Odd website amongst homepages

[Scilly_guy]

My current version of Avast! is 5.0.677
Engine and definitions:110202-1  (02/02/2011 14:50:57)

I have run a Quick Scan, Full Scan and a Boot Scan.
The boot scan picked up 5 instances of PUP:Win32:Mirc-Z which I moved to chest.

My problem is that when I open Firefox to my many homepages an extra site opens up and brings itself to the front, the address starts:
http://91.216.122.161
This site pretends to look like something official from windows, it has the IE logo as a FavIcon, and the page looks like windows explorer of a computer similar to mine, except the drives had the wrong letters and names. It was suggesting that my computer had suspicious applications running and it could fix them, it was also trying to download an .exe . I couldn't close the page and had to kill Firefox from the task manager. If I open Chrome or IE it doesn't open this page. Do you require any other information? What should I do?

[essexboy]

It could eithere be a proxy or a BHO running on start

Download OTL  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Attach both logs

[DavidR]

The IP is for Moldova, so given your location, I rather doubt it is legit.

[Scilly_guy]

I might have to split Extras.Txt into two... it said ti was too large :s

oops forgot to add the files this time

[Scilly_guy]

Here we go

[Scilly_guy]

And the Extras one...

[essexboy]

You will need to reset your firefox home page after this run

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

Code: [Select]

:OTL
FF - prefs.js..browser.startup.homepage: "http://www.facebook.com|http://groups.yahoo.com/group/scilly-freecycle/pending|https://login.yahoo.com/config/login_verify2?.intl=uk&rand=78448921&i=IWZkZHNKf2h7YmBgIXRzZnNydEpidXV4dSF0ZEqOZHh4fH5iU356YmNYcnM%3d&.src=ym|http://forums.civfanatics.com/forumdisplay.php?f=119|http://www.yankodesign.com/|http://www.facebook.com/friends/?status=&ref=hp|http://magicseaweed.com/UK-Ireland-MSW-Surf-Charts/1/|http://magicseaweed.com/UK-Ireland-MSW-Surf-Charts/1/pressure/in/|http://aswarmofangels.com/thenineorders/index.php?act=idx|http://www.radioscilly.com/index.php|http://www.stagnesgigclub.co.uk|www.stagnesscilly.co.uk|http://forum.stagnesscilly.co.uk|http://toseainasieve.wordpress.com/|http://www.xkcd.com/|http://www.onemorelevel.com/|http://www.penny-arcade.com/comic/|http://www.ctrlaltdel-online.com/comic.php|https://www.national-lottery.co.uk/player/p/home/home.do"
[2010/05/16 17:29:08 | 000,000,000 | ---D | M] (Vyprázdnit vyrovnávací pamÄ›Å?) -- C:\Documents and Settings\Harry\Application Data\Mozilla\Firefox\Profiles\kf444uiv.default\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
O4 - HKLM..\Run: [SW20] File not found
O4 - HKLM..\Run: [SW24] File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

THEN

Update and re-run Malwarebytes posting the resultant log

[Scilly_guy]

Heres my OTL log:

[Scilly_guy]

And heres the Malwarebytes log:

[Scilly_guy]

I'm so sorry for wasting everyones time, I have fixed the problem, one of my homepages (one that I don't usually actually look at much was forwarding me to the dodgy one, I have removed hxxp://aswarmofangels.com/thenineorders/index.php?act=idx from my homepages. Thankyou so much for the help though, and sorry again.

[DavidR]

Please 'modify' your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

The last thing you want is this to happen to others.

[essexboy]

No problem at all - better safe than sorry 

Run OTL again and hit the cleanup button that will remove it