Author Topic: [Resolved] Redirected  (Read 811 times)
billyclubz
Bronze Member
Posts: 21

« Reply #15 on: February 08, 2010, 09:04:03 PM »

I am sorry I wasn't clear. There is only one computer that has issues. I was trying to say that I had to use my work computer to communicate, but there is only one computer with issues.

After I tried to uninstall and reinstall McAfee, that didn't work. McAfee wanted me to pay 90 bucks to keep going...so I just reinstalled Windows tonight. I haven't reinstalled McAfee again, but it still doesn't work. Computer is still slow, but I did get a few notification bar icons back with the Windows repair/install. I didn't do a format and reinstall...just a Windows repair. Below is my latest HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:05 PM, on 2/8/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jason Coryell\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&modelID=EC144UA&product_full_name=HP%20Pavilion%20dv1000&PROD_SERIAL_ID=CNF52838HL&PURCH_DT_MONTH=08&PURCH_DT_DAY=23&PURCH_DT_YEAR=2005&gwCountry=US&language=EN&prodOS=011
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100208164720.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ddexpshare.exe] C:\WINDOWS\TEMP\ddexpshare.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ddexpshare.exe] C:\WINDOWS\TEMP\ddexpshare.exe (User 'Default user')
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5886/mcfscan.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O20 - AppInit_DLLs: c:\windows\system32\papororo.dll fubatuzo.dll 
O21 - SSODL: zunagisuj - {996b2dcd-5337-4d9b-abad-779b9cab57ad} - (no file)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8862 bytes
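Added example (editor's code, not part of the thread and not HijackThis itself): a small Python triage script for lines in the HijackThis v2 format shown above. It parses the item lines, skips the process list, and flags the entry types a helper usually reads first: AppInit_DLLs entries, SSODL entries with no backing file, Trusted Zone hosts outside an allow-list, and autostart entries that run from a temp folder. The sample log and the allow-list are constructed for the example; a flag means "look at this", not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v2 format, modelled on the entry types in the
# log above (not the full log, and not a statement that any entry is malicious).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKUS\S-1-5-18\..\Run: [ddexpshare.exe] C:\WINDOWS\TEMP\ddexpshare.exe (User 'SYSTEM')
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O20 - AppInit_DLLs: c:\windows\system32\papororo.dll fubatuzo.dll
O21 - SSODL: zunagisuj - {996b2dcd-5337-4d9b-abad-779b9cab57ad} - (no file)
"""


@dataclass
class Entry:
    section: str  # HijackThis section tag, e.g. "O4", "O15", "O20"
    body: str     # text after the "O4 - " prefix


@dataclass
class Finding:
    entry: Entry
    reason: str


# Item lines look like "O4 - HKLM\..\Run: [Name] C:\path\file.exe".
ITEM_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Assumed allow-list of Trusted Zone patterns the machine's owner can account
# for; a helper would maintain their own (constructed for this example).
TRUSTED_ZONE_OK = {"*.mcafee.com"}

# Autostart binaries located in a temp folder are worth a second look.
TEMP_PATH_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def parse_hjt(text: str) -> List[Entry]:
    """Return one Entry per item line; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply section-specific checks and return the entries that merit a closer look."""
    findings = []
    for e in entries:
        if e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into each process that loads user32.dll.
            dlls = e.body.split(":", 1)[1].split()
            if dlls:
                findings.append(Finding(
                    e, "AppInit_DLLs is set (%d DLL(s) injected into GUI processes); "
                       "legitimate use is uncommon" % len(dlls)))
        elif e.section == "O21" and e.body.endswith("(no file)"):
            findings.append(Finding(
                e, "ShellServiceObjectDelayLoad entry points at a missing file"))
        elif e.section == "O15":
            # Pull the host pattern out of "Trusted Zone: http://*.example.com (HKLM)".
            m = re.match(r"Trusted Zone:\s+(?:https?://)?(\S+)", e.body)
            host = m.group(1) if m else e.body
            if host not in TRUSTED_ZONE_OK:
                findings.append(Finding(
                    e, "Trusted Zone entry not on the allow-list: " + host))
        elif e.section == "O4" and TEMP_PATH_RE.search(e.body):
            findings.append(Finding(
                e, "autostart entry runs a program from a temp folder"))
    return findings


def report(text: str) -> List[str]:
    """Render findings as 'SECTION: reason -- original body' lines."""
    return ["%s: %s -- %s" % (f.entry.section, f.reason, f.entry.body)
            for f in triage(parse_hjt(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```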


Hoov
Malware Removal Mentors
Global Moderator
Posts: 9367
Unwilling part owner of Gov't. Motors and Chrysler

« Reply #16 on: February 08, 2010, 09:21:17 PM »

OK, because of the problems with McAfee, let's first make sure that it is uninstalled. Follow the instructions here to make sure McAfee is gone. Then I would like you to run an online virus scan using the instructions below.

Please perform a BitDefender Online Virus and Malware Scan here:
http://www.bitdefender.com/scan8/ie.html
    * Click on I Agree.
    * An ActiveX warning box will appear, click on Install.
    * Under Select What You Want To Check For Viruses, check My Computer and click OK.
    * Now Click On Click Here To Scan
    * Next, Click on Click here to export the scan report
    * Save it to your Desktop.
    * In your next reply, please include the BitDefender log and a fresh HijackThis log.

Then please run CCleaner to clean up all the temp files from your system, and then run Malwarebytes' Anti-Malware to make sure you don't have any malware.

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Once you have gotten this far, let me know how the computer is running. Also, is it slow loading programs, or just after they are running? Also, is the internet slow?

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Be wary of strong drink. It can make you shoot at tax collectors -- and miss.
      -From the Notebooks of Lazarus Long
      -Senior of The Howard Families
billyclubz
Bronze Member
Posts: 21

« Reply #17 on: February 09, 2010, 06:08:31 AM »

Thank you. I will try this procedure over the next 2 days. I appreciate all of your support.

Regards,
Jason
billyclubz
Bronze Member
Posts: 21

« Reply #18 on: February 09, 2010, 04:04:54 PM »

I have performed the McAfee removal successfully. However, note that I could not go to the site (I had to go through McAfee support to get the mcpr.exe file)...could be virus related, not sure. When I got the file, I could not run it. I had to rename it to something abstract before it would run, but with that it worked.

When I shut down, I get a viewmgr error. And when I start Mozilla, it always asks if I want it to be the default internet browser...so it is reverting back to IE. Also, randomly, I get an audible error tone and other random things.

I ran the BitDefender and new HijackThis...I will now proceed with the CCleaner and Malwarebytes, but here were the logs before I do those:

    BitDefender QuickScan Beta 32-bit v0.9.9.0
    ------------------------------------------

    Scan date:  Tue Feb 09 17:54:06 2010
    Machine ID: 7D97E0CC

    Process svchost.exe (900) is affected by Gen:Trojan.Heur.TP.bu4@b4Cv1Ie


    Found 1 infected file!
    ------------------------
    C:\WINDOWS\system32\_VOIDlirfuyuedb.dll - Gen:Trojan.Heur.TP.bu4@b4Cv1Ie


    Processes
    ---------
    <unsigned>  QuickTime                                           1324    C:\Program Files\QuickTime\QTTask.exe

    <verified>  CommandService Application                          1856    C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    <verified>  Firefox                                             3080    C:\Program Files\Mozilla Firefox\firefox.exe
    <verified>  Intel(R) Common User Interface                      1932    C:\WINDOWS\system32\hkcmd.exe
    <verified>  Intel(R) Common User Interface                      1152    C:\WINDOWS\system32\igfxtray.exe
    <verified>  Intuit Update Service                               1692    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    <verified>  Java(TM) Platform SE 6 U17                          1792    C:\Program Files\Java\jre6\bin\jqs.exe
    <verified>  Java(TM) Platform SE 6 U17                          1228    C:\Program Files\Java\jre6\bin\jusched.exe
    <verified>  LightScribe                                         1896    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    <verified>  MarkVision for Windows (32 bit)                     1472    C:\WINDOWS\system32\LEXBCES.EXE
    <verified>  MarkVision for Windows (32 bit)                     1504    C:\WINDOWS\system32\LEXPPS.EXE
    <verified>  Microsoft® Windows® Operating System                3992    C:\Program Files\Internet Explorer\iexplore.exe
    <verified>  Microsoft® Windows® Operating System                1808    C:\WINDOWS\Explorer.EXE
    <verified>  Microsoft® Windows® Operating System                2288    C:\WINDOWS\System32\alg.exe
    <verified>  Microsoft® Windows® Operating System                 676    C:\WINDOWS\system32\csrss.exe
    <verified>  Microsoft® Windows® Operating System                1312    C:\WINDOWS\system32\ctfmon.exe
    <verified>  Microsoft® Windows® Operating System                 756    C:\WINDOWS\system32\lsass.exe
    <verified>  Microsoft® Windows® Operating System                 744    C:\WINDOWS\system32\services.exe
    <verified>  Microsoft® Windows® Operating System                 608    C:\WINDOWS\System32\smss.exe
    <verified>  Microsoft® Windows® Operating System                1488    C:\WINDOWS\system32\spoolsv.exe
    <verified>  Microsoft® Windows® Operating System                 120    C:\WINDOWS\system32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                 900    C:\WINDOWS\system32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                 992    C:\WINDOWS\system32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                1028    C:\WINDOWS\System32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                1072    C:\WINDOWS\system32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                1156    C:\WINDOWS\system32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                 700    C:\WINDOWS\system32\winlogon.exe
    <verified>  Microsoft® Windows® Operating System                1404    C:\WINDOWS\system32\wuauclt.exe
    <verified>  Synaptics Pointing Device Driver                     848    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    <verified>  Synaptics Pointing Device Driver                    1408    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe


    Network activity
    ----------------
    Process firefox.exe (3080) connected on port 80 (HTTP) - 173.194.8.100
    Process firefox.exe (3080) connected on port 80 (HTTP) - 209.85.225.105
    Process firefox.exe (3080) connected on port 80 (HTTP) - 96.17.197.115
    Process firefox.exe (3080) connected on port 80 (HTTP) - 74.125.95.101
    Process firefox.exe (3080) connected on port 80 (HTTP) - 209.85.225.105
    Process firefox.exe (3080) connected on port 80 (HTTP) - 209.85.225.104
    Process firefox.exe (3080) connected on port 80 (HTTP) - 209.85.225.138
    Process firefox.exe (3080) connected on port 80 (HTTP) - 66.235.143.54
    Process firefox.exe (3080) connected on port 80 (HTTP) - 96.17.204.20
    Process iexplore.exe (3992) connected on port 80 (HTTP) - 209.212.147.208

    Process svchost.exe (992) listens on ports: 135 (RPC)
    Process LEXPPS.EXE (1504) listens on ports: 1025 (RPC)


    Autoruns and critical files
    ---------------------------
    <unsigned>  cpqset.exe                                          C:\Program Files\HPQ\Default Settings\cpqset.exe
    <unsigned>  QuickTime                                           C:\Program Files\QuickTime\QTTask.exe

    <verified>  Apple Software Update                               C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    <verified>  Google Update                                       C:\Program Files\Google\Update\GoogleUpdate.exe
    <verified>  ImScInst.exe                                        C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
    <verified>  Intel(R) Common User Interface                      C:\WINDOWS\system32\hkcmd.exe
    <verified>  Intel(R) Common User Interface                      C:\WINDOWS\system32\igfxsrvc.dll
    <verified>  Intel(R) Common User Interface                      C:\WINDOWS\system32\igfxtray.exe
    <verified>  Java(TM) Platform SE 6 U17                          C:\Program Files\Java\jre6\bin\jusched.exe
    <verified>  Microsoft IME 2002                                  C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
    <verified>  Microsoft Korean IME 2002                           C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    <verified>  Microsoft(R) Windows(R) Operating System            C:\WINDOWS\system32\hplampc.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\browseui.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\crypt32.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\cryptnet.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\cscdll.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\ctfmon.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\dimsntfy.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\logonui.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\rundll32.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\sclgntfy.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\shell32.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\stobject.dll
    <verified>  Microsoft® Windows® Operating System                c:\windows\system32\userinit.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\webcheck.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\wlnotify.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\WPDShServiceObj.dll
    <verified>  Synaptics Pointing Device Driver                    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    <verified>  Synaptics Pointing Device Driver                    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    <verified>  Windows Genuine Advantage                           C:\WINDOWS\system32\WgaLogon.dll
    <verified>  新注音                                                 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE


    Browser plugins
    ---------------
    <unsigned>  Google Earth Plugin                                 C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
    <unsigned>  IE Tab Plug-in                                      C:\Documents and Settings\Jason Coryell\Application Data\Mozilla\Firefox\Profiles/74w51qij.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
    <unsigned>  Java(TM) Platform SE 6 U17                          c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    <unsigned>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\Uploader.exe
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
    <unsigned>  RealJukebox NS Plugin                               C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
    <unsigned>  RealJukebox NS Plugin                               C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
    <unsigned>  RealPlayer Version Plugin                           C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
    <unsigned>  RealPlayer Version Plugin                           C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
    <unsigned>  Turner Media Plugin 1.0.0.7                         C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll

    <verified>  AcroIEHelper Library                                c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
    <verified>  ActiveTouch General Plugin Container                C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
    <verified>  Adobe Acrobat                                       C:\Program Files\Internet Explorer\plugins\nppdf32.dll
    <verified>  Adobe Acrobat                                       C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
    <verified>  AOL Instant Messenger                               C:\Program Files\AIM\aim.exe
    <verified>  atcliun                                             C:\Program Files\Mozilla Firefox\plugins\atcliun.exe
    <verified>  AtMcCli Module                                      C:\Program Files\Mozilla Firefox\plugins\atmccli.dll
    <verified>  AtMgr Module                                        C:\Program Files\Mozilla Firefox\plugins\atmgr.exe
    <verified>  BitDefender QuickScan                               C:\Documents and Settings\Jason Coryell\Application Data\Mozilla\Firefox\Profiles/74w51qij.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
    <verified>  BitDefender QuickScan                               C:\Documents and Settings\Jason Coryell\Application Data\Mozilla\Firefox\Profiles/74w51qij.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    <verified>  Bonjour                                             C:\Program Files\Bonjour\mdnsNSP.dll
    <verified>  Domino Web Access                                   C:\WINDOWS\Downloaded Program Files\inotes6W.dll
    <verified>  Google Update                                       C:\Program Files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    <verified>  InstallShield Update Service                        C:\WINDOWS\Downloaded Program Files\dwusplay.dll
    <verified>  InstallShield Update Service                        C:\WINDOWS\Downloaded Program Files\dwusplay.exe
    <verified>  InstallShield Update Service                        C:\WINDOWS\Downloaded Program Files\isusweb.dll
    <verified>  Internet Pictures Corp. iPIX Plugin v6.2            C:\Program Files\Mozilla Firefox\plugins\AppSub32.dll
    <verified>  Internet Pictures Corp. iPIX Plugin v6.2            C:\Program Files\Mozilla Firefox\plugins\NpIpx32.dll
    <verified>  Java Deployment Toolkit 6.0.170.4                   C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
    <verified>  Java(TM) Platform SE 6 U17                          C:\Program Files\Java\jre6\bin\jp2ssv.dll
    <verified>  McAfee Clinic                                       C:\Program Files\Mozilla Firefox\plugins\NPMGWRAP.DLL
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\McContentMgr.dll
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\McHealthCheck.dll
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\McLogMgr.dll
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\McPlugins.dll
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\McProdMgr.dll
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\MVT.dll
    <verified>  Messenger                                           C:\Program Files\Messenger\msmsgs.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\mswsock.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\rsvpsp.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\shdocvw.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\winrnr.dll
    <verified>  Move Streaming Media Player                         C:\Documents and Settings\Jason Coryell\Application Data\Move Networks\plugins\npqmp071701000002.dll
    <verified>  Mozilla ActiveX control and plugin support          C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
    <verified>  Mozilla Default Plug-in                             C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
    <verified>  npitunes.dll                                        C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    <verified>  NPSWF32.dll                                         C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    <verified>  PokerStars                                          C:\Program Files\PokerStars\PokerStarsUpdate.exe
    <verified>  RealNetworks Rhapsody Player Engine                 C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
    <verified>  RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-  C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
    <verified>  RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-  C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
    <verified>  Snapfish Plugin for Firefox                         C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
    <verified>  ViewBarBHO Module                                   c:\program files\viewpoint\viewpoint toolbar\3.8.0\viewbarbho.dll
    <verified>  WebEx Download Module                               C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
    <verified>  WebEx Download Module                               C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
    <verified>  WebEx Download Module                               C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
    <verified>  Windows Presentation Foundation                     c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    <verified>  Yahoo Application State Plugin                      C:\Program Files\Yahoo!\Shared\npYState.dll


    Missing files
    -------------
    File not found: C:\Program Files\McAfee\Supportability\MVT\NPMVTPlugin.dll
     referenced in: HLKM\Software\MozillaPlugins\@mcafee.com/MVT\"Path"

    File not found: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
     referenced in: HLKM\Software\MozillaPlugins\@viewpoint.com/VMP\"Path"

    File not found: C:\WINDOWS\System32\appmgmts.dll
     referenced in: HKLM\System\CurrentControlSet\Services\AppMgmt\Parameters\"ServiceDll"

    File not found: C:\WINDOWS\System32\hidserv.dll
     referenced in: HKLM\System\CurrentControlSet\Services\HidServ\Parameters\"ServiceDll"

    File not found: c:\windows\system32\papororo.dll
     referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

    File not found: fubatuzo.dll
     referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

    File not found: system32\DRIVERS\rasirda.sys
     referenced in: HKLM\System\CurrentControlSet\Services\Rasirda\"ImagePath"


    Scan
    ----

    No file uploaded.

    Scan finished - communication took 2 sec
    Total traffic - 0.01 MB sent, 0.38 KB recvd
    Scanned 673 files and modules - 40 seconds

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:55:59 PM, on 2/9/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jason Coryell\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&modelID=EC144UA&product_full_name=HP%20Pavilion%20dv1000&PROD_SERIAL_ID=CNF52838HL&PURCH_DT_MONTH=08&PURCH_DT_DAY=23&PURCH_DT_YEAR=2005&gwCountry=US&language=EN&prodOS=011
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ddexpshare.exe] C:\WINDOWS\TEMP\ddexpshare.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ddexpshare.exe] C:\WINDOWS\TEMP\ddexpshare.exe (User 'Default user')
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
    O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5886/mcfscan.cab
    O20 - AppInit_DLLs: c:\windows\system32\papororo.dll fubatuzo.dll 
    O21 - SSODL: zunagisuj - {996b2dcd-5337-4d9b-abad-779b9cab57ad} - (no file)
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 6688 bytes



    billyclubz
    Bronze Member

    « Reply #19 on: February 10, 2010, 10:03:42 AM »

    I ran Malwarebytes after CCleaner and it didn't find anything.  I did realize I didn't do an "update" first, but I just downloaded Malwarebytes, so I don't think it will make a difference.  A couple of things to note:

    1.  I noticed that your online scan showed a Trojan, but that was before the CCleaner removal of temp files... so I haven't rerun the scan to see.  I wanted to follow your instructions as closely as possible.

    2.  There seem to be a lot of "interesting things" in my BitDefender and HijackThis logs.

    3.  When I first log on and go into Mozilla... it always says it is not my default browser, even if I change it to being my default browser.

    4.  I notice that in my task/processes... iexplorer is running when I never open it.

    5.  I get a viewmgr error at login and at shutdown.

    6.  When I try to open Mozilla, it seems to take forever to open.  Once open, it seems to be OK in terms of speed.

    7.  Every once in a while, and randomly, I hear the audible fault beep like what happens when there is a computer error.  However, nothing pops up.

    8.  Also, randomly, it sounds as if there is an audible video running (it comes and goes)... when there are no windows open on my computer.  Very weird.
    Hoov
    Malware Removal Mentors
    Global Moderator

    « Reply #20 on: February 10, 2010, 03:29:27 PM »

    Can you please post the log from Malwarebytes' Anti-Malware, and from the BitDefender scans? Then please attach a RunScanner log using the instructions below.

    Please download RunScanner
    • Save it to a folder you create such as C:\Runscanner (this assumes Windows is installed on your C: drive).
    • Launch RunScanner by double-clicking runscanner.exe within the C:\Runscanner folder.
    • Vista users must also click Continue to open RunScanner when prompted by User Account Control (UAC).
    • Check Beginner Mode.
    • Click Scan computer.
    • You will see a "Runscanner scan in progress" window displayed while RunScanner scans your system.
    • At the conclusion of the scan, save the run file called runscanner.run to your documents folder or directly to the Runscanner folder. This is the file you will need to upload.
    • A runscanner.log file will automatically open in Notepad. Just close the Notepad window, because it is ONLY the runscanner.run file that we are interested in.
    • Next, zip up the runscanner.run file that you just saved.
    • I want you to upload the zipped runscanner.run file as an attachment in your next reply.
    • To do that, choose "Additional Options" under "Post Reply".
    • Browse to the zipped RUN file location and then click the "Post" button to attach the file.
    • I will review the run file, and then upload it back to you with items marked for deletion.
    • Please await my directions and the returned RUN file, and do not delete anything in the interim.
    billyclubz
    Bronze Member

    « Reply #21 on: February 10, 2010, 05:26:30 PM »

    Just now, I updated Malwarebytes and re-ran the scan.  It indicated it found 11 items.  Here is the log following the scan.  I did an immediate reboot.

    Malwarebytes' Anti-Malware 1.44
    Database version: 3722
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    2/10/2010 7:16:48 PM
    mbam-log-2010-02-10 (19-16-48).txt

    Scan type: Quick Scan
    Objects scanned: 141013
    Time elapsed: 11 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Fci (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Melodie Fisk\Local Settings\Temporary Internet Files\Content.IE5\FHP7VCUC\get[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\WINDOWS\ucoroluqotiwu.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\_VOIDkrl32mainweq.dll (Rootkit.TDSS) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll (Rootkit.TDSS) -> Delete on reboot.
    C:\WINDOWS\system32\_VOIDshsyst.dll (Rootkit.TDSS) -> Delete on reboot.
    C:\WINDOWS\system32\IS15.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.



    billyclubz
    Bronze Member


    « Reply #22 on: February 10, 2010, 05:31:03 PM »

    Next, I reran BitDefender.  Note that I already posted yesterday's scan that showed an infection.  Below is the current log (no infections found)...

    BitDefender QuickScan Beta 32-bit v0.9.9.0
    ------------------------------------------

    Scan date:  Wed Feb 10 19:28:37 2010
    Machine ID: 7D97E0CC



    No infection found.
    ---------------------


    Processes
    ---------
    <unsigned>  QuickTime                                            388    C:\Program Files\QuickTime\QTTask.exe

    <verified>  CommandService Application                          1748    C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    <verified>  Firefox                                             3100    C:\Program Files\Mozilla Firefox\firefox.exe
    <verified>  Intel(R) Common User Interface                       256    C:\WINDOWS\system32\hkcmd.exe
    <verified>  Intel(R) Common User Interface                       228    C:\WINDOWS\system32\igfxtray.exe
    <verified>  Intuit Update Service                               1672    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    <verified>  Java(TM) Platform SE 6 U17                          1716    C:\Program Files\Java\jre6\bin\jqs.exe
    <verified>  Java(TM) Platform SE 6 U17                           380    C:\Program Files\Java\jre6\bin\jusched.exe
    <verified>  LightScribe                                         1776    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    <verified>  Malwarebytes' Anti-Malware                          3352    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.exe
    <verified>  MarkVision for Windows (32 bit)                     1452    C:\WINDOWS\system32\LEXBCES.EXE
    <verified>  MarkVision for Windows (32 bit)                     1484    C:\WINDOWS\system32\LEXPPS.EXE
    <verified>  Microsoft® Windows® Operating System                 416    C:\WINDOWS\Explorer.EXE
    <verified>  Microsoft® Windows® Operating System                 868    C:\WINDOWS\System32\alg.exe
    <verified>  Microsoft® Windows® Operating System                 684    C:\WINDOWS\system32\csrss.exe
    <verified>  Microsoft® Windows® Operating System                 548    C:\WINDOWS\system32\ctfmon.exe
    <verified>  Microsoft® Windows® Operating System                 764    C:\WINDOWS\system32\lsass.exe
    <verified>  Microsoft® Windows® Operating System                1764    C:\WINDOWS\system32\NOTEPAD.EXE
    <verified>  Microsoft® Windows® Operating System                 752    C:\WINDOWS\system32\services.exe
    <verified>  Microsoft® Windows® Operating System                 636    C:\WINDOWS\System32\smss.exe
    <verified>  Microsoft® Windows® Operating System                1468    C:\WINDOWS\system32\spoolsv.exe
    <verified>  Microsoft® Windows® Operating System                1132    C:\WINDOWS\system32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                1008    C:\WINDOWS\System32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                 972    C:\WINDOWS\system32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                 908    C:\WINDOWS\system32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                1956    C:\WINDOWS\system32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                1052    C:\WINDOWS\system32\svchost.exe
    <verified>  Microsoft® Windows® Operating System                3008    C:\WINDOWS\system32\wbem\wmiprvse.exe
    <verified>  Microsoft® Windows® Operating System                 708    C:\WINDOWS\system32\winlogon.exe
    <verified>  Microsoft® Windows® Operating System                2752    C:\WINDOWS\system32\wuauclt.exe
    <verified>  Synaptics Pointing Device Driver                     504    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    <verified>  Synaptics Pointing Device Driver                     468    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    <verified>  Viewpoint Manager                                   1988    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    <verified>  Viewpoint Manager                                   2940    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


    Network activity
    ----------------
    Process firefox.exe (3100) connected on port 80 (HTTP) - iw-in-f101.1e100.net
    Process firefox.exe (3100) connected on port 443 (HTTP over SSL) - iy-in-f132.1e100.net
    Process firefox.exe (3100) connected on port 443 (HTTP over SSL) - iy-in-f83.1e100.net
    Process firefox.exe (3100) connected on port 443 (HTTP over SSL) - iy-in-f83.1e100.net
    Process firefox.exe (3100) connected on port 80 (HTTP) - a96-17-56-100.deploy.akamaitechnologies.com
    Process firefox.exe (3100) connected on port 80 (HTTP) - a96-17-60-20.deploy.akamaitechnologies.com
    Process firefox.exe (3100) connected on port 443 (HTTP over SSL) - iy-in-f189.1e100.net
    Process firefox.exe (3100) connected on port 443 (HTTP over SSL) - iy-in-f147.1e100.net
    Process firefox.exe (3100) connected on port 443 (HTTP over SSL) - iy-in-f83.1e100.net
    Process firefox.exe (3100) connected on port 80 (HTTP) - dc3.122.2o7.net
    Process firefox.exe (3100) connected on port 443 (HTTP over SSL) - iy-in-f83.1e100.net
    Process firefox.exe (3100) connected on port 443 (HTTP over SSL) - iy-in-f83.1e100.net
    Process firefox.exe (3100) connected on port 443 (HTTP over SSL) - iy-in-f165.1e100.net
    Process firefox.exe (3100) connected on port 443 (HTTP over SSL) - iy-in-f83.1e100.net
    Process firefox.exe (3100) connected on port 80 (HTTP) - a96-17-53-115.deploy.akamaitechnologies.com

    Process svchost.exe (972) listens on ports: 135 (RPC)
    Process LEXPPS.EXE (1484) listens on ports: 1025 (RPC)


    Autoruns and critical files
    ---------------------------
    <unsigned>  cpqset.exe                                          C:\Program Files\HPQ\Default Settings\cpqset.exe
    <unsigned>  QuickTime                                           C:\Program Files\QuickTime\QTTask.exe

    <verified>  Apple Software Update                               C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    <verified>  Google Update                                       C:\Program Files\Google\Update\GoogleUpdate.exe
    <verified>  ImScInst.exe                                        C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
    <verified>  Intel(R) Common User Interface                      C:\WINDOWS\system32\hkcmd.exe
    <verified>  Intel(R) Common User Interface                      C:\WINDOWS\system32\igfxsrvc.dll
    <verified>  Intel(R) Common User Interface                      C:\WINDOWS\system32\igfxtray.exe
    <verified>  Java(TM) Platform SE 6 U17                          C:\Program Files\Java\jre6\bin\jusched.exe
    <verified>  Microsoft IME 2002                                  C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
    <verified>  Microsoft Korean IME 2002                           C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    <verified>  Microsoft(R) Windows(R) Operating System            C:\WINDOWS\system32\hplampc.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\browseui.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\crypt32.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\cryptnet.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\cscdll.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\ctfmon.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\dimsntfy.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\logonui.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\rundll32.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\sclgntfy.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\shell32.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\stobject.dll
    <verified>  Microsoft® Windows® Operating System                c:\windows\system32\userinit.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\webcheck.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\wlnotify.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\WPDShServiceObj.dll
    <verified>  Synaptics Pointing Device Driver                    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    <verified>  Synaptics Pointing Device Driver                    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    <verified>  Windows Genuine Advantage                           C:\WINDOWS\system32\WgaLogon.dll
    <verified>  新注音                                                 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE


    Browser plugins
    ---------------
    <unsigned>  Google Earth Plugin                                 C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
    <unsigned>  IE Tab Plug-in                                      C:\Documents and Settings\Jason Coryell\Application Data\Mozilla\Firefox\Profiles/74w51qij.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
    <unsigned>  Java(TM) Platform SE 6 U17                          c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    <unsigned>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\Uploader.exe
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
    <unsigned>  QuickTime Plug-in 7.6.4                             C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
    <unsigned>  RealJukebox NS Plugin                               C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
    <unsigned>  RealJukebox NS Plugin                               C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
    <unsigned>  RealPlayer Version Plugin                           C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
    <unsigned>  RealPlayer Version Plugin                           C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
    <unsigned>  Turner Media Plugin 1.0.0.7                         C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll

    <verified>  AcroIEHelper Library                                c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
    <verified>  ActiveTouch General Plugin Container                C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
    <verified>  Adobe Acrobat                                       C:\Program Files\Internet Explorer\plugins\nppdf32.dll
    <verified>  Adobe Acrobat                                       C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
    <verified>  AOL Instant Messenger                               C:\Program Files\AIM\aim.exe
    <verified>  atcliun                                             C:\Program Files\Mozilla Firefox\plugins\atcliun.exe
    <verified>  AtMcCli Module                                      C:\Program Files\Mozilla Firefox\plugins\atmccli.dll
    <verified>  AtMgr Module                                        C:\Program Files\Mozilla Firefox\plugins\atmgr.exe
    <verified>  BitDefender QuickScan                               C:\Documents and Settings\Jason Coryell\Application Data\Mozilla\Firefox\Profiles/74w51qij.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
    <verified>  BitDefender QuickScan                               C:\Documents and Settings\Jason Coryell\Application Data\Mozilla\Firefox\Profiles/74w51qij.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    <verified>  Bonjour                                             C:\Program Files\Bonjour\mdnsNSP.dll
    <verified>  Domino Web Access                                   C:\WINDOWS\Downloaded Program Files\inotes6W.dll
    <verified>  Google Update                                       C:\Program Files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    <verified>  InstallShield Update Service                        C:\WINDOWS\Downloaded Program Files\dwusplay.dll
    <verified>  InstallShield Update Service                        C:\WINDOWS\Downloaded Program Files\dwusplay.exe
    <verified>  InstallShield Update Service                        C:\WINDOWS\Downloaded Program Files\isusweb.dll
    <verified>  Internet Pictures Corp. iPIX Plugin v6.2            C:\Program Files\Mozilla Firefox\plugins\AppSub32.dll
    <verified>  Internet Pictures Corp. iPIX Plugin v6.2            C:\Program Files\Mozilla Firefox\plugins\NpIpx32.dll
    <verified>  Java Deployment Toolkit 6.0.170.4                   C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
    <verified>  Java(TM) Platform SE 6 U17                          c:\program files\java\jre6\bin\jp2ssv.dll
    <verified>  McAfee Clinic                                       C:\Program Files\Mozilla Firefox\plugins\NPMGWRAP.DLL
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\McContentMgr.dll
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\McHealthCheck.dll
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\McLogMgr.dll
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\McPlugins.dll
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\McProdMgr.dll
    <verified>  McAfee Virtual Technician                           C:\WINDOWS\Downloaded Program Files\MVT.dll
    <verified>  Messenger                                           C:\Program Files\Messenger\msmsgs.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\mswsock.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\rsvpsp.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\shdocvw.dll
    <verified>  Microsoft® Windows® Operating System                C:\WINDOWS\system32\winrnr.dll
    <verified>  Move Streaming Media Player                         C:\Documents and Settings\Jason Coryell\Application Data\Move Networks\plugins\npqmp071701000002.dll
    <verified>  Mozilla ActiveX control and plugin support          C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
    <verified>  Mozilla Default Plug-in                             C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
    <verified>  npitunes.dll                                        C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    <verified>  NPSWF32.dll                                         C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    <verified>  PokerStars                                          C:\Program Files\PokerStars\PokerStarsUpdate.exe
    <verified>  RealNetworks Rhapsody Player Engine                 C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
    <verified>  RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-  C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
    <verified>  RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-  C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
    <verified>  Snapfish Plugin for Firefox                         C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
    <verified>  ViewBarBHO Module                                   c:\program files\viewpoint\viewpoint toolbar\3.8.0\viewbarbho.dll
    <verified>  WebEx Download Module                               C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
    <verified>  WebEx Download Module                               C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
    <verified>  WebEx Download Module                               C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
    <verified>  Windows Presentation Foundation                     c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    <verified>  Yahoo Application State Plugin                      C:\Program Files\Yahoo!\Shared\npYState.dll


    Missing files
    -------------
    File not found: C:\Program Files\McAfee\Supportability\MVT\NPMVTPlugin.dll
     referenced in: HLKM\Software\MozillaPlugins\@mcafee.com/MVT\"Path"

    File not found: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
     referenced in: HLKM\Software\MozillaPlugins\@viewpoint.com/VMP\"Path"

    File not found: C:\WINDOWS\System32\appmgmts.dll
     referenced in: HKLM\System\CurrentControlSet\Services\AppMgmt\Parameters\"ServiceDll"

    File not found: C:\WINDOWS\System32\hidserv.dll
     referenced in: HKLM\System\CurrentControlSet\Services\HidServ\Parameters\"ServiceDll"

    File not found: c:\windows\system32\papororo.dll
     referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

    File not found: fubatuzo.dll
     referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

    File not found: system32\DRIVERS\rasirda.sys
     referenced in: HKLM\System\CurrentControlSet\Services\Rasirda\"ImagePath"


    Scan
    ----

    No file uploaded.

    Scan finished - communication took 2 sec
    Total traffic - 0.01 MB sent, 0.40 KB recvd
    Scanned 690 files and modules - 66 seconds
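As an added defender's example (not part of this thread, and not Runscanner's own code), a small Python parser for the "Missing files" section of the log above: it pairs each "File not found" line with its "referenced in" line and ranks the dangling reference by where it sits in the registry, since a missing DLL under AppInit_DLLs (as with papororo.dll and fubatuzo.dll above) is far more suspicious than a stale browser-plugin path. The sample log is constructed from the entries shown above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of Runscanner's "Missing files" section,
# built from the entries in the log above (not a live scan).
SAMPLE_LOG = r"""Missing files
-------------
File not found: C:\Program Files\McAfee\Supportability\MVT\NPMVTPlugin.dll
 referenced in: HKLM\Software\MozillaPlugins\@mcafee.com/MVT\"Path"

File not found: C:\WINDOWS\System32\appmgmts.dll
 referenced in: HKLM\System\CurrentControlSet\Services\AppMgmt\Parameters\"ServiceDll"

File not found: c:\windows\system32\papororo.dll
 referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: fubatuzo.dll
 referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: system32\DRIVERS\rasirda.sys
 referenced in: HKLM\System\CurrentControlSet\Services\Rasirda\"ImagePath"
"""

@dataclass
class Finding:
    path: str       # file the registry value points at
    key: str        # registry key holding the reference
    value: str      # value name, e.g. AppInit_DLLs
    severity: str   # high / medium / low

# One entry: a "File not found:" line followed by a "referenced in:" line
# whose key ends in \"ValueName".
ENTRY_RE = re.compile(
    r'File not found: (?P<path>.+)\n\s*referenced in: (?P<key>.+)\\"(?P<value>[^"]+)"'
)

def classify(key: str, value: str) -> str:
    """Rank a dangling reference by how eagerly Windows would load it."""
    v = value.lower()
    if v == "appinit_dlls":
        # Every user32-linked process tries to load this; a missing DLL here
        # is usually residue of removed malware, not a stale vendor entry.
        return "high"
    if v in ("servicedll", "imagepath") and "\\services\\" in key.lower():
        return "medium"   # dangling service or driver registration
    return "low"          # e.g. leftover browser-plugin registration

def parse_missing_files(log: str) -> List[Finding]:
    return [Finding(m["path"], m["key"], m["value"], classify(m["key"], m["value"]))
            for m in ENTRY_RE.finditer(log)]

def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    for f in parse_missing_files(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.value} -> {f.path}")
```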
    billyclubz
    Bronze Member


    Posts: 21


    « Reply #23 on: February 10, 2010, 05:38:27 PM »

    Here is the runscanner zip.

    Thanks.
    Hoov
    Malware Removal Mentors
    Global Moderator


    Posts: 9367


    Unwilling part owner of Gov't. Motors and Chrysler


    « Reply #24 on: February 10, 2010, 05:39:19 PM »

    This is the kind of stuff I was worried about. Rootkit.TDSS

    * Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

    Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

    Please include the C:\ComboFix.txt in your next reply for further review.

    Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

    Be wary of strong drink. It can make you shoot at tax collectors -- and miss. 
          -From the Notebooks of Lazarus Long
          -Senior of The Howard Families
    billyclubz
    Bronze Member


    Posts: 21


    « Reply #25 on: February 11, 2010, 06:46:15 AM »

    I will try and run your procedure tonight. 

Also, I was reading about the Rootkit.TDSS (sounds nasty). In another thread, someone talks about router infection. I want to let you know that a couple of files showed up on my desktop containing my router password info and I don't remember putting them there (I just noticed them and they aren't easy to see amidst all my other icons). According to the file properties, the files were created a long time ago, so I dismissed it.

Keep this in mind, but I am sure it is first things first. Unless I hear otherwise before I leave work at 4 Eastern, I will run your ComboFix procedure.
    billyclubz
    Bronze Member


    Posts: 21


    « Reply #26 on: February 11, 2010, 04:07:19 PM »

Here is the ComboFix log.
    Hoov
    Malware Removal Mentors
    Global Moderator


    Posts: 9367


    Unwilling part owner of Gov't. Motors and Chrysler


    « Reply #27 on: February 11, 2010, 04:54:07 PM »

How is your system running now? Also, for future information, please paste the logs in unless specifically asked for attachments. It's for our protection as well as yours. Event Viewer logs and Runscanner logs have to be attached because there is more info in the logs than can be printed to a text file.

    If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

    Be wary of strong drink. It can make you shoot at tax collectors -- and miss. 
          -From the Notebooks of Lazarus Long
          -Senior of The Howard Families
    billyclubz
    Bronze Member


    Posts: 21


    « Reply #28 on: February 12, 2010, 02:07:38 PM »

The system errors seem to have gone away. Mozilla still takes a while to open once I click to open it, and I still observe popups.

Do you see any other processes running in my log that need to be cleaned up? How do I guarantee that Rootkit.TDSS is gone? Scary stuff if someone can take control of things.

Are there any other measures I should take? Am I ready to try to reinstall McAfee, or do you need any other logs for review?
    Hoov
    Malware Removal Mentors
    Global Moderator


    Posts: 9367


    Unwilling part owner of Gov't. Motors and Chrysler


    « Reply #29 on: February 12, 2010, 02:32:48 PM »

Go ahead and try the McAfee reinstall. About guaranteeing TDSS is gone: there are still pieces on your machine, but as long as you don't try to do a System Restore, it will stay gone. Don't get rid of the System Restore files yet; we will do it later when we are done.

    About Firefox, I would like you to try running Firefox in Firefox safe mode using the following instructions,

    1.  Close down Firefox completely: At the top of the Firefox window, click the File menu, and select the Exit menu item.

    2.  In Windows, click Start, open the All Programs list, and navigate to the Mozilla Firefox folder. In the Mozilla Firefox folder, select Mozilla Firefox (Safe Mode).

    3.  Firefox should start up with a Firefox Safe Mode dialog.

    4. Click Continue In Safe Mode. This starts Firefox in its Safe Mode. While you are in Safe Mode, your extensions and themes will be disabled, and any toolbar customizations will be reverted back to their defaults. These changes are not permanent - when you leave Safe Mode and start Firefox up normally, your extensions, themes, and settings will return to the state they were in before you entered Safe Mode.

How does Firefox run this way?

    If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

    Be wary of strong drink. It can make you shoot at tax collectors -- and miss. 
          -From the Notebooks of Lazarus Long
          -Senior of The Howard Families