Inactive Firefox malware homepage redirect


ayumist

Hi!

For a couple of months now, my Firefox homepage (originally Google) has been redirected to " http://www.2345dotcom/?ab99 ".
However, when I checked the internet options in Firefox, the web address still shows as Google.

I have updated my antivirus, but it does not seem to detect the malware.

Moreover, I have noticed that my Firefox browser often hangs when the small browser window appears as I try to download files.
I ran Malwarebytes just before stumbling upon this site, but the problem persists.

I would greatly appreciate any help given. Thanks in advance!!

I followed the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions and posted the logs below:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6173

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

26/3/2011 1:43:39 PM
mbam-log-2011-03-26 (13-43-39).txt

Scan type: Quick scan
Objects scanned: 148674
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-26 15:25:05
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0002
Running: so5fbjuo.exe; Driver: C:\Users\DUCKIE~1\AppData\Local\Temp\axliqaog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA4BC8780]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA4BC8830]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA4BC88D0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA4BC8970]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 820B9B74 4 Bytes [80, 87, BC, A4]
.text ntkrnlpa.exe!KeSetEvent + 621 820B9DA4 8 Bytes [30, 88, BC, A4, D0, 88, BC, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 820B9E04 4 Bytes [70, 89, BC, A4]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3596] kernel32.dll!SetUnhandledExceptionFilter 75E3A84F 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AsDsm.sys (Data Security Manager Driver/ASUSTek Computer Inc)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d60c5c31d
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002243cbba22
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001d60c5c31d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002243cbba22 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes

---- EOF - GMER 1.0.15 ----



.
DDS (Ver_11-03-05.01) - NTFSx86
Run by duckieblues at 15:32:54.36 on Sat 26/03/2011
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3070.2032 [GMT 8:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Program Files\ASUS\ATK Hotkey\ASLDRSrv.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ASUS\ATK Hotkey\HControl.exe
C:\Program Files\ASUS\Wireless Console 3\wcourier.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Windows\Explorer.EXE
C:\Program files\P4G\BatteryLife.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\SmartLogon\sensorsrv.exe
C:\Windows\System32\ACEngSvr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files\ASUS\ATK Hotkey\WDC.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\ASUS\ASUS Data Security Manager\ADSMTray.exe
C:\Windows\AsScrPro.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\duckieblues\Desktop\OOOO\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.sg/
uDefault_Page_URL = hxxp://asus.msn.com
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: IE2EMBHO Class: {0a0ddbd3-6641-40b9-873f-bbdd26d6c14e} - c:\program files\easymule\modules\IE2EM.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SRS Premium Sound] "c:\program files\srs labs\srs premium sound\SRSPremiumSoundBig_Small.exe" /hideme
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Microsoft Pinyin IME Migration] c:\progra~1\common~1\micros~1\ime12\imesc\IMSCMIG.EXE /INSTALL
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [ATKOSD2] c:\program files\asus\atkosd2\ATKOSD2.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Wireless Console 3] c:\program files\asus\wireless console 3\wcourier.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMedia.exe
mRun: [ADSMTray] c:\program files\asus\asus data security manager\ADSMTray.exe
mRun: [ACMON] c:\program files\asus\splendid\ACMON.exe
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\fancys~1.lnk - c:\windows\installer\{a9feb6d7-9c52-49fc-b956-7ab275b78890}\_5598CE641C54B66A23693F.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download by easyMule - c:\program files\easymule\IE2EM.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
LSA: Notification Packages = scecli c:\program files\asus\asus data security manager\ASPWDFLT
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\duckie~1\appdata\roaming\mozilla\firefox\profiles\b9b3x8yr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/advanced_search?hl=en
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\users\duckieblues\appdata\roaming\mozilla\firefox\profiles\b9b3x8yr.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: AVG Security Toolbar em:version=6.103.018.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
FF - Ext: 1-Click YouTube Video Downloader: YoutubeDownloader@PeterOlayev.com - %profile%\extensions\YoutubeDownloader@PeterOlayev.com
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 SRS_VolSync_Service;SRS Volume Sync Service;c:\program files\srs labs\srs premium sound\SRS_VolSync.exe [2009-4-8 70880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2009-4-21 90112]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C60x86.sys [2009-4-1 50176]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-1-22 52768]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-8-23 233128]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-11-27 517448]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-8-23 29736]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [2008-4-7 6656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-26 05:28:04 -------- d-----w- c:\users\duckie~1\appdata\roaming\StoryView
2011-03-26 05:28:03 -------- d-----w- c:\program files\StoryViewSE
2011-03-24 18:01:35 -------- d-----w- c:\users\duckie~1\appdata\roaming\Malwarebytes
2011-03-24 18:01:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 18:01:29 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-24 18:01:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-24 18:01:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-23 21:50:42 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 21:50:42 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 21:50:42 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 21:50:31 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-23 21:50:31 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-23 21:50:31 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-23 21:50:31 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-23 21:50:18 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-23 21:50:18 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-23 19:51:10 -------- d-----w- c:\users\duckie~1\appdata\roaming\AVG
2011-03-23 17:30:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-23 17:30:35 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-03-12 04:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-12 04:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-03-05 19:16:53 -------- d-----w- c:\progra~2\PopCap Games
.
==================== Find3M ====================
.
2011-03-26 07:28:00 45056 ----a-w- c:\windows\system32\acovcnt.exe
2011-02-09 14:26:39 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-02-09 14:26:39 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
.
============= FINISH: 15:33:33.63 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 23/8/2009 7:02:33 PM
System Uptime: 26/3/2011 3:26:23 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer Inc. | | U50Vg
Processor: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz | Socket 478 | 2534/267mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 101.348 GiB free.
D: is FIXED (NTFS) - 221 GiB total, 211.136 GiB free.
E: is CDROM ()
G: is FIXED (NTFS) - 932 GiB total, 172.764 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
???? 2.4.9
2007 Microsoft Office system
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.3
Apple Application Support
Apple Software Update
ASUS AI Recovery
ASUS Data Security Manager
ASUS FancyStart
ASUS LifeFrame3
ASUS Live Update
ASUS MultiFrame
ASUS Power4Gear Hybrid
ASUS SmartLogon
ASUS Splendid Video Enhancement Technology
ASUS Virtual Camera
Asus_U_Series_ScreenSaver
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
ATK Generic Function Service
ATK Hotkey
ATK Media
ATKOSD2
AVG 2011
AVG PC Tuneup 2011
Beauty Factory (remove only)
BitTorrent
CCleaner
Content Transfer
CyberLink LabelPrint
CyberLink Power2Go
D3DX10
ETDWare PS/2-x86 7.0.5.3 WHQL
Express Gate
ffdshow [rev 3200] [2010-01-12]
FLVPlayer4Free Free FLV Player 3.8.0.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java(TM) 6 Update 24
Malwarebytes' Anti-Malware
Media Manager for WALKMAN 1.2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (Chinese (Simplified)) 2007
Microsoft Office Access MUI (Chinese (Traditional)) 2007
Microsoft Office Access MUI (English) 2007
Microsoft Office Access MUI (French) 2007
Microsoft Office Access MUI (Spanish) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel 2007 Help ¸üР(KB963678)
Microsoft Office Excel 2007 Help Actualización (KB963678)
Microsoft Office Excel 2007 Help §ó·sµ{¦¡ (KB963678)
Microsoft Office Excel MUI (Chinese (Simplified)) 2007
Microsoft Office Excel MUI (Chinese (Traditional)) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (French) 2007
Microsoft Office Excel MUI (Spanish) 2007
Microsoft Office Home and Student 2007
Microsoft Office IME (Chinese (Simplified)) 2007
Microsoft Office IME (Chinese (Traditional)) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook 2007 Help ¸üР(KB963677)
Microsoft Office Outlook 2007 Help Actualización (KB963677)
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (Chinese (Simplified)) 2007
Microsoft Office Outlook MUI (Chinese (Traditional)) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Outlook MUI (French) 2007
Microsoft Office Outlook MUI (Spanish) 2007
Microsoft Office Powerpoint 2007 Help ¸üР(KB963669)
Microsoft Office Powerpoint 2007 Help Actualización (KB963669)
Microsoft Office Powerpoint 2007 Help §ó·sµ{¦¡ (KB963669)
Microsoft Office PowerPoint MUI (Chinese (Simplified)) 2007
Microsoft Office PowerPoint MUI (Chinese (Traditional)) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (French) 2007
Microsoft Office PowerPoint MUI (Spanish) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (Chinese (Simplified)) 2007
Microsoft Office Proof (Chinese (Traditional)) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (Chinese (Simplified)) 2007
Microsoft Office Proofing (Chinese (Traditional)) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (French) 2007
Microsoft Office Proofing (Spanish) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (Chinese (Simplified)) 2007
Microsoft Office Publisher MUI (Chinese (Traditional)) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Publisher MUI (French) 2007
Microsoft Office Publisher MUI (Spanish) 2007
Microsoft Office Shared MUI (Chinese (Simplified)) 2007
Microsoft Office Shared MUI (Chinese (Traditional)) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (French) 2007
Microsoft Office Shared MUI (Spanish) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007 Help ¸üР(KB963665)
Microsoft Office Word 2007 Help Actualización (KB963665)
Microsoft Office Word 2007 Help §ó·sµ{¦¡ (KB963665)
Microsoft Office Word MUI (Chinese (Simplified)) 2007
Microsoft Office Word MUI (Chinese (Traditional)) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (French) 2007
Microsoft Office Word MUI (Spanish) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mise à jour Microsoft Office Excel 2007 Help (KB963678)
Mise à jour Microsoft Office Outlook 2007 Help (KB963677)
Mise à jour Microsoft Office Powerpoint 2007 Help (KB963669)
Mise à jour Microsoft Office Word 2007 Help (KB963665)
Mozilla Firefox (3.6)
MSVCRT
Multimedia Card Reader
Norton Internet Security
NVIDIA Drivers
Orbit Downloader
Picasa 3
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
SRS Premium Sound
StoryView SE
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2508979)
USB 2.0 1.3M UVC WebCam
VLC media player 1.0.3
WIDCOMM Bluetooth Software
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinFlash
WinRAR archiver
Wireless Console 3
.
==== End Of File ===========================
 
Welcome to TechSpot! I'll help you sort out the problems: Thank you for removing the hyperlink!

I'd like to make you aware of potentially bad programs or sites:
1. Easy Mule downloader: It is from a site that has this McAfee Warning: verycd.com
McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.
2. Orbit Downloader: Orbit Downloader is an advertising-supported product since it may change the web browser's homepage upon installation and also offers to install software that is not critical for its operation.
======================================
You still have Norton Internet Security. Even though you may be using a different security program now, it should be removed: Please run this Norton Removal Tool
Reboot the computer when finished.
======================================
While I finish checking these logs, please run the following:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
================================================
Note - Due to recent changes in how AVG targets the Combofix internal tools, it must be uninstalled before running ComboFix.
Download AppRemover and save to the desktop
How to Use AppRemover to Remove a Complete Security Application
  1. Double click the setup on the desktop> click Next
  2. Select "Remove Security Application"
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    (image: chooseuninstall.gif)
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.
=====================================
Temporary AV:
Avira-AntiVir-Personal-Free-Antivirus: http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914
Avast Free Version: http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button
=======================================
Download Combofix from HERE (http://www.bleepingcomputer.com/download/anti-virus/combofix) or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  1. Double click combofix.exe & follow the prompts.
  2. ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  3. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  4. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (image: http://img.photobucket.com/albums/v706/ried7/whatnext.png)
  5. Click on Yes, to continue scanning for malware
  6. If Combofix asks you to update the program, allow
  7. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  8. Close any open browsers.
  9. Double click combofix.exe & follow the prompts to run.
  10. When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Hi Bobbye,

Thanks so much for your help! :)

Can I also check with you if it is safe to just "uninstall programs" for Orbit Downloader and easymule? Or do I need a special software to purge them?

I forgot to mention in the first post that my IE was hijacked by the same website. Sorry :eek: it totally slipped my mind as I have not been using IE for months now.

Thanks again!


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=0702bc48294c4243b9b7b1976f9bffc5
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-26 07:11:33
# local_time=2011-03-27 03:11:33 (+0800, Malay Peninsula Standard Time)
# country="Singapore"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1032 16777213 100 96 23846 44476497 0 0
# compatibility_mode=5378 16777214 0 8 23418880 23418880 0 0
# compatibility_mode=5892 16776574 100 100 10298576 138690033 0 0
# compatibility_mode=8192 67108863 100 0 926 926 0 0
# scanned=353870
# found=4
# cleaned=0
# scan_time=5788
C:\Users\duckieblues\Favorites\¾«Æ·ÍøÖ·µ¼º½.url Win32/TrojanClicker.BHO.NBH trojan (unable to clean) 00000000000000000000000000000000 I
G:\bks\YUAN CHUANG\New Folder (2)\WretchXD.exe a variant of Win32/WretchXD.AA application (unable to clean) 00000000000000000000000000000000 I
G:\OVA\MOVIES\ENG (H - P)\Julie and Julia 2009.avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
G:\OVA\MOVIES\ENG (Q - Z)\The Time Travelers Wife 2009.avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I



ComboFix 11-03-26.01 - duckieblues 27/03/2011 3:53.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3070.2235 [GMT 8:00]
Running from: c:\users\duckieblues\Desktop\OOOO\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\ime\SPTIPIME.ini
c:\windows\ime\SPTIPIMERS.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-02-26 to 2011-03-26 )))))))))))))))))))))))))))))))
.
.
2011-03-26 19:58 . 2011-03-26 19:58 -------- d-----w- c:\users\duckieblues\AppData\Local\temp
2011-03-26 19:58 . 2011-03-26 19:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-26 17:19 . 2011-03-26 17:19 -------- d-----w- c:\program files\ESET
2011-03-26 05:28 . 2011-03-26 05:28 -------- d-----w- c:\users\duckieblues\AppData\Roaming\StoryView
2011-03-26 05:28 . 2011-03-26 05:28 -------- d-----w- c:\program files\StoryViewSE
2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\users\duckieblues\AppData\Roaming\Malwarebytes
2011-03-24 18:01 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\programdata\Malwarebytes
2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-24 18:01 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 21:50 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 21:50 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 21:50 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 21:50 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-23 21:50 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-23 21:50 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-23 21:50 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-23 21:50 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-23 21:50 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-23 19:51 . 2011-03-23 20:15 -------- d-----w- c:\users\duckieblues\AppData\Roaming\AVG
2011-03-23 17:31 . 2011-03-23 17:31 -------- d-----w- c:\program files\Common Files\Java
2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-23 17:27 . 2011-03-23 17:27 -------- d-----w- c:\programdata\McAfee
2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-05 19:16 . 2011-03-05 19:16 -------- d-----w- c:\programdata\PopCap Games
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-26 19:48 . 2009-09-21 08:01 45056 ----a-w- c:\windows\system32\acovcnt.exe
2011-02-09 14:26 . 2011-02-09 14:26 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-02-09 14:26 . 2011-02-09 14:26 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-20 16:37 . 2011-02-09 17:01 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 17:01 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 17:01 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 17:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 17:01 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-09 17:01 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-09 17:01 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 17:01 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 17:01 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 17:01 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 17:01 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 17:01 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 17:01 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 17:01 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 17:01 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 17:01 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 17:01 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 17:01 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 17:01 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 17:01 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 17:01 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 17:01 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 17:01 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 17:01 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 17:01 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47 . 2011-02-09 16:51 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 16:51 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-09 17:02 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55 . 2011-01-12 15:35 413696 ----a-w- c:\windows\system32\odbc32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
2009-09-07 08:36 147928 ----a-w- c:\program files\easyMule\modules\IE2EM.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 00:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-22 4240760]
"SRS Premium Sound"="c:\program files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe" [2009-04-07 3405048]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-19 104936]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-04-21 540576]
"ATKOSD2"="c:\program files\ASUS\ATKOSD2\ATKOSD2.exe" [2009-03-04 8392704]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-14 7416352]
"Wireless Console 3"="c:\program files\ASUS\Wireless Console 3\wcourier.exe" [2009-04-17 1593344]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2009-04-20 159744]
"ADSMTray"="c:\program files\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2008-04-01 266240]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2008-10-01 851968]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-08-23 3054136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-09 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-01 13789728]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-30 752168]
FancyStart daemon.lnk - c:\windows\Installer\{A9FEB6D7-9C52-49FC-B956-7AB275B78890}\_5598CE641C54B66A23693F.exe [2009-8-23 12862]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3804174097-2789128879-451939437-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
R3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\DRIVERS\CRFILTER.sys [2008-04-07 6656]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 SRS_VolSync_Service;SRS Volume Sync Service;c:\program files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe [2009-04-07 70880]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2009-04-21 90112]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-04-01 50176]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-16 3668480]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-01-22 52768]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\srs_PremiumSound_i386.sys [2009-04-01 233128]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sg/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download by easyMule - c:\program files\easyMule\IE2EM.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\duckieblues\AppData\Roaming\Mozilla\Firefox\Profiles\b9b3x8yr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/advanced_search?hl=en
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
FF - Ext: 1-Click YouTube Video Downloader: YoutubeDownloader@PeterOlayev.com - %profile%\extensions\YoutubeDownloader@PeterOlayev.com
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1 - c:\program files\AVG\AVG PC Tuneup 2011\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-27 03:58
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sidebar = c:\program files\Windows Sidebar\sidebar.exe /autoRun?????????????????????????? ??????4???????????????????????????4???????????????
.
scanning hidden files ...
.
.
C:\ADSM_PData_0150
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(688)
c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
.
Completion time: 2011-03-27 04:00:09
ComboFix-quarantined-files.txt 2011-03-26 20:00
.
Pre-Run: 108,564,758,528 bytes free
Post-Run: 108,531,810,304 bytes free
.
- - End Of File - - 5557447A8A12ECAF2E919FE9C62FDA58
 
Go ahead and run this for the Eset entries. I'm going to take a lunch break and will go over the Combofix log when I get back. You have an infected URL saved in your Favorites. If you can recognize this site, I recommend you delete it:
C:\Users\duckieblues\Favorites\¾«Æ·ÍøÖ·µ¼º½.url

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files
    C:\Users\duckieblues\Favorites\¾«Æ·ÍøÖ·µ¼º½.url
    G:\bks\YUAN CHUANG\New Folder (2)\WretchXD.exe
    G:\OVA\MOVIES\ENG (H - P)\Julie and Julia 2009.avi
    G:\OVA\MOVIES\ENG (Q - Z)\The Time Travelers Wife 2009.avi
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red MoveIt! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===================================
Two of the infected files have an avi file extension:
Description: Primary association: Audio Video Interleave File
File classification: Video
Mime type: video/avi, video/msvideo, video/x-msvideo, image/avi, video/xmpg2, application/x-troff-msvideo, audio/aiff, audio/avi
Program ID: AnimationShop3.Animation, ati_mfplay, avifile, Cliprex Video File, Frigate3.view, IrfanView.AVI, MPlayer, NeroMediaPlayer.File, Winamp.File, QuickTime.avi, RealPlayer.AVI.6, SlowView AVI

My guess- and that's all it is- is that these files may have come from a torrent/file sharing site

And if Drive G is a flash drive, we will need to disinfect it, so let me know.
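An added example, not from this thread or from ESET's or OldTimer's tools: it parses an ESET Online Scanner log in the format posted above and builds the OTMoveIt ':Files' block from the 'unable to clean' entries, so the paths are copied rather than re-typed by hand. The sample log and its paths are constructed, and the third line's disposition text is an assumption used only to show that cleaned items are filtered out.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the ESET Online Scanner log posted above:
# '# key=value' header lines, then one detection per line ending in a 32-hex
# hash and a flag. Paths are made up; the third line's "(cleaned)" disposition
# is an assumption used only to exercise the filter.
SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=353870
# found=3
# cleaned=0
C:\\Users\\example\\Favorites\\example.url Win32/TrojanClicker.BHO.NBH trojan (unable to clean) 00000000000000000000000000000000 I
G:\\bks\\New Folder (2)\\WretchXD.exe a variant of Win32/WretchXD.AA application (unable to clean) 00000000000000000000000000000000 I
G:\\OVA\\ENG (H - P)\\Julie and Julia 2009.avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) 00000000000000000000000000000000 C
"""

# path (may contain spaces and parentheses), threat name, (disposition), hash, flag
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:a variant of )?[A-Za-z0-9]+/\S+ \w+) "
    r"\((?P<disposition>[^)]*)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    threat: str
    disposition: str
    flag: str


@dataclass
class EsetLog:
    header: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)
    unparsed: list = field(default_factory=list)   # lines the regex rejected


def parse_eset_log(text):
    """Split the log into header key/values and Detection records."""
    log = EsetLog()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                log.header[key] = value      # repeated keys: last one wins
            continue
        m = DETECTION_RE.match(line)
        if m:
            log.detections.append(Detection(m["path"], m["threat"],
                                            m["disposition"], m["flag"]))
        else:
            log.unparsed.append(line)        # kept so nothing is silently dropped
    return log


def header_consistent(log):
    """True when the '# found=' count matches the parsed detections and nothing
    was left unparsed; a mismatch means a line was mangled when pasted."""
    found = int(log.header.get("found", "-1"))
    return found == len(log.detections) and not log.unparsed


def uncleaned(log):
    """Detections ESET reported but could not remove (the ones OTMoveIt handles)."""
    return [d for d in log.detections if d.disposition == "unable to clean"]


def build_otmoveit_script(log, reboot=True):
    """Emit the OTMoveIt script in the shape used in the thread: ':Files' listing
    every uncleaned path, then the ':Commands' block."""
    lines = [":Files"]
    lines.extend(d.path for d in uncleaned(log))
    lines.append(":Commands")
    lines.extend(["[purity]", "[emptytemp]", "[start explorer]"])
    if reboot:
        lines.append("[Reboot]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_eset_log(SAMPLE_LOG)
    print("header consistent:", header_consistent(parsed))
    print(build_otmoveit_script(parsed))
```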
 
Hi Bobbye,
Thanks heaps for your reply!

Drive G is an external hard disk drive.

I have found and deleted the URLs in C:\Users\duckieblues.


========== FILES ==========
File/Folder C:\Users\duckieblues\Favorites\¾«Æ·ÍøÖ·µ¼º½.url not found.
G:\bks\YUAN CHUANG\New Folder (2)\WretchXD.exe moved successfully.
G:\OVA\MOVIES\ENG (H - P)\Julie and Julia 2009.avi moved successfully.
File/Folder G:\OVA\MOVIES\ENG (Q - Z)\The Time Travelers Wife 2009.avi not found.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.17.2 log created on 03292011_025734



Thanks!
 
Internet went down-again yesterday. Sorry.

You will need to disinfect the external drive. It's movable hardware and you should be able to use the following:
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
"uninstall programs" for Orbit Downloader and easymule?
Yes, go ahead and do this now. When I set up the script for you to run through Combofix, I'll include any entries that are 'left over', but I don't want to do that before you uninstall as I might damage their uninstaller. See if the program has its own uninstall first> if it does, use that. If it does not, uninstall in Add/Remove Programs.
====================
Do you plan to reinstall AVG when we finish? Did you put either Avast or Avira on the system to protect it while AVG is off?
 
No worries! I understand how inconvenient it must be without internet access.

Unfortunately, I had a few issues this time:

1. I downloaded the program Flash_Disinfector.exe (129KB?) and hit the run button.
However, nothing happens. No prompts or anything appears. I thought it might be running in the background so I left my computer running for about half an hour while I accessed some txt files. Still nothing happens.
Am I doing anything wrong? How do I check if the program is functioning?

2. I have uninstalled Orbit Downloader. However, my siblings still have some files downloading on Emule and they have requested that I remove it at a later period. Is that okay?

3. Yes, I plan to reinstall AVG.

4. Did you put either Avast or Avira on the system to protect it while AVG is off?
Well to be honest :eek: I only remembered after you asked... so I have just installed Avira. Do I have to remove it when I reinstall AVG again?

I forgot to mention that after I finished with OTMoveIt3.exe, I had desktop.ini, $RECYCLE.BIN, System Volume Information, ASUS.DAT folders appearing on both C drive and the flash drive. The icons are lighter in appearance compared to the "normal" ones. Is that a cause for concern?

And finally thanks for all your assistance thus far.
 
You're welcome. I'm going to try and get you going before I shut down. There is a tornado watch with a squall line coming through and I'll have to shut down.

Keep Emule- tell kids to be careful.

For this:
I forgot to mention that after I finished with OTMoveIt3.exe, I had desktop.ini, $RECYCLE.BIN, System Volume Information, ASUS.DAT folders appearing on both C drive and the flash drive. The icons are lighter in appearance compared to the "normal" ones. Is that a cause for concern?

Easy fix: you have the hidden files and folders showing:
Rehide Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Uncheck Show hidden files and folders.
  • Check Hide extensions of known file types.
  • Check Hide protected operating system files (Recommended).
  • Click OK.
  • Close My Computer.
That should remove the icons from the desktop.
=======================================
I'll have to check on the flash program- have had a few complaints of nothing happening.
NOTE: I will be able to reset the homepage with script you'll run through Combofix.
=======================================
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
Folder::
c:\programdata\McAfee
DDS::
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
Registry::
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sidebar = c:\program files\Windows Sidebar\sidebar.exe /autoRun?????????????????????????? ??????4???????????????????????????4???????????????
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Remove the Orbit entries, left EMule.
How is system now?
 
Whoa! Sounds serious. Do you have these warnings often? Hope you remain safe!

1. Rehide Hidden Folders/Files
All settled! Thanks for the tip!

2.

ComboFix 11-03-26.01 - duckieblues 31/03/2011 4:49.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3070.1905 [GMT 8:00]
Running from: c:\users\duckieblues\Desktop\OOOO\ComboFix.exe
Command switches used :: c:\users\duckieblues\Desktop\OOOO\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\McAfee
c:\programdata\McAfee\MCLOGS\Common\MsiExec\MsiExec000.log
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
.
.
2011-03-30 20:53 . 2011-03-30 20:54 -------- d-----w- c:\users\duckieblues\AppData\Local\temp
2011-03-30 20:53 . 2011-03-30 20:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-30 18:15 . 2011-03-04 08:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-30 18:15 . 2011-03-04 06:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-30 18:15 . 2011-03-30 18:15 -------- d-----w- c:\programdata\Avira
2011-03-30 18:15 . 2011-03-30 18:15 -------- d-----w- c:\program files\Avira
2011-03-30 17:56 . 2011-03-30 17:56 -------- d-----w- c:\users\duckieblues\AppData\Local\{0038B2DE-80CA-4041-94E7-FF82E80A5546}
2011-03-28 18:57 . 2011-03-28 18:57 -------- d-----w- C:\_OTM
2011-03-26 17:19 . 2011-03-26 17:19 -------- d-----w- c:\program files\ESET
2011-03-26 05:28 . 2011-03-27 04:25 -------- d-----w- c:\users\duckieblues\AppData\Roaming\StoryView
2011-03-26 05:28 . 2011-03-26 05:28 -------- d-----w- c:\program files\StoryViewSE
2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\users\duckieblues\AppData\Roaming\Malwarebytes
2011-03-24 18:01 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\programdata\Malwarebytes
2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-24 18:01 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 21:50 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 21:50 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 21:50 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 21:50 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-23 21:50 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-23 21:50 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-23 21:50 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-23 21:50 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-23 21:50 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-23 19:51 . 2011-03-23 20:15 -------- d-----w- c:\users\duckieblues\AppData\Roaming\AVG
2011-03-23 17:31 . 2011-03-23 17:31 -------- d-----w- c:\program files\Common Files\Java
2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-05 19:16 . 2011-03-05 19:16 -------- d-----w- c:\programdata\PopCap Games
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-27 12:57 . 2010-06-24 03:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-26 19:48 . 2009-09-21 08:01 45056 ----a-w- c:\windows\system32\acovcnt.exe
2011-02-09 14:26 . 2011-02-09 14:26 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-02-09 14:26 . 2011-02-09 14:26 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-20 16:37 . 2011-02-09 17:01 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 17:01 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 17:01 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 17:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 17:01 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-09 17:01 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-09 17:01 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 17:01 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 17:01 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 17:01 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 17:01 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 17:01 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 17:01 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 17:01 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 17:01 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 17:01 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 17:01 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 17:01 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 17:01 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 17:01 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 17:01 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 17:01 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 17:01 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 17:01 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 17:01 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47 . 2011-02-09 16:51 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 16:51 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-09 17:02 2039808 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
2009-09-07 08:36 147928 ----a-w- c:\program files\easyMule\modules\IE2EM.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 00:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
"SRS Premium Sound"="c:\program files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe" [2009-04-07 3405048]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-19 104936]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-04-21 540576]
"ATKOSD2"="c:\program files\ASUS\ATKOSD2\ATKOSD2.exe" [2009-03-04 8392704]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-14 7416352]
"Wireless Console 3"="c:\program files\ASUS\Wireless Console 3\wcourier.exe" [2009-04-17 1593344]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2009-04-20 159744]
"ADSMTray"="c:\program files\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2008-04-01 266240]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2008-10-01 851968]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-08-23 3054136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-09 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-01 13789728]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-30 752168]
FancyStart daemon.lnk - c:\windows\Installer\{A9FEB6D7-9C52-49FC-B956-7AB275B78890}\_5598CE641C54B66A23693F.exe [2009-8-23 12862]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3804174097-2789128879-451939437-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
R3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\DRIVERS\CRFILTER.sys [2008-04-07 6656]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
S2 SRS_VolSync_Service;SRS Volume Sync Service;c:\program files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe [2009-04-07 70880]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2009-04-21 90112]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-04-01 50176]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-16 3668480]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-01-22 52768]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\srs_PremiumSound_i386.sys [2009-04-01 233128]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sg/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download by easyMule - c:\program files\easyMule\IE2EM.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\duckieblues\AppData\Roaming\Mozilla\Firefox\Profiles\b9b3x8yr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/advanced_search?hl=en
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
FF - Ext: 1-Click YouTube Video Downloader: YoutubeDownloader@PeterOlayev.com - %profile%\extensions\YoutubeDownloader@PeterOlayev.com
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-31 04:54
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sidebar = c:\program files\Windows Sidebar\sidebar.exe /autoRun?????????????????????????? ??????4???????????????????????????4???????????????
.
scanning hidden files ...
.
.
C:\ADSM_PData_0150
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(688)
c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
.
Completion time: 2011-03-31 04:55:32
ComboFix-quarantined-files.txt 2011-03-30 20:55
ComboFix2.txt 2011-03-26 20:00
.
Pre-Run: 106,311,446,528 bytes free
Post-Run: 106,280,767,488 bytes free
.
- - End Of File - - A74BA39F0692DDE03615DF41ADAE4FFB


3. How is system now?
I still get http://www.ab99dotcom/?b when I start Firefox. The link will then re-direct itself to http://www.2345dotcom/?ab99.


Thanks for your patience in answering my many questions!

Kindly note that I will have limited Internet access for the next 3 days.

10Q!
 
For the 2 search redirects you're getting: Before you do the following, I suggest you run TFC from our steps. Then go to Tools> Options> Privacy> Show Cookies> Note: If you have not done this before, you will have a great number of Cookies. Although some of these will hold your registration and password information for some sites, I advise you to delete all of the Cookies at this time. And you will see the redirected site Cookie right at the top.

After you have cleaned the Cookies out, you will have to re-register at some sites, but you can open the Privacy section> Show Cookies occasionally and selectively delete the Cookies you don't want to save, leaving those for the registered sites.

Once that has been done: Open Firefox: Tools> Options>:
  • Advanced tab> Accessibility section> Check Warn me when web sites try to redirect or reload the page
  • Privacy tab> Uncheck "Accept third party Cookies"> Check Allow cookies from sites
  • Exceptions> enter below one at a time and click on Block for each:
    *.2345.com> Click on Block>
    *.ab99.com/*> Click on Block
    The * will act as a Wild Card for any combination of the above.
  • Click on OK

I recommend that you add Easy List to the AdBlockPlus addon. It has additional filters.
=========================================
The Combofix log is fine with one exception: Sidebar.exe is a program that most likely was already installed on your computer since the day you purchased it. But it is hidden and on autorun. I suggest you peek at the hidden files and folders again and find Sidebar. If you use this, just find the autorun box and uncheck it. If you don't use it, uninstall the program and delete the program folder.
=======================================
Be sure to reboot after completing the above.
======================================
If this additional work resolves the redirects, you can Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 
Hi!

I'm having some problems here:

1. Ran TFC and added Exceptions and closed Firefox.
When I opened it again, the website showed up again.
Edit: Image deleted

I restarted the comp and opened Firefox and the unwanted website showed up again and this time when I checked the Exception list, it was empty.

Note: I've added the Easy List to the AdBlockPlus.

2. Sidebar.exe
I'm not too sure what you meant by "peek at hidden files and folders again and find Sidebar" so I just went to Program Files.
I found the folder but there is no uninstall option for it.
I tried to use "Uninstall a program" but couldn't find Sidebar on the list.
What should I do next?

3.
You will need to disinfect the external drive...
Please download Flash_Disinfector.exe
As the program did not run the previous time, am I supposed to run other programs etc?

Thanks heaps!
 
FF - Ext: Embedded Objects>> A Firefox add-on that allows you to download embedded content from web pages. The extension has an email address of red-cog.com. The site looks suspicious, and when I clicked on "Inquire about this domain" I got an alert from my security software stating the site has a poor reputation and would load.

Embedded objects are a risk and it appears that you did not get the extension from the Mozilla add-on site.

Try removing this extension, reboot the computer. See if that handles it.
 
Hi Bobbye,

I've removed the aforementioned extension (and also a couple of other extensions).
The 1st time I opened firefox, the website did not load - blank page (though its web address was shown).
On the other hand, my designated homepage did not load either.

However, that didn't do the trick and the same website appeared again when I re-opened Firefox again.

Anything else I need to do?

Thanks!
 
I am going to reset both your Firefox Start page and the Search page to the defaults. If you want to change the Homepage to another URL, you can do that. But don't set it to a Search page.
===================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Extra::
Firefox::
Firefox-:  -Profile - c:\users\duckieblues\AppData\Roaming\Mozilla\Firefox\Profiles\b9b3x8yr.default\
Firefox-: prefs.js - SEARCH.DEFAULTURL
Firefox-: prefs.js - STARTUP.HOMEPAGE
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
This is the 'start' page you have set up for Firefox:

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/advanced_search?hl=en

This is an advanced search page, not a home page. When you open the browser, whether it's IE or Firefox, the search engine will be within the page, not the page itself. For instance, let's say you like baseball and would like to see balls and bats when you launch your browser. So set the page to open to ESPN, like this> http://sports.espn.go.com/, then click on Tools in Firefox> Main Page> Choose 'use current.'
====================================
Now, when you launch Firefox, this page will display and you'll have a nice Google box for your searches. Give this a try after you run the script.

This part, google.com.sg: This is offered in Bahasa Malaysia. This would explain why you are getting the foreign page.

Let me know.
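The CFScript above resets the two prefs.js entries (STARTUP.HOMEPAGE and SEARCH.DEFAULTURL) that a hijacker typically rewrites. As an added example, not part of this thread or of ComboFix, here is a small checker that parses a Firefox prefs.js and reports the same indicators ComboFix listed for this profile: the homepage, an overridden default search URL, and a non-default network.proxy.type. The sample prefs.js content and the hijack URL in it are constructed; the trusted-host list is an assumption you would set for your own environment.

```python
import re
from urllib.parse import urlparse

# Constructed sample prefs.js (not taken from the thread). The proxy value
# mirrors the "network.proxy.type - 4" line ComboFix reported above; the
# homepage and search URLs are placeholders standing in for a hijack.
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.example-hijack.test/?b");
user_pref("browser.search.defaulturl", "http://search.example-hijack.test/?q=");
user_pref("network.proxy.type", 4);
user_pref("extensions.adblockplus.currentVersion", "1.3.5");
user_pref("browser.startup.page", 1);
'''

# One user_pref("name", value); call per line; value may be a string, int or bool.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} from prefs.js text, decoding strings, ints and booleans."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref() call
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # unknown literal: keep as text rather than fail
        prefs[name] = value
    return prefs


# network.proxy.type 0 = no proxy, 5 = use system settings. Anything else
# (manual proxy, PAC file, auto-detect) deserves a look on a machine that
# is being redirected, because it can route every request through a third party.
EXPECTED_PROXY_TYPES = {0, 5}


def audit_prefs(prefs, trusted_hosts):
    """Return a list of (pref, value, reason) findings for browser-hijack indicators."""
    findings = []
    home = prefs.get("browser.startup.homepage", "")
    for url in home.split("|"):  # Firefox separates multiple homepages with |
        host = urlparse(url).hostname or ""
        if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            findings.append(("browser.startup.homepage", url,
                             "homepage host is not in the trusted list"))
    search = prefs.get("browser.search.defaulturl")
    if search:
        findings.append(("browser.search.defaulturl", search,
                         "default search URL has been overridden"))
    ptype = prefs.get("network.proxy.type")
    if ptype is not None and ptype not in EXPECTED_PROXY_TYPES:
        findings.append(("network.proxy.type", ptype,
                         "proxy configured (not direct or system settings)"))
    pac = prefs.get("network.proxy.autoconfig_url")
    if pac:
        findings.append(("network.proxy.autoconfig_url", pac,
                         "PAC script set; requests can be silently rerouted"))
    return findings


def audit_text(text, trusted_hosts=("google.com", "google.com.sg")):
    """Parse prefs.js text and audit it against the trusted homepage hosts."""
    return audit_prefs(parse_prefs(text), trusted_hosts)


if __name__ == "__main__":
    for pref, value, reason in audit_text(SAMPLE_PREFS):
        print(f"{pref} = {value!r}: {reason}")
```

On a live profile, read prefs.js from the profile directory ComboFix listed (c:\users\...\Profiles\b9b3x8yr.default\) with Firefox closed, since Firefox rewrites the file on exit.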
 
Hi Bobbye,

Not sure if I'm doing anything wrong because I ran the Combofix without changing the "homepage" in FF as I thought that the script is supposed to change it.
And I clicked "yes" when Combofix needed a critical update.

In the end, I still had that dreaded homepage when I opened FF.

Right now, I have changed FF to the "default homepage". Should I run Combofix again?

Sorry for any inconvenience caused.


ComboFix 11-04-07.07 - duckieblues 08/04/2011 12:28:39.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3070.2166 [GMT 8:00]
Running from: c:\users\duckieblues\Desktop\OOOO\ComboFix.exe
Command switches used :: c:\users\duckieblues\Desktop\OOOO\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
.
.
2011-04-08 04:33 . 2011-04-08 04:33 -------- d-----w- c:\users\duckieblues\AppData\Local\temp
2011-04-08 04:33 . 2011-04-08 04:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-07 15:46 . 2011-04-07 15:46 -------- d-----w- c:\users\duckieblues\AppData\Local\{E6BD6E30-C610-42CF-9BF8-595EA7D400A7}
2011-04-06 19:01 . 2011-04-06 19:01 -------- d-----w- c:\users\duckieblues\AppData\Local\{752D5958-BFD5-4B38-AC05-772F4C976055}
2011-04-03 16:40 . 2011-04-03 16:40 -------- d-----w- c:\users\duckieblues\AppData\Local\{20658AE3-F25C-4D80-8B61-D31D676B7EA3}
2011-04-02 15:41 . 2011-04-02 15:41 -------- d-----w- c:\users\duckieblues\AppData\Local\{F54FDD64-A9A2-40D1-85DD-156CF02B88EB}
2011-03-31 16:20 . 2011-03-31 16:20 -------- d-----w- c:\users\duckieblues\AppData\Local\{308359CA-7AE4-4FD3-BFB9-484C150C5CF6}
2011-03-30 20:56 . 2011-03-30 20:56 -------- d-----w- c:\users\duckieblues\AppData\Roaming\Avira
2011-03-30 18:15 . 2011-03-04 08:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-30 18:15 . 2011-03-04 06:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-30 18:15 . 2011-03-30 18:15 -------- d-----w- c:\programdata\Avira
2011-03-30 18:15 . 2011-03-30 18:15 -------- d-----w- c:\program files\Avira
2011-03-30 17:56 . 2011-03-30 17:56 -------- d-----w- c:\users\duckieblues\AppData\Local\{0038B2DE-80CA-4041-94E7-FF82E80A5546}
2011-03-28 18:57 . 2011-03-28 18:57 -------- d-----w- C:\_OTM
2011-03-26 17:19 . 2011-03-26 17:19 -------- d-----w- c:\program files\ESET
2011-03-26 05:28 . 2011-03-27 04:25 -------- d-----w- c:\users\duckieblues\AppData\Roaming\StoryView
2011-03-26 05:28 . 2011-03-26 05:28 -------- d-----w- c:\program files\StoryViewSE
2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\users\duckieblues\AppData\Roaming\Malwarebytes
2011-03-24 18:01 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\programdata\Malwarebytes
2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-24 18:01 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 21:50 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 21:50 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 21:50 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 21:50 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-23 21:50 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-23 21:50 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-23 21:50 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-23 21:50 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-23 21:50 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-23 19:51 . 2011-03-23 20:15 -------- d-----w- c:\users\duckieblues\AppData\Roaming\AVG
2011-03-23 17:31 . 2011-03-23 17:31 -------- d-----w- c:\program files\Common Files\Java
2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-02 15:40 . 2009-09-21 08:01 45056 ----a-w- c:\windows\system32\acovcnt.exe
2011-03-27 12:57 . 2010-06-24 03:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-09 14:26 . 2011-02-09 14:26 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-02-09 14:26 . 2011-02-09 14:26 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-20 16:37 . 2011-02-09 17:01 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 17:01 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 17:01 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 17:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 17:01 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-09 17:01 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-09 17:01 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 17:01 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 17:01 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 17:01 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 17:01 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 17:01 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 17:01 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 17:01 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 17:01 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 17:01 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 17:01 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 17:01 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 17:01 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 17:01 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 17:01 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 17:01 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 17:01 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 17:01 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 17:01 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47 . 2011-02-09 16:51 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 16:51 292352 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
2009-09-07 08:36 147928 ----a-w- c:\program files\easyMule\modules\IE2EM.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 00:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
"SRS Premium Sound"="c:\program files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe" [2009-04-07 3405048]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-19 104936]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-04-21 540576]
"ATKOSD2"="c:\program files\ASUS\ATKOSD2\ATKOSD2.exe" [2009-03-04 8392704]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-14 7416352]
"Wireless Console 3"="c:\program files\ASUS\Wireless Console 3\wcourier.exe" [2009-04-17 1593344]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2009-04-20 159744]
"ADSMTray"="c:\program files\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2008-04-01 266240]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2008-10-01 851968]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-08-23 3054136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-09 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-01 13789728]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-30 752168]
FancyStart daemon.lnk - c:\windows\Installer\{A9FEB6D7-9C52-49FC-B956-7AB275B78890}\_5598CE641C54B66A23693F.exe [2009-8-23 12862]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3804174097-2789128879-451939437-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
R3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\DRIVERS\CRFILTER.sys [2008-04-07 6656]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
S2 SRS_VolSync_Service;SRS Volume Sync Service;c:\program files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe [2009-04-07 70880]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2009-04-21 90112]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-04-01 50176]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-16 3668480]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-01-22 52768]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\srs_PremiumSound_i386.sys [2009-04-01 233128]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sg/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download by easyMule - c:\program files\easyMule\IE2EM.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\duckieblues\AppData\Roaming\Mozilla\Firefox\Profiles\b9b3x8yr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/advanced_search?hl=en
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-08 12:33
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sidebar = c:\program files\Windows Sidebar\sidebar.exe /autoRun?????????????????????????????????4???????????????????????????4?????????#?????
.
scanning hidden files ...
.
.
C:\ADSM_PData_0150
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(696)
c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
.
- - - - - - - > 'Explorer.exe'(5688)
c:\program files\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt.dll
c:\program files\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
c:\windows\system32\btmmhook.dll
.
Completion time: 2011-04-08 12:35:10
ComboFix-quarantined-files.txt 2011-04-08 04:35
ComboFix2.txt 2011-03-30 20:55
ComboFix3.txt 2011-03-26 20:00
.
Pre-Run: 103,485,280,256 bytes free
Post-Run: 103,493,308,416 bytes free
.
- - End Of File - - F35D07B91ED68E27E158A9E4ABFF85DB
 
Have you done this:
  1. Go to the site you want for your homepage first
  2. Open Tools in Firefox> Options> Main> Startup section> "When Firefox starts"> click on the arrow to the right of the dialog box: There are 3 choices here:
    [o]. Use my homepage<< Choose this. The URL for the site you went to will be here.
    [o]. Use a blank page>>> this is what you see now
    [o]. Show my Windows & tabs from last time.>>> I have never used this because I set my home page up with the tabs I wanted all the time. I don't recommend choosing this option.
  3. There are 3 choices in the Homepage dialog box.
    [o] Use Current pages<< Choose this
    [o] Use Bookmark>> Don't use now
    [o] Restore to Default>> Do not use.

Don't be concerned with any other tabs at this point- you can set them later. You need to get the homepage set, but you have to choose the site and tell the system "this is what I want for my home page; open to this page when I launch Firefox".

Don't put any search engine as your homepage. All browsers have a place for the search engine. You can choose any site on the internet for your home page. But be sure it's a good, reputable site.

If you don't have a Site Advisor, use the Web of Trust (WOT) add-on. It is a safe surfing tool for your browser. Traffic-light rating symbols show how the site rates for Trustworthiness, Vendor Reliability, Privacy, Child Safety. Your online email account – Google Mail, Yahoo! Mail and Hotmail – is also protected. Choose only the Green lights!

Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight.

I have a feeling that you haven't been setting the homepage up correctly. Let me know if this gets set up.
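The homepage the Options dialog shows is the effective value of the `browser.startup.homepage` preference, which Firefox stores in the profile's prefs.js and which a user.js file in the same profile overrides at startup. The following is an added example, not code from the thread or from Mozilla: it parses those two files and checks whether the startup page host (and any manual or PAC proxy) is on an allow-list you supply. The sample prefs.js and user.js contents, the `redirect.example.net` host and the `audit` function name are constructed for this illustration.

```python
"""Audit a Firefox profile's startup page and proxy preferences.

Added example (not from the thread). Parses lines of the form
    user_pref("browser.startup.homepage", "http://www.google.com.sg/");
from prefs.js and user.js and reports values that are not on an allow-list.
"""
import re
from urllib.parse import urlsplit

# One user_pref(...) line; the value is captured raw and typed below.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

# Documented meanings of network.proxy.type values.
PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC", 4: "auto-detect (WPAD)", 5: "system"}


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict; comments and other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def effective_prefs(prefs_js, user_js=""):
    """user.js, when present, is applied at startup and overrides prefs.js."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def homepage_hosts(prefs):
    """Hostnames in browser.startup.homepage (several pages are '|'-separated)."""
    value = prefs.get("browser.startup.homepage", "")
    if not isinstance(value, str):
        return []
    return [urlsplit(u).hostname or u for u in value.split("|") if u]


def audit(prefs, allowed_hosts):
    """Return a list of findings; an empty list means nothing unexpected."""
    findings = []
    for host in homepage_hosts(prefs):
        if host not in allowed_hosts:
            findings.append(f"homepage host not on allow-list: {host}")
    ptype = prefs.get("network.proxy.type")
    if ptype in (1, 2):  # a manual or PAC proxy can silently reroute traffic
        target = prefs.get("network.proxy.http") or prefs.get("network.proxy.autoconfig_url")
        findings.append(f"proxy configured ({PROXY_TYPES[ptype]}): {target}")
    return findings


# Constructed sample files for the demonstration (not the thread's real profile).
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com.sg/");
user_pref("browser.startup.page", 1);
user_pref("network.proxy.type", 4);
'''
SAMPLE_USER_JS = '''\
user_pref("browser.startup.homepage", "http://redirect.example.net/?ab99");
'''
ALLOWED = {"www.google.com.sg", "www.straitstimes.com"}

if __name__ == "__main__":
    import os
    print("prefs.js only:", audit(effective_prefs(SAMPLE_PREFS_JS), ALLOWED))
    print("with user.js :", audit(effective_prefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS), ALLOWED))
    # Real use: point at the profile directory ComboFix listed under "FF - ProfilePath".
    profile = os.environ.get("FF_PROFILE")
    if profile:
        with open(os.path.join(profile, "prefs.js"), encoding="utf-8", errors="replace") as fh:
            prefs_js = fh.read()
        user_path = os.path.join(profile, "user.js")
        user_js = open(user_path, encoding="utf-8").read() if os.path.exists(user_path) else ""
        print("profile      :", audit(effective_prefs(prefs_js, user_js), ALLOWED))
```

Run it with Firefox closed, since Firefox rewrites prefs.js on exit; set `FF_PROFILE` to the profile folder to audit a real profile instead of the constructed sample.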
 
Hi Bobbye,

Thanks for the detailed explanation.

Update:
- WOT is up and running.
- homepage is now http://www.straitstimes.com/

However, even when the *.2345.com is still in the exceptions list, the webpage continues popping up.

So what do I need to do next?
 
Glad you put WOT on the system! You may be amazed at how many of the sites have the 'red light'! When I am trying to identify a process, most of the sites have this, so I have to be very careful to choose green wisely!

As for the homepage, you can use the same process anytime you decide you'd like something different. Just be sure to choose a good site.

The site you're still seeing is connected to what made the homepage change. I'd like for you to update and do Full Scan with Malwarebytes. We've missed something. Originally you were asked to just do the Quick Scan, but this needs to be more in depth.
 
Hi Bobbye,

Thanks for the great recommendation! After installing WOT, realized that some of the innocuous-looking sites were actually in the "red" category. Guess I have to learn to be more discerning on the links I click. :eek:


Malwarebytes's log:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6333

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

12/4/2011 12:25:08 AM
mbam-log-2011-04-12 (00-25-08).txt

Scan type: Full scan (C:\|D:\|G:\|)
Objects scanned: 498284
Time elapsed: 1 hour(s), 42 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks for your help!
 
You're welcome. I was just as surprised as you about all the 'red lights'! I have to be so careful when I need to identify a process- Vendor reliability is part of their rating, as is their privacy policy.

Okay, the Mbam scan is clean. You will surely have rebooted the system by now- did the homepage remain? Are you still getting the 2345 site? If you are, now that you have WOT on the system, see if the 2345 appears for any specific web site you click on.
=======================================
I'd like for you to see if you can identify any of the repeating AppData. Here is a screen shot for Vista:
documents_guy.jpg

Image courtesy ComputerPerformance UK. This replaces the Documents & Settings we had in Windows XP, renamed to Users.

So here is your path:
1. Under Users> Choose duckieblues
2. Under duckieblues> Choose AppData
3. Under AppData> Choose Local (this is one of the 3 sub-folders under AppData)
Once you are in Local, you should see entries like this:
c:\users\duckieblues\AppData\Local\{0038B2DE-80CA-4041-94E7-FF82E80A5546}

Do a Right click> Properties and see if you can ID the source for any of them.

If you used Windows XP, this will help you understand this placement:
The key phrase is, change in location. Vista has a new Users Folder which replaces XP's Documents and Settings. Within the new folder structure, Vista has a folder called plain 'Documents', which replaces XP's 'My Documents' folder. The most important new subfolder is AppData. Also to maintain backward compatibility, Vista has shortcut links to the old XP folders such as Local Settings and Application Data.

Most users have found these folders empty, so okay to delete. But some are also supposed to hold program data within. But I have yet to learn how to identify what is adding this 'data'!
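Before deleting any of the {GUID}-named folders under AppData\Local, it is worth knowing which of them are actually empty and which still hold files. The following is an added example, not from the thread: it lists every folder under a directory whose name is a braced GUID, walks it, and reports whether it is empty, how many files it holds, a few sample paths and the folder's modification time. The `demo` function builds a constructed sample tree in a temporary directory (the second GUID and the file inside it are made up) so the scan can be run offline; `scan_guid_folders` takes any real path.

```python
"""List {GUID}-named folders under AppData\\Local and report whether they are empty.

Added example (not from the thread). Windows path handling uses os.path, so
the scan runs on any platform against a directory you point it at.
"""
import os
import re
import shutil
import tempfile
from datetime import datetime

# Folder names such as {0038B2DE-80CA-4041-94E7-FF82E80A5546}
GUID_DIR_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def scan_guid_folders(local_appdata):
    """Return one dict per {GUID}-named folder directly under local_appdata."""
    results = []
    for name in sorted(os.listdir(local_appdata)):
        path = os.path.join(local_appdata, name)
        if not (os.path.isdir(path) and GUID_DIR_RE.match(name)):
            continue
        files = []
        for root, _dirs, names in os.walk(path):
            files.extend(os.path.join(root, f) for f in names)
        results.append({
            "name": name,
            "empty": not files,
            "file_count": len(files),
            "sample_files": files[:3],
            "modified": datetime.fromtimestamp(os.path.getmtime(path)).isoformat(timespec="seconds"),
        })
    return results


def default_local_appdata():
    """The current user's AppData\\Local (LOCALAPPDATA on Windows)."""
    return os.environ.get("LOCALAPPDATA") or os.path.join(os.path.expanduser("~"), "AppData", "Local")


def demo():
    """Build a constructed sample tree in a temp dir, scan it, and return the report."""
    base = tempfile.mkdtemp()
    try:
        # GUID from the thread's log line, left empty here
        os.mkdir(os.path.join(base, "{0038B2DE-80CA-4041-94E7-FF82E80A5546}"))
        # Made-up GUID folder that still holds a file
        full = os.path.join(base, "{11111111-2222-3333-4444-555555555555}")
        os.makedirs(os.path.join(full, "sub"))
        with open(os.path.join(full, "sub", "data.bin"), "wb") as fh:
            fh.write(b"\x00" * 16)
        os.mkdir(os.path.join(base, "Microsoft"))  # ordinary folder, ignored by the scan
        return scan_guid_folders(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
    # Real use: scan the signed-in user's own AppData\Local.
    real = default_local_appdata()
    if os.path.isdir(real):
        for entry in scan_guid_folders(real):
            print(entry["name"], "empty" if entry["empty"] else f"{entry['file_count']} files")
```

Run it as the user whose profile you are inspecting (the thread's account is duckieblues); the Public profile's AppData\Local will not show another user's folders.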
 
Hi Bobbye,

A few questions for you:

see if the 2345 appears for any specific web site you click on

Am I supposed to click on all the links in my favorite folders or...?
Because currently, 2345 only pops out upon start-up of FF. As of right now, it hasn't appeared due to any links that I click.

Edit: Excess images deleted

Not sure why but user duckieblues does not have any AppData folder.

So I went to "search for files and folders" but could only find it under "public" user and the "local" folder was empty. (Ok to delete right?)
Spotted something that looks like what you were asking me to look out for...
But unable to access it.

So I think I have to trouble you again... :blush:
 
No, you do not need to click on all your Favorites.
The offender shows in the images you left. I don't know if you put this together:

This file that you listed, shows in 2 places in the image:
(C:\Users\duckieblues\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5)

The first line is:
Name: 2736628[1]
Date Modified: 29/11/2009 8:50
Type: Firefox Document
Folder: VX4CQUHU (C:\Users
Author: None
Tags: Asian symbols

The second line> the one where you showed the full path is:
Name: p1_120580[1]
Date Modified: 29/11/2009 8:50
Type: Firefox Document
Folder: VX4CQUHU (C:\Users\duckieblues\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5)

I went to the 2345 site to see if I could match up the symbols- not an easy thing to do! It also had a redirect that I didn't allow. But I do think this is the offending entry that is coming up when you launch Firefox. It isn't going to let you delete it if it's in Firefox and you have Firefox open.

I have been scratching my head trying to figure out how to do this. You need to have Firefox closed, then go in to Windows Explorer. I did some searching trying to identify the folder above- no luck. But I did find p1_120580[1] here: http://travel.webshots.com/photo/2868048140045422942IxJQll

These are webshots uploaded by someone in Thailand and they are showing on several of the imaging sites and there is also a YouTube video of same name here: http://www.youtube.com/watch?v=cYxtAJoKld4
Also Asian.

I think that somewhere in your adventures, you either got the video or an embedded ad from one of the sites you surfed with Firefox. So when you're in Windows Explorer, go to Programs> Click on Mozilla Firefox> Look on the right screen and see if you have a folder VX4CQUHU. Make sure you're in 'duckieblues' account.

One other unknown is the following:
FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
It should be in the extensions, but I don't know what 'Embedded Objects' are.

Fish around and see what you come up with- let me know.
 
Hi Bobbye,

I'm kind of lost so just bear with me here...

see if you have a folder VX4CQUHU

Edit: Excess images deleted

So I went to PROGRAM FILES -> MOZILLA FF but didn't find it
Checked again just in case I missed anything...

FF - Ext: Embedded Objects... should be in the extensions

Edit: Excess images deleted
Btw, the chrome folder has another 2 folders in it- CONTENT & LOCALE

I'm really not sure if this's what you are asking me to look for.
Pls correct me if I'm veering in the wrong direction.

Thanks!
 
Okay, while I realize " a picture is worth a thousand words", I think you need to stop the images- they are very space consuming!

You found the file- I'm not sure why you didn't just delete it. Delete these 2 folders: VX4CQUHU
13.jpg


No more images pasted in. If you do find it absolutely necessary to use an image, leave it as an attachment instead of pasting it in.
 