TechSpot

Firefox malware homepage redirect

By ayumist
Mar 26, 2011
  1. Hi!

    For the past couple of months, my Firefox homepage (originally Google) has been redirected to "http://www.2345dotcom/?ab99".
    However, when I checked the Internet options in Firefox, the web address still showed Google.

    I have updated my antivirus but it does not seem to detect the malware.

    Moreover, I have noticed that my Firefox browser often hangs when the small browser window appears as I try to download files.
    I ran Malwarebytes just before stumbling upon this site, but the problem persists.

    I would greatly appreciate any help given. Thanks in advance!!

    I followed the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions and posted the logs below:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6173

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    26/3/2011 1:43:39 PM
    mbam-log-2011-03-26 (13-43-39).txt

    Scan type: Quick scan
    Objects scanned: 148674
    Time elapsed: 3 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-03-26 15:25:05
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0002
    Running: so5fbjuo.exe; Driver: C:\Users\DUCKIE~1\AppData\Local\Temp\axliqaog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA4BC8780]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA4BC8830]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA4BC88D0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA4BC8970]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 3F1 820B9B74 4 Bytes [80, 87, BC, A4]
    .text ntkrnlpa.exe!KeSetEvent + 621 820B9DA4 8 Bytes [30, 88, BC, A4, D0, 88, BC, ...]
    .text ntkrnlpa.exe!KeSetEvent + 681 820B9E04 4 Bytes [70, 89, BC, A4]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3596] kernel32.dll!SetUnhandledExceptionFilter 75E3A84F 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AsDsm.sys (Data Security Manager Driver/ASUSTek Computer Inc)
    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d60c5c31d
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002243cbba22
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001d60c5c31d (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002243cbba22 (not active ControlSet)

    ---- Files - GMER 1.0.15 ----

    File C:\ADSM_PData_0150 0 bytes
    File C:\ADSM_PData_0150\DB 0 bytes
    File C:\ADSM_PData_0150\DB\SI.db 624 bytes
    File C:\ADSM_PData_0150\DB\UL.db 16 bytes
    File C:\ADSM_PData_0150\DB\VL.db 16 bytes
    File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
    File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
    File C:\ADSM_PData_0150\_avt 512 bytes

    ---- EOF - GMER 1.0.15 ----



    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by duckieblues at 15:32:54.36 on Sat 26/03/2011
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_24
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3070.2032 [GMT 8:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
    C:\Program Files\ASUS\ATK Hotkey\ASLDRSrv.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\ATKGFNEX\GFNEXSrv.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\ASUS\ATK Hotkey\HControl.exe
    C:\Program Files\ASUS\Wireless Console 3\wcourier.exe
    C:\Program Files\ASUS\Splendid\ACMON.exe
    C:\Windows\Explorer.EXE
    C:\Program files\P4G\BatteryLife.exe
    C:\Program Files\ASUS\ASUS Live Update\ALU.exe
    C:\Program Files\ASUS\SmartLogon\sensorsrv.exe
    C:\Windows\System32\ACEngSvr.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe
    C:\Program Files\ASUS\ATK Hotkey\KBFiltr.exe
    C:\Program Files\ASUS\ATK Hotkey\WDC.exe
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
    C:\Program Files\Elantech\ETDCtrl.exe
    C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\ASUS\ATK Media\DMedia.exe
    C:\Program Files\ASUS\ASUS Data Security Manager\ADSMTray.exe
    C:\Windows\AsScrPro.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Real\RealPlayer\Update\realsched.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Users\duckieblues\Desktop\OOOO\dds.scr
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com.sg/
    uDefault_Page_URL = hxxp://asus.msn.com
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: IE2EMBHO Class: {0a0ddbd3-6641-40b9-873f-bbdd26d6c14e} - c:\program files\easymule\modules\IE2EM.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [SRS Premium Sound] "c:\program files\srs labs\srs premium sound\SRSPremiumSoundBig_Small.exe" /hideme
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [Microsoft Pinyin IME Migration] c:\progra~1\common~1\micros~1\ime12\imesc\IMSCMIG.EXE /INSTALL
    mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
    mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
    mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
    mRun: [ATKOSD2] c:\program files\asus\atkosd2\ATKOSD2.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
    mRun: [Wireless Console 3] c:\program files\asus\wireless console 3\wcourier.exe
    mRun: [ATKMEDIA] c:\program files\asus\atk media\DMedia.exe
    mRun: [ADSMTray] c:\program files\asus\asus data security manager\ADSMTray.exe
    mRun: [ACMON] c:\program files\asus\splendid\ACMON.exe
    mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\fancys~1.lnk - c:\windows\installer\{a9feb6d7-9c52-49fc-b956-7ab275b78890}\_5598CE641C54B66A23693F.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: Download by easyMule - c:\program files\easymule\IE2EM.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    LSA: Notification Packages = scecli c:\program files\asus\asus data security manager\ASPWDFLT
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\duckie~1\appdata\roaming\mozilla\firefox\profiles\b9b3x8yr.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/advanced_search?hl=en
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - component: c:\users\duckieblues\appdata\roaming\mozilla\firefox\profiles\b9b3x8yr.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    FF - Ext: AVG Security Toolbar em:version=6.103.018.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
    FF - Ext: 1-Click YouTube Video Downloader: YoutubeDownloader@PeterOlayev.com - %profile%\extensions\YoutubeDownloader@PeterOlayev.com
    FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 SRS_VolSync_Service;SRS Volume Sync Service;c:\program files\srs labs\srs premium sound\SRS_VolSync.exe [2009-4-8 70880]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2009-4-21 90112]
    R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C60x86.sys [2009-4-1 50176]
    R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-1-22 52768]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-8-23 233128]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-11-27 517448]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-8-23 29736]
    S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [2008-4-7 6656]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-03-26 05:28:04 -------- d-----w- c:\users\duckie~1\appdata\roaming\StoryView
    2011-03-26 05:28:03 -------- d-----w- c:\program files\StoryViewSE
    2011-03-24 18:01:35 -------- d-----w- c:\users\duckie~1\appdata\roaming\Malwarebytes
    2011-03-24 18:01:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-24 18:01:29 -------- d-----w- c:\progra~2\Malwarebytes
    2011-03-24 18:01:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-24 18:01:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-23 21:50:42 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-23 21:50:42 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-23 21:50:42 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-23 21:50:31 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-23 21:50:31 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-23 21:50:31 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-23 21:50:31 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-23 21:50:18 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-23 21:50:18 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-23 19:51:10 -------- d-----w- c:\users\duckie~1\appdata\roaming\AVG
    2011-03-23 17:30:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-23 17:30:35 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-03-12 04:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2011-03-12 04:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2011-03-05 19:16:53 -------- d-----w- c:\progra~2\PopCap Games
    .
    ==================== Find3M ====================
    .
    2011-03-26 07:28:00 45056 ----a-w- c:\windows\system32\acovcnt.exe
    2011-02-09 14:26:39 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-02-09 14:26:39 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
    .
    ============= FINISH: 15:33:33.63 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 23/8/2009 7:02:33 PM
    System Uptime: 26/3/2011 3:26:23 PM (0 hours ago)
    .
    Motherboard: ASUSTeK Computer Inc. | | U50Vg
    Processor: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz | Socket 478 | 2534/267mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 101.348 GiB free.
    D: is FIXED (NTFS) - 221 GiB total, 211.136 GiB free.
    E: is CDROM ()
    G: is FIXED (NTFS) - 932 GiB total, 172.764 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    ???? 2.4.9
    2007 Microsoft Office system
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.3
    Apple Application Support
    Apple Software Update
    ASUS AI Recovery
    ASUS Data Security Manager
    ASUS FancyStart
    ASUS LifeFrame3
    ASUS Live Update
    ASUS MultiFrame
    ASUS Power4Gear Hybrid
    ASUS SmartLogon
    ASUS Splendid Video Enhancement Technology
    ASUS Virtual Camera
    Asus_U_Series_ScreenSaver
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    ATK Generic Function Service
    ATK Hotkey
    ATK Media
    ATKOSD2
    AVG 2011
    AVG PC Tuneup 2011
    Beauty Factory (remove only)
    BitTorrent
    CCleaner
    Content Transfer
    CyberLink LabelPrint
    CyberLink Power2Go
    D3DX10
    ETDWare PS/2-x86 7.0.5.3 WHQL
    Express Gate
    ffdshow [rev 3200] [2010-01-12]
    FLVPlayer4Free Free FLV Player 3.8.0.0
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Java Auto Updater
    Java(TM) 6 Update 24
    Malwarebytes' Anti-Malware
    Media Manager for WALKMAN 1.2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (Chinese (Simplified)) 2007
    Microsoft Office Access MUI (Chinese (Traditional)) 2007
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access MUI (French) 2007
    Microsoft Office Access MUI (Spanish) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel 2007 Help 更新 (KB963678)
    Microsoft Office Excel 2007 Help Actualización (KB963678)
    Microsoft Office Excel 2007 Help 更新程式 (KB963678)
    Microsoft Office Excel MUI (Chinese (Simplified)) 2007
    Microsoft Office Excel MUI (Chinese (Traditional)) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (French) 2007
    Microsoft Office Excel MUI (Spanish) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office IME (Chinese (Simplified)) 2007
    Microsoft Office IME (Chinese (Traditional)) 2007
    Microsoft Office Live Add-in 1.5
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook 2007 Help 更新 (KB963677)
    Microsoft Office Outlook 2007 Help Actualización (KB963677)
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (Chinese (Simplified)) 2007
    Microsoft Office Outlook MUI (Chinese (Traditional)) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office Outlook MUI (French) 2007
    Microsoft Office Outlook MUI (Spanish) 2007
    Microsoft Office Powerpoint 2007 Help 更新 (KB963669)
    Microsoft Office Powerpoint 2007 Help Actualización (KB963669)
    Microsoft Office Powerpoint 2007 Help 更新程式 (KB963669)
    Microsoft Office PowerPoint MUI (Chinese (Simplified)) 2007
    Microsoft Office PowerPoint MUI (Chinese (Traditional)) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (French) 2007
    Microsoft Office PowerPoint MUI (Spanish) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (Arabic) 2007
    Microsoft Office Proof (Basque) 2007
    Microsoft Office Proof (Catalan) 2007
    Microsoft Office Proof (Chinese (Simplified)) 2007
    Microsoft Office Proof (Chinese (Traditional)) 2007
    Microsoft Office Proof (Dutch) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Galician) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Portuguese (Brazil)) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (Chinese (Simplified)) 2007
    Microsoft Office Proofing (Chinese (Traditional)) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (French) 2007
    Microsoft Office Proofing (Spanish) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (Chinese (Simplified)) 2007
    Microsoft Office Publisher MUI (Chinese (Traditional)) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Publisher MUI (French) 2007
    Microsoft Office Publisher MUI (Spanish) 2007
    Microsoft Office Shared MUI (Chinese (Simplified)) 2007
    Microsoft Office Shared MUI (Chinese (Traditional)) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (French) 2007
    Microsoft Office Shared MUI (Spanish) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word 2007 Help 更新 (KB963665)
    Microsoft Office Word 2007 Help Actualización (KB963665)
    Microsoft Office Word 2007 Help 更新程式 (KB963665)
    Microsoft Office Word MUI (Chinese (Simplified)) 2007
    Microsoft Office Word MUI (Chinese (Traditional)) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (French) 2007
    Microsoft Office Word MUI (Spanish) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mise à jour Microsoft Office Excel 2007 Help (KB963678)
    Mise à jour Microsoft Office Outlook 2007 Help (KB963677)
    Mise à jour Microsoft Office Powerpoint 2007 Help (KB963669)
    Mise à jour Microsoft Office Word 2007 Help (KB963665)
    Mozilla Firefox (3.6)
    MSVCRT
    Multimedia Card Reader
    Norton Internet Security
    NVIDIA Drivers
    Orbit Downloader
    Picasa 3
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.1
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Segoe UI
    SRS Premium Sound
    StoryView SE
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2508979)
    USB 2.0 1.3M UVC WebCam
    VLC media player 1.0.3
    WIDCOMM Bluetooth Software
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinFlash
    WinRAR archiver
    Wireless Console 3
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help you sort out the problems: Thank you for removing the hyperlink!

    I'd like to make you aware of potentially bad program or sites:
    1. Easy Mule downloader: It is from a site that has this McAfee Warning: verycd.com
    McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.
    2. Orbit Downloader: Orbit Downloader is an advertising-supported product since it may change the web browser's homepage upon installation and also offers to install software that is not critical for its operation.
    ======================================
    You still have Norton Internet Security. Even though you may be using a different security program now, it should be removed: Please run this Norton Removal Tool
    Reboot the computer when finished.
    ======================================
    While I finish checking these logs, please run the following:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ================================================
    Note - Due to recent changes in how AVG targets the Combofix internal tools, it must be uninstalled before running ComboFix.
    Download AppRemover and save to the desktop
    How to Use AppRemover to Remove a Complete Security Application
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      http://www.appremover.com/about/chooseuninstall.gif/image_preview
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    =====================================
    Temporary AV:
    Avira-AntiVir-Personal-Free-Antivirus: http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914
    Avast Free Version: http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button
    =======================================
    Download Combofix from http://www.bleepingcomputer.com/download/anti-virus/combofix or http://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
    1. Double click combofix.exe & follow the prompts.
    2. ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    3. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    4. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      http://img.photobucket.com/albums/v706/ried7/whatnext.png
    5. Click on Yes, to continue scanning for malware
    6. If Combofix asks you to update the program, allow
    7. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    8. Close any open browsers.
    9. Double click combofix.exe & follow the prompts to run.
    10. When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  3. ayumist

    ayumist TS Rookie Topic Starter

    Hi Bobbye,

    Thanks so much for your help! :)

    Can I also check with you if it is safe to just "uninstall programs" for Orbit Downloader and easymule? Or do I need a special software to purge them?

    I forgot to mention in the first post that my IE was highjacked by the same website. Sorry :eek: it totally slipped my mind as I have not been using IE for months now.

    Thanks again!


    ESETSmartInstaller@High as downloader log:
    all ok
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=0702bc48294c4243b9b7b1976f9bffc5
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-26 07:11:33
    # local_time=2011-03-27 03:11:33 (+0800, Malay Peninsula Standard Time)
    # country="Singapore"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=1032 16777213 100 96 23846 44476497 0 0
    # compatibility_mode=5378 16777214 0 8 23418880 23418880 0 0
    # compatibility_mode=5892 16776574 100 100 10298576 138690033 0 0
    # compatibility_mode=8192 67108863 100 0 926 926 0 0
    # scanned=353870
    # found=4
    # cleaned=0
    # scan_time=5788
    C:\Users\duckieblues\Favorites\¾«Æ·ÍøÖ·µ¼º½.url Win32/TrojanClicker.BHO.NBH trojan (unable to clean) 00000000000000000000000000000000 I
    G:\bks\YUAN CHUANG\New Folder (2)\WretchXD.exe a variant of Win32/WretchXD.AA application (unable to clean) 00000000000000000000000000000000 I
    G:\OVA\MOVIES\ENG (H - P)\Julie and Julia 2009.avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
    G:\OVA\MOVIES\ENG (Q - Z)\The Time Travelers Wife 2009.avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I



    ComboFix 11-03-26.01 - duckieblues 27/03/2011 3:53.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3070.2235 [GMT 8:00]
    Running from: c:\users\duckieblues\Desktop\OOOO\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\ime\SPTIPIME.ini
    c:\windows\ime\SPTIPIMERS.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-26 to 2011-03-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-26 19:58 . 2011-03-26 19:58 -------- d-----w- c:\users\duckieblues\AppData\Local\temp
    2011-03-26 19:58 . 2011-03-26 19:58 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-26 17:19 . 2011-03-26 17:19 -------- d-----w- c:\program files\ESET
    2011-03-26 05:28 . 2011-03-26 05:28 -------- d-----w- c:\users\duckieblues\AppData\Roaming\StoryView
    2011-03-26 05:28 . 2011-03-26 05:28 -------- d-----w- c:\program files\StoryViewSE
    2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\users\duckieblues\AppData\Roaming\Malwarebytes
    2011-03-24 18:01 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-24 18:01 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-23 21:50 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-23 21:50 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-23 21:50 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-23 21:50 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-23 21:50 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-23 21:50 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-23 21:50 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-23 21:50 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-23 21:50 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-23 19:51 . 2011-03-23 20:15 -------- d-----w- c:\users\duckieblues\AppData\Roaming\AVG
    2011-03-23 17:31 . 2011-03-23 17:31 -------- d-----w- c:\program files\Common Files\Java
    2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-23 17:27 . 2011-03-23 17:27 -------- d-----w- c:\programdata\McAfee
    2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2011-03-05 19:16 . 2011-03-05 19:16 -------- d-----w- c:\programdata\PopCap Games
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-26 19:48 . 2009-09-21 08:01 45056 ----a-w- c:\windows\system32\acovcnt.exe
    2011-02-09 14:26 . 2011-02-09 14:26 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-02-09 14:26 . 2011-02-09 14:26 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-01-20 16:37 . 2011-02-09 17:01 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-01-20 16:08 . 2011-02-09 17:01 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08 . 2011-02-09 17:01 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08 . 2011-02-09 17:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08 . 2011-02-09 17:01 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:08 . 2011-02-09 17:01 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:07 . 2011-02-09 17:01 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07 . 2011-02-09 17:01 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07 . 2011-02-09 17:01 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06 . 2011-02-09 17:01 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06 . 2011-02-09 17:01 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04 . 2011-02-09 17:01 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 16:04 . 2011-02-09 17:01 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 14:28 . 2011-02-09 17:01 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27 . 2011-02-09 17:01 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26 . 2011-02-09 17:01 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25 . 2011-02-09 17:01 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24 . 2011-02-09 17:01 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15 . 2011-02-09 17:01 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14 . 2011-02-09 17:01 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14 . 2011-02-09 17:01 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14 . 2011-02-09 17:01 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12 . 2011-02-09 17:01 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11 . 2011-02-09 17:01 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47 . 2011-02-09 17:01 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-08 08:47 . 2011-02-09 16:51 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28 . 2011-02-09 16:51 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57 . 2011-02-09 17:02 2039808 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 15:55 . 2011-01-12 15:35 413696 ----a-w- c:\windows\system32\odbc32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
    2009-09-07 08:36 147928 ----a-w- c:\program files\easyMule\modules\IE2EM.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
    @="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
    [HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
    2007-06-02 00:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-22 4240760]
    "SRS Premium Sound"="c:\program files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe" [2009-04-07 3405048]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-19 104936]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
    "HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
    "ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-04-21 540576]
    "ATKOSD2"="c:\program files\ASUS\ATKOSD2\ATKOSD2.exe" [2009-03-04 8392704]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-14 7416352]
    "Wireless Console 3"="c:\program files\ASUS\Wireless Console 3\wcourier.exe" [2009-04-17 1593344]
    "ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2009-04-20 159744]
    "ADSMTray"="c:\program files\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2008-04-01 266240]
    "ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2008-10-01 851968]
    "ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-08-23 3054136]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-09 273544]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-01 13789728]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-30 752168]
    FancyStart daemon.lnk - c:\windows\Installer\{A9FEB6D7-9C52-49FC-B956-7AB275B78890}\_5598CE641C54B66A23693F.exe [2009-8-23 12862]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer5"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3804174097-2789128879-451939437-1000]
    "EnableNotificationsRef"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
    R3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\DRIVERS\CRFILTER.sys [2008-04-07 6656]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 SRS_VolSync_Service;SRS Volume Sync Service;c:\program files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe [2009-04-07 70880]
    S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2009-04-21 90112]
    S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-04-01 50176]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-16 3668480]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-01-22 52768]
    S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\srs_PremiumSound_i386.sys [2009-04-01 233128]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.sg/
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: Download by easyMule - c:\program files\easyMule\IE2EM.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\duckieblues\AppData\Roaming\Mozilla\Firefox\Profiles\b9b3x8yr.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/advanced_search?hl=en
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
    FF - Ext: 1-Click YouTube Video Downloader: YoutubeDownloader@PeterOlayev.com - %profile%\extensions\YoutubeDownloader@PeterOlayev.com
    FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    AddRemove-{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1 - c:\program files\AVG\AVG PC Tuneup 2011\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-27 03:58
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sidebar = c:\program files\Windows Sidebar\sidebar.exe /autoRun?????????????????????????? ??????4???????????????????????????4???????????????
    .
    scanning hidden files ...
    .
    .
    C:\ADSM_PData_0150
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(688)
    c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
    .
    Completion time: 2011-03-27 04:00:09
    ComboFix-quarantined-files.txt 2011-03-26 20:00
    .
    Pre-Run: 108,564,758,528 bytes free
    Post-Run: 108,531,810,304 bytes free
    .
    - - End Of File - - 5557447A8A12ECAF2E919FE9C62FDA58
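The ESET Online Scanner log pasted above has a simple, fixed shape: a header of `# key=value` lines followed by one detection per line (`<path> <threat> (<action>) <identifier> <flag>`). The parser below is an added example, not part of the thread and not ESET's code; the log it carries is constructed to match that shape (the user name, file names and paths are placeholders, the detection names are the ones ESET reported above). Besides pulling the detections apart, it cross-checks the header's `found` counter against the lines actually parsed and groups hits by drive letter, which is the first thing to look at when deciding whether an external disk also needs cleaning.

```python
"""Parse an ESET Online Scanner log.txt: '# key=value' header plus one detection per line."""
import re
from collections import defaultdict

# Detection line: <path> <threat> (<action>) <32-hex identifier> <flag>.
# The path may contain spaces, so the fixed-shape tail is anchored with $ and
# the path is matched non-greedily from the left.
VARIANT_PREFIX = "a variant of "
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>(?:a variant of )?\S+ \S+) "
    r"\((?P<action>[^()]+)\) (?P<ident>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)

# Constructed sample, modelled on the log posted above; user name and paths are placeholders.
SAMPLE_LOG = r"""
# version=7
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=353870
# found=3
# cleaned=0
# scan_time=5788
C:\Users\example\Favorites\homepage.url Win32/TrojanClicker.BHO.NBH trojan (unable to clean) 00000000000000000000000000000000 I
G:\bks\New Folder (2)\WretchXD.exe a variant of Win32/WretchXD.AA application (unable to clean) 00000000000000000000000000000000 I
G:\movies\Some Film (2009).avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
"""


def parse_eset_log(text):
    """Return (header, detections); header keeps the first value seen for a repeated key."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                header.setdefault(key.strip(), value.strip())  # compatibility_mode repeats
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # not a detection line
        d = m.groupdict()
        d["variant"] = d["threat"].startswith(VARIANT_PREFIX)
        if d["variant"]:
            d["threat"] = d["threat"][len(VARIANT_PREFIX):]
        drive = re.match(r"([A-Za-z]:)", d["path"])
        d["drive"] = drive.group(1).upper() if drive else ""
        detections.append(d)
    return header, detections


def summarize(header, detections):
    """Cross-check the header counters against the parsed lines and group hits by drive."""
    by_drive = defaultdict(int)
    for d in detections:
        by_drive[d["drive"]] += 1
    found = int(header.get("found", "0"))
    return {
        "found": found,
        "cleaned": int(header.get("cleaned", "0")),
        "parsed": len(detections),
        "count_matches": found == len(detections),
        # With remove_checked=false nothing is cleaned, so every hit still needs handling.
        "unresolved": [d["path"] for d in detections if d["action"] != "cleaned"],
        "by_drive": dict(by_drive),
        # Drives other than the system drive: candidates for the external-disk clean-up.
        "other_drives": sorted(k for k in by_drive if k and k != "C:"),
    }


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    print(summarize(hdr, dets))
```

Feed it the real `C:\Program Files\EsetOnlineScanner\log.txt` instead of `SAMPLE_LOG` and `other_drives` tells you at once which non-system drives carried hits; a mismatch in `count_matches` means a detection line did not fit the pattern and should be read by hand.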
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Go ahead and run this for the Eset entries. I'm going to take a lunch break and will go over the Combofix log when I get back. You have an infected URL saved in your Favorites. If you can recognize this site, I recommend you delete it:
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\Users\duckieblues\Favorites\¾«Æ·ÍøÖ·µ¼º½.url 
      G:\bks\YUAN CHUANG\New Folder (2)\WretchXD.exe 
      G:\OVA\MOVIES\ENG (H - P)\Julie and Julia 2009.avi 
      G:\OVA\MOVIES\ENG (Q - Z)\The Time Travelers Wife 2009.avi
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===================================
    Two of the infected files have an avi file extension:
    Description: Primary association: Audio Video Interleave File
    File classification: Video
    Mime type: video/avi, video/msvideo, video/x-msvideo, image/avi, video/xmpg2, application/x-troff-msvideo, audio/aiff, audio/avi
    Program ID: AnimationShop3.Animation, ati_mfplay, avifile, Cliprex Video File, Frigate3.view, IrfanView.AVI, MPlayer, NeroMediaPlayer.File, Winamp.File, QuickTime.avi, RealPlayer.AVI.6, SlowView AVI

    My guess - and that's all it is - is that these files may have come from a torrent/file sharing site.

    And if Drive G is a flash drive, we will need to disinfect it, so let me know.
     
  5. ayumist

    ayumist TS Rookie Topic Starter

    Hi Bobbye,
    Thanks heaps for your reply!

    Drive G is an external hard disk drive.

    I have found and deleted the URLs in C:\Users\duckieblues.


    ========== FILES ==========
    File/Folder C:\Users\duckieblues\Favorites\¾«Æ·ÍøÖ·µ¼º½.url not found.
    G:\bks\YUAN CHUANG\New Folder (2)\WretchXD.exe moved successfully.
    G:\OVA\MOVIES\ENG (H - P)\Julie and Julia 2009.avi moved successfully.
    File/Folder G:\OVA\MOVIES\ENG (Q - Z)\The Time Travelers Wife 2009.avi not found.
    ========== COMMANDS ==========

    OTM by OldTimer - Version 3.1.17.2 log created on 03292011_025734



    Thanks!
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Internet went down again yesterday. Sorry.

    You will need to disinfect the external drive. It's movable hardware and you should be able to use the following:
    You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Yes, go ahead and do this now. When I set up a script for you to run through Combofix, I'll include any entries that are 'left over', but I don't want to do that before you uninstall as I might damage their uninstaller. See if the program has its own uninstall first> if it does, use that. If it does not, uninstall in Add/Remove Programs.
    ====================
    Do you plan to reinstall AVG when we finish? Did you put either Avast or Avira on the system to protect it while AVG is off?
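The note about Flash_Disinfector explains the protective trick: a folder named autorun.inf at the root of each drive means a worm cannot create a file of that name there, so plugging the drive into another machine cannot trigger it. The script below is an added example, not part of the thread and not Flash_Disinfector's code. It audits a list of drive roots and reports one of three states: no autorun.inf at all (unprotected), an autorun.inf folder (the placeholder the post describes), or an autorun.inf file, in which case it parses the INI and lists what the file would ask Explorer to launch, so the responder knows what to quarantine next. The drive roots and the autorun.inf contents are constructed under a temporary directory so the example runs anywhere; on Windows, `os.lstat` also exposes the hidden/system attributes, which are reported when available.

```python
"""Audit drive roots for autorun.inf: absent, protective folder, or a real (suspicious) file."""
import configparser
import os
import shutil
import stat
import tempfile

# Keys in the [autorun] section that make Explorer run something.
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command")


def launch_targets(autorun_path):
    """Return 'key=value' strings for the launch directives in an autorun.inf file."""
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        with open(autorun_path, encoding="utf-8-sig", errors="replace") as fh:
            parser.read_string(fh.read())
    except configparser.Error:
        return ["<unparseable autorun.inf>"]
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key in AUTORUN_KEYS:  # option names are case-insensitive in configparser
            if parser.has_option(section, key):
                targets.append(f"{key}={parser.get(section, key)}")
    return targets


def audit_drive_root(root):
    """Classify a drive root by what sits at <root>/autorun.inf."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return {"root": root, "state": "unprotected", "hidden": False, "targets": []}
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # populated on Windows only, 0 elsewhere
    hidden = bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))
    if stat.S_ISDIR(st.st_mode):
        return {"root": root, "state": "placeholder-folder", "hidden": hidden, "targets": []}
    return {"root": root, "state": "autorun-file", "hidden": hidden, "targets": launch_targets(path)}


def make_demo_roots(base):
    """Create three constructed 'drive roots' under base and return their paths."""
    infected = os.path.join(base, "E_infected")
    protected = os.path.join(base, "F_protected")
    bare = os.path.join(base, "G_bare")
    for root in (infected, protected, bare):
        os.makedirs(root)
    # Constructed autorun.inf of the kind USB worms drop; dummy_worm.exe is a placeholder name.
    with open(os.path.join(infected, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=RECYCLER\\dummy_worm.exe\n"
                 "shell\\open\\command=RECYCLER\\dummy_worm.exe\n")
    # The Flash_Disinfector-style placeholder: a folder occupying the autorun.inf name.
    os.makedirs(os.path.join(protected, "autorun.inf"))
    return [infected, protected, bare]


def run_demo():
    """Build the fixtures in a temp dir, audit them, clean up, return the findings."""
    base = tempfile.mkdtemp(prefix="autorun-audit-")
    try:
        return [audit_drive_root(r) for r in make_demo_roots(base)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

To audit real media, call `audit_drive_root` on each root (`E:\\`, `F:\\`, ...) instead of the constructed ones; an `autorun-file` result on a removable drive is the condition the post's disinfection step exists to fix, and `unprotected` means the placeholder was not created.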
     
  7. ayumist

    ayumist TS Rookie Topic Starter

    No worries! I understand how inconvenient it must be without internet access.

    Unfortunately, I had a few issues this time:

    1. I downloaded the program Flash_Disinfector.exe (129KB?) and hit the run button.
    However, nothing happens. No prompts or anything appears. I thought it might be running in the background so I left my computer running for about half an hour while I accessed some txt files. Still nothing happens.
    Am I doing anything wrong? How do I check if the program is functioning?

    2. I have uninstalled Orbit Downloader. However, my siblings still have some files downloading on Emule and they have requested that I remove it at a later period. Is that okay?

    3. Yes, I plan to reinstall AVG.

    4. Did you put either Avast or Avira on the system to protect it while AVG is off?
    Well to be honest :eek: I only remembered after you asked... so I have just installed Avira. Do I have to remove it when I reinstall AVG again?

    I forgot to mention that after I finished with OTMoveIt3.exe, I had desktop.ini, $RECYCLE.BIN, System Volume Information, ASUS.DAT folders appearing on both C drive and the flash drive. The icons are lighter in appearance compared to the "normal" ones. Is that a cause for concern?

    And finally thanks for all your assistance thus far.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. I'm going to try and get you going before I shut down. There is a tornado watch with a squall line coming through and I'll have to shut down.

    Keep Emule- tell kids to be careful.

    For this:
    Easy fix: you have the hidden files and folders showing:
    Rehide Hidden Folders/Files
    • Open My Computer.
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Uncheck Show hidden files and folders.
    • Check Hide extensions of known file types.
    • Check Hide protected operating system files (Recommended).
    • Click OK.
    • Close My Computer.
    That should remove the icons from the desktop.
    =======================================
    I'll have to check on the flash program- have had a few complaints of nothing happening.
    NOTE: I will be able to reset the homepage with script you'll run through Combofix.
    =======================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    
    Folder::
    c:\programdata\McAfee
    DDS::
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    Registry::
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sidebar = c:\program files\Windows Sidebar\sidebar.exe /autoRun?????????????????????????? ??????4???????????????????????????4???????????????
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Remove the Orbit entries; leave eMule.
    How is system now?
     
  9. ayumist

    ayumist TS Rookie Topic Starter

    Whoa! Sounds serious. Do you have these warnings often? Hope you remain safe!

    1. Rehide Hidden Folders/Files
    All settled! Thanks for the tip!

    2.

    ComboFix 11-03-26.01 - duckieblues 31/03/2011 4:49.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3070.1905 [GMT 8:00]
    Running from: c:\users\duckieblues\Desktop\OOOO\ComboFix.exe
    Command switches used :: c:\users\duckieblues\Desktop\OOOO\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\McAfee
    c:\programdata\McAfee\MCLOGS\Common\MsiExec\MsiExec000.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-30 20:53 . 2011-03-30 20:54 -------- d-----w- c:\users\duckieblues\AppData\Local\temp
    2011-03-30 20:53 . 2011-03-30 20:53 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-30 18:15 . 2011-03-04 08:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-03-30 18:15 . 2011-03-04 06:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-30 18:15 . 2011-03-30 18:15 -------- d-----w- c:\programdata\Avira
    2011-03-30 18:15 . 2011-03-30 18:15 -------- d-----w- c:\program files\Avira
    2011-03-30 17:56 . 2011-03-30 17:56 -------- d-----w- c:\users\duckieblues\AppData\Local\{0038B2DE-80CA-4041-94E7-FF82E80A5546}
    2011-03-28 18:57 . 2011-03-28 18:57 -------- d-----w- C:\_OTM
    2011-03-26 17:19 . 2011-03-26 17:19 -------- d-----w- c:\program files\ESET
    2011-03-26 05:28 . 2011-03-27 04:25 -------- d-----w- c:\users\duckieblues\AppData\Roaming\StoryView
    2011-03-26 05:28 . 2011-03-26 05:28 -------- d-----w- c:\program files\StoryViewSE
    2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\users\duckieblues\AppData\Roaming\Malwarebytes
    2011-03-24 18:01 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-24 18:01 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-23 21:50 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-23 21:50 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-23 21:50 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-23 21:50 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-23 21:50 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-23 21:50 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-23 21:50 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-23 21:50 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-23 21:50 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-23 19:51 . 2011-03-23 20:15 -------- d-----w- c:\users\duckieblues\AppData\Roaming\AVG
    2011-03-23 17:31 . 2011-03-23 17:31 -------- d-----w- c:\program files\Common Files\Java
    2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2011-03-05 19:16 . 2011-03-05 19:16 -------- d-----w- c:\programdata\PopCap Games
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-27 12:57 . 2010-06-24 03:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-03-26 19:48 . 2009-09-21 08:01 45056 ----a-w- c:\windows\system32\acovcnt.exe
    2011-02-09 14:26 . 2011-02-09 14:26 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-02-09 14:26 . 2011-02-09 14:26 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-01-20 16:37 . 2011-02-09 17:01 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-01-20 16:08 . 2011-02-09 17:01 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08 . 2011-02-09 17:01 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08 . 2011-02-09 17:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08 . 2011-02-09 17:01 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:08 . 2011-02-09 17:01 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:07 . 2011-02-09 17:01 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07 . 2011-02-09 17:01 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07 . 2011-02-09 17:01 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06 . 2011-02-09 17:01 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06 . 2011-02-09 17:01 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04 . 2011-02-09 17:01 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 16:04 . 2011-02-09 17:01 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 14:28 . 2011-02-09 17:01 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27 . 2011-02-09 17:01 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26 . 2011-02-09 17:01 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25 . 2011-02-09 17:01 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24 . 2011-02-09 17:01 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15 . 2011-02-09 17:01 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14 . 2011-02-09 17:01 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14 . 2011-02-09 17:01 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14 . 2011-02-09 17:01 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12 . 2011-02-09 17:01 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11 . 2011-02-09 17:01 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47 . 2011-02-09 17:01 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-08 08:47 . 2011-02-09 16:51 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28 . 2011-02-09 16:51 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57 . 2011-02-09 17:02 2039808 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
    2009-09-07 08:36 147928 ----a-w- c:\program files\easyMule\modules\IE2EM.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
    @="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
    [HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
    2007-06-02 00:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
    "SRS Premium Sound"="c:\program files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe" [2009-04-07 3405048]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-19 104936]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
    "HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
    "ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-04-21 540576]
    "ATKOSD2"="c:\program files\ASUS\ATKOSD2\ATKOSD2.exe" [2009-03-04 8392704]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-14 7416352]
    "Wireless Console 3"="c:\program files\ASUS\Wireless Console 3\wcourier.exe" [2009-04-17 1593344]
    "ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2009-04-20 159744]
    "ADSMTray"="c:\program files\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2008-04-01 266240]
    "ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2008-10-01 851968]
    "ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-08-23 3054136]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-09 273544]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-01 13789728]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-30 752168]
    FancyStart daemon.lnk - c:\windows\Installer\{A9FEB6D7-9C52-49FC-B956-7AB275B78890}\_5598CE641C54B66A23693F.exe [2009-8-23 12862]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer5"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3804174097-2789128879-451939437-1000]
    "EnableNotificationsRef"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
    R3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\DRIVERS\CRFILTER.sys [2008-04-07 6656]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
    S2 SRS_VolSync_Service;SRS Volume Sync Service;c:\program files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe [2009-04-07 70880]
    S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2009-04-21 90112]
    S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-04-01 50176]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-16 3668480]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-01-22 52768]
    S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\srs_PremiumSound_i386.sys [2009-04-01 233128]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - AVGNTFLT
    *NewlyCreated* - AVIPBB
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.sg/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Download by easyMule - c:\program files\easyMule\IE2EM.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\duckieblues\AppData\Roaming\Mozilla\Firefox\Profiles\b9b3x8yr.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/advanced_search?hl=en
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
    FF - Ext: 1-Click YouTube Video Downloader: YoutubeDownloader@PeterOlayev.com - %profile%\extensions\YoutubeDownloader@PeterOlayev.com
    FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-31 04:54
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sidebar = c:\program files\Windows Sidebar\sidebar.exe /autoRun?????????????????????????? ??????4???????????????????????????4???????????????
    .
    scanning hidden files ...
    .
    .
    C:\ADSM_PData_0150
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(688)
    c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
    .
    Completion time: 2011-03-31 04:55:32
    ComboFix-quarantined-files.txt 2011-03-30 20:55
    ComboFix2.txt 2011-03-26 20:00
    .
    Pre-Run: 106,311,446,528 bytes free
    Post-Run: 106,280,767,488 bytes free
    .
    - - End Of File - - A74BA39F0692DDE03615DF41ADAE4FFB


    3. How is system now?
    I still get http://www.ab99dotcom/?b when I start Firefox. The link will then re-direct itself to http://www.2345dotcom/?ab99.


    Thanks for your patience in answering my many questions!

    Kindly note that I will have limited Internet access for the next 3 days.

    10Q!
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For the 2 search redirects you're getting: Before you do the following, I suggest you run TFC from our steps. Then go to Tools> Options> Privacy> Show Cookies> Note: If you have not done this before, you will have a great number of Cookies. Although some of these will hold your registration and password information for some sites, I advise you to delete all of the Cookies at this time. And you will see the redirected site Cookie right at the top.

    After you have cleaned the Cookies out, you will have to re-register at some sites, but you can open the Privacy section> Show Cookies occasionally and selectively delete the Cookies you don't want to save, leaving those for the registered sites.

    Once that has been done: Open Firefox: Tools> Options>:
    • Advanced tab> Accessibility section> Check Warn me when web sites try to redirect or reload the page
    • Privacy tab> Uncheck "Accept third party Cookies"> Check Allow cookies from sites
    • Exceptions> enter below one at a time and click on Block for each:
      The * will act as a Wild Card for any combination of the above.
    • Click on OK

    I recommend that you add Easy List to the AdBlockPlus addon. It has additional filters.
    =========================================
    The Combofix log is fine with one exception: Sidebar.exe is a program that was most likely already installed on your computer the day you purchased it. But it is hidden and on autorun. I suggest you peek at the hidden files and folders again and find Sidebar. If you use this, just find the autorun box and uncheck it. IF you don't use it, uninstall the program and delete the program folder.
    =======================================
    Be sure to reboot after completing the above.
    ======================================
    If this additional work resolves the redirects, you can Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
  11. ayumist

    ayumist TS Rookie Topic Starter

    Hi!

    I'm having some problems here:

    1. Ran TFC and added Exceptions and closed Firefox.
    When I opened it again, the website showed up again.
    Edit: Image deleted

    I restarted the comp and opened Firefox and the unwanted website showed up again and this time when I checked the Exception list, it was empty.

    Note: I've added the Easy List to the AdBlockPlus.

    2. Sidebar.exe
    I'm not too sure what you meant by "peek at hidden files and folders again and find Sidebar" so I just went to Program Files.
    I found the folder but there is no unistall option for it.
    I tried to use "Unistall a program" but couldn't find Sidebar on the list.
    What should I do next?

    3.
    As the program did not run the previous time, am I supposed to run other programs etc?

    Thanks heaps!
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    FF - Ext: Embedded Objects>> A Firefox add-on that allows you to download embedded content from web pages. The extension has an email address at red-cog.com. The site looks suspicious, and when I clicked on 'Inquire about this domain' I got an alert from my security stating the site has a poor reputation and would load.

    Embedded objects are a risk and it appears that you did not get the extension from the Mozilla addon site.

    Try removing this extension, reboot the computer. See if that handles it.
     
  13. ayumist

    ayumist TS Rookie Topic Starter

    Hi Bobbye,

    I've removed the aforementioned extension (and also a couple of other extensions).
    The 1st time I opened Firefox, the website did not load - blank page (though its web address was shown).
    On the other hand, my designated homepage did not load either.

    However, that didn't do the trick and the same website appeared again when I re-opened Firefox again.

    Anything else I need to do?

    Thanks!
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I am going to reset both your Firefox Start page and the Search page to the defaults. IF you want to change the Homepage to another URL, you can do that. But don't set it to a Search page.
    ===================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Extra::
    Firefox::
    Firefox-:  -Profile - c:\users\duckieblues\AppData\Roaming\Mozilla\Firefox\Profiles\b9b3x8yr.default\
    Firefox-: prefs.js - SEARCH.DEFAULTURL
    Firefox-: prefs.js - STARTUP.HOMEPAGE
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    This is the 'start' page you have set up for Firefox:

    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/advanced_search?hl=en

    This is an advanced search page, not a home page. When you open the browser, whether it's IE or Firefox, the search engine will be within the page, not the page itself. For instance, let's say you like baseball and would like to see balls and bats when you launch your browser. So set the page to open to ESPN, like this> http://sports.espn.go.com/, then click on Tools in Firefox> Main Page> Choose 'use current.'
    ====================================
    Now, when you launch Firefox, this page will display and you'll have a nice Google box for your searches. Give this a try after you run the script.

    This part, google.com.sg: this is offered in Bahasa Malaysia. This would explain why you are getting the foreign page.

    Let me know.
     
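As an added example (not code from this thread, from ComboFix or from its author), a small Python triage helper for the "FF -" lines of a ComboFix Supplementary Scan, covering the two checks made by hand in posts 12 and 14: whether the prefs.js homepage points at the expected host or at a search page, and which extensions carry an ID from a domain that is not on a trusted list (the red-cog.com case). The sample lines are copied from the log posted above; the function names, the expected-host set and the trusted-domain set are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: "FF -" lines in the shape ComboFix prints them in its
# Supplementary Scan section (copied from the log posted in this thread).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com.sg/
FF - ProfilePath - c:\users\duckieblues\AppData\Roaming\Mozilla\Firefox\Profiles\b9b3x8yr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/advanced_search?hl=en
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
FF - Ext: 1-Click YouTube Video Downloader: YoutubeDownloader@PeterOlayev.com - %profile%\extensions\YoutubeDownloader@PeterOlayev.com
"""

PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
EXT_RE = re.compile(r"^FF - Ext: (.+?): (\S+) - (.+)$")
GUID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")


def refang(url):
    """ComboFix prints 'hxxp' so a log cannot be clicked by accident; undo that for parsing."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)


def parse_combofix_ff(text):
    """Collect prefs.js values and extension entries from the 'FF -' lines of a log."""
    report = {"prefs": {}, "extensions": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = PREF_RE.match(line)
        if m:
            report["prefs"][m.group(1)] = m.group(2).strip()
            continue
        m = EXT_RE.match(line)
        if m:
            name, ext_id, path = m.groups()
            report["extensions"].append({
                "name": name,
                "id": ext_id,
                "path": path.strip(),
                # %profile% entries were installed for this user, not with Firefox itself.
                "scope": "profile" if path.lower().startswith("%profile%") else "global",
            })
    return report


def triage(report, expected_hosts, trusted_domains):
    """Return (kind, detail) findings a helper would want to look at, in log order."""
    findings = []
    home = report["prefs"].get("browser.startup.homepage")
    if home:
        u = urlparse(refang(home))
        if u.hostname not in expected_hosts:
            findings.append(("homepage_unexpected_host", u.hostname))
        # Post 14's point: a search results page is not a home page.
        if "search" in u.path.lower():
            findings.append(("homepage_is_search_page", u.path))
    # Firefox network.proxy.type: 0 = none, 1 = manual, 2 = PAC URL, 4 = auto-detect (WPAD), 5 = system.
    # Anything other than none/system can route or rewrite traffic, so surface it for review.
    proxy = report["prefs"].get("network.proxy.type")
    if proxy in {"1", "2", "4"}:
        findings.append(("proxy_configured", proxy))
    for ext in report["extensions"]:
        if GUID_RE.match(ext["id"]):
            continue  # GUID-style IDs carry no vendor domain to check
        if "@" in ext["id"]:
            domain = ext["id"].rsplit("@", 1)[1].lower()
            if domain not in trusted_domains:
                findings.append(("extension_untrusted_domain", ext["id"]))
        else:
            findings.append(("extension_unusual_id", ext["id"]))
    return findings


if __name__ == "__main__":
    # Assumed allowlists: the host the user said was the homepage, and one vendor domain
    # marked trusted purely to show the contrast with the flagged one.
    rep = parse_combofix_ff(SAMPLE_LOG)
    for kind, detail in triage(rep, {"www.google.com"}, {"peterolayev.com"}):
        print(f"{kind}: {detail}")
```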
  15. ayumist

    ayumist TS Rookie Topic Starter

    Hi Bobbye,

    Not sure if I'm doing anything wrong because I ran the Combofix without changing the "homepage" in FF as I thought that the script is supposed to change it.
    And I clicked "yes" when Combofix needed a critical update.

    In the end, I still had that dreaded homepage when I opened FF.

    Right now, I have changed FF to the "default homepage". Should I run Combofix again?

    Sorry for any inconvenience caused.


    ComboFix 11-04-07.07 - duckieblues 08/04/2011 12:28:39.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3070.2166 [GMT 8:00]
    Running from: c:\users\duckieblues\Desktop\OOOO\ComboFix.exe
    Command switches used :: c:\users\duckieblues\Desktop\OOOO\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-08 04:33 . 2011-04-08 04:33 -------- d-----w- c:\users\duckieblues\AppData\Local\temp
    2011-04-08 04:33 . 2011-04-08 04:33 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-04-07 15:46 . 2011-04-07 15:46 -------- d-----w- c:\users\duckieblues\AppData\Local\{E6BD6E30-C610-42CF-9BF8-595EA7D400A7}
    2011-04-06 19:01 . 2011-04-06 19:01 -------- d-----w- c:\users\duckieblues\AppData\Local\{752D5958-BFD5-4B38-AC05-772F4C976055}
    2011-04-03 16:40 . 2011-04-03 16:40 -------- d-----w- c:\users\duckieblues\AppData\Local\{20658AE3-F25C-4D80-8B61-D31D676B7EA3}
    2011-04-02 15:41 . 2011-04-02 15:41 -------- d-----w- c:\users\duckieblues\AppData\Local\{F54FDD64-A9A2-40D1-85DD-156CF02B88EB}
    2011-03-31 16:20 . 2011-03-31 16:20 -------- d-----w- c:\users\duckieblues\AppData\Local\{308359CA-7AE4-4FD3-BFB9-484C150C5CF6}
    2011-03-30 20:56 . 2011-03-30 20:56 -------- d-----w- c:\users\duckieblues\AppData\Roaming\Avira
    2011-03-30 18:15 . 2011-03-04 08:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-03-30 18:15 . 2011-03-04 06:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-30 18:15 . 2011-03-30 18:15 -------- d-----w- c:\programdata\Avira
    2011-03-30 18:15 . 2011-03-30 18:15 -------- d-----w- c:\program files\Avira
    2011-03-30 17:56 . 2011-03-30 17:56 -------- d-----w- c:\users\duckieblues\AppData\Local\{0038B2DE-80CA-4041-94E7-FF82E80A5546}
    2011-03-28 18:57 . 2011-03-28 18:57 -------- d-----w- C:\_OTM
    2011-03-26 17:19 . 2011-03-26 17:19 -------- d-----w- c:\program files\ESET
    2011-03-26 05:28 . 2011-03-27 04:25 -------- d-----w- c:\users\duckieblues\AppData\Roaming\StoryView
    2011-03-26 05:28 . 2011-03-26 05:28 -------- d-----w- c:\program files\StoryViewSE
    2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\users\duckieblues\AppData\Roaming\Malwarebytes
    2011-03-24 18:01 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-24 18:01 . 2011-03-24 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-24 18:01 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-23 21:50 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-23 21:50 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-23 21:50 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-23 21:50 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-23 21:50 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-23 21:50 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-23 21:50 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-23 21:50 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-23 21:50 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-23 19:51 . 2011-03-23 20:15 -------- d-----w- c:\users\duckieblues\AppData\Roaming\AVG
    2011-03-23 17:31 . 2011-03-23 17:31 -------- d-----w- c:\program files\Common Files\Java
    2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-03-23 17:30 . 2011-02-02 13:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-03-12 04:28 . 2011-03-12 04:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-02 15:40 . 2009-09-21 08:01 45056 ----a-w- c:\windows\system32\acovcnt.exe
    2011-03-27 12:57 . 2010-06-24 03:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-02-09 14:26 . 2011-02-09 14:26 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-02-09 14:26 . 2011-02-09 14:26 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-01-20 16:37 . 2011-02-09 17:01 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-01-20 16:08 . 2011-02-09 17:01 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08 . 2011-02-09 17:01 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08 . 2011-02-09 17:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08 . 2011-02-09 17:01 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:08 . 2011-02-09 17:01 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:07 . 2011-02-09 17:01 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07 . 2011-02-09 17:01 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07 . 2011-02-09 17:01 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06 . 2011-02-09 17:01 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06 . 2011-02-09 17:01 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04 . 2011-02-09 17:01 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 16:04 . 2011-02-09 17:01 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 14:28 . 2011-02-09 17:01 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27 . 2011-02-09 17:01 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26 . 2011-02-09 17:01 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25 . 2011-02-09 17:01 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24 . 2011-02-09 17:01 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15 . 2011-02-09 17:01 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14 . 2011-02-09 17:01 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14 . 2011-02-09 17:01 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14 . 2011-02-09 17:01 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12 . 2011-02-09 17:01 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11 . 2011-02-09 17:01 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47 . 2011-02-09 17:01 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-08 08:47 . 2011-02-09 16:51 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28 . 2011-02-09 16:51 292352 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
    2009-09-07 08:36 147928 ----a-w- c:\program files\easyMule\modules\IE2EM.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
    @="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
    [HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
    2007-06-02 00:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
    "SRS Premium Sound"="c:\program files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe" [2009-04-07 3405048]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-19 104936]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
    "HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
    "ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-04-21 540576]
    "ATKOSD2"="c:\program files\ASUS\ATKOSD2\ATKOSD2.exe" [2009-03-04 8392704]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-14 7416352]
    "Wireless Console 3"="c:\program files\ASUS\Wireless Console 3\wcourier.exe" [2009-04-17 1593344]
    "ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2009-04-20 159744]
    "ADSMTray"="c:\program files\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2008-04-01 266240]
    "ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2008-10-01 851968]
    "ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-08-23 3054136]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-09 273544]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-01 13789728]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-30 752168]
    FancyStart daemon.lnk - c:\windows\Installer\{A9FEB6D7-9C52-49FC-B956-7AB275B78890}\_5598CE641C54B66A23693F.exe [2009-8-23 12862]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer5"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3804174097-2789128879-451939437-1000]
    "EnableNotificationsRef"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
    R3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\DRIVERS\CRFILTER.sys [2008-04-07 6656]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
    S2 SRS_VolSync_Service;SRS Volume Sync Service;c:\program files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe [2009-04-07 70880]
    S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2009-04-21 90112]
    S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-04-01 50176]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-16 3668480]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-01-22 52768]
    S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\srs_PremiumSound_i386.sys [2009-04-01 233128]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.sg/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Download by easyMule - c:\program files\easyMule\IE2EM.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\duckieblues\AppData\Roaming\Mozilla\Firefox\Profiles\b9b3x8yr.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/advanced_search?hl=en
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-08 12:33
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sidebar = c:\program files\Windows Sidebar\sidebar.exe /autoRun?????????????????????????????????4???????????????????????????4?????????#?????
    .
    scanning hidden files ...
    .
    .
    C:\ADSM_PData_0150
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(696)
    c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
    .
    - - - - - - - > 'Explorer.exe'(5688)
    c:\program files\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt.dll
    c:\program files\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
    c:\windows\system32\btmmhook.dll
    .
    Completion time: 2011-04-08 12:35:10
    ComboFix-quarantined-files.txt 2011-04-08 04:35
    ComboFix2.txt 2011-03-30 20:55
    ComboFix3.txt 2011-03-26 20:00
    .
    Pre-Run: 103,485,280,256 bytes free
    Post-Run: 103,493,308,416 bytes free
    .
    - - End Of File - - F35D07B91ED68E27E158A9E4ABFF85DB
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Have you done this:
    1. Go to the site you want for your homepage first
    2. Open Tools in Firefox> Options> Main> Startup section> "When Firefox starts"> click on the arrow to the right of the dialog box: There are 3 choices here:
      [o]. Use my homepage<< Choose this. The URL for the site you went to will be here.
      [o]. Use a blank page>>> this is what you see now
      [o]. Show my Windows & tabs from last time.>>> I have never used this because I set my home page up with the tabs I wanted all the time. I don't recommend choosing this option.
    3. There are 3 choices in the Homepage dialog box.
      [o] Use Current pages<< Choose this
      [o] Use Bookmark>> Don't use now
      [o] Restore to Default>> Do not use.

    Don't be concerned with any other tabs at this point- you can set them later. You need to get the homepage set, but you have to choose the site and tell the system "this is what I want for my home page; open to this page when I launch Firefox".

    Don't put any search engine as your homepage. All browsers have a place for the search engine. You can choose any site on the internet for your home page. But be sure it's a good, reputable site.

    If you don't have a Site Advisor, use the Web of Trust (WOT) add-on. It is a safe surfing tool for your browser. Traffic-light rating symbols show how the site is rated for Trustworthiness, Vendor Reliability, Privacy, and Child Safety. Your online email account – Google Mail, Yahoo! Mail and Hotmail – is also protected. Choose only the Green lights!

    Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight.

    I have a feeling that you haven't been setting the homepage up correctly. Let me know if this gets set up.
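    As an added example (not code from the thread, and not part of ComboFix, Malwarebytes or any tool named here), a small Python script that checks what Bobbye's homepage procedure should have produced: it parses a Firefox profile's prefs.js, the file the "FF - prefs.js" lines in the ComboFix log above were read from, plus the optional user.js that Firefox re-applies over prefs.js on every start, and reports the effective homepage and proxy type. The sample user.js and its hijack URL are constructed placeholders, and the profile-path argument is an assumption.

```python
import re
import sys
from pathlib import Path

# Firefox keeps preferences as lines of the form
#   user_pref("browser.startup.homepage", "http://www.google.com.sg/");
# Firefox rewrites prefs.js itself; a user.js in the same profile folder is
# re-applied over prefs.js at every start, so a homepage set there keeps
# "coming back" even though the Options dialog shows the value you chose.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC script",
               4: "auto-detect (WPAD)", 5: "system"}

# Preferences that decide where the browser goes on start-up.
WATCHED = ("browser.startup.homepage", "browser.startup.page",
           "network.proxy.type", "network.proxy.autoconfig_url",
           "keyword.URL", "browser.search.defaulturl")

def parse_prefs(text):
    """Return {name: value} for every user_pref() line (str, int or bool values)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs

def audit_profile(prefs_text, user_text="", expected_homepage=None):
    """Work out the effective start-up settings and list what a defender should look at."""
    prefs, user = parse_prefs(prefs_text), parse_prefs(user_text)
    effective = {**prefs, **user}  # user.js wins on every start
    findings = []
    for name in WATCHED:
        if name in user:
            findings.append(f"user.js forces {name} = {user[name]!r} "
                            f"(prefs.js shows {prefs.get(name)!r})")
    homepage = effective.get("browser.startup.homepage", "about:home")
    if expected_homepage and homepage != expected_homepage:
        findings.append(f"effective homepage is {homepage!r}, not {expected_homepage!r}")
    ptype = effective.get("network.proxy.type")  # None = Firefox built-in default
    if ptype not in (None, 0, 5):
        findings.append(f"network.proxy.type = {ptype} ({PROXY_TYPES.get(ptype, 'unknown')}); "
                        "a hijacked proxy or PAC script can redirect every page")
        if ptype == 2:
            findings.append(f"PAC script: {effective.get('network.proxy.autoconfig_url')!r}")
    return {"homepage": homepage,
            "homepage_from_user_js": "browser.startup.homepage" in user,
            "proxy_type": ptype, "findings": findings}

# Constructed sample mirroring the "FF - prefs.js" lines in the ComboFix log.
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "http://www.google.com.sg/advanced_search?hl=en");
user_pref("network.proxy.type", 4);
user_pref("browser.startup.page", 1);
'''
# Constructed user.js with a placeholder hijack URL (not taken from the thread).
SAMPLE_USER_JS = 'user_pref("browser.startup.homepage", "http://hijack.example.invalid/?placeholder");\n'

if __name__ == "__main__":
    if len(sys.argv) > 1:  # assumed usage: audit.py <profile folder>
        profile = Path(sys.argv[1])
        prefs_text = (profile / "prefs.js").read_text(encoding="utf-8", errors="replace")
        user_file = profile / "user.js"
        user_text = user_file.read_text(encoding="utf-8", errors="replace") if user_file.exists() else ""
    else:
        prefs_text, user_text = SAMPLE_PREFS_JS, SAMPLE_USER_JS
    report = audit_profile(prefs_text, user_text, expected_homepage="http://www.google.com.sg/")
    print("effective homepage:", report["homepage"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run it against a closed profile folder (Firefox rewrites prefs.js on exit); a homepage reported as coming from user.js explains a setting that reverts no matter what the Options dialog shows.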
     
  17. ayumist

    ayumist TS Rookie Topic Starter

    Hi Bobbye,

    Thanks for the detailed explanation.

    Update:
    - WOT is up and running.
    - homepage is now http://www.straitstimes.com/

    However, even when the *.2345.com is still in the exceptions list, the webpage continues popping up.

    So what do I need to do next?
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Glad you put WOT on the system! You may be amazed at how many of the sites have the 'red light'! When I am trying to identify a process, most of the sites have this, so I have to be very careful to choose green wisely!

    As for the homepage, you can use the same process anytime you decide you'd like something different. Just be sure to choose a good site.

    The site you're still seeing is connected to what made the homepage change. I'd like for you to update and do a Full Scan with Malwarebytes. We've missed something. Originally you were asked to just do the Quick Scan, but this needs to be more in depth.
     
  19. ayumist

    ayumist TS Rookie Topic Starter

    Hi Bobbye,

    Thanks for the great recommendation! After installing WOT, I realized that some of the innocuous-looking sites were actually in the "red" category. Guess I have to learn to be more discerning on the links I click. :eek:


    Malwarebytes's log:


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6333

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    12/4/2011 12:25:08 AM
    mbam-log-2011-04-12 (00-25-08).txt

    Scan type: Full scan (C:\|D:\|G:\|)
    Objects scanned: 498284
    Time elapsed: 1 hour(s), 42 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Thanks for your help!
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. I was just as surprised as you about all the 'red lights'! I have to be so careful when I need to identify a process- Vendor reliability is part of their rating, as is their privacy policy.

    Okay, the Mbam scan is clean. You will surely have rebooted the system by now- did the homepage remain? Are you still getting the 2345 site? If you are, now that you have WOT on the system, see if the 2345 appears for any specific web site you click on.
    =======================================
    I'd like for you to see if you can identify any of the repeating AppData. Here is a screen shot for Vista:
    Image courtesy ComputerPerformance UK. This replaces the Documents & Settings folder we had in Windows XP, which has been renamed to Users.

    So here is your path:
    1. Under Users> Choose duckieblues
    2. Under duckieblues> Choose AppData
    3. Under AppData> Choose Local (this is one of the 3 sub-folders under AppData)
    Once you are in Local, you should see entries like this:
    c:\users\duckieblues\AppData\Local\{0038B2DE-80CA-4041-94E7-FF82E80A5546}

    Do a Right click> Properties and see if you can ID the source for any of them.

    If you used Windows XP, this will help you understand this placement:
    Most users have found these folders empty, so it is okay to delete them. But some are also supposed to hold program data within. But I have yet to learn how to identify what is adding this 'data'!
     
  21. ayumist

    ayumist TS Rookie Topic Starter

    Hi Bobbye,

    A few questions for you:

    Am I supposed to click on all the links in my favorite folders or...?
    Because currently, 2345 only pops out upon start-up of FF. As of right now, it hasn't appeared due to any links that I click.

    Edit: Excess images deleted

    Not sure why but user duckieblues does not have any AppData folder.

    So I went to "search for files and folders" but could only find it under "public" user and the "local" folder was empty. (Ok to delete right?)
    Spotted something that looks like what you were asking me to look out for...
    But unable to access it.

    So I think I have to trouble you again... :blush:
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No, you do not need to click on all your Favorites.
    The offender shows in the images you left. I don't know if you put this together:

    This file that you listed, shows in 2 places in the image:
    (C:\Users\duckieblues\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5)

    The first line is:
    Name: 2736628[1]
    Date Modified: 29/11/2009 8:50
    Type: Firefox Document
    Folder: VX4CQUHU (C:\Users
    Author: None
    Tags: Asian symbols

    The second line> the one where you showed the full path is:
    Name: p1_120580[1]
    Date Modified: 29/11/2009 8:50
    Type: Firefox Document
    Folder: VX4CQUHU (C:\Users\duckieblues\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5)

    I went to the 2345 site to see if I could match up the symbols- not an easy thing to do! It also had a redirect that I didn't allow. But I do think this is the offending entry that is coming up when you launch Firefox. It isn't going to let you delete it if it's in Firefox and you have Firefox open.

    I have been scratching my head trying to figure out how to do this. You need to have Firefox closed, then go in to Windows Explorer. I did some searching trying to identify the folder above- no luck. But I did find p1_120580[1] here: http://travel.webshots.com/photo/2868048140045422942IxJQll

    These are webshots uploaded by someone in Thailand and they are showing on several of the imaging sites and there is also a YouTube video of same name here: http://www.youtube.com/watch?v=cYxtAJoKld4
    Also Asian.

    I think that somewhere in your adventures, you either got the video or an embedded ad from one of the sites you surfed with Firefox. So when you're in Windows Explorer, go to Programs> Click on Mozilla Firefox> Look on the right screen and see if you have a folder VX4CQUHU. Make sure you're in 'duckieblues' account.

    One other unknown is the following:
    FF - Ext: Embedded Objects: firefox@red-cog.com - %profile%\extensions\firefox@red-cog.com
    It should be in the extensions, but I don't know what 'Embedded Objects' are.

    Fish around and see what you come up with- let me know.
     
  23. ayumist

    ayumist TS Rookie Topic Starter

    Hi Bobbye,

    I'm kind of lost so just bear with me here...

    Edit: Excess images deleted

    So I went to PROGRAM FILES -> MOZILLA FF but didn't find it
    Checked again just in case I missed anything...

    Edit: Excess images deleted
    Btw, the chrome folder has another 2 folders in it- CONTENT & LOCALE

    I'm really not sure if this's what you are asking me to look for.
    Pls correct me if I'm veering in the wrong direction.

    Thanks!
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, while I realize " a picture is worth a thousand words", I think you need to stop the images- they are very space consuming!

    You found the file- I'm not sure why you didn't just delete it. Delete these 2 folders: VX4CQUHU

    No more images pasted in. If you do find it absolutely necessary to use an image, leave it as an attachment instead of pasting it in.
     
Topic Status:
Not open for further replies.
