Inactive Browser redirects on both Firefox/IE--please help

[harahap]

Hello. Long-time listener, first-time caller. Thank you for any help you can give.

After clicking on links, my browser keeps redirecting to one site: [B]Redirect hyperlink deleted by Bobbye[/B] and no other site. Have tried on both Firefox and IE, and both do the same thing.


Malwarebytes Anti-Malware log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7955

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/16/2011 5:25:50 AM
mbam-log-2011-10-16 (05-25-50).txt

Scan type: Quick scan
Objects scanned: 162467
Time elapsed: 8 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-16 18:01:08
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.01.0
Running: yxejrode.exe; Driver: C:\DOCUME~1\DR70BA~1.DAM\LOCALS~1\Temp\kfkcqpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF7B98738]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF7B987DC]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF7B98878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF7B98914]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[380] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 1069E349 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[380] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 1069E2DB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[380] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104589A7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[380] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10458F65 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3812] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0121FAE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[176] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001ED0] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
IAT C:\WINDOWS\Explorer.EXE[176] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [10002A90] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
IAT C:\WINDOWS\Explorer.EXE[176] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
IAT C:\WINDOWS\Explorer.EXE[176] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CopyFileExW] [10001F40] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)
IAT C:\WINDOWS\Explorer.EXE[176] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002DE0] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Ntfs \Ntfs mwlPSDFilter.sys (PSD Filter Driver/Egis Incorporated.)
AttachedDevice \FileSystem\Ntfs \Ntfs mwlPSDFilter.sys (PSD Filter Driver/Egis Incorporated.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


DDS DDS.txt log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27
Run by Dr. Damayanti at 18:07:13 on 2011-10-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.129 [GMT 7:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe
C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\snuvcdsm.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG10\avgtray.exe
svchost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\PROLiNK HSPA\UIExec.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Modem AC2726i UI\bin\MonServiceUDisk.exe
C:\Program Files\PROLiNK HSPA\AssistantServices.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\EgisTec\MyWinLocker 3\x86\MWLService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [EgisTecLiveUpdate] "c:\program files\egistec egis software update\EgisUpdate.exe"
mRun: [mwlDaemon] c:\program files\egistec\mywinlocker 3\x86\mwlDaemon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [SNUVCDSM] c:\windows\snuvcdsm.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UIExec] "c:\program files\prolink hspa\UIExec.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
TCP: DhcpNameServer = 202.162.209.26 8.8.8.8
TCP: Interfaces\{C6D488D4-BE42-446B-A4E9-A58521C81AE4} : DhcpNameServer = 202.162.209.26 8.8.8.8
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dr. damayanti\application data\mozilla\firefox\profiles\lewd3wpu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\drivers\mwlPSDFilter.sys [2010-2-25 17840]
R1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\drivers\mwlPSDNserv.sys [2010-2-25 15280]
R1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\drivers\mwlPSDVDisk.sys [2010-2-25 58800]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2010-2-25 109648]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2010-2-25 253952]
R2 UDisk Monitor;UDisk Monitor;c:\program files\modem ac2726i ui\bin\MonServiceUDisk.exe [2010-7-19 266240]
R2 UI Assistant Service;UI Assistant Service;c:\program files\prolink hspa\AssistantServices.exe [2011-8-21 252784]
R2 Updater Service;Updater Service;c:\program files\acer\acer updater\UpdaterService.exe [2010-2-25 240160]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2010-2-25 45056]
R3 MWLService;MyWinLocker Service;c:\program files\egistec\mywinlocker 3\x86\MWLService.exe [2009-9-10 305448]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-17 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-25 1691480]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-2-25 112640]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-17 135664]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-6-22 100480]
S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-8-21 9216]
S3 PROLiNKusbdiag;PROLiNK DataCard Diagnostic Port;c:\windows\system32\drivers\PROLiNKusbdiag.sys [2011-8-21 107904]
S3 PROLiNKusbmodem;PROLiNK DataCard Proprietary USB Driver;c:\windows\system32\drivers\PROLiNKusbmodem.sys [2011-8-21 107904]
S3 PROLiNKusbnmea;PROLiNK DataCard NMEA Port;c:\windows\system32\drivers\PROLiNKusbnmea.sys [2011-8-21 107904]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2010-7-19 104704]
.
=============== Created Last 30 ================
.
2011-10-16 11:05:33 607260 ------r- c:\program files\dds.scr
2011-10-16 07:35:41 302592 ----a-w- c:\program files\yxejrode.exe
2011-10-15 21:48:43 -------- d-----w- c:\documents and settings\dr. damayanti\application data\Malwarebytes
2011-10-15 21:46:35 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-15 21:46:31 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-15 21:46:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-15 21:43:28 9852544 ----a-w- c:\program files\mbam-setup-1.51.2.1300.exe
2011-10-15 20:05:58 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-10-15 20:05:58 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-22 05:25:01 -------- d-----w- c:\documents and settings\dr. damayanti\local settings\application data\Temp
2011-09-20 14:54:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-20 14:54:20 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-09-20 14:54:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-20 14:16:12 -------- d-----w- c:\documents and settings\all users\application data\PopCap
.
==================== Find3M ====================
.
2011-09-26 04:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 04:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 04:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-13 17:29:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 18:07:55.04 ===============


DDS Attach.txt log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 6/10/2010 8:18:12 AM
System Uptime: 10/16/2011 12:38:58 PM (6 hours ago)
.
Motherboard: Acer | | AO532h
Processor: Intel(R) Atom(TM) CPU N450 @ 1.66GHz | CPU | 1662/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 138 GiB total, 118.344 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP70: 7/30/2011 10:36:31 AM - System Checkpoint
RP71: 8/2/2011 3:22:46 PM - System Checkpoint
RP72: 8/4/2011 1:17:30 AM - System Checkpoint
RP73: 8/5/2011 5:30:07 AM - System Checkpoint
RP74: 8/6/2011 10:26:02 PM - System Checkpoint
RP75: 8/8/2011 2:15:43 PM - System Checkpoint
RP76: 8/9/2011 4:02:46 PM - System Checkpoint
RP77: 8/10/2011 10:52:13 AM - Software Distribution Service 3.0
RP78: 8/11/2011 11:39:33 AM - System Checkpoint
RP79: 8/15/2011 5:04:52 PM - System Checkpoint
RP80: 8/16/2011 8:57:14 PM - System Checkpoint
RP81: 8/18/2011 12:04:35 AM - System Checkpoint
RP82: 8/21/2011 2:51:51 AM - Installed PROLiNK HSPA Modem
RP83: 8/22/2011 8:04:11 PM - System Checkpoint
RP84: 8/23/2011 8:40:28 PM - System Checkpoint
RP85: 8/24/2011 3:16:45 PM - Software Distribution Service 3.0
RP86: 8/25/2011 3:56:52 PM - System Checkpoint
RP87: 8/26/2011 4:22:08 PM - System Checkpoint
RP88: 8/27/2011 4:52:32 PM - System Checkpoint
RP89: 8/28/2011 10:17:43 PM - System Checkpoint
RP90: 8/30/2011 9:15:24 AM - System Checkpoint
RP91: 8/31/2011 6:46:22 PM - System Checkpoint
RP92: 9/2/2011 1:31:20 PM - System Checkpoint
RP93: 9/3/2011 6:09:05 PM - System Checkpoint
RP94: 9/5/2011 3:28:27 AM - System Checkpoint
RP95: 9/6/2011 8:34:01 PM - System Checkpoint
RP96: 9/7/2011 10:44:25 PM - System Checkpoint
RP97: 9/8/2011 3:00:27 AM - Software Distribution Service 3.0
RP98: 9/9/2011 3:08:31 PM - System Checkpoint
RP99: 9/11/2011 12:15:08 AM - System Checkpoint
RP100: 9/12/2011 7:39:56 AM - System Checkpoint
RP101: 9/13/2011 8:03:58 AM - System Checkpoint
RP102: 9/14/2011 4:34:49 PM - System Checkpoint
RP103: 9/15/2011 9:20:37 PM - Restore Operation
RP104: 9/17/2011 3:00:22 AM - Software Distribution Service 3.0
RP105: 9/20/2011 9:53:43 PM - Installed Java(TM) 6 Update 27
RP106: 9/22/2011 12:04:07 PM - Restore Operation
RP107: 9/22/2011 12:21:33 PM - Restore Operation
RP108: 9/24/2011 8:07:43 AM - System Checkpoint
RP109: 9/26/2011 2:55:32 AM - System Checkpoint
RP110: 9/27/2011 3:25:00 AM - System Checkpoint
RP111: 9/28/2011 1:37:17 PM - System Checkpoint
RP112: 9/28/2011 3:34:40 PM - Software Distribution Service 3.0
RP113: 9/29/2011 4:04:50 PM - System Checkpoint
RP114: 9/30/2011 5:59:10 PM - System Checkpoint
RP115: 10/1/2011 6:18:04 PM - System Checkpoint
RP116: 10/3/2011 12:33:43 AM - System Checkpoint
RP117: 10/4/2011 2:47:13 AM - System Checkpoint
RP118: 10/5/2011 3:16:55 AM - System Checkpoint
RP119: 10/6/2011 11:28:25 AM - System Checkpoint
RP120: 10/7/2011 3:58:11 PM - System Checkpoint
RP121: 10/8/2011 5:11:29 PM - System Checkpoint
RP122: 10/11/2011 7:22:31 PM - System Checkpoint
RP123: 10/13/2011 2:21:59 AM - System Checkpoint
RP124: 10/14/2011 3:00:23 AM - Software Distribution Service 3.0
RP125: 10/15/2011 4:21:07 AM - System Checkpoint
RP126: 10/16/2011 3:02:20 AM - Restore Operation
RP127: 10/16/2011 12:00:12 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Acer Crystal Eye Webcam
Acer eRecovery Management
Acer GameZone Console
Acer ScreenSaver
Acer Updater
Acer VCM
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.5 MUI
Alice Greenfingers
Amazonia
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
AVG 2011
Chicken Invaders 2
Compatibility Pack for the 2007 Office system
Dairy Dash
Dream Day First Home
ENE USB Card Reader Driver
eSobi v2
Farm Frenzy 2
First Class Flurry
Google Toolbar for Internet Explorer
Google Update Helper
Granny In Paradise
Heroes of Hellas
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB969084)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB981793)
Identity Card
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 27
Junk Mail filter update
Launch Manager
Malwarebytes' Anti-Malware version 1.51.2.1300
Merriam Websters Spell Jam
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mobile Partner
Modem AC2726i UI
Mozilla Firefox 7.0.1 (x86 en-US)
MSVCRT
MSXML 4.0 SP3 Parser (KB973685)
MyWinLocker
Nero 6 Ultra Edition
PowerDVD
PROLiNK HSPA Modem
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2483614)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Segoe UI
Skype™ 5.5
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebCam
WebFldrs XP
WhiteSmoke
WIDCOMM Bluetooth Software
Winamp (remove only)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
10/9/2011 11:05:23 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 705AB6D7211A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/16/2011 4:30:36 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\wdmaud.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
.
==== End Of File ===========================

 

[Bobbye]

Welcome to TechSpot! Glad you decided to stop by- I'll help with the redirect and make your experience more positive.

You will note I have deleted the link you left for the redirect. It's okay to leave the domain> like sunday.com, but leaving a link means someone else may click on it.
==========================================
My Guidelines: please read and follow:

• Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
• Read my instructions carefully. If you don't understand or have a problem, ask me.
• If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
• Follow the order of the tasks I give you. Order is crucial in cleaning process.
• File sharing programs should be uninstalled or disabled during the cleaning process..
• Observe these:
  [o] Don't use any other cleaning programs or scans while I'm helping you.
  [o] Don't use a Registry cleaner or make any changes in the Registry.
  [o] Don't download and install new programs- except those I give you.
• Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
My compliments for keeping such a good list of restore points! Allow me to ask about this to make sure: A System Restore was done>
RP126: 10/16/2011 3:02:20 AM - Restore Operation
Shortly after, you ran the Malwarebytes scan:
mbam-log-2011-10-16 (05-25-50).txt10/16/2011 5:25:50 AM

So it appears that the scans were run right after the restore- is that right? And you were still having the redirect after the restore?
=====================================
I see few entries to be removed, but we need to look further: Combofix won't run with AVG so it needs to be uninstalled temporarily:
Download AppRemover and save to the desktop

1. Double click the setup on the desktop> click Next
2. Select “Remove Security Application”
3. Let scan finish to determine security apps
4. A screen like below will appear:
   
   
5. Click on Next after choice has been made
6. Check the AVG program you want to uninstall
7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop

• Double click combofix.exe & follow the prompts.
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
• Once installed, you should see a blue screen prompt that says:
  The Recovery Console was successfully installed.
• .Click on Yes, to continue scanning for malware
• .If Combofix asks you to update the program, allow
• .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• .Close any open browsers.
• .Double click combofix.exe
  
  & follow the prompts to run.
• When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==============================

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESETOnlineScan
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  [o] Double click on the
  
  on your desktop.
• Check 'Yes I accept terms of use.'
• Click Start button
• Accept any security warnings from your browser.
  
  
• Uncheck 'Remove found threats'
• Check 'Scan archives/
• Leave remaining settings as is.
• Press the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
• When the scan completes, press List of found threats
• Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
• Push the Back button
• Push Finish

Please post the entire log with heading resembling this:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
==================================
Please leave these two logs in your next reply.

 

[harahap]

Thanks for your prompt and caring attention! So sorry about the link--will keep to domain names, or just not post it at all.

A System Restore was done>
RP126: 10/16/2011 3:02:20 AM - Restore Operation
Shortly after, you ran the Malwarebytes scan:
mbam-log-2011-10-16 (05-25-50).txt10/16/2011 5:25:50 AM

So it appears that the scans were run right after the restore- is that right? And you were still having the redirect after the restore?

Yes, since this is my first ever experience with redirect virus/malware, I did a restore, hoping it would magically uninstall/go to a previous state of cleanliness... but the redirects are still happening. I've so far uninstalled AVG, and am trying to install Avast, but have hit a roadblock with a pop-up called "Windows Installer" that says: "The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the installation package vc_red.msi in the box below." [OK] [Cancel] [Use source: (path)] [Browse]

I've left the installation open. I thought I should tell you this before I move on in the steps, in case it has something to do with the virus/malware.

 

[Bobbye]

You will have to be connected to the internet to install the AV.

 

[harahap]

Hi, Bobbye. Thanks for taking the time to do this. Here are the two scan logs:


ComboFix log

ComboFix 11-10-15.04 - Dr. Damayanti 10/17/2011 1:34.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.461 [GMT 7:00]
Running from: c:\documents and settings\Dr. Damayanti\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dr. Damayanti\Local Settings\Temporary Internet Files\cookies.sqlite
c:\program files\mbam-setup-1.51.2.1300.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
.
.
2011-10-16 17:58 . 2011-09-06 20:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-10-16 17:58 . 2011-09-06 20:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-10-16 17:58 . 2011-09-06 20:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-10-16 17:58 . 2011-09-06 20:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-16 17:58 . 2011-09-06 20:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-10-16 17:58 . 2011-09-06 20:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-10-16 17:58 . 2011-09-06 20:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-10-16 17:58 . 2011-09-06 20:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-10-16 16:24 . 2011-09-06 20:45 41184 ----a-w- c:\windows\avastSS.scr
2011-10-16 16:24 . 2011-09-06 20:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-10-16 16:24 . 2011-10-16 16:24 -------- d-----w- c:\program files\AVAST Software
2011-10-16 16:24 . 2011-10-16 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-10-16 15:21 . 2011-10-16 15:35 59854808 ----a-w- c:\program files\setup_av_free_cnet.exe
2011-10-16 15:01 . 2011-10-16 15:03 8922408 ----a-w- c:\program files\AppRemover.exe
2011-10-16 11:05 . 2011-10-16 11:05 607260 ------r- c:\program files\dds.scr
2011-10-16 07:35 . 2011-10-16 07:35 302592 ----a-w- c:\program files\yxejrode.exe
2011-10-15 21:48 . 2011-10-15 21:48 -------- d-----w- c:\documents and settings\Dr. Damayanti\Application Data\Malwarebytes
2011-10-15 21:46 . 2011-10-15 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-15 21:46 . 2011-10-15 21:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-15 21:46 . 2011-08-31 10:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-15 20:05 . 2011-10-15 20:05 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-26 09:24 . 2011-09-26 09:24 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2011-09-22 05:25 . 2011-09-22 05:25 -------- d-----w- c:\windows\Sun
2011-09-22 05:25 . 2011-09-22 05:25 -------- d-----w- c:\documents and settings\Dr. Damayanti\Local Settings\Application Data\Temp
2011-09-22 05:24 . 2011-09-22 05:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-09-22 05:23 . 2011-09-22 05:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-09-20 14:55 . 2011-09-20 14:55 -------- d-----w- c:\program files\Common Files\Java
2011-09-20 14:54 . 2011-09-20 14:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-20 14:54 . 2011-09-20 14:53 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-09-20 14:54 . 2011-09-20 14:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-20 14:53 . 2011-09-20 14:53 -------- d-----w- c:\program files\Java
2011-09-20 14:16 . 2011-09-20 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 04:41 . 2010-02-25 09:22 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 04:41 . 2008-07-30 03:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 04:41 . 2010-02-25 09:22 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2010-02-25 09:22 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2010-02-25 09:22 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2010-02-25 09:22 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2010-02-25 09:22 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2010-02-25 09:22 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2010-02-25 09:22 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2010-02-25 09:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-13 17:29 . 2011-05-30 04:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-01 04:06 . 2011-05-08 19:12 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-09-10 13:41 120104 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-28 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-28 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-28 141336]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-09 18789920]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2009-12-11 59936]
"EgisTecLiveUpdate"="c:\program files\EgisTec Egis Software Update\EgisUpdate.exe" [2009-08-04 199464]
"mwlDaemon"="c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-09-10 349480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PLFSetL"="c:\windows\PLFSetL.exe" [2010-01-13 99712]
"SNUVCDSM"="c:\windows\snuvcdsm.exe" [2010-01-13 30080]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2010-01-13 202112]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-12-11 1160272]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-23 1594664]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"UIExec"="c:\program files\PROLiNK HSPA\UIExec.exe" [2010-08-16 138584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2010-2-25 708608]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-26 607584]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/17/2011 12:58 AM 320856]
R1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\drivers\mwlPSDFilter.sys [2/25/2010 6:30 PM 17840]
R1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\drivers\mwlPSDNserv.sys [2/25/2010 6:30 PM 15280]
R1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\drivers\mwlPSDVDisk.sys [2/25/2010 6:30 PM 58800]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/17/2011 12:58 AM 20568]
R2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [2/25/2010 4:23 PM 109648]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2/25/2010 6:41 PM 253952]
R2 UI Assistant Service;UI Assistant Service;c:\program files\PROLiNK HSPA\AssistantServices.exe [8/21/2011 2:51 AM 252784]
R2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2/25/2010 6:23 PM 240160]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2/25/2010 4:23 PM 45056]
R3 MWLService;MyWinLocker Service;c:\program files\EgisTec\MyWinLocker 3\x86\MWLService.exe [9/10/2009 8:42 PM 305448]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10/17/2011 12:58 AM 442200]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/17/2011 2:56 AM 135664]
S2 UDisk Monitor;UDisk Monitor;c:\program files\Modem AC2726i UI\bin\MonServiceUDisk.exe [7/19/2010 3:34 AM 266240]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/25/2010 5:57 PM 1691480]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2/25/2010 4:22 PM 112640]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/17/2011 2:56 AM 135664]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [6/22/2010 5:40 AM 100480]
S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [8/21/2011 2:52 AM 9216]
S3 PROLiNKusbdiag;PROLiNK DataCard Diagnostic Port;c:\windows\system32\drivers\PROLiNKusbdiag.sys [8/21/2011 2:52 AM 107904]
S3 PROLiNKusbmodem;PROLiNK DataCard Proprietary USB Driver;c:\windows\system32\drivers\PROLiNKusbmodem.sys [8/21/2011 2:52 AM 107904]
S3 PROLiNKusbnmea;PROLiNK DataCard NMEA Port;c:\windows\system32\drivers\PROLiNKusbnmea.sys [8/21/2011 2:52 AM 107904]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [7/19/2010 3:34 AM 104704]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AAVMKER4
*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMON2
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - AVAST!_ANTIVIRUS
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-16 19:56]
.
2011-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-16 19:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=ao532h&r=0xph0610w115l04f4wu15w55m2r46p
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 202.162.209.26 8.8.8.8
FF - ProfilePath - c:\documents and settings\Dr. Damayanti\Application Data\Mozilla\Firefox\Profiles\lewd3wpu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-17 01:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-10-17 01:46:09
ComboFix-quarantined-files.txt 2011-10-16 18:46
.
Pre-Run: 127,394,316,288 bytes free
Post-Run: 128,060,977,152 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - C77CEE81ED4B5C3A8EF45700767FD8B0


ESET Scan log--n.b. I don't know how to get a log that looks like the one in the box you quoted. All it would give me is this list of 2 infected files.

C:\Program Files\WhiteSmoke\WhiteSmokeRegistration.exe a variant of Win32/WhiteSmoke application
C:\Program Files\WhiteSmoke\html\english\dictClientDic\index.html HTML/WhiteSmoke application

 

[Bobbye]

Maybe Eset isn't coming up with the full log like it use to.

WhiteSmoke, an English translator program and/or toolbar,is usually downloaded with another program without the users permission or knowledge. In many cases, it has a TDSS rootkit with it.

So first I'll have you remove the 2 entries Eset found, then follow with the rootkit scan, then a full scan with Mbam.

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Files  
  C:\Program Files\WhiteSmoke\WhiteSmokeRegistration.exe 
  C:\Program Files\WhiteSmoke\html\english\dictClientDic\index.html 
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==============================================
Please look in Add/Remove Programs and see if there is an entry for WhiteSmoke. If there is, please uninstall it.

• Download the file TDSSKiller.zip and save to the desktop.
  (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
• Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
• Double click on TDSSKiller.exe. to run the scan
• When the scan is over, the utility outputs a list of detected objects with description.
  The utility automatically selects an action (Cure or Delete) for malicious objects.
  The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
• Select the action Quarantine to quarantine detected objects.
  The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
• After clicking Next, the utility applies selected actions and outputs the result.
• A reboot is required after disinfection.

================================================
I noticed Combofix deleted the setup for Mbam: c:\program files\mbam-setup-1.51.2.1300.exe
Did you use the link for this program in the steps? Did you download it through a file sharing/torrent site?
So you may not be able to update and run a full scan. Please uninstall the Malwarebytes you have now and run the following> the difference is that you will be running a Full Scan instead of Quick Scan.

Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware from from HERE
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  [o] Update Malwarebytes' Anti-Malware
  [o] and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform Full Scan option is selected and then click on the Scan button.Perform Quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please paste this log with your reply
  Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
  [o] If you accidentally close it, the log file is saved here and will be named like this:
  [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

==============================================
Question: Do you know what this program is?
2011-10-16 07:35:41 302592 ----a-w- c:\program files\yxejrode.exe
Did you run the GMER scan?

 

[harahap]

Okay, I've followed your steps exactly, and have removed Whitesmoke.

I noticed Combofix deleted the setup for Mbam: c:\program files\mbam-setup-1.51.2.1300.exe
Did you use the link for this program in the steps? Did you download it through a file sharing/torrent site?
So you may not be able to update and run a full scan. Please uninstall the Malwarebytes you have now and run the following> the difference is that you will be running a Full Scan instead of Quick Scan.

The first time I downloaded MBAM and scanned, I accidentally closed the log in Notepad. I neglected to see that it kept the log, so thought I had to download it a second time, and scanned again. Does this maybe have anything to do with that log entry? I followed everything exactly, and did not get it from a sharing/torrent site.

Question: Do you know what this program is?
2011-10-16 07:35:41 302592 ----a-w- c:\program files\yxejrode.exe
Did you run the GMER scan?

Yes, I did the GMER scan in the correct order. That .exe file is GMER, and the log is posted in my very first post in this thread.

Here are the two logs you asked for:

OTMoveIt log

All processes killed
========== FILES ==========
C:\Program Files\WhiteSmoke\WhiteSmokeRegistration.exe moved successfully.
C:\Program Files\WhiteSmoke\html\english\dictClientDic\index.html moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 122946772 bytes
->Temporary Internet Files folder emptied: 216033 bytes
->Flash cache emptied: 396 bytes

User: Dr. Damayanti
->Temp folder emptied: 5561556 bytes
->Temporary Internet Files folder emptied: 1226447 bytes
->Java cache emptied: 1 bytes
->FireFox cache emptied: 610935374 bytes
->Flash cache emptied: 33485 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 216301 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 707.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 10182011_232413


MBAM log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7974

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/19/2011 1:21:45 AM
mbam-log-2011-10-19 (01-21-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 215276
Time elapsed: 59 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\dr. damayanti\Desktop\writers block\writer's block 3\writer_s_blocks3\writer's blocks3_\writer's.blocks.3-patch.exe (PUP.Hacktool.Patcher) -> Quarantined and deleted successfully.


Is there anything else I need to do?

 

[Bobbye]

Sorry for delay! Lots of obstacles to overcome.

About this entry I asked you about:
2011-10-16 07:35 302592 ----a-w- c:\program files\yxejrode.exe
While the GMER log shows this: Running: yxejrode.exe; Driver: C:\DOCUME~1\DR70BA~1.DAM\LOCALS~1\Temp\kfkcqpog.sys
I thought it looked like to could be from GMER, but I've never seen it in Combofix running as the executable..
===================================
As for this deletion: c:\program files\mbam-setup-1.51.2.1300.exe. Combofix does not usually remove a legitimate program setup.
==================================
Eset is still not running clean.
c:\documents and settings\dr. damayanti\Desktop\writers block\writer's block 3\writer_s_blocks3\writer's blocks3_\writer's.blocks.3-patch.exe (PUP.Hacktool.Patcher)
-------------------
HackTool:Win32/Patch.A is a generic detection for a series of hacking tools intended to "patch" programs that may be evaluation copies, or unregistered versions with limited features.
-----------------
This program has been pirated: Writer's Block.3 A free trial was offered for this $150 program, but a pirated key or license was used.

Download CKScanner and save to your desktop.

• Doubleclick CKScanner.exe and click Search For Files.
• When the cursor hourglass disappears, click Save List To File.
• A message box will verify that the file is saved.
• Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

 

[harahap]

Sorry for delay! Lots of obstacles to overcome.

Oh, that's fine. I'm just grateful you're willing to help.

Eset is still not running clean.
c:\documents and settings\dr. damayanti\Desktop\writers block\writer's block 3\writer_s_blocks3\writer's blocks3_\writer's.blocks.3-patch.exe (PUP.Hacktool.Patcher)
-------------------
HackTool:Win32/Patch.A is a generic detection for a series of hacking tools intended to "patch" programs that may be evaluation copies, or unregistered versions with limited features.
-----------------
This program has been pirated: Writer's Block.3 A free trial was offered for this $150 program, but a pirated key or license was used.

I got this netbook as a hand-me-down from someone, and don't really need anything beside an internet browser and MS Word. So I don't care that we had to get rid of Whitesmoke, and if we have to do the same with whatever this pirated "Writer's Block" is or any other programs to clean it up.

Download CKScanner and save to your desktop.

• Doubleclick CKScanner.exe and click Search For Files.
• When the cursor hourglass disappears, click Save List To File.
• A message box will verify that the file is saved.
• Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Okay, this is what it came up with:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\zuma\zuma.deluxe.1.0.crack.exe
scanner sequence 3.AP.11.NLNABV
----- EOF -----

 

[Bobbye]

Zuma Deluxe offers a short free trial. The cost to buy the program is $7. Instead of paying the purchase price, a torrent site was visited to get a key or license number instead of paying. This is piracy.

I got this netbook as a hand-me-down from someone

The netbook and everything on it is now your responsibility. With piracy and file sharing, you get malware.

Please remove the pirated programs and downloads- this includes uninstalling in Add/Remove Programs, deleting Program folders, cleaning the temporary internet files and Cookies.

When that has been completed, we'll see what malware is left. The following might help you understand what you are exposed to:

P2P or 'file sharing' Warning:
Even if you are using a "safe" P2P program, it is only the program that is safe. :

• As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
• Malware writers use these program to include malicious content.
• File sharing is usually unmonitored and there is a danger that your private files might be accessed.
• The 'sharing' also includes malware that the shared system has on it.
• Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.