Page 2 of 3
Results 11 to 20 of 24
  1. #11
    steamwiz (Member; Join Date: Sep 2003; Location: Yorkshire U.K.; Posts: 14,022; Points: 2335)

    Hi

    Please do this as well...

    Download and install the 30 day trial of AVG Anti-Spyware from HERE:

    http://www.ewido.net/en/download/

    1. Download it to your desktop.
    2. Double-click the AVG Anti-Spyware icon to start the ewido setup process.
    3. Update the definition files:
    Click the Update icon, then select the Update now link.
    Select the Start Update button; the update will start and a progress bar will show the updates being installed.
    4. Select the Scanner icon at the top of the screen, then select the Settings tab.
    Click on Recommended actions and then select Quarantine.
    5. Under Reports:
    Select Automatically generate report after every scan.
    Unselect Only if threats were found.
    6. Close AVG Anti-Spyware. Do not run the scan yet.

    Boot your computer into Safe Mode:

    1. Go to Start > Shut Off your Computer > Restart.
    2. As the computer starts to boot up, tap the F8 key somewhat rapidly; this will bring up a menu.
    3. Use the Up and Down arrow keys to scroll up to SAFE MODE.
    4. Then press Enter on your keyboard.

    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.

    1. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    2. Select the Scanner icon at the top and then the Scan tab, then click on Complete System Scan.
    3. AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    4. Once the scan is complete, do the following:
    5. If you have any infections you will be prompted; then select Apply all actions.
    6. Next select the Reports icon at the top.
    7. Select the Save report as button in the lower left hand of the screen and save it to a text file on your system.
    8. Make sure to remember where you saved that file; this is important.
    9. Close AVG Anti-Spyware.
    10. Copy & paste the AVG Anti-Spyware report in your next post.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  2. #12
    Member (Join Date: Apr 2004; Posts: 41; Points: 0)

    HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 22:28:57, on 08/01/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Garmin\gStart.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R3 - URLSearchHook: iMesh MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\iMesh applications\iMesh MediaBar\MediaBar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: XBTP01621 - {9EDB89EF-E4BC-4c70-B102-8F7A4365EE33} - C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: iMesh MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\iMesh applications\iMesh MediaBar\MediaBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
    O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
    O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\sniffer.dll
    O10 - Unknown file in Winsock LSP: c:\sniffer.dll
    O10 - Unknown file in Winsock LSP: c:\sniffer.dll
    O10 - Unknown file in Winsock LSP: c:\sniffer.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120898893390
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

    and Fixwareout:

    Fixwareout
    Last edited 1/1/2006
    Post this report in the forums please
    ...
    Prerun check
    »»»»» HKLM run and Winlogon System values
    C:\WINDOWS\system32\kdllj.exe will be moved to C:\WINDOWS\temp\kdllj.ren at reboot.
    »»»»» System restarted
    ...
    Reg Entries that were deleted
    ...
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm kd and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.

    »»»»» Postrun check
    »»»»» HKLM run
    »»»»» Winlogon System value
    "system"=""
    »»»»»

  3. #13
    Member (Join Date: Apr 2004; Posts: 41; Points: 0)

    All was going very well and back to normal, but now, on a random basis, my PC is sending dozens of emails to an unknown source without any prompting from me. The only way to stop these multiple emails from being created is to turn off the PC manually. Not good!

    Can anyone shed any light on this please?

  4. #14
    Member (Join Date: Jan 2003; Posts: 12,000; Points: 1189)

    Still need to see the AVG Anti-Spyware report.

    BG

  5. #15
    steamwiz (Member; Join Date: Sep 2003; Location: Yorkshire U.K.; Posts: 14,022; Points: 2335)

    Hi

    Please run AVG Anti-Spyware & post the log as we have requested ...

    Also ...

    Please download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
    and save to the desktop.

    1. Double click on combo.exe & follow the prompts.
    2. When finished, it will produce a logfile located at C:\ComboFix.txt.
    3. Post the contents of that log in your next reply with a new hijackthis log.

    Notes:
    * Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
    * Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  6. #16
    Member (Join Date: Jan 2003; Posts: 12,000; Points: 1189)

    Also, you really need to keep a very close eye on any online banking/eBay/PayPal/etc. I suggest that you change all passwords/sign-in names.

    Check them daily!!

    BG

  7. #17
    steamwiz (Member; Join Date: Sep 2003; Location: Yorkshire U.K.; Posts: 14,022; Points: 2335)

    Hi JimB

    Still with us?

    This is part of your problem:

    O10 - Unknown file in Winsock LSP: c:\sniffer.dll
    O10 - Unknown file in Winsock LSP: c:\sniffer.dll
    O10 - Unknown file in Winsock LSP: c:\sniffer.dll
    O10 - Unknown file in Winsock LSP: c:\sniffer.dll

    Don't try & fix it with HijackThis...

    And you probably have a file similar to this in your root directory...

    C:\3611010322512673937.exe

    I have seen & fixed a key similar to this in HijackThis:

    O4 - HKCU\..\Run: [Winstj] C:\3611010322512673937.exe

    We know how to resolve your problem.

    But if you remove it wrongly, you WILL lose your internet connection ... guaranteed.

    We need you to run those programs and post the logs, then we can set about removing it.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
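
The triage steamwiz does by eye above (spotting the O10 Winsock LSP entries and an O4 Run value that launches a numeric-named executable from the drive root) can be scripted so it is applied consistently to any HijackThis log. The following Python is an added example written for this page; it is not a tool from the thread or from HijackThis. The sample log is an excerpt of the log posted in #12 plus the O4 line quoted in #17; the `Finding` class, the regexes and the severity labels are this example's own assumptions. It flags the two patterns and attaches the defensive caveat from the post: an LSP entry is not removed with HijackThis, because leaving the Winsock chain broken costs the machine its network connectivity.

```python
import re
from dataclasses import dataclass

# Sample input: an excerpt of the HijackThis log posted earlier in this thread (post #12),
# plus the O4 Run entry quoted in post #17. The lines are taken from the thread, not invented.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Winstj] C:\3611010322512673937.exe
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O10, ...) followed by " - ".
HJT_LINE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# Shape of an O4 entry: "HKLM\..\Run: [ValueName] command"
O4_RUN = re.compile(r"^(HK[A-Z]+)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
# An executable sitting directly in a drive root whose name is nothing but digits.
ROOT_DIGIT_EXE = re.compile(r'^"?[A-Za-z]:\\\d+\.exe"?$', re.IGNORECASE)
LSP_PREFIX = "Unknown file in Winsock LSP: "


@dataclass
class Finding:            # hypothetical record type for this example
    section: str
    severity: str
    detail: str
    advice: str


def parse_hjt(text):
    """Return (section, rest) tuples for every HijackThis entry line in the log."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply the two checks from post #17: O10 unknown LSP files and O4 autoruns of numeric root executables."""
    findings = []
    lsp_counts = {}
    for section, rest in entries:
        if section == "O10" and rest.startswith(LSP_PREFIX):
            path = rest[len(LSP_PREFIX):].strip().lower()
            lsp_counts[path] = lsp_counts.get(path, 0) + 1   # one O10 line per LSP chain entry
        elif section == "O4":
            m = O4_RUN.match(rest)
            if m and ROOT_DIGIT_EXE.match(m.group(3).strip()):
                findings.append(Finding(
                    "O4", "high",
                    f"{m.group(1)} Run value [{m.group(2)}] launches {m.group(3).strip()}",
                    "Numeric-named executable in the drive root set to autorun; "
                    "cross-check it against the AV scan report before removing it."))
    for path, count in lsp_counts.items():
        findings.append(Finding(
            "O10", "high",
            f"{path} is referenced by {count} Winsock LSP entr{'y' if count == 1 else 'ies'}",
            "Do not delete with HijackThis: removing an LSP without repairing the Winsock "
            "chain (LSPFix / WinsockFix) breaks network connectivity."))
    return findings


def triage_log(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.detail}\n    -> {f.advice}")
```

Run it as a script and it prints two findings for the sample: the `[Winstj]` autorun of `C:\3611010322512673937.exe` and `c:\sniffer.dll` referenced by four LSP entries. The legitimate `ccApp` autorun and the other sections pass through untouched, which is the point: the rules are narrow so that the reviewer, not the script, decides about everything else.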

  8. #18
    Member (Join Date: Apr 2004; Posts: 41; Points: 0)

    Hi, I'm still here. Just trying to follow instructions to the word.

    Here is my AVG Anti-Spyware report: What next please? - thanks again to everyone

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 20:08:52 10/01/2007

    + Scan result:



    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP580\A0103793.exe -> Adware.EZula : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\WildMedia -> Adware.MidAddle : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\WildMedia\LicenseStores -> Adware.MidAddle : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP580\A0103790.dll -> Adware.WinAD : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP580\A0103791.exe -> Adware.Winad : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP503\A0094260.exe -> Downloader.Small.cxz : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP503\A0094280.exe -> Downloader.Small.dcj : Cleaned with backup (quarantined).
    C:\msupd0111088796.exe -> Downloader.Small.dcj : Cleaned with backup (quarantined).
    C:\msupd01552562.exe -> Downloader.Small.dcj : Cleaned with backup (quarantined).
    C:\36110103225.exe -> Downloader.Small.dya : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP503\A0094259.exe -> Downloader.Small.dya : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP506\A0095660.exe -> Downloader.Small.nfp : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP580\A0103712.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP580\A0103787.exe -> Dropper.WinAD.c : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP619\A0107712.dll -> Hijacker.Small.kj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP619\A0108712.dll -> Hijacker.Small.kj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP619\A0108721.dll -> Hijacker.Small.kj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP619\A0112313.dll -> Hijacker.Small.kj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP619\A0112967.dll -> Hijacker.Small.kj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP619\A0112989.dll -> Hijacker.Small.kj : Cleaned with backup (quarantined).
    C:\WINDOWS\61125237116.exe -> Hijacker.Small.kj : Cleaned with backup (quarantined).
    C:\WINDOWS\ctfmon32.dll -> Hijacker.Small.kj : Cleaned with backup (quarantined).
    C:\WINDOWS\service32.exe -> Hijacker.Small.kj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP506\A0095658.exe -> Hijacker.Small.lt : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP506\A0095659.exe -> Hijacker.Small.lt : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP506\A0094637.exe/Sniffer.dll -> Logger.Agent.pa : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP622\A0115459.dll -> Logger.Agent.pa : Cleaned with backup (quarantined).
    C:\msupd0111120765.exe/Sniffer.dll -> Logger.Agent.pa : Cleaned with backup (quarantined).
    C:\msupd01554015.exe/Sniffer.dll -> Logger.Agent.pa : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP503\A0094263.dll -> Logger.Goldun.lm : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP506\A0095661.dll -> Logger.Goldun.lm : Cleaned with backup (quarantined).
    C:\msupd02.exe -> Logger.Goldun.lm : Cleaned with backup (quarantined).


    ::Report end
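
Reading the report above by hand it is easy to miss the distinction that matters most: which detections were live files on the system and which were only archived copies held by System Restore (the entries under `C:\System Volume Information\_restore...`). The following Python is an added example written for this page, not part of the thread or of AVG Anti-Spyware; the sample report is an excerpt of the report posted above, and the `Detection` class, the "live"/"restore-point"/"registry" labels and the `summarize` output keys are this example's own assumptions. It groups detections by family prefix and location and flags live `Logger.*` hits, which is what makes the password-change advice in #16 urgent.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: an excerpt of the AVG Anti-Spyware scan report posted in this thread (post #18).
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:08:52 10/01/2007

+ Scan result:

C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP580\A0103793.exe -> Adware.EZula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WildMedia -> Adware.MidAddle : Cleaned with backup (quarantined).
C:\msupd0111088796.exe -> Downloader.Small.dcj : Cleaned with backup (quarantined).
C:\36110103225.exe -> Downloader.Small.dya : Cleaned with backup (quarantined).
C:\WINDOWS\ctfmon32.dll -> Hijacker.Small.kj : Cleaned with backup (quarantined).
C:\WINDOWS\service32.exe -> Hijacker.Small.kj : Cleaned with backup (quarantined).
C:\msupd0111120765.exe/Sniffer.dll -> Logger.Agent.pa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP503\A0094263.dll -> Logger.Goldun.lm : Cleaned with backup (quarantined).
C:\msupd02.exe -> Logger.Goldun.lm : Cleaned with backup (quarantined).

::Report end
"""

# Result lines have the shape "<object> -> <Family.Variant> : <action>"
RESULT_LINE = re.compile(r"^(.+?) -> (\S+) : (.+)$")
# System Restore keeps archived copies of changed files under this directory.
RESTORE_MARKER = r"\system volume information\_restore"


@dataclass
class Detection:          # hypothetical record type for this example
    target: str
    family: str
    action: str

    @property
    def category(self):   # family prefix: Adware, Downloader, Hijacker, Logger, ...
        return self.family.split(".")[0]

    @property
    def location(self):
        t = self.target.lower()
        if t.startswith("hk"):
            return "registry"
        if RESTORE_MARKER in t:
            return "restore-point"   # archived by System Restore, not a running file
        return "live"


def parse_report(text):
    """Return one Detection per result line; headers and footers are skipped."""
    out = []
    for raw in text.splitlines():
        m = RESULT_LINE.match(raw.strip())
        if m:
            out.append(Detection(m.group(1), m.group(2), m.group(3)))
    return out


def summarize(text):
    dets = parse_report(text)
    live_loggers = [d.target for d in dets if d.location == "live" and d.category == "Logger"]
    return {
        "total": len(dets),
        "by_category": dict(Counter(d.category for d in dets)),
        "by_location": dict(Counter(d.location for d in dets)),
        "live_loggers": live_loggers,
        # A keylogger/password stealer that was live on the box means anything typed there
        # (banking, eBay, PayPal logins) has to be treated as exposed.
        "credentials_at_risk": bool(live_loggers),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['total']} detections by family: {s['by_category']}")
    print(f"by location: {s['by_location']}")
    if s["credentials_at_risk"]:
        print("Live logger(s) were present; change passwords from a known-clean machine:")
        for t in s["live_loggers"]:
            print("  ", t)
```

For the sample this reports nine detections, six of them live files, and two live loggers (`C:\msupd0111120765.exe/Sniffer.dll` and `C:\msupd02.exe`). The `exe/Sniffer.dll` form is AVG's way of naming a DLL found inside another file; the sniffer.dll name is the same one the O10 Winsock LSP lines in the HijackThis log point at.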

  9. #19
    Member (Join Date: Apr 2004; Posts: 41; Points: 0)

    Having problems with ComboFix: downloaded it to the desktop, double-clicked on it, and nothing seems to happen?

  10. #20
    steamwiz (Member; Join Date: Sep 2003; Location: Yorkshire U.K.; Posts: 14,022; Points: 2335)

    Hi

    Please delete your combofix.exe file & re-download it & try again (you may have a corrupt download).

    I see AVG Anti-Spyware found the file I asked you about ...

    C:\36110103225.exe -> Downloader.Small.dya : Cleaned with backup (quarantined).


    It removed about a dozen files relating to that particular malware...

    -
    If combofix still doesn't work ... please do this :-

    Download: SmitfraudFix.zip from :-

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

    1. Download it to your desktop.
    2. Unzip the zip file to your desktop (the files will be extracted to a folder called SmitfraudFix).
    3. Double-click smitfraudfix.cmd.
    4. Select 1 and hit Enter to create a report of the infected files.
    5. Find the C:\rapport.txt file and post the contents in your next post here...

    -
    So I either want to see the combofix log (preferably) or the C:\rapport.txt

    -
    Please download the following for later use:

    Killbox:
    http://www.downloads.subratam.org/KillBox.zip
    Place it in a folder on the Desktop.
    Extract KillBox from the zip file

    LSPFix:
    http://cexx.org/lspfix.htm.
    Unzip LSPFix

    WinsockFix:
    http://www.majorgeeks.com/download4372.html
    Unzip the program to the Desktop

    --
    When you've done this ... let me know

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
