
Author Topic: Befuddled... Mozilla hijacks and something else  (Read 6938 times)


Stasmodeus

    Topic Starter


    Rookie

    Befuddled... Mozilla hijacks and something else
    « on: December 17, 2009, 03:41:44 AM »
    Hello,

    I recently just recovered after getting attacked by a bunch of trojans/malware. During which I had to repair Windows XP Professional (SP3) and manually reinstall my system restore service. But for some reason I keep getting hijacked and sent to other bogus websites when I'm doing searches in Mozilla Firefox, and my background tends to blink, if you will, after doing things that normally wouldn't make changes to the desktop... None of my anti-virus\malware programs can seem to find anything, and after doing an online ESET scan, there was only one tmp file found infected with Win32\kryptik.bfg. Any help would be great...

    Thanks
    -St. Asmodeus

    [Saving space, attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Befuddled... Mozilla hijacks and something else
    « Reply #1 on: December 18, 2009, 01:44:54 PM »
    Hello Stasmodeus and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.

    Open HijackThis and select Open the Misc Tools section. Select Process manager. Search for and highlight C:\DOCUME~1\STDA09~1.ASM\LOCALS~1\Temp\SSUPDATE.EXE and click Kill process.
    Click Main Menu.

    Select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    (Description: Adobe reader startup - unnecessarily uses system resources.)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

    ComboFix

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
    Double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
    Windows 8 and Windows 10 dual boot with two SSD's

    Stasmodeus


      Re: Befuddled... Mozilla hijacks and something else
      « Reply #2 on: December 19, 2009, 03:33:20 PM »
      Thank you for the help Super Dave... I followed the instructions and am now posting the log files...

      [Saving space, attachment deleted by admin]

      SuperDave

      Re: Befuddled... Mozilla hijacks and something else
      « Reply #3 on: December 19, 2009, 07:16:15 PM »
      Hi Stasmodeus. Let's try this:

      GMER Rootkit Scanner
      Download GMER Rootkit Scanner from here.

      • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent.
      • If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO.


       

      • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      * Sections
      * IAT/EAT
      * Drives/Partition other than Systemdrive (typically C:\)
      * Show All (don't miss this one)

      • Then click the Scan button & wait for it to finish.
      • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file.
      • Save it where you can easily find it, such as your desktop, and post it in reply.
      **Caution**
      Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


      Stasmodeus


        Re: Befuddled... Mozilla hijacks and something else
        « Reply #4 on: December 19, 2009, 09:13:29 PM »
        Hey SuperDave,

        Great choice of utils, GMER is an awesome program that I've used before fixing my computer. Anyway, here's the log file that it made...

        Thanks Again for the time you've been putting in on this problem.

        [Saving space, attachment deleted by admin]

        SuperDave

        Re: Befuddled... Mozilla hijacks and something else
        « Reply #5 on: December 20, 2009, 12:34:42 PM »
        Well, that scan looks clean. ;D Are you still getting the redirects?

        Stasmodeus


          Re: Befuddled... Mozilla hijacks and something else
          « Reply #6 on: December 20, 2009, 03:13:27 PM »
          Well it's really weird because the only time it tries to redirect me is when I click on links in Google, Yahoo, or Bing, but let's say I use Webcrawler.com... I can click on the link listed after I do a search and it doesn't redirect me... As a matter of fact it can't even do the redirect right at this point. This is the website it's trying to send me to: newserversearch.com. But Mozilla gives me an error because it does not add www. to the address. So I'm a bit confused because I have also uninstalled Firefox and re-installed it again only to face the same problem. Now when I use IE, anytime I click on the same links in the mentioned search sites, I receive an error saying there's a problem with my internet connection. But when I click on diagnose problem, it takes me to the right site and then says it found nothing wrong with my internet connection.

          So as always I'm stumped...


          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Befuddled... Mozilla hijacks and something else
          « Reply #7 on: December 20, 2009, 05:16:01 PM »
          Try this please.

          * Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
          * Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
          * Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

          "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

          * Follow the instructions to type in "delete" when it asks you what to do when it finds something.
          * When done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents in your next reply.

          Stasmodeus


            Re: Befuddled... Mozilla hijacks and something else
            « Reply #8 on: December 20, 2009, 05:57:05 PM »
            Thanx again for the help... Here is that log file...

            [Saving space, attachment deleted by admin]

            evilfantasy

            Re: Befuddled... Mozilla hijacks and something else
            « Reply #9 on: December 20, 2009, 06:14:41 PM »
            Download GooredFix from one of the locations below and save it to your desktop

            Download Mirror #1
            Download Mirror #2

            * Ensure all Firefox windows are closed.
            * To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
            * When prompted to run the scan, click Yes.
            * GooredFix will check for infections, and then a log will appear.

            Post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

            Stasmodeus


              Re: Befuddled... Mozilla hijacks and something else
              « Reply #10 on: December 20, 2009, 06:59:28 PM »
              okay here is that log...

              [Saving space, attachment deleted by admin]

              evilfantasy

              Re: Befuddled... Mozilla hijacks and something else
              « Reply #11 on: December 20, 2009, 07:00:40 PM »
              I can't read that. Just copy and paste it into the reply please.

              Stasmodeus


                Re: Befuddled... Mozilla hijacks and something else
                « Reply #12 on: December 20, 2009, 07:03:11 PM »
                oops my mistake...

                GooredFix by jpshortstuff (06.12.09.1)
                Log created at 19:55 on 20/12/2009 (St. Asmodeus)
                Firefox version 3.5.6 (en-US)

                ========== GooredScan ==========


                ========== GooredLog ==========

                C:\Program Files\Mozilla Firefox\extensions\
                {972ce4c6-7e08-4474-a285-3208198ce6fd} [15:00 20/12/2009]
                {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [00:30 16/12/2009]

                C:\Documents and Settings\St. Asmodeus\Application Data\Mozilla\Firefox\Profiles\eo7e0plm.default\extensions\
                {20a82645-c095-46ed-80e3-08825760534b} [19:06 20/12/2009]

                [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
                "{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [01:17 01/12/2009]
                "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:31 06/12/2009]
                "[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:29 16/12/2009]

                -=E.O.F=-
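
The log layout in the post above, parsed as an added example (not part of the original thread and not GooredFix's own code): it groups Firefox extension entries by where they are registered and flags, for review only, IDs modified within 24 hours of the scan or registered from more than one location. The 24-hour window, the function names and the placeholder ID standing in for the obfuscated one are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log text in the layout of the post above. The last registry ID is a
# constructed placeholder, because the real one is obfuscated on the page.
SAMPLE_LOG = r"""GooredFix by jpshortstuff (06.12.09.1)
Log created at 19:55 on 20/12/2009 (St. Asmodeus)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [15:00 20/12/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [00:30 16/12/2009]

C:\Documents and Settings\St. Asmodeus\Application Data\Mozilla\Firefox\Profiles\eo7e0plm.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [19:06 20/12/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [01:17 01/12/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:31 06/12/2009]
"placeholder@example.invalid"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:29 16/12/2009]

-=E.O.F=-
"""

TS = r"\[(\d{2}:\d{2} \d{2}/\d{2}/\d{4})\]"
CREATED_RE = re.compile(r"^Log created at (\d{2}:\d{2}) on (\d{2}/\d{2}/\d{4})")
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"="(.*)" ' + TS + r"$")
DIR_ENTRY_RE = re.compile(r"^(\S+) " + TS + r"$")


def _ts(text):
    # The log writes timestamps as HH:MM DD/MM/YYYY (day first).
    return datetime.strptime(text, "%H:%M %d/%m/%Y")


def parse_gooredfix(log_text):
    """Return (scan_time, entries); each entry records its source location."""
    created, source, entries = None, None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line.startswith("-="):
            continue  # blank lines, section banners, end-of-file marker
        if m := CREATED_RE.match(line):
            created = _ts(f"{m.group(1)} {m.group(2)}")
        elif m := REG_KEY_RE.match(line):
            source = m.group(1)  # registry key that lists extensions
        elif m := REG_VAL_RE.match(line):
            entries.append({"source": source, "id": m.group(1),
                            "target": m.group(2), "modified": _ts(m.group(3))})
        elif m := DIR_ENTRY_RE.match(line):
            entries.append({"source": source, "id": m.group(1),
                            "target": None, "modified": _ts(m.group(2))})
        elif line.endswith("\\"):
            source = line  # an extensions directory header
    return created, entries


def triage(created, entries, window=timedelta(hours=24)):
    """Flag entries worth a manual look; a flag is not a verdict."""
    if created is None:
        raise ValueError("log has no 'Log created at' line")
    sources_by_id = defaultdict(set)
    for e in entries:
        sources_by_id[e["id"].lower()].add(e["source"])
    findings = []
    for e in entries:
        reasons = []
        age = created - e["modified"]
        if timedelta(0) <= age <= window:
            reasons.append("modified within the window before the scan")
        if len(sources_by_id[e["id"].lower()]) > 1:
            reasons.append("same ID registered from more than one location")
        if reasons:
            findings.append((e["id"], e["source"], reasons))
    return findings


if __name__ == "__main__":
    scan_time, found = parse_gooredfix(SAMPLE_LOG)
    for ext_id, source, reasons in triage(scan_time, found):
        print(f"{ext_id}\n  in {source}\n  -> {'; '.join(reasons)}")
```

A recent timestamp can simply reflect a reinstall or an update, so each flagged ID still has to be identified by hand.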

                evilfantasy

                Re: Befuddled... Mozilla hijacks and something else
                « Reply #13 on: December 20, 2009, 07:13:35 PM »
                Well the scanners aren't getting us anywhere and apparently none of them are even detecting this yet.

                You will need to attach this log as it will be in a .zip file.

                Run a scan with MGtools and attach the log. Using MGtools

                Stasmodeus


                  Re: Befuddled... Mozilla hijacks and something else
                  « Reply #14 on: December 21, 2009, 03:32:18 AM »
                  Sorry for late reply,

                  Here are those log files that were made...

                  [Saving space, attachment deleted by admin]

                  evilfantasy

                  Re: Befuddled... Mozilla hijacks and something else
                  « Reply #15 on: December 21, 2009, 10:00:05 AM »
                  Delete ComboFix and download a new copy.

                  If you already have ComboFix be sure to delete it and download a new copy.

                  Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

                  Link #1
                  Link #2

                  **Note:  It is important that it is saved directly to your Desktop

                  DO NOT run it yet!

                  Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

                  Delete these files/folders, as follows:

                  1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                  It must be Notepad, not Wordpad.
                  2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                  Code:
                  KillAll::

                  File::
                  C:\WINDOWS\Tasks\YNQPXOGR.job

                  Registry::
                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
                  "Uninstall Adobe Download Manager"=-


                  3. Go to the Notepad window and click Edit > Paste
                  4. Then click File > Save
                  5. Name the file CFScript.txt - Save the file to your Desktop
                  6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                  ComboFix will begin to execute, just follow the prompts.
                  After reboot (in case it asks to reboot), it will produce a log for you.
                  Post that log (Combofix.txt) in your next reply.

                  Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

                  Stasmodeus


                    Re: Befuddled... Mozilla hijacks and something else
                    « Reply #16 on: December 21, 2009, 02:34:41 PM »
                    Okay, I let combofix do its job... But I forgot to turn off anti-virus so it had a problem downloading at first, but after realizing my mistake it didn't take long... Here is that log from combofix...

                    ComboFix 09-12-20.08 - St. Asmodeus 12/21/2009  15:13:37.1.1 - x86
                    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1902.1315 [GMT -6:00]
                    Running from: c:\documents and settings\St. Asmodeus\Desktop\ComboFix.exe
                    Command switches used :: c:\documents and settings\St. Asmodeus\Desktop\CFScript.txt
                    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
                    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

                    FILE ::
                    "c:\windows\Tasks\YNQPXOGR.job"
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    c:\windows\Tasks\YNQPXOGR.job
                    c:\windows\Temp\0218441261345893mcinst.exe

                    .
                    (((((((((((((((((((((((((   Files Created from 2009-11-21 to 2009-12-21  )))))))))))))))))))))))))))))))
                    .

                    2009-12-21 10:27 . 2009-12-21 10:29   141526   ----a-w-   C:\MGlogs.zip
                    2009-12-21 10:27 . 2009-12-21 10:29   --------   d-----w-   C:\MGtools
                    2009-12-20 14:58 . 2009-12-20 14:58   --------   d-sh--w-   c:\documents and settings\St. Asmodeus\IECompatCache
                    2009-12-20 01:58 . 2009-12-20 02:21   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\Vso
                    2009-12-20 01:57 . 2009-12-20 01:57   --------   d-----w-   c:\program files\VSO
                    2009-12-18 02:19 . 2009-12-21 21:19   52224   ----a-w-   c:\documents and settings\St. Asmodeus\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                    2009-12-16 21:23 . 2009-12-16 21:23   --------   d-----w-   c:\program files\ESET
                    2009-12-16 01:26 . 2009-12-16 01:26   4844296   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
                    2009-12-16 01:14 . 2009-12-16 01:14   --------   d-----w-   c:\program files\Trend Micro
                    2009-12-16 00:44 . 2009-12-16 00:44   1   ----a-w-   c:\documents and settings\St. Asmodeus\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
                    2009-12-16 00:43 . 2009-12-16 00:43   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\OpenOffice.org
                    2009-12-16 00:31 . 2009-12-16 00:31   --------   d-----w-   c:\program files\JRE
                    2009-12-16 00:31 . 2009-12-16 00:31   --------   d-----w-   c:\program files\OpenOffice.org 3
                    2009-12-16 00:30 . 2009-12-16 00:29   411368   ----a-w-   c:\windows\system32\deploytk.dll
                    2009-12-16 00:29 . 2009-12-16 00:29   --------   d-----w-   c:\program files\Java
                    2009-12-16 00:25 . 2009-12-16 00:25   --------   d-sh--w-   c:\documents and settings\St. Asmodeus\PrivacIE
                    2009-12-14 21:53 . 2002-12-17 22:23   33340   ------w-   c:\windows\system32\dbmsqlgc.dll
                    2009-12-14 21:53 . 2002-10-20 20:05   24576   ------w-   c:\windows\system32\dbmsgnet.dll
                    2009-12-14 21:53 . 1998-10-29 21:45   306688   ----a-w-   c:\windows\IsUninst.exe
                    2009-12-14 21:53 . 2009-12-14 21:53   --------   d-----w-   c:\program files\Microsoft SQL Server
                    2009-12-14 21:52 . 2009-12-14 21:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sony
                    2009-12-14 21:09 . 2009-10-20 16:20   265728   -c----w-   c:\windows\system32\dllcache\http.sys
                    2009-12-14 21:08 . 2009-12-14 21:08   --------   d-----w-   c:\documents and settings\St. Asmodeus\ErrorLogs
                    2009-12-14 03:21 . 2009-12-21 21:18   139056   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
                    2009-12-13 22:45 . 2009-12-13 23:07   --------   d-----w-   c:\program files\Easy CD-DA Extractor
                    2009-12-13 22:45 . 1998-02-07 03:37   299520   ----a-w-   c:\windows\uninst.exe
                    2009-12-13 22:44 . 2009-12-13 22:44   --------   d-----w-   c:\documents and settings\St. Asmodeus\WINDOWS
                    2009-12-13 20:19 . 2008-10-26 04:48   2651951   -c--a-w-   c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}\DriverScanner_Setup.exe
                    2009-12-13 20:18 . 2006-12-01 23:26   57856   -c--a-w-   c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}\Windows\winsxs\7z1v718o.6n8\mfcm80u.dll
                    2009-12-13 19:18 . 2009-12-13 19:18   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
                    2009-12-13 19:17 . 2009-12-13 19:17   --------   d-----w-   c:\program files\ACW
                    2009-12-13 18:45 . 2009-12-13 18:45   --------   d-----w-   c:\documents and settings\St. Asmodeus\DoctorWeb
                    2009-12-13 18:17 . 2009-10-29 07:45   12800   -c----w-   c:\windows\system32\dllcache\xpshims.dll
                    2009-12-13 18:17 . 2009-10-29 07:45   594432   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
                    2009-12-13 18:17 . 2009-10-29 07:45   55296   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
                    2009-12-13 18:17 . 2009-10-29 07:45   246272   -c----w-   c:\windows\system32\dllcache\ieproxy.dll
                    2009-12-13 18:17 . 2009-10-29 07:45   1985536   -c----w-   c:\windows\system32\dllcache\iertutil.dll
                    2009-12-13 18:17 . 2009-10-29 07:45   11069952   -c----w-   c:\windows\system32\dllcache\ieframe.dll
                    2009-12-13 17:59 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
                    2009-12-13 17:55 . 2008-10-24 11:21   455296   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
                    2009-12-13 17:53 . 2009-08-04 15:13   2145280   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
                    2009-12-13 17:53 . 2009-08-04 14:20   2023936   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
                    2009-12-13 17:53 . 2009-08-04 14:20   2066048   -c----w-   c:\windows\system32\dllcache\ntkrnlpa.exe
                    2009-12-13 07:34 . 2009-12-13 07:34   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
                    2009-12-13 06:24 . 2009-12-13 06:24   --------   d--h--w-   c:\windows\system32\GroupPolicy
                    2009-12-13 06:00 . 2009-12-13 06:00   --------   d-----w-   c:\windows\McAfee.com
                    2009-12-13 00:03 . 2001-08-18 04:36   38912   -c--a-w-   c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
                    2009-12-13 00:02 . 2008-04-14 05:41   400384   -c--a-w-   c:\windows\system32\dllcache\fxsxp32.dll
                    2009-12-12 23:59 . 2001-08-23 12:00   16384   -c--a-w-   c:\windows\system32\dllcache\isignup.exe
                    2009-12-12 23:51 . 2008-04-14 04:05   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
                    2009-12-12 23:48 . 2001-08-23 12:00   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
                    2009-12-12 23:48 . 2001-08-23 12:00   24661   ----a-w-   c:\windows\system32\spxcoins.dll
                    2009-12-12 23:48 . 2001-08-23 12:00   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
                    2009-12-12 23:48 . 2001-08-23 12:00   13312   ----a-w-   c:\windows\system32\irclass.dll
                    2009-12-12 21:32 . 2009-12-12 21:32   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                    2009-12-12 21:31 . 2009-12-12 21:31   132096   --sha-r-   c:\windows\system32\appmgmtsr.dll
                    2009-12-12 21:21 . 2009-12-12 21:21   --------   d-----w-   c:\program files\DVDFab 6
                    2009-12-12 20:43 . 2009-12-12 20:43   368640   ----a-w-   c:\windows\system32\ReWire.dll
                    2009-12-12 20:43 . 2009-12-12 20:43   233472   ----a-w-   c:\windows\system32\REX Shared Library.dll
                    2009-12-12 20:38 . 2009-12-12 20:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\Propellerhead Software
                    2009-12-12 20:38 . 2009-12-12 20:45   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\Propellerhead Software
                    2009-12-12 20:28 . 2009-12-12 20:28   --------   d-----w-   c:\program files\Propellerhead
                    2009-12-12 18:13 . 2009-12-14 21:55   --------   d-----w-   c:\program files\Sony Setup
                    2009-12-10 22:52 . 2009-12-10 22:52   --------   d-----w-   c:\documents and settings\St. Asmodeus\Local Settings\Application Data\Ahead
                    2009-12-10 22:49 . 2009-12-10 22:53   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\Ahead
                    2009-12-10 22:48 . 2009-12-10 22:52   --------   d-----w-   c:\program files\Common Files\Ahead
                    2009-12-10 22:48 . 2009-12-10 22:48   --------   d-----w-   c:\program files\Nero
                    2009-12-09 01:47 . 2009-12-09 01:47   --------   d-----w-   c:\program files\Common Files\Adobe
                    2009-12-09 01:45 . 2009-11-20 11:08   38784   ----a-w-   c:\documents and settings\St. Asmodeus\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
                    2009-12-09 01:44 . 2009-11-20 11:08   38784   ----a-w-   c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
                    2009-12-09 01:44 . 2009-12-09 01:44   --------   d-----w-   c:\program files\Common Files\Adobe AIR
                    2009-12-09 01:44 . 2009-12-09 01:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee Security Scan
                    2009-12-09 01:44 . 2009-12-09 01:50   --------   d-----w-   c:\documents and settings\St. Asmodeus\Local Settings\Application Data\Adobe
                    2009-12-09 01:44 . 2009-12-09 01:44   --------   d-----w-   c:\program files\McAfee Security Scan
                    2009-12-09 01:43 . 2009-12-09 01:43   86016   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
                    2009-12-09 01:42 . 2009-12-21 21:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
                    2009-12-09 01:37 . 2009-12-09 01:37   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\U3
                    2009-12-06 21:16 . 2009-12-06 21:16   --------   d-----w-   c:\program files\ASIO4ALL v2
                    2009-12-06 21:15 . 2009-12-06 21:15   --------   d-----w-   c:\program files\Outsim
                    2009-12-06 21:11 . 2009-12-06 21:15   --------   d-----w-   c:\program files\Image-Line
                    2009-12-06 21:06 . 2009-12-21 10:29   --------   d-----w-   c:\documents and settings\St. Asmodeus\Local Settings\Application Data\ApplicationHistory
                    2009-12-06 20:53 . 2006-08-16 15:23   21888   ----a-w-   c:\windows\system32\drivers\ma_cmidi.sys
                    2009-12-06 20:53 . 2006-08-16 15:23   86016   ----a-w-   c:\windows\system32\ma_cmidn.dll
                    2009-12-06 20:53 . 2006-08-16 15:24   82944   ----a-w-   c:\windows\system32\USBMN1X1.DLL
                    2009-12-06 20:53 . 2006-08-16 15:24   24128   ----a-w-   c:\windows\system32\drivers\USBMM1X1.SYS
                    2009-12-06 20:53 . 2006-08-16 15:24   22208   ----a-w-   c:\windows\system32\drivers\USBMN1X1.SYS
                    2009-12-06 20:53 . 2006-08-16 15:24   17920   ----a-w-   c:\windows\system32\USBMM1X1.DLL
                    2009-12-06 20:53 . 2006-08-16 15:24   13504   ----a-w-   c:\windows\system32\drivers\USB11LDR.SYS
                    2009-12-06 20:53 . 2006-08-16 15:24   12272   ----a-w-   c:\windows\system32\USBMM1X1.DRV
                    2009-12-06 20:53 . 2006-08-16 15:23   14272   ----a-w-   c:\windows\system32\MA_CMIDI.DRV
                    2009-12-06 20:53 . 2006-08-16 15:23   17920   ----a-w-   c:\windows\system32\MA_CMIDI.DLL
                    2009-12-06 20:30 . 2009-12-06 20:30   --------   d-----w-   c:\windows\system32\XPSViewer
                    2009-12-06 20:30 . 2009-12-06 20:30   --------   d-----w-   c:\program files\MSBuild
                    2009-12-06 20:30 . 2009-12-06 20:30   --------   d-----w-   c:\program files\Reference Assemblies
                    2009-12-06 20:29 . 2008-07-06 12:06   89088   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
                    2009-12-06 20:29 . 2008-07-06 12:06   575488   ------w-   c:\windows\system32\xpsshhdr.dll
                    2009-12-06 20:29 . 2008-07-06 12:06   117760   ------w-   c:\windows\system32\prntvpt.dll
                    2009-12-06 20:29 . 2008-07-06 10:50   597504   ------w-   c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
                    2009-12-06 20:29 . 2008-07-06 12:06   1676288   ------w-   c:\windows\system32\xpssvcs.dll
                    2009-12-06 20:03 . 2009-12-06 20:03   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\HpUpdate
                    2009-12-06 20:03 . 2009-12-06 20:03   --------   d-----w-   c:\windows\Hewlett-Packard
                    2009-12-05 18:51 . 2009-12-20 01:56   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\BitTorrent
                    2009-12-05 18:48 . 2009-12-05 18:48   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\NetMedia Providers
                    2009-12-05 18:48 . 2009-12-12 18:20   --------   d-----w-   c:\documents and settings\St. Asmodeus\Local Settings\Application Data\Sony
                    2009-12-05 18:44 . 2009-12-05 18:44   --------   d-----w-   c:\program files\Microsoft.NET
                    2009-12-05 18:33 . 2009-12-06 21:15   --------   d-----w-   c:\program files\VSTplugins
                    2009-12-05 18:33 . 2009-12-05 18:33   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\Publish Providers
                    2009-12-05 18:32 . 2009-12-14 21:52   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\Sony
                    2009-12-05 18:29 . 2009-12-12 18:14   --------   d-----w-   c:\program files\Sony
                    2009-12-05 18:27 . 2009-12-05 18:28   --------   d-----w-   c:\windows\system32\URTTemp
                    2009-12-05 18:13 . 2009-12-05 18:13   --------   d-----w-   c:\program files\PowerISO
                    2009-12-05 01:57 . 2009-12-05 01:57   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
                    2009-12-04 22:09 . 2009-12-04 22:11   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\Ventrilo
                    2009-12-04 22:07 . 2009-12-04 22:07   --------   d-----w-   c:\program files\Ventrilo
                    2009-12-04 22:04 . 2009-12-20 22:35   138328   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
                    2009-12-04 22:03 . 2009-12-20 22:34   214816   ----a-w-   c:\windows\system32\PnkBstrB.exe
                    2009-12-04 22:02 . 2009-12-04 22:02   --------   d-----w-   c:\windows\system32\LogFiles
                    2009-12-04 22:02 . 2009-12-04 22:02   75064   ----a-w-   c:\windows\system32\PnkBstrA.exe
                    2009-12-04 22:02 . 2009-12-04 22:02   --------   d-----w-   c:\documents and settings\St. Asmodeus\Local Settings\Application Data\PunkBuster
                    2009-12-04 21:57 . 2009-12-04 22:01   --------   d-----w-   c:\program files\Wolfenstein - Enemy Territory
                    2009-12-04 21:46 . 2009-12-04 21:46   --------   d-sh--w-   c:\documents and settings\St. Asmodeus\IETldCache
                    2009-12-04 21:32 . 2009-12-04 21:32   --------   d-----w-   c:\windows\ie8updates
                    2009-12-04 21:30 . 2009-12-04 21:30   --------   d-----w-   c:\documents and settings\LocalService\Application Data\McAfee
                    2009-12-04 21:30 . 2009-12-16 01:42   --------   dc-h--w-   c:\windows\ie8
                    2009-12-04 21:17 . 2009-12-04 21:17   --------   d-----w-   c:\documents and settings\St. Asmodeus\Application Data\Logitech

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2009-12-20 14:56 . 2009-12-01 00:50   20432   ----a-w-   c:\documents and settings\St. Asmodeus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                    2009-12-13 20:26 . 2009-12-13 20:26   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}
                    2009-12-13 20:20 . 2009-12-13 20:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\DriverScanner
                    2009-12-13 20:19 . 2009-12-13 20:19   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
                    2009-12-12 23:57 . 2009-12-01 00:38   23348   ----a-w-   c:\windows\system32\emptyregdb.dat
                    2009-12-12 23:57 . 2009-12-01 00:38   --------   d-----w-   c:\program files\Windows Media Connect 2
                    2009-12-04 21:14 . 2009-12-04 21:14   0   ---ha-w-   c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
                    2009-12-04 21:14 . 2009-12-04 21:14   0   ---ha-w-   c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
                    2009-12-04 21:14 . 2009-12-04 21:14   0   ---ha-w-   c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
                    2009-12-03 00:51 . 2009-12-01 00:41   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
                    2009-12-01 00:58 . 2009-12-01 00:58   --------   d-----w-   c:\program files\BitTorrent
                    2009-12-01 00:57 . 2009-12-01 00:57   0   ----a-w-   c:\windows\nsreg.dat
                    2009-12-01 00:42 . 2009-12-01 00:42   --------   d-----w-   c:\program files\microsoft frontpage
                    2009-11-20 11:08 . 2009-12-13 05:54   38784   ----a-w-   c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
                    2009-11-04 22:54 . 2009-11-04 22:54   214664   ----a-w-   c:\windows\system32\drivers\mfehidk.sys
                    2009-10-29 07:45 . 2008-04-14 05:42   916480   ------w-   c:\windows\system32\wininet.dll
                    2009-10-21 05:38 . 2008-04-14 05:42   75776   ----a-w-   c:\windows\system32\strmfilt.dll
                    2009-10-21 05:38 . 2008-04-14 05:41   25088   ----a-w-   c:\windows\system32\httpapi.dll
                    2009-10-20 16:20 . 2008-04-14 00:23   265728   ----a-w-   c:\windows\system32\drivers\http.sys
                    2009-10-13 10:30 . 2008-04-14 05:42   270336   ----a-w-   c:\windows\system32\oakley.dll
                    2009-10-12 13:38 . 2008-04-14 05:42   149504   ----a-w-   c:\windows\system32\rastls.dll
                    2009-10-12 13:38 . 2008-04-14 05:42   79872   ----a-w-   c:\windows\system32\raschap.dll
                    .

                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-18 2002160]
                    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-02-01 98304]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
                    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
                    "M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2008-05-15 356864]
                    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
                    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2006-03-18 184320]
                    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
                    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
                    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
                    "RTHDCPL"="RTHDCPL.EXE" [2006-07-27 16120832]

                    c:\documents and settings\St. Asmodeus\Start Menu\Programs\Startup\
                    SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2007-9-17 2902528]

                    c:\documents and settings\All Users\Start Menu\Programs\Startup\
                    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
                    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-12-4 805392]

                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                    2009-09-03 20:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
                    2008-05-02 08:42   72208   ----a-w-   c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                    "midi1"=ma_cmidn.dll

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
                    @=""

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                    @=""

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
                    @=""

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
                    "DisableMonitoring"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
                    "DisableMonitoring"=dword:00000001

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                    "EnableFirewall"= 0 (0x0)

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                    "%windir%\\system32\\sessmgr.exe"=
                    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
                    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
                    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=

                    R0 amdide1;amdide1;c:\windows\system32\drivers\amdide1.sys [8/31/2009 5:38 AM 9096]
                    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
                    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
                    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/30/2009 7:17 PM 93320]
                    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
                    S0 3112Rx47;3112Rx47;c:\windows\system32\drivers\3112Rx47.sys [8/31/2009 5:39 AM 110128]
                    S2 0218441261345893mcinstcleanup;McAfee Application Installer Cleanup (0218441261345893);c:\windows\TEMP\021844~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\021844~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
                    S3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);c:\windows\system32\drivers\mausbft.sys [12/1/2009 6:15 PM 132096]

                    --- Other Services/Drivers In Memory ---

                    *NewlyCreated* - 0218441261345893MCINSTCLEANUP

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                    HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                    hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
                    .
                    ------- Supplementary Scan -------
                    .
                    uStart Page = hxxp://www.google.com
                    FF - ProfilePath - c:\documents and settings\St. Asmodeus\Application Data\Mozilla\Firefox\Profiles\eo7e0plm.default\
                    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
                    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
                    .

                    **************************************************************************

                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2009-12-21 15:21
                    Windows 5.1.2600 Service Pack 3 NTFS

                    scanning hidden processes ... 

                    scanning hidden autostart entries ...

                    scanning hidden files ... 

                    scan completed successfully
                    hidden files: 0

                    **************************************************************************
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    - - - - - - - > 'winlogon.exe'(560)
                    c:\program files\SUPERAntiSpyware\SASWINLO.dll
                    c:\windows\system32\WININET.dll
                    c:\documents and settings\St. Asmodeus\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                    c:\documents and settings\St. Asmodeus\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                    c:\windows\system32\Ati2evxx.dll
                    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
                    c:\program files\common files\logishrd\bluetooth\LBTServ.dll

                    - - - - - - - > 'explorer.exe'(2700)
                    c:\windows\system32\WININET.dll
                    c:\program files\Logitech\SetPoint\lgscroll.dll
                    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
                    c:\windows\system32\ieframe.dll
                    c:\windows\system32\mshtml.dll
                    c:\windows\system32\msls31.dll
                    c:\windows\system32\wpdshserviceobj.dll
                    c:\windows\system32\webcheck.dll
                    c:\windows\system32\portabledevicetypes.dll
                    c:\windows\system32\portabledeviceapi.dll
                    .
                    ------------------------ Other Running Processes ------------------------
                    .
                    c:\windows\system32\Ati2evxx.exe
                    c:\program files\Java\jre6\bin\jqs.exe
                    c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
                    c:\progra~1\McAfee\MSC\mcmscsvc.exe
                    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
                    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
                    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
                    c:\program files\McAfee\MPF\MPFSrv.exe
                    c:\program files\McAfee\MSK\MskSrver.exe
                    c:\windows\system32\PnkBstrA.exe
                    c:\windows\system32\PnkBstrB.exe
                    c:\windows\system32\Ati2evxx.exe
                    c:\progra~1\mcafee.com\agent\mcagent.exe
                    c:\windows\RTHDCPL.EXE
                    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
                    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
                    .
                    **************************************************************************
                    .
                    Completion time: 2009-12-21  15:27:16 - machine was rebooted
                    ComboFix-quarantined-files.txt  2009-12-21 21:27
                    ComboFix2.txt  2009-12-19 22:24

                    Pre-Run: 111,551,311,872 bytes free
                    Post-Run: 111,516,999,680 bytes free

                    - - End Of File - - D393E5DC0CB69BAA980CF675482C05BF



                    evilfantasy

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Calm like a bomb
                    • Thanked: 493
                    • Experience: Experienced
                    • OS: Windows 11
                    Re: Befuddled... Mozilla hijacks and something else
                    « Reply #17 on: December 21, 2009, 04:03:48 PM »
                    Are you still getting the redirects?

                    Stasmodeus

                      Topic Starter


                      Rookie

                      Re: Befuddled... Mozilla hijacks and something else
                      « Reply #18 on: December 21, 2009, 05:15:05 PM »
                      No more redirects....

                      Thank you so much. I could not help but notice that it might have something to do with "c:\windows\Tasks\YNQPXOGR.job". I saw a file like that before in a spyware\malware I deleted and removed right before I got this problem...

                      Thank you again so much. Are there any other scans or logs you need me to do?


                      evilfantasy

                      Re: Befuddled... Mozilla hijacks and something else
                      « Reply #19 on: December 21, 2009, 05:23:54 PM »
                      Yes it was the YNQPXOGR.job file.

                      Time to clean up.

                      Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

                      * Click START then RUN
                      * Now type Combofix /Uninstall in the runbox
                      * Make sure there's a space between Combofix and /Uninstall
                      * Then hit Enter.

                      The above procedure will:
                      * Delete: ComboFix and its associated files and folders.
                      * Reset the clock settings.
                      * Hide file extensions, if required.
                      * Hide System/Hidden files, if required.
                      * Set a new, clean Restore Point.

                      ----------

                      Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

                      ----------

                      Use the Secunia Software Inspector to check for out of date software.
                      • Click Start Now
                      • Check the box next to Enable thorough system inspection.
                      • Click Start
                      • Allow the scan to finish and scroll down to see if any updates are needed.
                      • Update anything listed.
                      ----------

                      Go to Microsoft Windows Update and get all critical updates.

                      ----------

                      I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

                      I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                      SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                      * Using SpywareBlaster to protect your computer from Spyware and Malware
                      * If you don't know what ActiveX controls are, see here

                      Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                      Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                      Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

                      Stasmodeus

                        Re: Befuddled... Mozilla hijacks and something else
                        « Reply #20 on: December 21, 2009, 05:43:50 PM »
                        Great! Thank you so much...

                        I'll be going through the clean process in a couple hours after I have dinner... Thanks again. I do have super anti-spyware as my real-time protection, but I do believe I will also try some of the other programs you've recommended.

                        Thanks Again for the help...


                        evilfantasy

                        Re: Befuddled... Mozilla hijacks and something else
                        « Reply #21 on: December 21, 2009, 05:47:29 PM »
                        You're welcome.

                        Safe surfing.