries Support For Adobe Reader 9

TagCreator for Windows Live Writer

Update for Windows Internet Explorer 8 (KB973874)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows XP (KB898461)

Update for Windows XP (KB951978)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB973815)

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Live Call

Windows Live Essentials

Windows Live Family Safety

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Toolbar

Windows Live Upload Tool

Windows Live Writer

Windows Live Writer Blog This for Mozilla Firefox

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

WinRAR archiver

Writers Project Organizer

Yahoo! Messenger

Yahoo! Search Protection

Yahoo! Software Update

Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

11/3/2009 9:12:26 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}

11/1/2009 10:53:41 PM, error: Service Control Manager [7034] - The AVG Free8 E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).

10/31/2009 2:09:19 AM, error: Microsoft Antimalware [2001] -

10/31/2009 12:43:18 PM, error: Dhcp [1002] - The IP address lease 192.168.251.199 for the Network Card with network address 00167636F2DA has been denied by the DHCP server 192.168.251.1 (The DHCP Server sent a DHCPNACK message).

10/29/2009 11:28:34 AM, error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.

==== End Of File ===========================

Thank you for your help!

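As an added example (not code from the thread, from DDS or from ComboFix), the following Python normalises the "Created Last 30" lines of the DDS log above and the "Files Created" lines of a ComboFix log into one record shape, then lists what landed under system32 during an assumed trouble window and flags a system-only binary name that sits outside the Windows system tree. The trouble window and the system-only name list are assumptions; all sample lines are copied from this thread's logs except the last DDS line, which is constructed.

```python
"""Normalise the "files created" lines of DDS and ComboFix logs into one record
shape, then ask two triage questions: what landed under system32 during the
window when the symptoms began, and does a system-only binary name appear
outside the Windows system tree.  Added example; not DDS or ComboFix code."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# DDS "Created Last 30": <created> <size-with-commas | <DIR>> <attrs> <path>
DDS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
# ComboFix "Files Created": <created> . <modified> <size | --------> <attrs> <path>
CF_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(-{8}|\d+)\s+(\S+)\s+(.+)$")

# Assumed triage window: the poster reports trouble starting a few days before
# the 2009-11-02 scan, shortly after an install the previous week.
WINDOW = ("2009-10-26 00:00", "2009-11-03 23:59")
# Assumption for illustration: names that belong only under the system tree.
SYSTEM_ONLY = {"ctfmon.exe"}
SYSTEM_TREE = ("c:\\windows\\system32\\", "c:\\windows\\servicepackfiles\\i386\\")


@dataclass
class Entry:
    created: datetime
    modified: Optional[datetime]  # only ComboFix records it
    size: Optional[int]           # None for directories
    is_dir: bool
    path: str
    source: str                   # "dds" or "combofix"


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_line(line: str) -> Optional[Entry]:
    """Entry for a DDS or ComboFix file line; None for headers and blanks."""
    line = line.strip()
    m = CF_RE.match(line)
    if m:
        created, modified, size, attrs, path = m.groups()
        is_dir = attrs.startswith("d")
        return Entry(_ts(created), _ts(modified), None if is_dir else int(size),
                     is_dir, path, "combofix")
    m = DDS_RE.match(line)
    if m:
        created, size, attrs, path = m.groups()
        is_dir = size == "<DIR>"
        return Entry(_ts(created), None,
                     None if is_dir else int(size.replace(",", "")),
                     is_dir, path, "dds")
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def system_files_in_window(entries: List[Entry], start: str, end: str) -> List[str]:
    """Paths of files (not folders) written under system32 within [start, end]."""
    lo, hi = _ts(start), _ts(end)
    return sorted(e.path for e in entries
                  if not e.is_dir and lo <= e.created <= hi
                  and e.path.lower().startswith(SYSTEM_TREE[0]))


def misplaced_system_names(entries: List[Entry]) -> List[str]:
    """Files named like a system-only binary but sitting outside the system
    tree: the masquerade a helper checks for when a 'ctfmon' looks wrong."""
    hits = []
    for e in entries:
        folder, _, name = e.path.lower().rpartition("\\")
        if not e.is_dir and name in SYSTEM_ONLY \
                and not (folder + "\\").startswith(SYSTEM_TREE):
            hits.append(e.path)
    return hits


# Lines copied from the thread's DDS log, plus one CONSTRUCTED last line showing
# a masquerading ctfmon.exe (not something the poster's log contained).
DDS_SAMPLE = r"""=============== Created Last 30 ================
2009-11-02 21:03 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 21:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 10:20 202,072 a----r-- c:\windows\system32\cpnprt2.cid
2009-10-23 07:50 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-07 02:04 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-11-02 13:40 15,360 a------- c:\documents and settings\heather\Application Data\ctfmon.exe
"""
# Lines copied from the thread's ComboFix log (ComboFix stamps in UTC: compare
# mbamswissarmy.sys here with the DDS line above; the machine is GMT -5).
COMBOFIX_SAMPLE = r"""2009-11-03 02:03 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 02:03 . 2009-11-03 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-24 13:03 . 2009-09-14 19:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-23 12:50 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
"""

if __name__ == "__main__":
    for label, text in (("DDS", DDS_SAMPLE), ("ComboFix", COMBOFIX_SAMPLE)):
        entries = parse_log(text)
        print(label, system_files_in_window(entries, *WINDOW), misplaced_system_names(entries))
```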

So, now that you have uninstalled the MS Security Essentials program, how's it running?

Hi Indi,

It is definitely a virus. There was no change after removing MS Essentials. The problems continued to get worse (with Firefox always being redirected, etc.), so I disabled the ctfmon.exe service that was running, and now I can search the internet just fine. But I know I have to get that off of the computer, because when I reboot the service restarts and the problems start again.

Below is my earlier post:

I lost all ability to connect to the internet, so on a chance I disabled the ctfmon.exe service that was running (I have no MS Office products on my computer). I am now able to get back online and it has been pretty problem free so far, but we'll see.

Also, found a file in my Application Data folder titled com.adobe.share.prefs.sol and a folder name that just didn't seem right, in a different location than the other Adobe files and folders.

My Windows Updater folder is completely empty... and as I had said, it has not been running updates (obviously, there are no files anymore).


Let's get a rootkit scan here.

1. Download RootRepeal from the following location and save it to your desktop.
2. Rar Mirrors - Only if you know what a RAR is and can extract it.
3. Extract RootRepeal.exe from the archive.
4. Open RootRepeal on your desktop.
5. Click the Report tab.
6. Click the Scan button.
7. Check all seven boxes.
8. Push Ok.
9. Check the box for your main system drive (usually C:), and press Ok.
10. Allow RootRepeal to run a scan of your system. This may take some time.
11. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Hi IndiGenus!! Thank you again for assisting with this! Below is the RootRepeal report, as requested.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/11/06 19:23

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAAB72000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7B10000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA99CB000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\4c072de7-a74f-4e5c-bee6-71fa531a3f93

Status: Locked to the Windows API!

==EOF==


Nothing there... I see where the bad ctfmon process is getting loaded, but I still think we may have a rootkit hiding here.

Let's get out the big gun.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking what to do next.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated DDS log and let me know how it's running.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Hiya IndiGenus!! As requested... here is the ComboFix log.

THANK YOU!!! :) (and thanks for not being too afraid to pull out the big guns for us! ha ha)

ComboFix 09-11-06.03 - heather 11/07/2009 1:23.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.306 [GMT -5:00]

Running from: c:\documents and settings\heather\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\COUPON~1.OCX

c:\windows\CouponPrinter.ocx

.

((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))

.

2009-11-04 02:18 . 2009-11-04 02:18 -------- d-----w- c:\program files\ERUNT

2009-11-03 02:59 . 2009-11-03 02:59 -------- d-----w- c:\program files\Trend Micro

2009-11-03 02:03 . 2009-11-03 02:03 -------- d-----w- c:\documents and settings\heather\Application Data\Malwarebytes

2009-11-03 02:03 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-03 02:03 . 2009-11-03 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-03 02:03 . 2009-11-03 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-03 02:03 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-03 02:01 . 2009-11-03 02:56 -------- d-----w- c:\windows\system32\NtmsData

2009-11-02 19:00 . 2009-11-02 19:00 -------- d-----w- c:\documents and settings\heather\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2009-11-02 18:32 . 2009-10-07 16:08 90920 ----a-w- c:\windows\system32\custmon32.dll

2009-11-02 18:32 . 2009-11-02 18:32 -------- d-----w- c:\windows\SigPlus

2009-11-02 18:31 . 2009-11-02 18:32 -------- d-----w- c:\program files\PDFtypewriter

2009-11-02 18:31 . 2009-11-02 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\CTdeveloping

2009-11-02 18:31 . 2009-11-02 18:31 -------- d-----w- c:\documents and settings\heather\Application Data\CTdeveloping

2009-11-02 07:03 . 2009-11-02 07:03 -------- d-----w- C:\b2725bb553b499d6447c88

2009-11-01 07:09 . 2009-11-01 07:09 -------- d-----w- C:\5126b90f2e82c1cd141e

2009-10-31 16:56 . 2008-04-14 09:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2009-10-31 15:35 . 2009-10-31 15:36 -------- d-----w- C:\296e633a8c10b8dcb748

2009-10-30 06:09 . 2009-10-30 06:09 -------- d-----w- C:\1b00fa8af810194faf851e21

2009-10-29 15:20 . 2009-10-29 15:20 -------- d-----w- c:\windows\Cache

2009-10-29 15:20 . 2009-10-29 15:20 -------- d-----w- c:\program files\Coupons

2009-10-29 05:43 . 2009-10-29 05:43 -------- d-----w- C:\9d870a4543eaffdbe4a428035ec5

2009-10-28 12:55 . 2009-10-28 12:55 -------- d-----w- C:\05a1236ff083f0fba998c1c871f5

2009-10-27 18:16 . 2009-10-27 18:16 -------- d-----w- c:\program files\Windows Media Connect 2

2009-10-27 18:12 . 2009-10-27 18:14 -------- d-----w- c:\windows\system32\drivers\UMDF

2009-10-27 18:12 . 2009-10-27 18:12 -------- d-----w- c:\windows\system32\LogFiles

2009-10-23 12:50 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe

2009-10-20 14:08 . 2009-10-20 14:08 -------- d-----w- c:\program files\PinderSoft

2009-10-17 13:40 . 2009-10-17 13:40 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe

2009-10-16 17:14 . 2009-10-16 17:14 -------- d-----w- c:\program files\FileZilla FTP Client

2009-10-13 12:28 . 2009-11-05 20:19 -------- d-----w- c:\documents and settings\heather\Application Data\FileZilla

2009-10-09 18:16 . 2009-10-09 18:16 -------- d-----w- c:\program files\Kelly Martens

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-05 19:47 . 2009-09-16 05:02 1 ----a-w- c:\documents and settings\heather\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2009-11-05 17:35 . 2009-09-28 21:09 -------- d-----w- c:\documents and settings\heather\Application Data\gtk-2.0

2009-11-04 21:16 . 2009-10-04 14:43 -------- d-----w- c:\program files\Dl_cats

2009-11-04 02:16 . 2009-09-15 17:44 -------- d-----w- c:\documents and settings\heather\Application Data\MP3Rocket

2009-10-28 14:48 . 2009-09-24 13:30 34256 ----a-w- c:\documents and settings\heather\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-28 06:52 . 2009-09-18 21:13 -------- d-----w- c:\program files\Common Files\Adobe

2009-10-21 13:40 . 2009-11-06 13:50 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

2009-10-07 23:14 . 2009-10-07 23:14 -------- d-----w- c:\documents and settings\heather\Application Data\Uniblue

2009-10-07 16:08 . 2009-10-07 16:08 41768 ----a-w- c:\windows\system32\PDFtypewriter_AddIn.dll

2009-10-07 16:08 . 2009-10-07 16:08 1825064 ----a-w- c:\windows\system32\QuickPDFAX0716.dll

2009-10-07 16:08 . 2009-10-07 16:08 45864 ----a-w- c:\windows\system32\CT_xmlparser.dll

2009-10-07 16:08 . 2009-10-07 16:08 299816 ----a-w- c:\windows\system32\CT_twain.dll

2009-10-07 07:15 . 2009-10-06 12:52 -------- d-----w- c:\program files\Microsoft Silverlight

2009-10-06 14:28 . 2009-10-06 14:25 -------- d-----w- c:\documents and settings\heather\Application Data\Windows Live Writer

2009-10-06 13:03 . 2009-10-04 14:41 -------- d-----w- c:\program files\Dell Photo AIO Printer 944

2009-10-06 12:52 . 2009-10-06 12:45 -------- d-----w- c:\program files\Windows Live

2009-10-06 12:48 . 2009-10-06 12:48 -------- d-----w- c:\program files\Microsoft Sync Framework

2009-10-06 12:47 . 2009-10-06 12:47 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2009-10-06 12:46 . 2009-10-06 12:46 -------- d-----w- c:\program files\Microsoft

2009-10-06 12:45 . 2009-10-06 12:45 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-10-06 12:41 . 2009-10-06 12:41 -------- d-----w- c:\program files\Common Files\Windows Live

2009-10-04 15:06 . 2009-10-04 15:06 25214 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}\ARPPRODUCTICON.exe

2009-10-04 15:05 . 2009-10-04 15:05 -------- d-----w- c:\documents and settings\heather\Application Data\Jasc Software Inc

2009-10-04 15:05 . 2009-10-04 15:04 -------- d-----w- c:\program files\Jasc Software Inc

2009-10-04 15:05 . 2009-10-04 15:05 4710 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut3_4192EAC06B364723B216D0E86E7757AC.exe

2009-10-04 15:05 . 2009-10-04 15:05 22486 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut5_4192EAC06B364723B216D0E86E7757AC.exe

2009-10-04 15:05 . 2009-10-04 15:05 22486 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\ARPPRODUCTICON.exe

2009-10-04 15:04 . 2009-10-04 15:04 -------- d-----w- c:\program files\Common Files\Jasc Software Inc

2009-10-04 15:03 . 2009-10-04 15:03 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2009-09-28 22:52 . 2009-09-28 20:53 -------- d-----w- c:\documents and settings\heather\Application Data\Nvu

2009-09-28 20:53 . 2009-09-28 20:53 -------- d-----w- c:\program files\Nvu

2009-09-24 15:20 . 2009-09-24 15:20 -------- d-----w- c:\program files\MSXML 4.0

2009-09-24 15:15 . 2009-09-24 13:03 -------- d-----w- c:\program files\NetWaiting

2009-09-24 15:15 . 2009-09-24 15:15 -------- d-----w- c:\program files\CONEXANT

2009-09-24 13:21 . 2009-09-24 13:21 -------- d-----w- c:\program files\MSBuild

2009-09-24 13:21 . 2009-09-24 13:21 -------- d-----w- c:\program files\Reference Assemblies

2009-09-24 13:03 . 2009-09-14 19:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-24 01:15 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-09-22 13:18 . 2009-09-22 13:18 -------- d-----w- c:\documents and settings\heather\Application Data\Roxio

2009-09-22 13:11 . 2009-09-22 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall

2009-09-22 13:11 . 2009-09-22 13:02 -------- d-----w- c:\program files\Common Files\Sonic Shared

2009-09-22 13:11 . 2009-09-22 13:02 -------- d-----w- c:\program files\Roxio

2009-09-22 13:09 . 2009-09-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2009-09-22 13:07 . 2009-09-22 13:02 -------- d-----w- c:\program files\Common Files\Roxio Shared

2009-09-22 13:05 . 2009-09-22 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2009-09-22 13:03 . 2009-09-22 13:03 -------- d-----w- c:\program files\Common Files\SureThing Shared

2009-09-22 13:02 . 2009-09-22 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2009-09-22 13:02 . 2009-09-14 19:14 -------- d-----w- c:\program files\Common Files\InstallShield

2009-09-22 13:01 . 2009-09-22 13:01 10134 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe

2009-09-20 14:38 . 2009-09-18 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\heather\Application Data\Yahoo!

2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\program files\Yahoo!

2009-09-18 21:12 . 2009-09-18 21:12 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-09-18 21:11 . 2009-09-18 21:11 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2009-09-16 21:58 . 2009-09-16 21:58 -------- d-----w- c:\program files\Powerbullet

2009-09-16 05:21 . 2009-09-16 05:21 -------- d-----w- c:\program files\GIMP-2.0

2009-09-16 05:01 . 2009-09-16 05:01 -------- d-----w- c:\documents and settings\heather\Application Data\OpenOffice.org

2009-09-16 05:00 . 2009-09-16 05:00 -------- d-----w- c:\program files\JRE

2009-09-16 05:00 . 2009-09-16 04:59 -------- d-----w- c:\program files\OpenOffice.org 3

2009-09-16 04:59 . 2009-09-16 04:50 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-16 04:59 . 2009-09-15 17:45 -------- d-----w- c:\program files\Java

2009-09-16 04:49 . 2009-09-16 04:49 152576 ----a-w- c:\documents and settings\heather\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-09-15 17:45 . 2009-09-15 17:45 -------- d-----w- c:\program files\Common Files\Java

2009-09-15 01:30 . 2009-09-15 01:30 0 ----a-w- c:\windows\nsreg.dat

2009-09-15 01:26 . 2009-09-15 01:25 -------- d-----w- c:\program files\Google

2009-09-15 01:23 . 2009-09-15 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-09-15 01:22 . 2009-09-15 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-09-15 01:22 . 2009-09-15 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-09-15 01:21 . 2009-09-15 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-09-15 01:21 . 2009-09-15 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-09-15 01:21 . 2009-09-15 01:21 -------- d-----w- c:\program files\AVG

2009-09-15 01:21 . 2009-09-15 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-15 01:15 . 2009-09-15 01:15 -------- d-----w- c:\documents and settings\heather\Application Data\AVG8

2009-09-14 19:16 . 2009-09-14 19:16 -------- d-----w- c:\program files\SigmaTel

2009-09-14 19:14 . 2009-09-14 19:14 -------- d-----w- c:\program files\ATI Technologies

2009-09-14 19:03 . 2009-09-14 18:18 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-09-14 18:19 . 2009-09-14 18:19 -------- d-----w- c:\program files\microsoft frontpage

2009-09-14 18:16 . 2009-09-14 18:16 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-09-11 14:18 . 2004-08-12 13:23 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-12 13:22 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-12 13:30 247326 ----a-w- c:\windows\system32\strmdll.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]

"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]

"dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 430080]

"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 282624]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"PDFtypewriterPrinterMonitor"="c:\program files\PDFtypewriter\Printer\PDFtypewriterMonitorStart.exe" [2009-10-07 25384]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-15 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Nvu\\nvu.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/14/2009 8:21 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/14/2009 8:22 PM 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/14/2009 8:21 PM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/14/2009 8:21 PM 297752]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [10/6/2009 7:52 AM 54752]

R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 9:32 AM 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 9:32 AM 166384]

S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 9:31 AM 1120752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*NewlyCreated* - PROCEXP113

*Deregistered* - mbr

*Deregistered* - PROCEXP113

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

mDefault_Page_URL = hxxp://www.yahoo.com/

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

FF - ProfilePath - c:\documents and settings\heather\Application Data\Mozilla\Firefox\Profiles\yk9s5gim.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-<NO NAME> - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-07 01:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-11-07 1:29

ComboFix-quarantined-files.txt 2009-11-07 06:28

Pre-Run: 303,147,810,816 bytes free

Post-Run: 303,454,617,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6F24C0618F03BDB06F6B90DD1F02F73D
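The "Reg Loading Points" section of a ComboFix log like the one above is where an analyst looks first: Run keys, the firewall policy, AppInit settings and the R/S service lines. As an added example that is not part of this thread and not ComboFix's own code, here is a small Python script that parses that section and flags the generic things worth a second look: a firewall profile with EnableFirewall=0, AppInit DLL loading switched on, an autostart or service image that lives under a Temp directory, and service lines ComboFix tagged [?]. The sample lines are copied from the log above (a constructed excerpt, not the full log); the severity labels and the reading of [?] as "no date/size recorded for that file" are this example's assumptions, and a flag means "check this", not that the file is malicious.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpt: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [10/6/2009 7:52 AM 54752]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
"""

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')                     # [HKEY_...] section header
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]+)" '   # "name"="path" [date size]
                    r'\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+) \(0x[0-9a-fA-F]+\)$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
TEMP_MARKER = '\\temp\\'   # matches both "Local Settings\Temp\" and "LOCALS~1\Temp\" once lowercased


@dataclass
class Finding:
    severity: str   # "high", "review" or "info" (labels chosen for this example)
    where: str
    detail: str


def image_path(rest: str) -> Tuple[str, bool]:
    """Split a service line's tail into its command line and whether ComboFix
    could record date/size for it. Assumption: a trailing '[?]' means it could not."""
    unverified = rest.rstrip().endswith('[?]')
    head = rest.split(' --> ')[0]      # drop the resolved-path echo, if present
    head = head.split(' [')[0]         # drop the "[date size]" or "[?]" tag
    return head.strip(), unverified


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key').lower()   # the registry key the following values belong to
            continue
        m = RUN_RE.match(line)
        if m:
            name, image = m.group('name'), m.group('image')
            if TEMP_MARKER in image.lower():
                findings.append(Finding('review', f'{key} -> {name}',
                                        f'autostart image lives under a Temp directory: {image}'))
            continue
        m = DWORD_RE.match(line)
        if m:
            name, value = m.group('name').lower(), int(m.group('value'))
            if name == 'enablefirewall' and value == 0 and 'firewallpolicy' in key:
                findings.append(Finding('high', key,
                                        'Windows Firewall is off for this profile (EnableFirewall=0)'))
            elif name == 'loadappinit_dlls' and value == 1:
                findings.append(Finding('info', key,
                                        'AppInit DLL loading is enabled; review the AppInit_DLLs value'))
            continue
        m = SVC_RE.match(line)
        if m:
            image, unverified = image_path(m.group('rest'))
            where = f"service {m.group('name')} ({m.group('start')})"
            if TEMP_MARKER in image.lower():
                findings.append(Finding('review', where,
                                        f'service image runs from a Temp directory: {image}'))
            if unverified:
                findings.append(Finding('review', where,
                                        f'no date/size recorded ([?]); confirm the file exists: {image}'))
    return findings


def summarize(findings: List[Finding]) -> List[str]:
    return [f'[{f.severity}] {f.where}: {f.detail}' for f in findings]


if __name__ == '__main__':
    for entry in summarize(triage(SAMPLE_LOG)):
        print(entry)
```

Run it as-is to print the findings for the excerpt, or pass the full log text to triage(). On the excerpt it reports the disabled firewall profile, the AppInit setting, and the two services ComboFix could not stat, one of which also runs from the user's Temp folder; the ctfmon.exe entry, which is in system32 with a recorded date and size, is not flagged.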


How's it running now? Are you still getting redirected when browsing? If so is that only with Firefox? Or with IE too?

You mentioned earlier something I wanted to address...

Running XP, no MS Office products at all (but the ctfmon.exe service is running)

ctfmon.exe is not part of MS Office. It's part of Windows. I believe with SP3 Windows has it start automatically (not 100% sure of that but I think so). I myself just turn it off. Sometimes it can be malicious but I think yours is legit. You can try turning it off. How to do that is covered in the link below.

http://www.microsoft.com/resources/documen...n.mspx?mfr=true


Hi Indi!

My bad, I thought the ctfmon service was just for MS Office products. Thanks for the clarification.

I'm not sure if it ever redirected with IE as it's just a 'policy' of mine not to run IE. I started IE and it seems to be fine when I do Google searches and click through. But again, that service is turned off so I wouldn't expect any hangups right now.

The computer runs fine with the ctfmon service disabled, but the concern comes in with restarting (it automatically starts and I'm worried at that time it will send whatever info it is gathering to whoever is doing the harvesting).

I followed the link you provided, but the instructions didn't match with my version of XP. I will research to find the right way for my system. Thanks for the heads up on that.

I'm wondering: Since I've had the ctfmon service disabled while I ran all these diagnostics, could that be why we aren't seeing anything? Should I restart that service and begin running the diagnostics again? Also, if it is a virus, will just turning off that service be adequate enough to keep me safe?

Thanks for everything you're doing to help me out. I truly appreciate it!


I can see where the process is being launched from.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

I really don't think it's the issue, but we can have the file checked.

Please go to http://www.virustotal.com/en/indexf.html

click on Browse, and upload the following file for analysis:

C:\WINDOWS\SYSTEM32\ctfmon.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.


Yep, you're right...no issue there it looks like. What do we do now? And if the file is clean, why would it mess me up so bad when it runs? (just trying to understand how that works) ;) Thanks for helping!! Report is below.

MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3

First received: 2009.02.11 22:51:11 UTC

Date: 2009.11.08 00:16:29 UTC [<1D]

Results: 0/40

Permalink: analisis/5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1-1257639389


I've never heard of the ctfmon.exe (legitimate) process causing issues, with redirects or other. So you are saying that you still are getting redirected when this process is running?

Aw man, really???

Unfortunately, I've seen a lot (from techs) regarding ctfmon messing things up. Obviously, and just like you had said, the legit ones are fine (it seems) but this one's legit (pretty positive anyway) and it still seems completely connected to the problem somehow. Could a virus depend on this service running to be able to execute? (I don't even know if I asked that correctly) ;) I was hoping you were going to be my knight in shining armor on that one!! :( :(

The problem has not changed. :)

The best that I can say is that once I had turned that service off, the problems stopped. Outside of that, I don't know.

Then, this morning there were two instances of ctfmon.exe showing in my processes (how they started and why there were two, with different mem. usage, I have no idea. I had not restarted the computer.). When I tried to upgrade my AVG to a new version today, the AVG program will not connect to the site through Firefox or IE. On Firefox I get the server reset error and on IE it just hangs up on a blank page and does nothing. Also, when AVG runs its scan no 'warnings' pop up (I usually have at least 50 from cookies), so it seems that AVG looks like it's running, but isn't really doing anything. Also, my computer started running really slow again. Whatever is in here, it's rebuilding itself somehow, or restarting itself???? Is that possible?

I'm stumped. And oh so worried. I literally just put in a new hard drive. Brand new, out of the box, and she was purring oh so well. :(

Thanks for fightin' the fight with me! Lead my way to cleanliness!! :) :)


Oh, and I don't know if this means anything, but it's a change in behavior. I have to click everything twice now, or refresh pages to get them to load. It's getting worse???? It's to the point now that EVERY time, I have to click at least twice. aacckk!!!!


Let's get another rootkit scan.

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


Ran the scan, logs are below.

I see the folders where the ctfmon is, however I cannot find it 'running' anywhere except the task manager so that I can turn it off.

I went to Control Panel > Administrative Tools > Services = It's not listed in the services anywhere.

I went to Start > Run > msconfig > start.ini > = It's not listed there either.

I can't find it to turn it off, so I am left with End Process in the task manager, and I hear that's not such a good thing to do.

The computer is beginning to get worse, literally by the minute. Last time, I just turned off the ctfmon, but now it just keeps reappearing and I can't locate it to turn it off.??

Here are the logs:

Thanks again for everything!

GMER 1.0.15.15163 - http://www.gmer.net

Rootkit scan 2009-11-09 14:18:36

Windows 5.1.2600 Service Pack 3

Running: malfix41gbwvqp.exe; Driver: C:\DOCUME~1\heather\LOCALS~1\Temp\fwncifob.sys

---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\heather\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\heather\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1472] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 46CAE71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 46CAEEE9 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!socket 71AB4211 5 Bytes JMP 46CAE59E C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 46CAE62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!send 71AB4C27 5 Bytes JMP 46CAE9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] ws2_32.dll!recv 71AB676F 5 Bytes JMP 46CAF1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2852] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\Program Files\Yahoo!\Messenger\yui.dll

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3672] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


I see the folders where ctfmon is; however, I cannot find it 'running' anywhere except Task Manager so that I can turn it off.

It should only be in your system32 folder. Where else do you see it?

I went to Control Panel > Administrative Tools > Services = It's not listed in the services anywhere.

It's not a service, it's a process, so you will not see it there.

I went to Start > Run > msconfig > start.ini > = It's not listed there either.

The valid ctfmon is starting from a run key:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

I can't find it to turn it off, so I am left with End Process in the task manager, and I hear that's not such a good thing to do.

Stopping this process (either the good or bad one) will not hurt anything.

The computer is beginning to get worse, literally by the minute. Last time, I just turned off ctfmon, but now it just keeps reappearing and I can't locate it to turn it off?

Stay calm, we'll get it sorted out.

Not seeing anything in GMER.

Do me a favor. Delete the copy of combofix I had you download earlier and download a fresh copy. Then run as advised before and post the log.


Thank you for such a detailed response. It helped me understand things better. I'm a web publisher and am currently learning coding and scripts, and I know I need to have some kind of malware knowledge, so again, thank you.

It should only be in your system32 folder. Where else do you see it?

ctfmon.exe C:\WINDOWS\$NtServicePackUninstall$

CTFMON.EXE-0E17969B.pf C:\WINDOWS\Prefetch

ctfmon.exe C:\WINDOWS\system32

ctfmon.exe C:\WINDOWS\ERDNT\cache

ctfmon.exe C:\WINDOWS\ServicePackFiles\i386

They each seem to be from Microsoft.

The valid ctfmon is starting from a run key:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

Can I go into that folder and just delete the word 'run' to turn it off for good?

Here is the ComboFix log. I had accidentally run the RootRepeal tool first, so I included those results too, just in case there was something in there.

COMBOFIX:

ComboFix 09-11-08.03 - heather 11/09/2009 17:01.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.336 [GMT -5:00]

Running from: c:\documents and settings\heather\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))

.

2009-11-09 18:19 . 2009-11-09 18:20 291328 ----a-w- C:\malfix41gbwvqp.exe

2009-11-06 13:50 . 2009-10-21 13:40 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

2009-11-04 02:18 . 2009-11-04 02:18 -------- d-----w- c:\program files\ERUNT

2009-11-03 02:59 . 2009-11-03 02:59 -------- d-----w- c:\program files\Trend Micro

2009-11-03 02:03 . 2009-11-03 02:03 -------- d-----w- c:\documents and settings\heather\Application Data\Malwarebytes

2009-11-03 02:03 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-03 02:03 . 2009-11-03 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-03 02:03 . 2009-11-03 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-03 02:03 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-03 02:01 . 2009-11-03 02:56 -------- d-----w- c:\windows\system32\NtmsData

2009-11-02 19:00 . 2009-11-02 19:00 -------- d-----w- c:\documents and settings\heather\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2009-11-02 18:32 . 2009-10-07 16:08 90920 ----a-w- c:\windows\system32\custmon32.dll

2009-11-02 18:32 . 2009-11-02 18:32 -------- d-----w- c:\windows\SigPlus

2009-11-02 18:31 . 2009-11-02 18:32 -------- d-----w- c:\program files\PDFtypewriter

2009-11-02 18:31 . 2009-11-02 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\CTdeveloping

2009-11-02 18:31 . 2009-11-02 18:31 -------- d-----w- c:\documents and settings\heather\Application Data\CTdeveloping

2009-11-02 07:03 . 2009-11-02 07:03 -------- d-----w- C:\b2725bb553b499d6447c88

2009-11-01 07:09 . 2009-11-01 07:09 -------- d-----w- C:\5126b90f2e82c1cd141e

2009-10-31 16:56 . 2008-04-14 09:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2009-10-31 15:35 . 2009-10-31 15:36 -------- d-----w- C:\296e633a8c10b8dcb748

2009-10-30 06:09 . 2009-10-30 06:09 -------- d-----w- C:\1b00fa8af810194faf851e21

2009-10-29 15:20 . 2009-10-29 15:20 -------- d-----w- c:\windows\Cache

2009-10-29 15:20 . 2009-10-29 15:20 -------- d-----w- c:\program files\Coupons

2009-10-29 05:43 . 2009-10-29 05:43 -------- d-----w- C:\9d870a4543eaffdbe4a428035ec5

2009-10-28 12:55 . 2009-10-28 12:55 -------- d-----w- C:\05a1236ff083f0fba998c1c871f5

2009-10-27 18:16 . 2009-10-27 18:16 -------- d-----w- c:\program files\Windows Media Connect 2

2009-10-27 18:12 . 2009-10-27 18:14 -------- d-----w- c:\windows\system32\drivers\UMDF

2009-10-27 18:12 . 2009-10-27 18:12 -------- d-----w- c:\windows\system32\LogFiles

2009-10-23 12:50 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe

2009-10-20 14:08 . 2009-10-20 14:08 -------- d-----w- c:\program files\PinderSoft

2009-10-17 13:40 . 2009-10-17 13:40 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe

2009-10-16 17:14 . 2009-10-16 17:14 -------- d-----w- c:\program files\FileZilla FTP Client

2009-10-13 12:28 . 2009-11-09 18:10 -------- d-----w- c:\documents and settings\heather\Application Data\FileZilla

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-07 23:55 . 2009-10-04 14:43 -------- d-----w- c:\program files\Dl_cats

2009-11-07 20:12 . 2009-09-16 05:02 1 ----a-w- c:\documents and settings\heather\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2009-11-07 19:59 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-11-05 17:35 . 2009-09-28 21:09 -------- d-----w- c:\documents and settings\heather\Application Data\gtk-2.0

2009-11-04 02:16 . 2009-09-15 17:44 -------- d-----w- c:\documents and settings\heather\Application Data\MP3Rocket

2009-10-28 14:48 . 2009-09-24 13:30 34256 ----a-w- c:\documents and settings\heather\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-28 06:52 . 2009-09-18 21:13 -------- d-----w- c:\program files\Common Files\Adobe

2009-10-09 18:16 . 2009-10-09 18:16 -------- d-----w- c:\program files\Kelly Martens

2009-10-07 23:14 . 2009-10-07 23:14 -------- d-----w- c:\documents and settings\heather\Application Data\Uniblue

2009-10-07 16:08 . 2009-10-07 16:08 41768 ----a-w- c:\windows\system32\PDFtypewriter_AddIn.dll

2009-10-07 16:08 . 2009-10-07 16:08 1825064 ----a-w- c:\windows\system32\QuickPDFAX0716.dll

2009-10-07 16:08 . 2009-10-07 16:08 45864 ----a-w- c:\windows\system32\CT_xmlparser.dll

2009-10-07 16:08 . 2009-10-07 16:08 299816 ----a-w- c:\windows\system32\CT_twain.dll

2009-10-07 07:15 . 2009-10-06 12:52 -------- d-----w- c:\program files\Microsoft Silverlight

2009-10-06 14:28 . 2009-10-06 14:25 -------- d-----w- c:\documents and settings\heather\Application Data\Windows Live Writer

2009-10-06 13:03 . 2009-10-04 14:41 -------- d-----w- c:\program files\Dell Photo AIO Printer 944

2009-10-06 12:52 . 2009-10-06 12:45 -------- d-----w- c:\program files\Windows Live

2009-10-06 12:48 . 2009-10-06 12:48 -------- d-----w- c:\program files\Microsoft Sync Framework

2009-10-06 12:47 . 2009-10-06 12:47 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2009-10-06 12:46 . 2009-10-06 12:46 -------- d-----w- c:\program files\Microsoft

2009-10-06 12:45 . 2009-10-06 12:45 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-10-06 12:41 . 2009-10-06 12:41 -------- d-----w- c:\program files\Common Files\Windows Live

2009-10-04 15:06 . 2009-10-04 15:06 25214 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}\ARPPRODUCTICON.exe

2009-10-04 15:05 . 2009-10-04 15:05 -------- d-----w- c:\documents and settings\heather\Application Data\Jasc Software Inc

2009-10-04 15:05 . 2009-10-04 15:04 -------- d-----w- c:\program files\Jasc Software Inc

2009-10-04 15:05 . 2009-10-04 15:05 4710 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut3_4192EAC06B364723B216D0E86E7757AC.exe

2009-10-04 15:05 . 2009-10-04 15:05 22486 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\NewShortcut5_4192EAC06B364723B216D0E86E7757AC.exe

2009-10-04 15:05 . 2009-10-04 15:05 22486 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{4192EAC0-6B36-4723-B216-D0E86E7757AC}\ARPPRODUCTICON.exe

2009-10-04 15:04 . 2009-10-04 15:04 -------- d-----w- c:\program files\Common Files\Jasc Software Inc

2009-10-04 15:03 . 2009-10-04 15:03 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2009-09-28 22:52 . 2009-09-28 20:53 -------- d-----w- c:\documents and settings\heather\Application Data\Nvu

2009-09-28 20:53 . 2009-09-28 20:53 -------- d-----w- c:\program files\Nvu

2009-09-24 15:20 . 2009-09-24 15:20 -------- d-----w- c:\program files\MSXML 4.0

2009-09-24 15:15 . 2009-09-24 13:03 -------- d-----w- c:\program files\NetWaiting

2009-09-24 15:15 . 2009-09-24 15:15 -------- d-----w- c:\program files\CONEXANT

2009-09-24 13:21 . 2009-09-24 13:21 -------- d-----w- c:\program files\MSBuild

2009-09-24 13:21 . 2009-09-24 13:21 -------- d-----w- c:\program files\Reference Assemblies

2009-09-24 13:03 . 2009-09-14 19:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-22 13:18 . 2009-09-22 13:18 -------- d-----w- c:\documents and settings\heather\Application Data\Roxio

2009-09-22 13:11 . 2009-09-22 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall

2009-09-22 13:11 . 2009-09-22 13:02 -------- d-----w- c:\program files\Common Files\Sonic Shared

2009-09-22 13:11 . 2009-09-22 13:02 -------- d-----w- c:\program files\Roxio

2009-09-22 13:09 . 2009-09-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2009-09-22 13:07 . 2009-09-22 13:02 -------- d-----w- c:\program files\Common Files\Roxio Shared

2009-09-22 13:05 . 2009-09-22 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2009-09-22 13:03 . 2009-09-22 13:03 -------- d-----w- c:\program files\Common Files\SureThing Shared

2009-09-22 13:02 . 2009-09-22 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2009-09-22 13:02 . 2009-09-14 19:14 -------- d-----w- c:\program files\Common Files\InstallShield

2009-09-22 13:01 . 2009-09-22 13:01 10134 ----a-r- c:\documents and settings\heather\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe

2009-09-20 14:38 . 2009-09-18 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\documents and settings\heather\Application Data\Yahoo!

2009-09-19 02:33 . 2009-09-19 02:32 -------- d-----w- c:\program files\Yahoo!

2009-09-18 21:12 . 2009-09-18 21:12 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-09-18 21:11 . 2009-09-18 21:11 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2009-09-16 21:58 . 2009-09-16 21:58 -------- d-----w- c:\program files\Powerbullet

2009-09-16 05:21 . 2009-09-16 05:21 -------- d-----w- c:\program files\GIMP-2.0

2009-09-16 05:01 . 2009-09-16 05:01 -------- d-----w- c:\documents and settings\heather\Application Data\OpenOffice.org

2009-09-16 05:00 . 2009-09-16 05:00 -------- d-----w- c:\program files\JRE

2009-09-16 05:00 . 2009-09-16 04:59 -------- d-----w- c:\program files\OpenOffice.org 3

2009-09-16 04:59 . 2009-09-16 04:50 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-16 04:59 . 2009-09-15 17:45 -------- d-----w- c:\program files\Java

2009-09-16 04:49 . 2009-09-16 04:49 152576 ----a-w- c:\documents and settings\heather\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-09-15 17:45 . 2009-09-15 17:45 -------- d-----w- c:\program files\Common Files\Java

2009-09-15 01:30 . 2009-09-15 01:30 0 ----a-w- c:\windows\nsreg.dat

2009-09-15 01:26 . 2009-09-15 01:25 -------- d-----w- c:\program files\Google

2009-09-15 01:23 . 2009-09-15 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-09-15 01:22 . 2009-09-15 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-09-15 01:22 . 2009-09-15 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-09-15 01:21 . 2009-09-15 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-09-15 01:21 . 2009-09-15 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-09-15 01:21 . 2009-09-15 01:21 -------- d-----w- c:\program files\AVG

2009-09-15 01:21 . 2009-09-15 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-15 01:15 . 2009-09-15 01:15 -------- d-----w- c:\documents and settings\heather\Application Data\AVG8

2009-09-14 19:16 . 2009-09-14 19:16 -------- d-----w- c:\program files\SigmaTel

2009-09-14 19:14 . 2009-09-14 19:14 -------- d-----w- c:\program files\ATI Technologies

2009-09-14 19:03 . 2009-09-14 18:18 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-09-14 18:19 . 2009-09-14 18:19 -------- d-----w- c:\program files\microsoft frontpage

2009-09-14 18:16 . 2009-09-14 18:16 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-09-11 14:18 . 2004-08-12 13:23 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-12 13:22 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-12 13:33 916480 ------w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-12 13:30 247326 ----a-w- c:\windows\system32\strmdll.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-11-07_06.27.22 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-14 18:56 . 2009-11-09 19:37 15360 c:\windows\$NtServicePackUninstall$\ctfmon.exe

- 2009-09-14 18:56 . 2004-08-12 13:18 15360 c:\windows\$NtServicePackUninstall$\ctfmon.exe

+ 2009-11-07 19:59 . 2009-11-07 19:59 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]

"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]

"dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 430080]

"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 282624]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"PDFtypewriterPrinterMonitor"="c:\program files\PDFtypewriter\Printer\PDFtypewriterMonitorStart.exe" [2009-10-07 25384]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-15 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Nvu\\nvu.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/14/2009 8:21 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/14/2009 8:22 PM 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/14/2009 8:21 PM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/14/2009 8:21 PM 297752]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [10/6/2009 7:52 AM 54752]

R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 9:32 AM 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 9:32 AM 166384]

S2 SessionLauncher;SessionLauncher;c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\heather\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 9:31 AM 1120752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FWNCIFOB

*NewlyCreated* - MBR

*NewlyCreated* - PROCEXP113

*NewlyCreated* - RASAUTO

*Deregistered* - fwncifob

*Deregistered* - mbr

*Deregistered* - PROCEXP113

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

FF - ProfilePath - c:\documents and settings\heather\Application Data\Mozilla\Firefox\Profiles\yk9s5gim.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-09 17:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1512)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-11-09 17:08

ComboFix-quarantined-files.txt 2009-11-09 22:07

ComboFix2.txt 2009-11-07 06:29

Pre-Run: 303,449,387,008 bytes free

Post-Run: 303,419,002,880 bytes free

- - End Of File - - DEBB8EFEE49E68FEF454DDEEC16E78A4

ROOT REPEAL

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/11/09 16:46

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: catchme.sys

Image Path: C:\DOCUME~1\heather\LOCALS~1\Temp\catchme.sys

Address: 0xF7996000 Size: 31744 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAAB72000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7B10000 Size: 8192 File Visible: No Signed: -

Status: -

Name: fwncifob.sys

Image Path: C:\DOCUME~1\heather\LOCALS~1\Temp\fwncifob.sys

Address: 0xA93C0000 Size: 87040 File Visible: No Signed: -

Status: -

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xF7B22000 Size: 7872 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA9E10000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\4c072de7-a74f-4e5c-bee6-71fa531a3f93

Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\82d3bd9a-a64e-4dc8-b1a6-a832535fdfa3

Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\a12414cc-3c8f-4276-becc-9d2da43743c2

Status: Locked to the Windows API!

==EOF==

Thank you Indi!


ctfmon.exe C:\WINDOWS\$NtServicePackUninstall$

CTFMON.EXE-0E17969B.pf C:\WINDOWS\Prefetch

ctfmon.exe C:\WINDOWS\system32

ctfmon.exe C:\WINDOWS\ERDNT\cache

ctfmon.exe C:\WINDOWS\ServicePackFiles\i386

They each seem to be from Microsoft.

Yes, those are likely also legit MS files. I should have noted to you that MS keeps backups of system files to protect itself.

Now, I'm still not seeing anything malicious. To get past this ctfmon running issue I found an article with pics that describes how to disable it safely, and for good unless you decide to turn it back on. So please try that, reboot and make sure it doesn't restart, then we'll go from there.

http://www.pchell.com/support/ctfmon.shtml

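The two points the helper makes above, that ctfmon.exe is a process launched from the HKCU Run key rather than a service, and that the extra copies under $NtServicePackUninstall$, ServicePackFiles\i386 and ERDNT\cache are Windows' own backups, can both be checked from the registry and the file system rather than taken on trust. The script below is an added example written for this page; it is not from the original thread, from ComboFix, or from the pchell.com article. It lists every value in the per-user and per-machine Run keys (the same keys ComboFix prints under "Reg Loading Points"), reports whether each image exists and what its Authenticode status is, then hashes every ctfmon.exe under %SystemRoot% so the backups can be compared with the live copy in system32 (the ComboFix snapshot diff above shows the $NtServicePackUninstall$ copy's modified time changing at the same 15360-byte size; a hash settles whether its content changed). It assumes Windows PowerShell 4.0 or later for Get-FileHash, which the XP machine in the thread would not have; on XP the hash step would have to be done with another tool. It also assumes that catalog-signed Windows binaries may show as NotSigned on old hosts, so the hash comparison, not the signature field, is the decisive check there.

```powershell
# Added example, not part of the original thread. Assumes Windows PowerShell 4.0+.

# 1. Enumerate the Run keys the helper pointed at. Values look like
#    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" or a quoted path with arguments.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        $raw = [string]$p.Value
        # Quoted command line: take the quoted image. Otherwise take the first
        # whitespace-delimited token (an unquoted path with spaces is ambiguous
        # and is reported as-is for a human to look at).
        if ($raw -match '^"([^"]+)"') { $image = $Matches[1] } else { $image = ($raw -split '\s+')[0] }
        $image  = [Environment]::ExpandEnvironmentVariables($image)
        $exists = Test-Path -LiteralPath $image
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'missing' }
        [PSCustomObject]@{
            Key       = $key
            Name      = $p.Name
            Image     = $image
            Exists    = $exists
            Signature = $sig
        }
    }
}
$entries | Format-Table -AutoSize

# 2. Hash every ctfmon.exe under %SystemRoot% and compare with the live copy.
#    Service-pack backup directories and the ERDNT cache should match it
#    (same build, same bytes). On a 64-bit host the SysWOW64 copy is a
#    different, 32-bit binary, so a mismatch there is expected.
$live     = Join-Path -Path $env:SystemRoot -ChildPath 'system32\ctfmon.exe'
$liveHash = (Get-FileHash -Path $live -Algorithm SHA256).Hash

$copies = Get-ChildItem -Path $env:SystemRoot -Recurse -Filter 'ctfmon.exe' -File -ErrorAction SilentlyContinue
$copies | ForEach-Object {
    $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    [PSCustomObject]@{
        Path        = $_.FullName
        Size        = $_.Length
        SHA256      = $h
        MatchesLive = ($h -eq $liveHash)
    }
} | Format-Table -AutoSize

# 3. Disabling the per-user autostart the way the linked article does, but from
#    the shell: remove only the HKCU Run value, leave the file alone. -WhatIf
#    previews the change; drop it to apply.
# Remove-ItemProperty -Path $runKeys[0] -Name 'ctfmon.exe' -WhatIf
```

The hash table is the useful output: a backup copy with the same size but a different SHA256 than system32 is something to look at, and a Run value whose image does not exist (the `[?]` ComboFix prints against a service path) shows up as `Exists = False` in the first table. The Run-key value is the autostart; Task Manager only shows the consequence, which is why ending the process does not stop it coming back on the next logon.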