Sent over from Your Tech [Solved] - Geeks to Go Forums


Sent over from Your Tech [Solved] Need to verify clean

#1 dolface755

  • Group: Member
  • Posts: 76
  • Joined: 22-July 07

  Posted 06 February 2009 - 11:37 AM

I was sent over from another topic to verify my system is clean because I'm having some SERIOUS issues with Firefox constantly crashing. I've checked and rechecked the computer and found no viruses or threats. I've uninstalled and CLEAN reinstalled Firefox 2x now and it still crashes, and not always on the same sites.

Posting my current HijackThis log and my Malwarebytes logs, if someone could PLEASE help me.

thanks

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:55 AM, on 2/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - D:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/...undLauncher.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 3741 bytes



Malwarebytes log:

Malwarebytes' Anti-Malware 1.33
Database version: 1728
Windows 5.1.2600 Service Pack 2

2/4/2009 4:31:01 PM
mbam-log-2009-02-04 (16-31-01).txt

Scan type: Full Scan (C:\|D:\|E:\|I:\|J:\|)
Objects scanned: 128180
Time elapsed: 55 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
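
The HijackThis log above is the kind of thing the helpers on this forum triage by hand. As an added example (not part of the original thread, and not HijackThis's own code), the following Python script parses the `Rn`/`Onn` lines of a HijackThis 2.0 log, extracts the file each entry points at, and applies a few conservative first-pass checks: registry entries whose target no longer exists ("(no file)"), O16 ActiveX controls pulled from a URL, O20 Winlogon Notify DLLs (which load into winlogon.exe), and executables outside the Windows and Program Files trees. The sample input is a subset of the lines posted above; the heuristics and severity labels are this editor's assumptions, and a flagged line is a prompt to check the file's publisher and signature, not a verdict.

```python
"""Added example: first-pass triage of a HijackThis 2.0 log.

Parses the 'Rn - ...' / 'Onn - ...' lines, extracts the file each entry
points at, and returns findings for the things a malware-removal helper
checks first. The heuristics are this editor's assumptions, not HijackThis's.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - D:\Program Files\PokerStars\PokerStarsUpdate.exe
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/...undLauncher.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Every entry line starts with a section code such as R0, O2, O23.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# O4 lines carry the command after the bracketed value name; other sections
# put the file (or URL) in the last ' - ' separated field.
O4_PATH = re.compile(r"\[[^\]]*\]\s*(?P<path>.+)$")

# Directories a stock XP box legitimately runs code from (assumption: the
# system drive is C:, as in the log above).
SYSTEM_ROOTS = ("C:\\WINDOWS", "C:\\PROGRAM FILES")


@dataclass
class Entry:
    code: str   # HijackThis section code, e.g. "O2"
    body: str   # everything after "On - "
    path: str   # file, URL or "(no file)"; "" when the line has no target


def parse_hjt(text: str) -> list[Entry]:
    """Return one Entry per Rn/Onn line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            pm = O4_PATH.search(body)
            path = pm.group("path") if pm else ""
        else:
            path = body.rsplit(" - ", 1)[-1] if " - " in body else ""
        entries.append(Entry(code, body, path.strip().strip('"')))
    return entries


def normalize(path: str) -> str:
    """Upper-case and expand the 8.3 short name HijackThis shows for Program Files."""
    return path.upper().replace("C:\\PROGRA~1", "C:\\PROGRAM FILES")


def triage(text: str) -> list[tuple[str, str, str]]:
    """Return (severity, section code, detail) findings for a HijackThis log."""
    findings = []
    for e in parse_hjt(text):
        if e.path == "(no file)":
            # Registry still references a DLL that is gone: a leftover to clean, not a threat.
            findings.append(("orphan", e.code, e.body))
            continue
        if e.code == "O16":
            findings.append(("review", e.code, "ActiveX control downloaded from the web: " + e.body))
        elif e.code == "O20":
            findings.append(("review", e.code, "DLL loaded into winlogon.exe as SYSTEM: " + e.path))
        norm = normalize(e.path)
        if re.match(r"^[A-Z]:\\", norm) and not norm.startswith(SYSTEM_ROOTS):
            findings.append(("nonstandard-path", e.code, e.path))
    return findings


if __name__ == "__main__":
    for severity, code, detail in triage(SAMPLE_LOG):
        print(f"{severity:16} {code:4} {detail}")
```

On the sample, the orphan hit is the unnamed O2 BHO with no file behind it, the two "review" hits are the Winlogon Notify DLL and the ActiveX control from the MSN games site, and the PokerStars button trips the path check only because the program lives on D:. That last one is the kind of false positive a review list is expected to produce; the value is that a real drop site (a Temp directory, a user profile, a removable drive) would show up the same way.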

#2 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,623
  • Joined: 19-November 07

Posted 12 February 2009 - 04:00 PM

Hello dolface755,
  • Please download random's system information tool (RSIT) by random/random from here.
  • It is important that it is saved to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


#3 dolface755

  • Group: Member
  • Posts: 76
  • Joined: 22-July 07

Posted 13 February 2009 - 09:06 AM

log.txt:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Donna at 2009-02-13 07:03:43
Microsoft Windows XP Professional Service Pack 2
System drive C: has 12 GB (60%) free of 20 GB
Total RAM: 1024 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:59 AM, on 2/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Donna.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-746137067-1035525444-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'David')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - D:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/...undLauncher.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4032 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-12-24 304736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-01-31 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-07 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-02-07 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"type32"=C:\Program Files\Microsoft IntelliType Pro\type32.exe [2004-06-03 172032]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-01-31 1601304]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 1406024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-01-14 399504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-02-07 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
E:\PROGRA~1\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-09-29 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-01-31 10520]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"D:\Program Files\uTorrent\uTorrent.exe"="D:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

2009-02-13 07:03:43 ----D---- C:\rsit
2009-02-07 15:20:48 ----A---- C:\WINDOWS\system32\javaws.exe
2009-02-07 15:20:48 ----A---- C:\WINDOWS\system32\javaw.exe
2009-02-07 15:20:48 ----A---- C:\WINDOWS\system32\java.exe
2009-02-07 15:20:24 ----D---- C:\Program Files\Java
2009-02-06 09:32:43 ----D---- C:\Program Files\Trend Micro
2009-02-03 21:20:56 ----D---- C:\Program Files\Bubble Town
2009-02-03 21:20:17 ----D---- C:\Program Files\bfgclient
2009-02-03 21:19:24 ----D---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2009-02-03 10:51:42 ----D---- C:\Program Files\ABBYY FineReader 5.0 Sprint
2009-02-03 10:49:26 ----A---- C:\WINDOWS\LEXSTAT.INI
2009-02-03 10:48:16 ----D---- C:\Program Files\Lexmark X74-X75
2009-02-03 10:48:14 ----A---- C:\WINDOWS\system32\wiafbdrv.dll
2009-02-03 10:48:08 ----A---- C:\WINDOWS\uninst.exe
2009-01-27 03:46:56 ----D---- C:\Documents and Settings\All Users\Application Data\Zylom
2009-01-27 03:45:38 ----D---- C:\Program Files\Yahtzee
2009-01-25 20:38:50 ----A---- C:\WINDOWS\QuickInstall.INI
2009-01-21 08:16:03 ----D---- C:\Program Files\MyPhoneExplorer
2009-01-21 08:13:53 ----D---- C:\Documents and Settings\Donna\Application Data\AD ON Multimedia
2009-01-14 00:25:34 ----A---- C:\WINDOWS\iexplore.ini

======List of files/folders modified in the last 1 months======

2009-02-13 07:03:26 ----D---- C:\WINDOWS\Prefetch
2009-02-12 23:20:03 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-12 20:25:39 ----D---- C:\Program Files\Mozilla Firefox
2009-02-12 12:11:45 ----D---- C:\WINDOWS\Temp
2009-02-12 05:45:38 ----D---- C:\WINDOWS
2009-02-12 00:24:34 ----N---- C:\WINDOWS\SchedLgU.Txt
2009-02-09 08:41:30 ----A---- C:\WINDOWS\NeroDigital.ini
2009-02-08 10:57:03 ----D---- C:\Documents and Settings\Donna\Application Data\uTorrent
2009-02-07 15:20:48 ----D---- C:\WINDOWS\system32
2009-02-07 15:20:30 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-02-07 15:20:28 ----SHD---- C:\WINDOWS\Installer
2009-02-07 15:20:24 ----RD---- C:\Program Files
2009-02-05 04:02:27 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-02-04 12:51:13 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-02-04 12:51:08 ----D---- C:\WINDOWS\system32\drivers
2009-02-04 12:51:05 ----HD---- C:\WINDOWS\inf
2009-02-04 12:51:05 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-03 10:48:29 ----D---- C:\WINDOWS\twain_32
2009-02-03 09:13:01 ----D---- C:\Documents and Settings\Donna\Application Data\MyPhoneExplorer
2009-02-01 13:26:56 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-31 11:36:37 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-01-31 11:36:33 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-01-30 10:22:54 ----D---- C:\WINDOWS\system32\Macromed
2009-01-30 10:10:30 ----D---- C:\WINDOWS\system32\Adobe
2009-01-30 09:31:27 ----D---- C:\WINDOWS\system32\appmgmt
2009-01-30 09:31:09 ----D---- C:\Program Files\Common Files
2009-01-30 09:29:56 ----D---- C:\Documents and Settings\Donna\Application Data\Adobe
2009-01-25 20:18:55 ----SD---- C:\Documents and Settings\Donna\Application Data\Microsoft
2009-01-25 20:18:17 ----D---- C:\Program Files\Common Files\InstallShield
2009-01-25 05:06:47 ----D---- C:\Documents and Settings\Donna\Application Data\Pogo Games
2009-01-25 05:03:20 ----D---- C:\Program Files\Oberon Media
2009-01-24 08:48:23 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-03 37376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-01-31 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-01-31 27656]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-01-31 107272]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2008-03-13 46652]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-09-29 2456064]
R3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
R3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
R3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-23 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\System32\DRIVERS\point32.sys [2008-12-04 27784]
R3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [2004-04-13 16509]
S3 s125bus;Sony Ericsson Device 125 driver (WDM); C:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-09-29 483328]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-01-31 903960]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-01-31 298264]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-02-07 152984]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2002-10-14 303104]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------



Info.txt:

info.txt logfile of random's system information tool 1.05 2009-02-13 07:04:01

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNNMP.exe /UNINSTALL
-->D:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint-->MsiExec.exe /X{4468EF97-A253-4699-9E1C-88CAE2C6832D}
Adobe Acrobat 4.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Amazonia-->"D:\Program Files\Amazonia\ReflexiveArcade\unins000.exe"
Ancient Quest Of Saqqarah-->"D:\Program Files\Ancient Quest Of Saqqarah\ReflexiveArcade\unins000.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AusLogics Disk Defrag-->"C:\Program Files\Auslogics\AusLogics Disk Defrag\unins000.exe"
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Big Fish Games Client-->C:\Program Files\bfgclient\Uninstall.exe
Bubble Town-->"C:\Program Files\Bubble Town\Uninstall.exe"
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
ERUNT 1.1j-->"E:\Program Files\ERUNT\unins000.exe"
Fabulous Finds-->"E:\Program Files\Fabulous Finds\ReflexiveArcade\unins000.exe"
Ford Racing 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{797E03F8-C8A0-47ED-AA9F-D7076276E491}\setup.exe"
Free 3GP Video Converter version 3.1-->"I:\Program Files\DVDVideoSoft\Free 3GP Video Converter\unins000.exe"
Full Tilt Poker.Net-->"C:\Program Files\InstallShield Installation Information\{E07B7A31-E160-466D-A003-3BB7B8989D52}\setup.exe" -runfromtemp -l0x0009 -removeonly
Heartwild Solitaire-->"E:\Program Files\Heartwild Solitaire\ReflexiveArcade\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Instant Housecall - Specialist Sign-in-->C:\Documents and Settings\Donna\Application Data\Instant Housecall\Free Edition\Specialist\UninstallSignIn.exe
Jasc Paint Shop Pro 8-->MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java™ 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Lexmark X74-X75-->C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBBUN5C.EXE -dLexmark X74-X75
Lottso! Deluxe-->"C:\Program Files\Oberon Media\Lottso! Deluxe\Uninstall.exe" "C:\Program Files\Oberon Media\Lottso! Deluxe\install.log"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MIKSOFT Mobile 3GP converter-->"C:\Program Files\MIKSOFT\Mobile 3GP converter\unins000.exe"
Mozilla Firefox (3.0.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MyPhoneExplorer-->C:\Program Files\MyPhoneExplorer\uninstall.exe
Nero Suite-->C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
Palm Desktop-->MsiExec.exe /X{E89D78B8-28F7-412F-8B26-C684739CBBDC}
PICTUREKA! MUSEUM MAYHEM-->"C:\Program Files\Oberon Media\PICTUREKA! MUSEUM MAYHEM\Uninstall.exe" "C:\Program Files\Oberon Media\PICTUREKA! MUSEUM MAYHEM\install.log"
PokerStars-->"D:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SKIPBO Castaway Caper-->"E:\Program Files\SKIPBO Castaway Caper\ReflexiveArcade\unins000.exe"
Slingo Quest Hawaii-->"E:\Program Files\Slingo Quest Hawaii\ReflexiveArcade\unins000.exe"
Sony USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Tri Peaks 2 Quest For The Ruby Ring-->"C:\Program Files\Oberon Media\Tri Peaks 2 Quest For The Ruby Ring\Uninstall.exe" "C:\Program Files\Oberon Media\Tri Peaks 2 Quest For The Ruby Ring\install.log"
Uninstall 1.0.0.1-->"C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
VIA Rhine-Family Fast Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
ViewSonic Monitor Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
Way To Go! Bowling-->"C:\Program Files\Oberon Media\Way To Go! Bowling\Uninstall.exe" "C:\Program Files\Oberon Media\Way To Go! Bowling\install.log"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Word Riot Deluxe-->"C:\Program Files\Oberon Media\Word Riot Deluxe\Uninstall.exe" "C:\Program Files\Oberon Media\Word Riot Deluxe\install.log"
Word Whomp( TM) Underground-->"C:\Program Files\Oberon Media\Word Whomp Underground\Uninstall.exe" "C:\Program Files\Oberon Media\Word Whomp Underground\install.log"

======Security center information======

AV: AVG Anti-Virus Free

System event log

Computer Name: SALTER-GK7NJ4SL
Event Code: 7036
Message: The avast! Web Scanner service entered the running state.

Record Number: 353
Source Name: Service Control Manager
Time Written: 20081222201729.000000-480
Event Type: information
User:

Computer Name: SALTER-GK7NJ4SL
Event Code: 7035
Message: The Terminal Services service was successfully sent a start control.

Record Number: 352
Source Name: Service Control Manager
Time Written: 20081222201729.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: SALTER-GK7NJ4SL
Event Code: 7035
Message: The avast! Web Scanner service was successfully sent a start control.

Record Number: 351
Source Name: Service Control Manager
Time Written: 20081222201729.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: SALTER-GK7NJ4SL
Event Code: 26
Message: Application popup: : Machine Check: Regs

Record Number: 350
Source Name: Application Popup
Time Written: 20081222201611.000000-480
Event Type: information
User:

Computer Name: SALTER-GK7NJ4SL
Event Code: 26
Message: Application popup: : Machine Check:

Record Number: 349
Source Name: Application Popup
Time Written: 20081222201611.000000-480
Event Type: information
User:

Application event log

Computer Name: SALTER-GK7NJ4SL
Event Code: 701
Message: MsnMsgr (1060) Online defragmentation has completed a full pass on database '\\.\C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\pepsiholic_101@hotmail.com\SharingMetadata\Working\database_6C08_7FA1_87F_694A\dfsr.db'.

Record Number: 2533
Source Name: ESENT
Time Written: 20090128020103.000000-480
Event Type: information
User:

Computer Name: SALTER-GK7NJ4SL
Event Code: 700
Message: MsnMsgr (1060) Online defragmentation is beginning a full pass on database '\\.\C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\pepsiholic_101@hotmail.com\SharingMetadata\Working\database_6C08_7FA1_87F_694A\dfsr.db'.

Record Number: 2532
Source Name: ESENT
Time Written: 20090128020103.000000-480
Event Type: information
User:

Computer Name: SALTER-GK7NJ4SL
Event Code: 701
Message: MsnMsgr (3508) Online defragmentation has completed a full pass on database '\\.\C:\Documents and Settings\Donna\Local Settings\Application Data\Microsoft\Messenger\dccollins17@hotmail.com\SharingMetadata\Working\database_6C08_7FA1_87F_694A\dfsr.db'.

Record Number: 2531
Source Name: ESENT
Time Written: 20090128020059.000000-480
Event Type: information
User:

Computer Name: SALTER-GK7NJ4SL
Event Code: 700
Message: MsnMsgr (3508) Online defragmentation is beginning a full pass on database '\\.\C:\Documents and Settings\Donna\Local Settings\Application Data\Microsoft\Messenger\dccollins17@hotmail.com\SharingMetadata\Working\database_6C08_7FA1_87F_694A\dfsr.db'.

Record Number: 2530
Source Name: ESENT
Time Written: 20090128020059.000000-480
Event Type: information
User:

Computer Name: SALTER-GK7NJ4SL
Event Code: 701
Message: MsnMsgr (1060) Online defragmentation has completed a full pass on database '\\.\C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\pepsiholic_101@hotmail.com\SharingMetadata\Working\database_6C08_7FA1_87F_694A\dfsr.db'.

Record Number: 2529
Source Name: ESENT
Time Written: 20090128010103.000000-480
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=0801
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

#4 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,623
  • Joined: 19-November 07

Posted 13 February 2009 - 02:07 PM

Hello again dolface755,

Just a matter of elimination really. Getting more specific now. You have already checked out a number of things so in this post we will look at possible malware points that might be causing angst to Firefox.
  • Please download OTListIt2 to your desktop.
  • Open OTListIt2.exe
  • Click the None button at the top
  • Under the Custom Scan box at the bottom paste the contents of the code box below:
    %systemroot%\system32\wdmaud.sys

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window called OTListIt.Txt. This is saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the content of this file, and post it with your next reply.

Next

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

Finally in this post

Download FoxScan to your desktop.
  • Run the FoxScan file.
  • A window will open up and give you an option for what language to use. Press 2 and then Enter, let the program run unhindered.
  • The message Press any key to continue... will appear, do what it says and press any key you want.
  • The program will then open its report in a Notepad file, it will also be saved to your C:\ drive.
  • Post this log on the forum.


So when you return please post
  • OTListIt2 custom scan results
  • GooredFix log
  • FoxScan log

Note: Unless otherwise instructed always post the logs in the forum. If reports don't fit in one post, it might be necessary to break the logs up to get them on the forum. Just use as many posts as you need, that's fine. :)

#5 dolface755

  • Group: Member
  • Posts: 76
  • Joined: 22-July 07

Posted 14 February 2009 - 04:53 PM

OK, ran those programs; here are the logs you requested.

Thank you so much for going through this with me, starting to tear my hair out.

OTList Log:

OTListIt logfile created on: 2/14/2009 2:48:46 PM - Run
OTListIt2 by OldTimer - Version 2.0.0.11 Folder = D:\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.53 Mb Total Physical Memory | 676.33 Mb Available Physical Memory | 66.08% Memory free
2.40 Gb Paging File | 2.01 Gb Available in Paging File | 83.61% Paging File free
Paging file location(s): C:\pagefile.sys 1534 1534;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 11.66 Gb Free Space | 59.68% Space Free | Partition Type: NTFS
Drive D: | 27.49 Gb Total Space | 26.07 Gb Free Space | 94.82% Space Free | Partition Type: NTFS
Drive E: | 27.49 Gb Total Space | 21.45 Gb Free Space | 78.03% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 14.65 Gb Total Space | 2.10 Gb Free Space | 14.35% Space Free | Partition Type: NTFS
Drive I: | 39.06 Gb Total Space | 5.98 Gb Free Space | 15.32% Space Free | Partition Type: NTFS
Drive J: | 22.97 Gb Total Space | 4.56 Gb Free Space | 19.85% Space Free | Partition Type: NTFS

Computer Name: SALTER-GK7NJ4SL
Current User Name: Donna
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Custom Scans ==========


< %systemroot%\system32\wdmaud.sys >
< End of report >


Goored Log:

GooredFix v1.91 by jpshortstuff
Log created at 14:50 on 14/02/2009 running Option #1 (Donna)
Firefox version 3.0.6 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord"


Fox Log:

FoxScan Version 1.0.5
Written by Loup blanc - Zebulon.fr
Scan started Sat 02/14/2009 at 14:51:20.65


Microsoft Windows XP [Version 5.1.2600]
Service Pack 2

Mozilla Firefox version : 3.0.6 (en-US)
Installation folder : C:\Program Files\Mozilla Firefox

Profil name : default
Profil folder : C:\Documents and Settings\Donna\Application Data\mozilla\firefox\Profiles\p6nh53n7.default\
Start pages : "www.yahoo.ca"

------------------------------------------------------


//////////// Add-on \\\\\\\\\\\\\
======= Profil name : default =======

Installation notification for Add-on is enabled

Name : AVG Safe Search
State : Activated
Folder : C:\Program Files\AVG\AVG8\Firefox

Name : DownThemAllname
State : Activated
Folder : C:\Documents and Settings\Donna\Application Data\Mozilla\Firefox\Profiles\p6nh53n7.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

Name : Java Console
State : Activated
Folder : C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

Name : Default
State : Activated
Folder : C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

Name : RealPlayer Browser Record Plugin
State : Deactivated

Name : Java Quick Starter
State : Deactivated



------------------------------------------------------



//////////// Search plugins \\\\\\\\\\\\\
======= Profil name : default =======

Search in "prefs.js" :

browser.search.defaultenginename : ""

browser.search.defaulturl : ""

browser.search.selectedEngine : ""

keyword.URL : ""


--------- Search engines found ------------
+ Search form configured for the engine


C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
template="http://www.amazon.com/exec/obidos/external-search/">


C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
template="http://www.answers.com/main/ntquery">


C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
template="http://search.creativecommons.org/">


C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
template="http://rover.ebay.com/rover/1/711-47294-18009-3/4">


C:\Program Files\Mozilla Firefox\searchplugins\google.xml
template="http://www.google.com/search">


C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
template="http://en.wikipedia.org/wiki/Special:Search">


C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml
template="http://search.yahoo.com/search">


------------------------------------------------------


//////////// DLL found in C:\Program Files\Mozilla Firefox\components \\\\\\\\\\\\\

browserdirprovider.dll
brwsrcmp.dll

------------------------------------------------------

//////////// Plugins set in registry \\\\\\\\\\\\\


[HKEY_LOCAL_MACHINE\software\mozillaplugins\@adobe.com/FlashPlayer]
"Description"="Adobe® Flash® Player 10"
"Vendor"="Adobe Systems Incorporated"
"Path"="C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@adobe.com/ShockwavePlayer]
"Description"="Adobe Shockwave Player"
"Vendor"="Adobe Systems Inc"
"Path"="C:\WINDOWS\system32\Adobe\Director\np32dsw.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@real.com/nppl3260;version=6.0.12.69]
"Description"="RealPlayer™ LiveConnect-Enabled Plug-In"
"Vendor"="RealNetworks"
"Path"="C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@real.com/nprjplug;version=1.0.3.69]
"Description"="RealJukebox Netscape Plugin"
"Vendor"="RealNetworks"
"Path"="C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@real.com/nprpjplug;version=6.0.12.69]
"Description"="6.0.12.69"
"Vendor"="RealNetworks"
"Path"="C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@real.com/nsJSRealPlayerPlugin;version=]

------------------------------------------------------

//////////// Additional search for infections Goored, YoogSearch... \\\\\\\\\\\\\


[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" ==== Goored infection possible ====
Contents of folder :
C:\Program Files\Real\RealPlayer\browserrecord\chrome
C:\Program Files\Real\RealPlayer\browserrecord\chrome.manifest
C:\Program Files\Real\RealPlayer\browserrecord\components
C:\Program Files\Real\RealPlayer\browserrecord\install.rdf
C:\Program Files\Real\RealPlayer\browserrecord\chrome\content
C:\Program Files\Real\RealPlayer\browserrecord\chrome\skin
C:\Program Files\Real\RealPlayer\browserrecord\chrome\content\algorithm.js
C:\Program Files\Real\RealPlayer\browserrecord\chrome\content\browserrecordoverlay.xul
C:\Program Files\Real\RealPlayer\browserrecord\chrome\content\contents.rdf
C:\Program Files\Real\RealPlayer\browserrecord\chrome\content\debug.js
C:\Program Files\Real\RealPlayer\browserrecord\chrome\content\urilistener.js
C:\Program Files\Real\RealPlayer\browserrecord\chrome\content\utils.js
C:\Program Files\Real\RealPlayer\browserrecord\chrome\skin\rp_logo.png
C:\Program Files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
C:\Program Files\Real\RealPlayer\browserrecord\components\nsIRPBrowserEmbeddedObjectUtils.xpt
C:\Program Files\Real\RealPlayer\browserrecord\components\nsIRPBrowserRecord.xpt
C:\Program Files\Real\RealPlayer\browserrecord\components\nsIRPBrowserRecordJS.xpt
C:\Program Files\Real\RealPlayer\browserrecord\components\nsIRPJavascriptHelperObject.xpt
C:\Program Files\Real\RealPlayer\browserrecord\components\nsIRPProtocolHandler.xpt
C:\Program Files\Real\RealPlayer\browserrecord\components\reg.js

"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" ==== Goored infection possible ====
Contents of folder :
C:\Program Files\AVG\AVG8\Firefox\Chrome
C:\Program Files\AVG\AVG8\Firefox\chrome.manifest
C:\Program Files\AVG\AVG8\Firefox\Components
C:\Program Files\AVG\AVG8\Firefox\install.rdf
C:\Program Files\AVG\AVG8\Firefox\Chrome\searchshield.jar
C:\Program Files\AVG\AVG8\Firefox\Components\avgssff.dll
C:\Program Files\AVG\AVG8\Firefox\Components\ISearchShield.xpt




[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]


------------------ End of report ------------------

#6 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,623
  • Joined: 19-November 07

Posted 14 February 2009 - 10:11 PM

Hello again dolface755,

Please go to Mozilla Firefox - Tools menu -> Add-ons. Find the AVG Toolbar here and click on the Disable button.

Come back and tell me if that has made a difference.

#7 dolface755

  • Group: Member
  • Posts: 76
  • Joined: 22-July 07

Posted 15 February 2009 - 11:19 AM

OK, disabled AVG toolbar. I thought when I installed it I checked to make sure that stupid thing wasn't installed, dang it.
ok here's hoping I can do the same easy thing to fix IE then

Thank you so much for the help, it is working (crossing fingers, toes and nose) for now.

#8 dolface755

  • Group: Member
  • Posts: 76
  • Joined: 22-July 07

Posted 15 February 2009 - 11:55 AM

ok well that worked for bout 10 min tried looking at yahoo news and a web page called pogoaddiciton and got a new error something about win32 i'm including screenshot

Attached thumbnail(s)

  • Attached Image: new_error_mess.jpg


#9 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,623
  • Joined: 19-November 07

Posted 15 February 2009 - 02:13 PM

Hi dolface755,

Quote

ok here's hoping I can do the same easy thing to fix IE then


This time I have included the instructions for both browsers. Should give you the information you need.

How to disable the AVG8 Security Toolbar

Internet Explorer - use the mouse right-click on the toolbar and check-off the AVGTOOLBAR option in the list

Mozilla Firefox - Tools menu -> Add-ons. Find the AVG Toolbar here and click on the Disable button.

Quote

ok well that worked for bout 10 min tried looking at yahoo news and a web page called pogoaddiciton and got a new error something about win32 i'm including screenshot


Well, I think that error can be generated for a range of reasons, many of which relate to Service Pack 2 updates. However, it is a bit suspicious that it has happened so soon after disabling that add-on.

My thought is that you should make the change in IE and browse on. When that error appears again, click on the "To see what data this error contains" and see if you can get specific information about the exact error i.e. the whole error with the numbers.

Come back and tell me so that I can follow it up.

Meantime I would like you to run a scan to make sure that that message was not generated by malware.

Kaspersky online scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3.

Go to Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • Kaspersky scan results
  • and tell me the specific error message if it has happened again


#10 dolface755

  • Group: Member
  • Posts: 76
  • Joined: 22-July 07

Posted 18 February 2009 - 07:08 AM

ss for taking so long had some medical issues
Going to try and run the scan; tried downloading but the computer crashed at about 50% of updates.

I have the file name that's mentioned in the critical shutdown for Firefox:

C:Documents and settings/Donna/Locals/temp/WER2eda.dir00/svchost.exe.mdmp

appcompat.txt Generic Host Process Win32 Services

#11 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,623
  • Joined: 19-November 07

Posted 18 February 2009 - 12:26 PM

Quote

ss for taking so long had some medical issues


No worries, hope things are going all right for you.

Turning to your machine.

That looks like Kaspersky is recognizing something as a virus that is a dmp file produced when one of your programs crashes.

Let's not get too stressed with Kaspersky. Trying to find why it crashed might be like looking for needles in a haystack.

Try this one:

Panda only works if you are using Internet Explorer.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

#12 dolface755

  • Group: Member
  • Posts: 76
  • Joined: 22-July 07

Posted 19 February 2009 - 11:49 AM

OK, tried doing the scan last night and let it run while I went to bed. It stopped, and when I got up this morning there was a virus alert from AVG.

sending screenshots

Attached thumbnail(s)

  • Attached Image: AVG1.jpg
  • Attached Image: avg2.jpg


#13 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,623
  • Joined: 19-November 07

Posted 19 February 2009 - 05:38 PM

OK, Delf is a pretty serious infection. AVG can identify it but it won't be able to deal with it.

Might also be the reason we are having trouble in running Kaspersky and Panda.

There will be a number of steps to take in attacking this particular nasty.

Please do this first.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
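
A small triage script, added here as an example and not code from this thread, from HijackThis or from Geeks to Go, that reads HijackThis O4 (autorun) lines and flags the two traits a helper looks for first: an executable launched from the Windows root folder rather than a program folder, and the same entry planted for every profile including SYSTEM and Default user. All function names are assumed, and the sample lines are constructed in O4 format, modelled on the entries discussed in this thread.

```python
"""Triage HijackThis O4 (autorun) lines for traits seen in suspicious entries:
an executable run from <drive>:\\WINDOWS itself and one entry planted in many
user hives, including SYSTEM (S-1-5-18) and .DEFAULT."""
import ntpath
import re
from collections import defaultdict

# Constructed sample lines (hypothetical, in HijackThis O4 format); the
# "wciactrl.exe" entry mirrors the pattern discussed in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Intel Physical Address Aventis 1.3] C:\WINDOWS\wciactrl.exe
O4 - HKUS\S-1-5-21-1000-2000-3000-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'David')
O4 - HKUS\S-1-5-21-1000-2000-3000-1003\..\Run: [Intel Physical Address Aventis 1.3] C:\WINDOWS\wciactrl.exe (User 'David')
O4 - HKUS\S-1-5-18\..\Run: [Intel Physical Address Aventis 1.3] C:\WINDOWS\wciactrl.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Intel Physical Address Aventis 1.3] C:\WINDOWS\wciactrl.exe (User 'Default user')
"""

# "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')", the user part optional.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Hive prefixes HijackThis prints for the machine-wide profiles.
SYSTEMWIDE_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


def parse_o4(line):
    """Return hive, display name, user and executable path of one O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    # Quoted command: the path is what sits between the first pair of quotes;
    # unquoted: the first token, dropping any arguments that follow.
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return {"hive": m.group("hive"), "name": m.group("name"),
            "user": m.group("user"), "path": path}


def runs_from_windows_root(path):
    """True when the executable sits directly in <drive>:\\WINDOWS, not a subfolder."""
    parent = ntpath.dirname(path).lower().rstrip("\\")
    return re.fullmatch(r"[a-z]:\\windows", parent) is not None


def triage_o4(log_text):
    """Map each suspicious autorun display name to the reasons it was flagged."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]

    # Group the hives each (name, path) pair is registered under.
    hives_by_entry = defaultdict(set)
    for e in entries:
        hives_by_entry[(e["name"], e["path"].lower())].add(e["hive"])

    findings = defaultdict(list)
    for (name, path), hives in hives_by_entry.items():
        if runs_from_windows_root(path):
            findings[name].append("executable launched from the Windows root folder")
        if len(hives) > 1 and any(h.startswith(SYSTEMWIDE_HIVES) for h in hives):
            findings[name].append(
                "same entry planted in %d hives including SYSTEM/Default user" % len(hives))
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in triage_o4(SAMPLE_LOG).items():
        print("[%s]" % name)
        for reason in reasons:
            print("    -", reason)
```

Entries that merely sit in HKCU or HKLM under Program Files or system32 (type32, AVG8_TRAY, ctfmon.exe) produce no finding; the script is a first-pass filter for a human reviewer, not a verdict.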


#14 dolface755

  • Group: Member
  • Posts: 76
  • Joined: 22-July 07

Posted 19 February 2009 - 10:29 PM

Yeah, I was thinking the same thing, just could not find where that stupid infection was hidden.
AVG 8 will not run updates for me for some reason unless I turn off my firewall.
Here are the logs you requested.

Hijack This Feb 19:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:17 PM, on 2/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Intel Physical Address Aventis 1.3] C:\WINDOWS\wciactrl.exe
O4 - HKUS\S-1-5-21-746137067-1035525444-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'David')
O4 - HKUS\S-1-5-21-746137067-1035525444-839522115-1003\..\Run: [Intel Physical Address Aventis 1.3] C:\WINDOWS\wciactrl.exe (User 'David')
O4 - HKUS\S-1-5-18\..\Run: [Intel Physical Address Aventis 1.3] C:\WINDOWS\wciactrl.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Intel Physical Address Aventis 1.3] C:\WINDOWS\wciactrl.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - D:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4385 bytes



Combo-Fix log:

ComboFix 09-02-18.01 - Donna 2009-02-19 20:21:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1024.730 [GMT -8:00]
Running from: d:\downloads\Cleaners\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\x.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.

2009-02-19 09:35 . 2009-02-19 09:35 162,304 -r-hs---- c:\windows\system32\txsocm32.dll
2009-02-18 00:27 . 2009-02-18 00:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreshGames
2009-02-16 11:18 . 2009-02-19 09:00 3 --a------ c:\windows\switch.inf
2009-02-16 03:30 . 2009-02-16 03:29 720,896 -r-hs---- c:\windows\wciactrl.exe
2009-02-16 03:30 . 2009-02-16 03:30 39,936 -r-hs---- c:\windows\system32\frnscli32.dll
2009-02-16 03:29 . 2009-02-16 03:29 65,664 --a------ c:\windows\system32\31.scr
2009-02-15 20:44 . 2009-02-15 20:44 <DIR> d-------- c:\documents and settings\David\Application Data\Alawar
2009-02-15 20:00 . 2009-02-15 20:00 <DIR> d-------- c:\documents and settings\Donna\Application Data\Alawar
2009-02-15 09:34 . 2009-02-19 20:15 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-13 07:11 . 2006-06-05 14:14 626,688 --a------ c:\windows\system32\msvcr80.dll
2009-02-13 07:10 . 2009-02-13 07:10 7,680 --ahs---- c:\windows\Thumbs.db
2009-02-13 07:03 . 2009-02-13 07:07 <DIR> d-------- C:\rsit
2009-02-09 12:24 . 2009-02-09 12:24 <DIR> d-------- c:\documents and settings\David\Saved Games
2009-02-07 15:20 . 2009-02-07 15:20 <DIR> d-------- c:\program files\Java
2009-02-07 15:20 . 2009-02-07 15:20 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-06 09:32 . 2009-02-06 09:32 <DIR> d-------- c:\program files\Trend Micro
2009-02-04 12:51 . 2004-08-03 22:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-02-03 21:21 . 2009-02-03 21:21 <DIR> d-------- c:\documents and settings\Donna\Saved Games
2009-02-03 21:20 . 2009-02-03 21:20 <DIR> d-------- c:\program files\Bubble Town
2009-02-03 21:20 . 2009-02-03 21:20 <DIR> d-------- c:\program files\bfgclient
2009-02-03 21:19 . 2009-02-09 12:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-02-03 10:51 . 2009-02-03 10:52 <DIR> d-------- c:\program files\ABBYY FineReader 5.0 Sprint
2009-02-03 10:49 . 2009-02-03 10:53 224 --a------ c:\windows\LEXSTAT.INI
2009-02-03 10:48 . 2009-02-03 10:48 <DIR> d-------- c:\program files\Lexmark X74-X75
2009-02-03 10:48 . 1997-04-08 20:08 299,520 --a------ c:\windows\uninst.exe
2009-02-03 10:48 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2009-02-03 10:48 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll
2009-02-03 10:48 . 2004-08-03 21:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-02-03 10:48 . 2004-08-03 21:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-01-27 03:46 . 2009-01-27 03:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Zylom
2009-01-27 03:45 . 2009-01-30 09:31 <DIR> d-------- c:\program files\Yahtzee
2009-01-25 20:38 . 2009-01-25 20:38 0 --a------ c:\windows\QuickInstall.INI
2009-01-21 08:16 . 2009-01-21 08:16 <DIR> d-------- c:\program files\MyPhoneExplorer
2009-01-21 08:13 . 2009-01-21 08:13 <DIR> d-------- c:\documents and settings\Donna\Application Data\AD ON Multimedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 03:18 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-17 23:53 --------- d-----w c:\program files\Oberon Media
2009-02-17 17:40 --------- d-----w c:\program files\Messenger Plus! Live
2009-02-08 18:57 --------- d-----w c:\documents and settings\Donna\Application Data\uTorrent
2009-02-07 23:20 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-03 17:13 --------- d-----w c:\documents and settings\Donna\Application Data\MyPhoneExplorer
2009-02-01 21:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-31 19:36 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-31 19:36 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-31 19:36 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-31 19:36 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-26 04:18 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-25 13:06 --------- d-----w c:\documents and settings\Donna\Application Data\Pogo Games
2009-01-24 16:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-22 05:19 --------- d-----w c:\documents and settings\David\Application Data\Pogo Games
2009-01-15 00:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 00:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-11 04:21 --------- d-----w c:\documents and settings\Donna\Application Data\Fabulous Finds
2009-01-07 16:26 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-01-07 16:03 --------- d-----w c:\program files\MIKSOFT
2009-01-07 07:39 --------- d-----w c:\program files\AVG
2009-01-06 14:15 --------- d-----w c:\documents and settings\All Users\Application Data\PopCap
2009-01-05 08:06 --------- d-----w c:\documents and settings\Donna\Application Data\Malwarebytes
2009-01-02 21:04 --------- d-----w c:\documents and settings\Donna\Application Data\Instant Housecall
2008-12-31 07:41 --------- d-----w c:\documents and settings\All Users\Application Data\MumboJumbo
2008-12-28 08:58 --------- d-----w c:\documents and settings\Donna\Application Data\Ancient Quest of Saqqarah__reflexive
2008-12-27 07:07 --------- d-----w c:\documents and settings\All Users\Application Data\Sandlot Games
2008-12-26 08:21 --------- d-----w c:\documents and settings\Donna\Application Data\funkitron
2008-12-25 10:21 --------- d-----w c:\documents and settings\Donna\Application Data\PlayFirst
2008-12-25 10:21 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2008-12-24 16:48 --------- d-----w c:\program files\Real
2008-12-24 16:48 --------- d-----w c:\program files\Common Files\xing shared
2008-12-24 16:48 --------- d-----w c:\program files\Common Files\Real
2008-12-24 08:52 --------- d-----w c:\documents and settings\Donna\Application Data\Skip-Bo
2008-12-23 19:51 --------- d-----w c:\program files\NOS
2008-12-23 19:51 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-12-23 17:32 --------- d-----w c:\documents and settings\Donna\Application Data\Auslogics
2008-12-23 17:23 --------- d-----w c:\program files\Common Files\Adobe
2008-12-23 17:02 --------- d-----w c:\program files\ReflexiveArcade
2008-12-23 16:31 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2008-12-23 16:07 --------- d-----w c:\documents and settings\David\Application Data\Jasc Software Inc
2008-12-23 15:59 --------- d-----w c:\documents and settings\Donna\Application Data\Ahead
2008-12-23 15:56 --------- d-----w c:\program files\Common Files\Ahead
2008-12-23 15:54 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-12-23 15:40 --------- d-----w c:\program files\Jasc Software Inc
2008-12-23 15:40 --------- d-----w c:\documents and settings\Donna\Application Data\Jasc Software Inc
2008-12-23 15:39 --------- d-----w c:\program files\Common Files\SWF Studio
2008-12-23 15:31 --------- d-----w c:\program files\Common Files\L&H
2008-12-23 15:30 --------- d-----w c:\program files\Microsoft Works
2008-12-23 15:30 --------- d-----w c:\program files\Microsoft ActiveSync
2008-12-23 05:51 --------- d-----w c:\program files\PowerISO
2008-12-23 05:47 --------- d-----w c:\program files\Auslogics
2008-12-23 05:47 --------- d-----w c:\documents and settings\David\Application Data\Auslogics
2008-12-23 05:41 --------- d-----w c:\program files\CCleaner
2008-12-23 05:24 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-23 05:24 --------- d-----w c:\program files\Windows Live
2008-12-23 05:23 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-23 03:47 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-12-23 03:46 --------- d-----w c:\program files\MSXML 6.0
2008-12-23 02:16 --------- d-----w c:\documents and settings\David\Application Data\Malwarebytes
2008-12-23 02:16 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-23 01:55 --------- d-----w c:\program files\Microsoft IntelliType Pro
2008-12-23 01:49 --------- d-----w c:\program files\viewsonic
2008-12-23 01:48 --------- d-----w c:\documents and settings\David\Application Data\Leadertech
2008-12-23 01:42 --------- d-----w c:\program files\PokerStars.NET
2008-12-23 01:38 --------- d-----w c:\program files\Alwil Software
2008-12-22 19:26 --------- d-----w c:\program files\microsoft frontpage
2008-11-24 22:01 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-24 22:01 348,160 ----a-w c:\windows\system32\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Intel Physical Address Aventis 1.3"="c:\windows\wciactrl.exe" [2009-02-16 720896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-31 1601304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel Physical Address Aventis 1.3"="c:\windows\wciactrl.exe" [2009-02-16 720896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-31 11:36 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\David\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2008-06-10 12:56 1406024 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
--a------ 2009-01-14 16:11 399504 c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-07 15:20 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgcfgex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-06 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-06 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 298264]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2007-04-24 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Intel Physical Address Aventis 1.3]
c:\windows\wciactrl.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Donna\Application Data\Mozilla\Firefox\Profiles\p6nh53n7.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.ca
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 20:23:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-19 20:25:18
ComboFix-quarantined-files.txt 2009-02-20 04:25:14

Pre-Run: 12,533,223,424 bytes free
Post-Run: 12,522,487,808 bytes free

208 --- E O F --- 2008-12-23 05:18:39
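
The ComboFix log above is read by hand in this thread. As an added example (not code from the thread, from ComboFix, or from the Geeks to Go helpers), here is a small Python parser for the "Reg Loading Points" layout ComboFix prints (bracketed registry key, then `"name"="path" [date size]` lines, `dword:` values and firewall list lines), with a few generic triage checks a defender runs over such output: the same autostart binary registered under more than one hive, an autostart binary sitting directly in `c:\windows` rather than a system or program directory, Security Center override flags, and globally open firewall ports. The sample text is constructed from lines in the log above; the checks are heuristics chosen for this example, not a verdict on any entry in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in ComboFix's "Reg Loading Points" layout, assembled from
# lines of the log above. It is input for this added example only.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Intel Physical Address Aventis 1.3"="c:\windows\wciactrl.exe" [2009-02-16 720896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-31 1601304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel Physical Address Aventis 1.3"="c:\windows\wciactrl.exe" [2009-02-16 720896]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
'''

HEADER_RE = re.compile(r'^\[(.+)\]$')
# "name"="path" [YYYY-MM-DD size]
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]')
# "name"=dword:XXXXXXXX
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_loading_points(text):
    """Split the section into autostart entries, dword values and open-port names."""
    entries, dwords, ports = [], [], []
    key = None  # registry key the following lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"key": key, "name": m.group(1), "path": m.group(2),
                            "date": m.group(3), "size": int(m.group(4))})
            continue
        m = DWORD_RE.match(line)
        if m:
            dwords.append({"key": key, "name": m.group(1), "value": int(m.group(2), 16)})
            continue
        if key.lower().endswith("globallyopenports\\list"):
            # Port lines look like "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
            ports.append(line.split("=", 1)[0].strip('" '))
    return entries, dwords, ports


def triage(entries, dwords, ports):
    """Return human-readable review notes; these are heuristics, not verdicts."""
    findings = []
    by_path = defaultdict(set)
    for e in entries:
        by_path[e["path"].lower()].add(e["key"])
    for path, keys in by_path.items():
        if len(keys) > 1:
            findings.append(f"autostart registered under {len(keys)} hives: {path}")
        # A binary placed directly in the Windows root is unusual for a vendor autostart.
        if path.rsplit("\\", 1)[0] == "c:\\windows":
            findings.append(f"autostart binary located directly in c:\\windows: {path}")
    for d in dwords:
        if d["name"].lower().endswith("override") and d["value"] == 1:
            findings.append(f"Security Center {d['name']} is set (alerts suppressed)")
    for p in ports:
        findings.append(f"globally open firewall port: {p}")
    return findings


if __name__ == "__main__":
    for note in triage(*parse_loading_points(SAMPLE)):
        print(note)
```

Run on the sample, the script lists the `wciactrl.exe` entry twice (present in two hives and located in the Windows root), both Security Center overrides, and the 3389/TCP opening; each is a pointer for the reviewer to check, which is exactly what the helper does manually in this thread.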

#15 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,623
  • Joined: 19-November 07

Posted 19 February 2009 - 10:34 PM

Hi dolface755,

Seems we might have to look a bit deeper.

Download GMER from here:

http://www.gmer.net/files.php

Unzip it to the desktop.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
