
Author Topic: Befuddled... Mozilla hijacks and something else  (Read 6922 times)


Stasmodeus

    Topic Starter


    Rookie

    Befuddled... Mozilla hijacks and something else
    « on: December 17, 2009, 03:41:44 AM »
    Hello,

    I recently just recovered after getting attacked by a bunch of trojans/malware, during which I had to repair Windows XP Professional (SP3) and manually reinstall my system restore service. But for some reason I keep getting hijacked and sent to other bogus websites when I'm doing searches in Mozilla Firefox, and my background tends to blink, if you will, after doing things that normally wouldn't make changes to the desktop... None of my anti-virus/malware programs can seem to find anything, and after doing an online ESET scan, there was only one tmp file found infected with Win32\kryptik.bfg. Any help would be greatly appreciated...

    Thanks
    -St. Asmodeus

    [Saving space, attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Befuddled... Mozilla hijacks and something else
    « Reply #1 on: December 18, 2009, 01:44:54 PM »
    Hello Stasmodeus and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.

    Open HijackThis and select Open the Misc Tools section. Select Process manager. Search for and highlight C:\DOCUME~1\STDA09~1.ASM\LOCALS~1\Temp\SSUPDATE.EXE and click Kill process.
    Click Main Menu.

    Select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    (Description: Adobe reader startup - unnecessarily uses system resources.)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

    ComboFix

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Vista users: right-click combofix.exe, select Run as Administrator and follow the prompts.
    Otherwise, double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
    Windows 8 and Windows 10 dual boot with two SSD's

    Stasmodeus


      Re: Befuddled... Mozilla hijacks and something else
      « Reply #2 on: December 19, 2009, 03:33:20 PM »
      Thank you for the help, Super Dave... I followed the instructions and am now posting the log files...

      [Saving space, attachment deleted by admin]

      SuperDave

      Re: Befuddled... Mozilla hijacks and something else
      « Reply #3 on: December 19, 2009, 07:16:15 PM »
      Hi Stasmodeus. Let's try this:

      GMER Rootkit Scanner
      Download GMER Rootkit Scanner from here.

      •Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
      •If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


       

      •In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      *Sections
      *IAT/EAT
      *Drives/Partition other than Systemdrive (typically C:\)
      *Show All (don't miss this one)

      •Then click the Scan button & wait for it to finish
      •Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
      •Save it where you can easily find it, such as your desktop, and post it in reply
      **Caution**
      Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


      Stasmodeus


        Re: Befuddled... Mozilla hijacks and something else
        « Reply #4 on: December 19, 2009, 09:13:29 PM »
        Hey SuperDave,

        Great choice of utils, GMER is an awesome program that I've used before fixing my computer. Anyway, here's the log file that it made...

        Thanks Again for the time you've been putting in on this problem.

        [Saving space, attachment deleted by admin]

        SuperDave

        Re: Befuddled... Mozilla hijacks and something else
        « Reply #5 on: December 20, 2009, 12:34:42 PM »
        Well, that scan looks clean. ;D Are you still getting the redirects?

        Stasmodeus


          Re: Befuddled... Mozilla hijacks and something else
          « Reply #6 on: December 20, 2009, 03:13:27 PM »
          Well, it's really weird because the only time it tries to redirect me is when I click on links in Google, Yahoo, or Bing, but let's say I use Webcrawler.com... I can click on the link listed after I do a search and it doesn't redirect me... As a matter of fact, it can't even do the redirect right at this point. This is the website it's trying to send me to: newserversearch.com. But Mozilla gives me an error because it does not add www. to the address. So I'm a bit confused, because I have also uninstalled Firefox and re-installed it again only to face the same problem. Now when I use IE, any time I click on the same links in the mentioned search sites, I receive an error saying there's a problem with my internet connection. But when I click on diagnose problem, it takes me to the right site and then says it found nothing wrong with my internet connection.

          So as always I'm stumped...


          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Befuddled... Mozilla hijacks and something else
          « Reply #7 on: December 20, 2009, 05:16:01 PM »
          Try this please.

          * Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
          * Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
          * Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

          "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

          * Follow the instructions to type in "delete" when it asks you what to do when it finds something.
          * When done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents in your next reply.

          Stasmodeus


            Re: Befuddled... Mozilla hijacks and something else
            « Reply #8 on: December 20, 2009, 05:57:05 PM »
            Thanks again for the help... Here is that log file...

            [Saving space, attachment deleted by admin]

            evilfantasy

            Re: Befuddled... Mozilla hijacks and something else
            « Reply #9 on: December 20, 2009, 06:14:41 PM »
            Download GooredFix from one of the locations below and save it to your desktop

            Download Mirror #1
            Download Mirror #2

            * Ensure all Firefox windows are closed.
            * To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
            * When prompted to run the scan, click Yes.
            * GooredFix will check for infections, and then a log will appear.

            Post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

            Stasmodeus


              Re: Befuddled... Mozilla hijacks and something else
              « Reply #10 on: December 20, 2009, 06:59:28 PM »
              okay here is that log...

              [Saving space, attachment deleted by admin]

              evilfantasy

              Re: Befuddled... Mozilla hijacks and something else
              « Reply #11 on: December 20, 2009, 07:00:40 PM »
              I can't read that. Just copy and paste it into the reply please.

              Stasmodeus


                Re: Befuddled... Mozilla hijacks and something else
                « Reply #12 on: December 20, 2009, 07:03:11 PM »
                Oops, my mistake...

                GooredFix by jpshortstuff (06.12.09.1)
                Log created at 19:55 on 20/12/2009 (St. Asmodeus)
                Firefox version 3.5.6 (en-US)

                ========== GooredScan ==========


                ========== GooredLog ==========

                C:\Program Files\Mozilla Firefox\extensions\
                {972ce4c6-7e08-4474-a285-3208198ce6fd} [15:00 20/12/2009]
                {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [00:30 16/12/2009]

                C:\Documents and Settings\St. Asmodeus\Application Data\Mozilla\Firefox\Profiles\eo7e0plm.default\extensions\
                {20a82645-c095-46ed-80e3-08825760534b} [19:06 20/12/2009]

                [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
                "{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [01:17 01/12/2009]
                "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:31 06/12/2009]
                "[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:29 16/12/2009]

                -=E.O.F=-

                evilfantasy

                Re: Befuddled... Mozilla hijacks and something else
                « Reply #13 on: December 20, 2009, 07:13:35 PM »
                Well the scanners aren't getting us anywhere and apparently none of them are even detecting this yet.

                You will need to attach this log as it will be in a .zip file.

                Run a scan with MGtools and attach the log. Using MGtools

                Stasmodeus


                  Re: Befuddled... Mozilla hijacks and something else
                  « Reply #14 on: December 21, 2009, 03:32:18 AM »
                  Sorry for late reply,

                  Here are those log files that were made...

                  [Saving space, attachment deleted by admin]