Two Plus Two Older Archives  

  #1  
08-26-2005, 10:30 AM
Mempho
Senior Member
Join Date: May 2005
Location: Searching for my Luckbox
Posts: 227
Browser Hijack Problem

Hi,

I've had a problem with one of my computers for quite a while now. The browser has been hijacked and it does not let me go anywhere now. I have run adaware, antivirus, and spyware. These programs find the hijack application and supposedly remove it. The program just reappears, however. I have tried to delete it manually, but, once again, it reappears. Does anyone have any advice or am I just SOL on this one and have to reformat?
  #2  
08-26-2005, 10:43 AM
FouTight
Junior Member
Join Date: Aug 2005
Posts: 0
Re: Browser Hijack Problem

Perhaps try running the removal programs in safe mode if you haven't done so.

Also, have you tried CWShredder? If it's CoolWebSearch, this may help where others have failed.
  #3  
08-26-2005, 11:25 AM
Mr Gee
Junior Member
Join Date: Jul 2004
Posts: 5
Re: Browser Hijack Problem

Sounds like a trojan I had awhile back that kept recreating itself every time I deleted it.

Have a look at these two Symantec virus descriptions and see if it rings a bell. They have manual removal instructions down at the bottom.

Poldo.b trojan
Dasmin trojan
  #4  
08-26-2005, 12:03 PM
mbraudel
Junior Member
Join Date: Jun 2003
Posts: 7
Re: Browser Hijack Problem

What hijacker is it?
  #5  
08-26-2005, 03:24 PM
icepick
Junior Member
Join Date: Apr 2004
Posts: 0
Re: Browser Hijack Problem

Get HijackThis!

Use with caution.
  #6  
08-26-2005, 04:31 PM
testaaja
Member
Join Date: May 2005
Location: Finland!
Posts: 71
Re: Browser Hijack Problem

[ QUOTE ]
Get HijackThis!

Use with caution.

[/ QUOTE ]
Yes, HijackThis is the shiz. And right after removing the piece of crap from your web browser, get a better browser! Opera or Mozilla Firefox.
  #7  
08-27-2005, 03:14 PM
Mempho
Senior Member
Join Date: May 2005
Location: Searching for my Luckbox
Posts: 227
Re: Browser Hijack Problem

I ran it and I got a logfile but I'm not quite sure what I'm looking at as I'm a true fish in this regard. I know just enough to get me in trouble if you know what I mean. Logfile looks like this:


Logfile of HijackThis v1.99.1
Scan saved at 2:03:18 PM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Jeremy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CD73065-FAAC-8523-D2E7-830A7A08F299} - C:\WINDOWS\System32\acwptxg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\snim.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKCU\..\Run: [Spa] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Ooli] C:\Documents and Settings\Jeremy\Application Data\etel.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02a1d15a...p/RdxIE601.cab
O16 - DPF: {563ED66E-531B-51D2-5DB0-5080C83DA4EE} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/xsext01....aInstaller.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mp...CX/FlashAX.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\snim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\snim.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Does anyone know what this means? BTW, I really appreciate the help...and I just downloaded Firefox.
  #8  
08-27-2005, 07:36 PM
Mr Gee
Junior Member
Join Date: Jul 2004
Posts: 5
Re: Browser Hijack Problem

What I tend to do is go through all the running processes and programs that are run at startup (entries with HKLM\..\Run). I'm looking for programs I don't recognise. Do a search for those on Google. If you find any that are bad, look for removal instructions.

A quick Google showed that l?ass.exe and snim.dll are nasties.

Hope that helps.
  #9  
08-28-2005, 12:15 AM
BluffTHIS!
Senior Member
Join Date: Nov 2004
Posts: 375
Re: Browser Hijack Problem

C:\WINDOWS\System32\l?ass.exe

That one looks suspicious, as it has a ? mark in the middle of the legit system module above it. Did you run the HijackThis program yet? What about Spybot or Adaware, which you can also download free? You might have to run them more than once to get it done. And like the other poster said, dump IE and get Firefox or another browser.

Also note that if you just try to manually delete a hijacker module there is often another one in memory which immediately restores it, so you really need to run those programs.
Reply With Quote
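
Added example (not written by any poster in this thread): a Python script that automates the triage described in posts #8 and #9, pulling executable names out of the "Running processes" and O4 Run lines of a HijackThis log and flagging names that closely imitate a Windows system binary. The KNOWN list and the 0.85 similarity cutoff are assumptions chosen for this example.

```python
import re
from difflib import SequenceMatcher

# Assumption: a short, non-exhaustive list of core Windows XP binaries.
KNOWN = ["csrss.exe", "explorer.exe", "lsass.exe", "services.exe",
         "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe"]

O4_RUN = re.compile(r"^O4 - \S+: \[[^\]]*\] (.+)$")  # O4 - HKLM\..\Run: [name] cmd
PROCESS = re.compile(r"^[A-Za-z]:\\")                 # "Running processes" line
EXE = re.compile(r'([^\\"]+?\.exe)', re.I)            # file name of the first .exe

def executables(log):
    """Yield lower-cased .exe names from process lines and O4 Run entries."""
    for line in map(str.strip, log.splitlines()):
        m = O4_RUN.match(line)
        cmd = m.group(1) if m else (line if PROCESS.match(line) else None)
        hit = EXE.search(cmd) if cmd else None
        if hit:
            yield hit.group(1).lower()

def lookalikes(log, cutoff=0.85):
    """Map each near-miss file name to the system binary it resembles."""
    found = {}
    for name in executables(log):
        if name in KNOWN:
            continue  # exact name; this sketch does not check its directory
        score, best = max((SequenceMatcher(None, name, k).ratio(), k) for k in KNOWN)
        if score >= cutoff:  # assumed threshold, tune against your own logs
            found[name] = best
    return found

# Lines copied from the HijackThis log posted in this thread.
SAMPLE = r"""
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\System32\l?ass.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"""

if __name__ == "__main__":
    for name, real in sorted(lookalikes(SAMPLE).items()):
        print(f"{name}: resembles {real}; look it up before trusting it")
```

A hit is only a prompt to search for the file name, as post #8 suggests; unfamiliar names that resemble nothing on the list are not flagged and still need a manual look.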
All times are GMT -4.