TechSpot

Browser redirects on both Firefox/IE--please help

By harahap
Oct 16, 2011
    Hello. Long-time listener, first-time caller. Thank you for any help you can give. :)

    After clicking on links, my browser keeps redirecting to one site: [Redirect hyperlink deleted by Bobbye] and no other site. Have tried on both Firefox and IE, and both do the same thing.


    Malwarebytes Anti-Malware log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7955

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/16/2011 5:25:50 AM
    mbam-log-2011-10-16 (05-25-50).txt

    Scan type: Quick scan
    Objects scanned: 162467
    Time elapsed: 8 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-10-16 18:01:08
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.01.0
    Running: yxejrode.exe; Driver: C:\DOCUME~1\DR70BA~1.DAM\LOCALS~1\Temp\kfkcqpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF7B98738]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF7B987DC]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF7B98878]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF7B98914]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[380] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 1069E349 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[380] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 1069E2DB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[380] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104589A7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[380] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10458F65 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3812] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0121FAE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\Explorer.EXE[176] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001ED0] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
    IAT C:\WINDOWS\Explorer.EXE[176] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [10002A90] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
    IAT C:\WINDOWS\Explorer.EXE[176] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
    IAT C:\WINDOWS\Explorer.EXE[176] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CopyFileExW] [10001F40] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
    IAT C:\WINDOWS\Explorer.EXE[176] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002DE0] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Ntfs \Ntfs mwlPSDFilter.sys (PSD Filter Driver/Egis Incorporated.)
    AttachedDevice \FileSystem\Ntfs \Ntfs mwlPSDFilter.sys (PSD Filter Driver/Egis Incorporated.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    DDS DDS.txt log

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27
    Run by Dr. Damayanti at 18:07:13 on 2011-10-16
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.129 [GMT 7:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe
    C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\snuvcdsm.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    svchost.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\PROLiNK HSPA\UIExec.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Launch Manager\dsiwmis.exe
    C:\Program Files\Acer\Acer VCM\AcerVCM.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Acer\Acer VCM\RS_Service.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Modem AC2726i UI\bin\MonServiceUDisk.exe
    C:\Program Files\PROLiNK HSPA\AssistantServices.exe
    C:\Program Files\Acer\Acer Updater\UpdaterService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\EgisTec\MyWinLocker 3\x86\MWLService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
    uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
    mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
    mRun: [EgisTecLiveUpdate] "c:\program files\egistec egis software update\EgisUpdate.exe"
    mRun: [mwlDaemon] c:\program files\egistec\mywinlocker 3\x86\mwlDaemon.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [PLFSetL] c:\windows\PLFSetL.exe
    mRun: [SNUVCDSM] c:\windows\snuvcdsm.exe
    mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
    mRun: [LManager] c:\program files\launch manager\LManager.exe
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [UIExec] "c:\program files\prolink hspa\UIExec.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
    TCP: DhcpNameServer = 202.162.209.26 8.8.8.8
    TCP: Interfaces\{C6D488D4-BE42-446B-A4E9-A58521C81AE4} : DhcpNameServer = 202.162.209.26 8.8.8.8
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\dr. damayanti\application data\mozilla\firefox\profiles\lewd3wpu.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
    R1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\drivers\mwlPSDFilter.sys [2010-2-25 17840]
    R1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\drivers\mwlPSDNserv.sys [2010-2-25 15280]
    R1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\drivers\mwlPSDVDisk.sys [2010-2-25 58800]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2010-2-25 109648]
    R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2010-2-25 253952]
    R2 UDisk Monitor;UDisk Monitor;c:\program files\modem ac2726i ui\bin\MonServiceUDisk.exe [2010-7-19 266240]
    R2 UI Assistant Service;UI Assistant Service;c:\program files\prolink hspa\AssistantServices.exe [2011-8-21 252784]
    R2 Updater Service;Updater Service;c:\program files\acer\acer updater\UpdaterService.exe [2010-2-25 240160]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2010-2-25 45056]
    R3 MWLService;MyWinLocker Service;c:\program files\egistec\mywinlocker 3\x86\MWLService.exe [2009-9-10 305448]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-17 135664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-25 1691480]
    S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-2-25 112640]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-17 135664]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-6-22 100480]
    S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-8-21 9216]
    S3 PROLiNKusbdiag;PROLiNK DataCard Diagnostic Port;c:\windows\system32\drivers\PROLiNKusbdiag.sys [2011-8-21 107904]
    S3 PROLiNKusbmodem;PROLiNK DataCard Proprietary USB Driver;c:\windows\system32\drivers\PROLiNKusbmodem.sys [2011-8-21 107904]
    S3 PROLiNKusbnmea;PROLiNK DataCard NMEA Port;c:\windows\system32\drivers\PROLiNKusbnmea.sys [2011-8-21 107904]
    S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2010-7-19 104704]
    .
    =============== Created Last 30 ================
    .
    2011-10-16 11:05:33 607260 ------r- c:\program files\dds.scr
    2011-10-16 07:35:41 302592 ----a-w- c:\program files\yxejrode.exe
    2011-10-15 21:48:43 -------- d-----w- c:\documents and settings\dr. damayanti\application data\Malwarebytes
    2011-10-15 21:46:35 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-10-15 21:46:31 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-15 21:46:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-15 21:43:28 9852544 ----a-w- c:\program files\mbam-setup-1.51.2.1300.exe
    2011-10-15 20:05:58 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-10-15 20:05:58 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-22 05:25:01 -------- d-----w- c:\documents and settings\dr. damayanti\local settings\application data\Temp
    2011-09-20 14:54:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-20 14:54:20 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-09-20 14:54:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-20 14:16:12 -------- d-----w- c:\documents and settings\all users\application data\PopCap
    .
    ==================== Find3M ====================
    .
    2011-09-26 04:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 04:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 04:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-08-13 17:29:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ============= FINISH: 18:07:55.04 ===============


    DDS Attach.txt log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/10/2010 8:18:12 AM
    System Uptime: 10/16/2011 12:38:58 PM (6 hours ago)
    .
    Motherboard: Acer | | AO532h
    Processor: Intel(R) Atom(TM) CPU N450 @ 1.66GHz | CPU | 1662/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 138 GiB total, 118.344 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP70: 7/30/2011 10:36:31 AM - System Checkpoint
    RP71: 8/2/2011 3:22:46 PM - System Checkpoint
    RP72: 8/4/2011 1:17:30 AM - System Checkpoint
    RP73: 8/5/2011 5:30:07 AM - System Checkpoint
    RP74: 8/6/2011 10:26:02 PM - System Checkpoint
    RP75: 8/8/2011 2:15:43 PM - System Checkpoint
    RP76: 8/9/2011 4:02:46 PM - System Checkpoint
    RP77: 8/10/2011 10:52:13 AM - Software Distribution Service 3.0
    RP78: 8/11/2011 11:39:33 AM - System Checkpoint
    RP79: 8/15/2011 5:04:52 PM - System Checkpoint
    RP80: 8/16/2011 8:57:14 PM - System Checkpoint
    RP81: 8/18/2011 12:04:35 AM - System Checkpoint
    RP82: 8/21/2011 2:51:51 AM - Installed PROLiNK HSPA Modem
    RP83: 8/22/2011 8:04:11 PM - System Checkpoint
    RP84: 8/23/2011 8:40:28 PM - System Checkpoint
    RP85: 8/24/2011 3:16:45 PM - Software Distribution Service 3.0
    RP86: 8/25/2011 3:56:52 PM - System Checkpoint
    RP87: 8/26/2011 4:22:08 PM - System Checkpoint
    RP88: 8/27/2011 4:52:32 PM - System Checkpoint
    RP89: 8/28/2011 10:17:43 PM - System Checkpoint
    RP90: 8/30/2011 9:15:24 AM - System Checkpoint
    RP91: 8/31/2011 6:46:22 PM - System Checkpoint
    RP92: 9/2/2011 1:31:20 PM - System Checkpoint
    RP93: 9/3/2011 6:09:05 PM - System Checkpoint
    RP94: 9/5/2011 3:28:27 AM - System Checkpoint
    RP95: 9/6/2011 8:34:01 PM - System Checkpoint
    RP96: 9/7/2011 10:44:25 PM - System Checkpoint
    RP97: 9/8/2011 3:00:27 AM - Software Distribution Service 3.0
    RP98: 9/9/2011 3:08:31 PM - System Checkpoint
    RP99: 9/11/2011 12:15:08 AM - System Checkpoint
    RP100: 9/12/2011 7:39:56 AM - System Checkpoint
    RP101: 9/13/2011 8:03:58 AM - System Checkpoint
    RP102: 9/14/2011 4:34:49 PM - System Checkpoint
    RP103: 9/15/2011 9:20:37 PM - Restore Operation
    RP104: 9/17/2011 3:00:22 AM - Software Distribution Service 3.0
    RP105: 9/20/2011 9:53:43 PM - Installed Java(TM) 6 Update 27
    RP106: 9/22/2011 12:04:07 PM - Restore Operation
    RP107: 9/22/2011 12:21:33 PM - Restore Operation
    RP108: 9/24/2011 8:07:43 AM - System Checkpoint
    RP109: 9/26/2011 2:55:32 AM - System Checkpoint
    RP110: 9/27/2011 3:25:00 AM - System Checkpoint
    RP111: 9/28/2011 1:37:17 PM - System Checkpoint
    RP112: 9/28/2011 3:34:40 PM - Software Distribution Service 3.0
    RP113: 9/29/2011 4:04:50 PM - System Checkpoint
    RP114: 9/30/2011 5:59:10 PM - System Checkpoint
    RP115: 10/1/2011 6:18:04 PM - System Checkpoint
    RP116: 10/3/2011 12:33:43 AM - System Checkpoint
    RP117: 10/4/2011 2:47:13 AM - System Checkpoint
    RP118: 10/5/2011 3:16:55 AM - System Checkpoint
    RP119: 10/6/2011 11:28:25 AM - System Checkpoint
    RP120: 10/7/2011 3:58:11 PM - System Checkpoint
    RP121: 10/8/2011 5:11:29 PM - System Checkpoint
    RP122: 10/11/2011 7:22:31 PM - System Checkpoint
    RP123: 10/13/2011 2:21:59 AM - System Checkpoint
    RP124: 10/14/2011 3:00:23 AM - Software Distribution Service 3.0
    RP125: 10/15/2011 4:21:07 AM - System Checkpoint
    RP126: 10/16/2011 3:02:20 AM - Restore Operation
    RP127: 10/16/2011 12:00:12 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Acer Crystal Eye Webcam
    Acer eRecovery Management
    Acer GameZone Console
    Acer ScreenSaver
    Acer Updater
    Acer VCM
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.5 MUI
    Alice Greenfingers
    Amazonia
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    AVG 2011
    Chicken Invaders 2
    Compatibility Pack for the 2007 Office system
    Dairy Dash
    Dream Day First Home
    ENE USB Card Reader Driver
    eSobi v2
    Farm Frenzy 2
    First Class Flurry
    Google Toolbar for Internet Explorer
    Google Update Helper
    Granny In Paradise
    Heroes of Hellas
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB949764)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB969084)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB981793)
    Identity Card
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    Java Auto Updater
    Java(TM) 6 Update 27
    Junk Mail filter update
    Launch Manager
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Merriam Websters Spell Jam
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Mobile Partner
    Modem AC2726i UI
    Mozilla Firefox 7.0.1 (x86 en-US)
    MSVCRT
    MSXML 4.0 SP3 Parser (KB973685)
    MyWinLocker
    Nero 6 Ultra Edition
    PowerDVD
    PROLiNK HSPA Modem
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2483614)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Skype™ 5.5
    Synaptics Pointing Device Driver
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebCam
    WebFldrs XP
    WhiteSmoke
    WIDCOMM Bluetooth Software
    Winamp (remove only)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format Runtime
    Windows Media Player 10
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/9/2011 11:05:23 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 705AB6D7211A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    10/16/2011 4:30:36 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\wdmaud.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! Glad you decided to stop by- I'll help with the redirect and make your experience more positive.

    You will note I have deleted the link you left for the redirect. It's okay to leave the domain> like sunday.com, but leaving a link means someone else may click on it.
    ==========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
    =====================================
    My compliments for keeping such a good list of restore points! Allow me to ask about this to make sure: A System Restore was done>
    RP126: 10/16/2011 3:02:20 AM - Restore Operation
    Shortly after, you ran the Malwarebytes scan:
    mbam-log-2011-10-16 (05-25-50).txt10/16/2011 5:25:50 AM

    So it appears that the scans were run right after the restore- is that right? And you were still having the redirect after the restore?
    =====================================
    I see few entries to be removed, but we need to look further: Combofix won't run with AVG so it needs to be uninstalled temporarily:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==============================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the download link to get the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    Please post the entire log with heading resembling this:
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==================================
    Please leave these two logs in your next reply.
     
  3. harahap

    harahap TS Rookie Topic Starter

    Thanks for your prompt and caring attention! So sorry about the link--will keep to domain names, or just not post it at all.

    Yes, since this is my first ever experience with redirect virus/malware, I did a restore, hoping it would magically uninstall/go to a previous state of cleanliness... but the redirects are still happening. I've so far uninstalled AVG, and am trying to install Avast, but have hit a roadblock with a pop-up called "Windows Installer" that says: "The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the installation package vc_red.msi in the box below." [OK] [Cancel] [Use source: (path)] [Browse]

    I've left the installation open. I thought I should tell you this before I move on in the steps, in case it has something to do with the virus/malware.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You will have to be connected to the internet to install the AV.
     
  5. harahap

    harahap TS Rookie Topic Starter

    Hi, Bobbye. Thanks for taking the time to do this. Here are the two scan logs:


    ComboFix log

    ComboFix 11-10-15.04 - Dr. Damayanti 10/17/2011 1:34.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.461 [GMT 7:00]
    Running from: c:\documents and settings\Dr. Damayanti\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Dr. Damayanti\Local Settings\Temporary Internet Files\cookies.sqlite
    c:\program files\mbam-setup-1.51.2.1300.exe
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-16 17:58 . 2011-09-06 20:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-10-16 17:58 . 2011-09-06 20:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-10-16 17:58 . 2011-09-06 20:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-10-16 17:58 . 2011-09-06 20:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-10-16 17:58 . 2011-09-06 20:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-10-16 17:58 . 2011-09-06 20:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-10-16 17:58 . 2011-09-06 20:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-10-16 17:58 . 2011-09-06 20:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-10-16 16:24 . 2011-09-06 20:45 41184 ----a-w- c:\windows\avastSS.scr
    2011-10-16 16:24 . 2011-09-06 20:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-10-16 16:24 . 2011-10-16 16:24 -------- d-----w- c:\program files\AVAST Software
    2011-10-16 16:24 . 2011-10-16 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-10-16 15:21 . 2011-10-16 15:35 59854808 ----a-w- c:\program files\setup_av_free_cnet.exe
    2011-10-16 15:01 . 2011-10-16 15:03 8922408 ----a-w- c:\program files\AppRemover.exe
    2011-10-16 11:05 . 2011-10-16 11:05 607260 ------r- c:\program files\dds.scr
    2011-10-16 07:35 . 2011-10-16 07:35 302592 ----a-w- c:\program files\yxejrode.exe
    2011-10-15 21:48 . 2011-10-15 21:48 -------- d-----w- c:\documents and settings\Dr. Damayanti\Application Data\Malwarebytes
    2011-10-15 21:46 . 2011-10-15 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-10-15 21:46 . 2011-10-15 21:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-15 21:46 . 2011-08-31 10:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-15 20:05 . 2011-10-15 20:05 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-26 09:24 . 2011-09-26 09:24 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
    2011-09-22 05:25 . 2011-09-22 05:25 -------- d-----w- c:\windows\Sun
    2011-09-22 05:25 . 2011-09-22 05:25 -------- d-----w- c:\documents and settings\Dr. Damayanti\Local Settings\Application Data\Temp
    2011-09-22 05:24 . 2011-09-22 05:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2011-09-22 05:23 . 2011-09-22 05:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2011-09-20 14:55 . 2011-09-20 14:55 -------- d-----w- c:\program files\Common Files\Java
    2011-09-20 14:54 . 2011-09-20 14:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-20 14:54 . 2011-09-20 14:53 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-09-20 14:54 . 2011-09-20 14:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-20 14:53 . 2011-09-20 14:53 -------- d-----w- c:\program files\Java
    2011-09-20 14:16 . 2011-09-20 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-26 04:41 . 2010-02-25 09:22 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 04:41 . 2008-07-30 03:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 04:41 . 2010-02-25 09:22 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-09 09:12 . 2010-02-25 09:22 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20 . 2010-02-25 09:22 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2010-02-25 09:22 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2010-02-25 09:22 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2010-02-25 09:22 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2010-02-25 09:22 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49 . 2010-02-25 09:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-08-13 17:29 . 2011-05-30 04:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-01 04:06 . 2011-05-08 19:12 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2009-09-10 13:41 120104 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-28 141336]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-28 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-28 141336]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
    "RTHDCPL"="RTHDCPL.EXE" [2009-12-09 18789920]
    "AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2009-12-11 59936]
    "EgisTecLiveUpdate"="c:\program files\EgisTec Egis Software Update\EgisUpdate.exe" [2009-08-04 199464]
    "mwlDaemon"="c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-09-10 349480]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PLFSetL"="c:\windows\PLFSetL.exe" [2010-01-13 99712]
    "SNUVCDSM"="c:\windows\snuvcdsm.exe" [2010-01-13 30080]
    "snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2010-01-13 202112]
    "LManager"="c:\program files\Launch Manager\LManager.exe" [2009-12-11 1160272]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-23 1594664]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "UIExec"="c:\program files\PROLiNK HSPA\UIExec.exe" [2010-08-16 138584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2010-2-25 708608]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-26 607584]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/17/2011 12:58 AM 320856]
    R1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\drivers\mwlPSDFilter.sys [2/25/2010 6:30 PM 17840]
    R1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\drivers\mwlPSDNserv.sys [2/25/2010 6:30 PM 15280]
    R1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\drivers\mwlPSDVDisk.sys [2/25/2010 6:30 PM 58800]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/17/2011 12:58 AM 20568]
    R2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [2/25/2010 4:23 PM 109648]
    R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2/25/2010 6:41 PM 253952]
    R2 UI Assistant Service;UI Assistant Service;c:\program files\PROLiNK HSPA\AssistantServices.exe [8/21/2011 2:51 AM 252784]
    R2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2/25/2010 6:23 PM 240160]
    R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2/25/2010 4:23 PM 45056]
    R3 MWLService;MyWinLocker Service;c:\program files\EgisTec\MyWinLocker 3\x86\MWLService.exe [9/10/2009 8:42 PM 305448]
    S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10/17/2011 12:58 AM 442200]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/17/2011 2:56 AM 135664]
    S2 UDisk Monitor;UDisk Monitor;c:\program files\Modem AC2726i UI\bin\MonServiceUDisk.exe [7/19/2010 3:34 AM 266240]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/25/2010 5:57 PM 1691480]
    S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2/25/2010 4:22 PM 112640]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/17/2011 2:56 AM 135664]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [6/22/2010 5:40 AM 100480]
    S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [8/21/2011 2:52 AM 9216]
    S3 PROLiNKusbdiag;PROLiNK DataCard Diagnostic Port;c:\windows\system32\drivers\PROLiNKusbdiag.sys [8/21/2011 2:52 AM 107904]
    S3 PROLiNKusbmodem;PROLiNK DataCard Proprietary USB Driver;c:\windows\system32\drivers\PROLiNKusbmodem.sys [8/21/2011 2:52 AM 107904]
    S3 PROLiNKusbnmea;PROLiNK DataCard NMEA Port;c:\windows\system32\drivers\PROLiNKusbnmea.sys [8/21/2011 2:52 AM 107904]
    S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [7/19/2010 3:34 AM 104704]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - AAVMKER4
    *NewlyCreated* - ASWFSBLK
    *NewlyCreated* - ASWMON2
    *NewlyCreated* - ASWRDR
    *NewlyCreated* - ASWSP
    *NewlyCreated* - ASWTDI
    *NewlyCreated* - AVAST!_ANTIVIRUS
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-16 19:56]
    .
    2011-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-16 19:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 202.162.209.26 8.8.8.8
    FF - ProfilePath - c:\documents and settings\Dr. Damayanti\Application Data\Mozilla\Firefox\Profiles\lewd3wpu.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-17 01:43
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-10-17 01:46:09
    ComboFix-quarantined-files.txt 2011-10-16 18:46
    .
    Pre-Run: 127,394,316,288 bytes free
    Post-Run: 128,060,977,152 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - C77CEE81ED4B5C3A8EF45700767FD8B0


    ESET Scan log--n.b. I don't know how to get a log that looks like the one in the box you quoted. All it would give me is this list of 2 infected files.

    C:\Program Files\WhiteSmoke\WhiteSmokeRegistration.exe a variant of Win32/WhiteSmoke application
    C:\Program Files\WhiteSmoke\html\english\dictClientDic\index.html HTML/WhiteSmoke application
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Maybe Eset isn't coming up with the full log like it used to.

    WhiteSmoke, an English translator program and/or toolbar, is usually downloaded with another program without the user's permission or knowledge. In many cases, it has a TDSS rootkit with it.

    So first I'll have you remove the 2 entries Eset found, then follow with the rootkit scan, then a full scan with Mbam.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\Program Files\WhiteSmoke\WhiteSmokeRegistration.exe 
      C:\Program Files\WhiteSmoke\html\english\dictClientDic\index.html 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==============================================
    Please look in Add/Remove Programs and see if there is an entry for WhiteSmoke. If there is, please uninstall it.
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ================================================
    I noticed Combofix deleted the setup for Mbam: c:\program files\mbam-setup-1.51.2.1300.exe
    Did you use the link for this program in the steps? Did you download it through a file sharing/torrent site?
    So you may not be able to update and run a full scan. Please uninstall the Malwarebytes you have now and run the following> the difference is that you will be running a Full Scan instead of Quick Scan.

    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, make sure the Perform Full Scan option is selected and then click on the Scan button.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please paste this log with your reply.
      Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ==============================================
    Question: Do you know what this program is?
    2011-10-16 07:35:41 302592 ----a-w- c:\program files\yxejrode.exe
    Did you run the GMER scan?
     
  7. harahap

    harahap TS Rookie Topic Starter

    Okay, I've followed your steps exactly, and have removed Whitesmoke.

    The first time I downloaded MBAM and scanned, I accidentally closed the log in Notepad. I neglected to see that it kept the log, so thought I had to download it a second time, and scanned again. Does this maybe have anything to do with that log entry? I followed everything exactly, and did not get it from a sharing/torrent site.

    Yes, I did the GMER scan in the correct order. That .exe file is GMER, and the log is posted in my very first post in this thread.

    Here are the two logs you asked for:

    OTMoveIt log

    All processes killed
    ========== FILES ==========
    C:\Program Files\WhiteSmoke\WhiteSmokeRegistration.exe moved successfully.
    C:\Program Files\WhiteSmoke\html\english\dictClientDic\index.html moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 122946772 bytes
    ->Temporary Internet Files folder emptied: 216033 bytes
    ->Flash cache emptied: 396 bytes

    User: Dr. Damayanti
    ->Temp folder emptied: 5561556 bytes
    ->Temporary Internet Files folder emptied: 1226447 bytes
    ->Java cache emptied: 1 bytes
    ->FireFox cache emptied: 610935374 bytes
    ->Flash cache emptied: 33485 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 216301 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 707.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 10182011_232413


    MBAM log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7974

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/19/2011 1:21:45 AM
    mbam-log-2011-10-19 (01-21-44).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 215276
    Time elapsed: 59 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\dr. damayanti\Desktop\writers block\writer's block 3\writer_s_blocks3\writer's blocks3_\writer's.blocks.3-patch.exe (PUP.Hacktool.Patcher) -> Quarantined and deleted successfully.


    Is there anything else I need to do?
     
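A way to check logs like the MBAM one above mechanically, as an added example (this is not code from the thread, from Malwarebytes or from TechSpot): a small Python parser for the 1.x text-log layout quoted in this thread. It reads the "Section Infected: N" summary lines, collects each detection under its section, splits off the detection name's prefix (PUM for a settings modification, PUP for an unwanted program), records whether the line says the item was removed, and cross-checks the summary counts against the items actually listed. The sample log is constructed to mirror the thread's format; the registry value is the one quoted in the first post, the file path is made up.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage what it found.

Added example, not Malwarebytes' own code. Format assumptions come from the
logs quoted in this thread: summary lines "X Infected: N", section headers
"X Infected:", and detection lines "item (Category.Name) -> action".
"""
import re

# Constructed sample log (not a real scan), modelled on the thread's format.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7974

Scan type: Full scan (C:\|)
Objects scanned: 215276
Time elapsed: 59 minute(s), 35 second(s)

Memory Processes Infected: 0
Registry Data Items Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\examples\tool-patch.exe (PUP.Hacktool.Patcher) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# item = path or registry value, name = "Category.Family.Variant", detail = what MBAM did
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[A-Za-z0-9_.]+)\)(?: -> (?P<detail>.*))?$")

# Meaning of the detection-name prefixes seen in the thread (assumed descriptions).
PREFIX_MEANING = {
    "PUM": "potentially unwanted modification: a settings change, not a file",
    "PUP": "potentially unwanted program: cracks, patchers, adware and similar",
}


def parse_mbam_log(text):
    """Return (summary_counts, detections) from a 1.x log."""
    summary = {}
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                       # e.g. "Files Infected: 1"
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:                       # e.g. "Files Infected:" opens a detail block
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detail = m.group("detail") or ""
            detections.append({
                "section": section,
                "item": m.group("item"),
                "name": m.group("name"),
                "prefix": m.group("name").split(".")[0],
                "removed": "deleted successfully" in detail,
            })
    return summary, detections


def triage(summary, detections):
    """Group detections by prefix, list anything not removed, and check
    that every summary count matches the number of items listed for it."""
    report = {"consistent": True, "by_prefix": {}, "not_removed": []}
    counted = {}
    for d in detections:
        counted[d["section"]] = counted.get(d["section"], 0) + 1
        report["by_prefix"].setdefault(d["prefix"], []).append(d["name"])
        if not d["removed"]:
            report["not_removed"].append(d["item"])
    for section, n in summary.items():
        if counted.get(section, 0) != n:
            report["consistent"] = False   # log was truncated or edited
    return report


if __name__ == "__main__":
    s, dets = parse_mbam_log(SAMPLE_LOG)
    rep = triage(s, dets)
    for prefix, names in rep["by_prefix"].items():
        print(prefix, "-", PREFIX_MEANING.get(prefix, "unknown prefix"), ":", names)
    print("summary consistent with listed items:", rep["consistent"])
    print("items not removed:", rep["not_removed"])
```

The consistency check is the part worth keeping around: a log whose summary says "Files Infected: 1" but lists no file under that heading has been cut short, which is exactly the situation a helper wants to notice before deciding the machine is clean.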
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for delay! Lots of obstacles to overcome.

    About this entry I asked you about:
    2011-10-16 07:35 302592 ----a-w- c:\program files\yxejrode.exe
    While the GMER log shows this: Running: yxejrode.exe; Driver: C:\DOCUME~1\DR70BA~1.DAM\LOCALS~1\Temp\kfkcqpog.sys
    I thought it looked like it could be from GMER, but I've never seen it in Combofix running as the executable.
    ===================================
    As for this deletion: c:\program files\mbam-setup-1.51.2.1300.exe. Combofix does not usually remove a legitimate program setup.
    ==================================
    Eset is still not running clean.
    c:\documents and settings\dr. damayanti\Desktop\writers block\writer's block 3\writer_s_blocks3\writer's blocks3_\writer's.blocks.3-patch.exe (PUP.Hacktool.Patcher)
    -------------------
    HackTool:Win32/Patch.A is a generic detection for a series of hacking tools intended to "patch" programs that may be evaluation copies, or unregistered versions with limited features.
    -----------------
    This program has been pirated: Writer's Block 3. A free trial was offered for this $150 program, but a pirated key or license was used.

    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
     
  9. harahap

    harahap TS Rookie Topic Starter

    Oh, that's fine. I'm just grateful you're willing to help.

    I got this netbook as a hand-me-down from someone, and don't really need anything beside an internet browser and MS Word. So I don't care that we had to get rid of Whitesmoke, and if we have to do the same with whatever this pirated "Writer's Block" is or any other programs to clean it up.

    Okay, this is what it came up with:

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\zuma\zuma.deluxe.1.0.crack.exe
    scanner sequence 3.AP.11.NLNABV
    ----- EOF -----
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Zuma Deluxe offers a short free trial. The cost to buy the program is $7. Instead of paying the purchase price, a torrent site was visited to get a key or license number. This is piracy.

    The netbook and everything on it is now your responsibility. With piracy and file sharing, you get malware.

    Please remove the pirated programs and downloads. This includes uninstalling in Add/Remove Programs, deleting Program folders, and cleaning the temporary internet files and Cookies.

    When that has been completed, we'll see what malware is left. The following might help you understand what you are exposed to:

    P2P or 'file sharing' Warning:
    Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
     
