Thread: Hijacked web browser (possible virus)

  1. #1
    Join Date
    Jan 2007
    Posts
    12

    Hijacked web browser (possible virus)

    Ok here is the deal:

    Last week (12-29-06) I got a message on MSN from one of my friends, that said "Is this yours? Http://somesite/myscreenname"
    I clicked on it and it opened, then saved some file onto my desktop with the name "screenname@hotmail.com", and it was coming up as an exe without the exe tag at the end of the name. I closed my web browser to see what the file was and it was gone. I did a search for it and it was in the trash, so I emptied it and then scanned my computer with AVG, Spybot, Ad-Aware, and CCleaner and found just a few things. I really didn't think that much about it till I opened my web browser again and my home page was changed (http://www.virushelpzone.com/). So then I freaked out and tried to open HijackThis to fix some stuff, and the program closed itself. So I went to Google and tried to download the latest one, and when I did the search it closed my browser (both Firefox and Explorer).

    I'm doing another scan with everything again; right now I'm at an AVG scan and it's not finding anything. I also did a search for that file again on my computer and found that it was in a prefetch folder, so I got rid of it. I still can't open HijackThis (even after renaming the file). What do I do next?!

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Do you mean you are scanning on this computer while posting here?
    Unplug the computer from the internet. Boot to safe mode and do the scans that way. Fix everything found. Then reboot to normal mode and try a new HJT scan.
    Follow all of the instructions here that you can: "READ ME Before Posting A Request For Assistance!"
    Post back here with the HiJackThis log, don't use it to fix anything. Just post the log. It is NOT a fix tool unless specifically told to use it as one.

  3. #3
    Join Date
    Jan 2007
    Posts
    12
    no, I'm on a different computer while the other is scanning.
    But AVG found a Trojan called pstord.exe in the file C:\docume~1\user\locals~1\temp

    But I'll boot to safe mode and see what I can do.

  4. #4
    Join Date
    Jan 2007
    Posts
    12
    Here is the HJT log, and I ran all the programs (Spybot found 36 redirects and Ad-Aware doesn't find anything). HJT still doesn't open in regular boot, and what I said before about everything is still happening.
    Attached Files

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Whew! Well you do have some suspect things in the log. Since "something" is working on the computer to make removals a bit difficult I would like to go about things a slightly different way here.
    Now you don't say, was this HJT run in Normal or Safe Mode?

    First of all I would like you to boot into SAFE MODE and then go to Add/Remove and Uninstall the following programs, if found:

    Hamachi
    (this program is for VPN (virtual private networking) and P2P, you need to be careful, the VPN is a security risk. If you don't need the VPN, I would recommend uninstalling it.

    You can find a list of clean P2P programs at http://www.spywareinfo.com/articles/p2p/ and http://p2p.malwareremoval.com.)
    That said I want to remind you that just because a P2P program is clean, doesn't mean that the files you download are. Many P2P networks are riddled with malware. Since you do have some questionable entries in the log and have stated your problem IS a hijacking then one must figure this is where the problem began. This is the real risk you take with P2P.

    WinPcap (a remote packet capture program) If you don't know why this is installed on your system, you should uninstall it, if it is listed.

    Even if it is NOT listed in Add/Remove you should still do a search using Windows Explorer, delete the WinPCap program folder at:
    C:\Program Files\WinPcap

    muBlinder (this is a Windows Genuine Advantage "work around program"). While some detest and protest the use of WGA by Microsoft, this is their way of copyright protection and to assure that the updates are being applied to legitimate copies of XP. So I question the presence of muBlinder program on the computer, especially with the other P2P entries showing. I would recommend the removal of this program, but it is your choice.

    Staying in SAFE MODE and NOT rebooting:
    Go to C:\WINDOWS\system32\ and look for this folder: lyllsngy. Delete it.

    Next
    Clean your Cache and Cookies in IE:
    • Close all instances of Outlook Express and Internet Explorer
    • Go to Control Panel > Internet Options > General tab
    • Click the "Delete Cookies" button
    • Next to it, Click the "Delete Files" button
    • When prompted, place a check in: "Delete all offline content", click OK
    Clean your Cache and Cookies in Firefox (since you also have Firefox installed):
    • Go to Tools > Options.
    • Click Privacy in the menu on the left side of the Options window.
    • Click the Clear button located to the right of each option (History, Cookies, Cache).
    • Click OK to close the Options window
      Alternatively, you can clear all information stored while browsing by clicking Clear All.
      A confirmation dialog box will be shown before clearing the information.
    Clean other Temporary files + Recycle bin
    • Go to start > run and type: cleanmgr and click ok.
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Press OK to remove them.
    Run another complete system scan with AVG Anti-Spyware.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
    1. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    2. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    3. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    4. If you have any infections you will be prompted, then select "Apply all actions"
    5. Next select the "Reports" icon at the top.
    6. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    7. Close AVG Anti-Spyware
    Now if you can do this next thing in Normal Mode please try to do so but if the HJT wouldn't run in Normal mode you are going to have to try it in Safe Mode...though Normal would be better;
    Now you need to run HijackThis and place checkmarks next to the following entries if they are still there:

    F3 - REG:win.ini: load=C:\WINDOWS\system32\lyllsngy\winlogon.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\lyllsngy\winlogon.exe

    O1 - Hosts: 1.1.1.1 f-secure.com
    O1 - Hosts: 1.1.1.1 www.f-secure.com
    O1 - Hosts: 1.1.1.1 ftp.f-secure.com
    O1 - Hosts: 1.1.1.1 ftp.sophos.com
    O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
    O1 - Hosts: 1.1.1.1 customer.symantec.com
    O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
    O1 - Hosts: 1.1.1.1 download.mcafee.com
    O1 - Hosts: 1.1.1.1 rads.mcafee.com
    O1 - Hosts: 1.1.1.1 mast.mcafee.com
    O1 - Hosts: 1.1.1.1 my-etrust.com
    O1 - Hosts: 1.1.1.1 www.my-etrust.com
    O1 - Hosts: 1.1.1.1 nai.com
    O1 - Hosts: 1.1.1.1 www.nai.com
    O1 - Hosts: 1.1.1.1 networkassociates.com
    O1 - Hosts: 1.1.1.1 secure.nai.com
    O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
    O1 - Hosts: 1.1.1.1 service1.symantec.com
    O1 - Hosts: 1.1.1.1 sophos.com
    O1 - Hosts: 1.1.1.1 www.sophos.com
    O1 - Hosts: 1.1.1.1 support.microsoft.com
    O1 - Hosts: 1.1.1.1 symantec.com
    O1 - Hosts: 1.1.1.1 www.symantec.com
    O1 - Hosts: 1.1.1.1 update.symantec.com
    O1 - Hosts: 1.1.1.1 updates.symantec.com
    O1 - Hosts: 1.1.1.1 us.mcafee.com
    O1 - Hosts: 1.1.1.1 vil.nai.com
    O1 - Hosts: 1.1.1.1 viruslist.com
    O1 - Hosts: 1.1.1.1 www.viruslist.com
    O1 - Hosts: 1.1.1.1 grisoft.com
    O1 - Hosts: 1.1.1.1 www.grisoft.com
    O1 - Hosts: 1.1.1.1 free.grisoft.com
    O1 - Hosts: 1.1.1.1 trendmicro.com
    O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
    O1 - Hosts: 1.1.1.1 www.trendmicro.com
    O1 - Hosts: 1.1.1.1 pandasoftware.com
    O1 - Hosts: 1.1.1.1 www.pandasoftware.com
    O1 - Hosts: 1.1.1.1 usa.kaspersky.com
    O1 - Hosts: 1.1.1.1 ewido.net
    O1 - Hosts: 1.1.1.1 www.ewido.net
    O1 - Hosts: 1.1.1.1 zonelabs.com
    O1 - Hosts: 1.1.1.1 www.zonelabs.com
    O1 - Hosts: 1.1.1.1 bitdefender.com
    O1 - Hosts: 1.1.1.1 www.bitdefender.com
    O1 - Hosts: 1.1.1.1 download.bitdefender.com
    O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
    O1 - Hosts: 1.1.1.1 spywareinfo.com
    O1 - Hosts: 1.1.1.1 www.spywareinfo.com
    O1 - Hosts: 1.1.1.1 merijn.org
    O1 - Hosts: 1.1.1.1 www.merijn.org
    O1 - Hosts: 1.1.1.1 sysinternals.com
    O1 - Hosts: 1.1.1.1 www.sysinternals.com
    O1 - Hosts: 1.1.1.1 onguardonline.gov
    O1 - Hosts: 1.1.1.1 www.onguardonline.gov
    O1 - Hosts: 1.1.1.1 avast.com
    O1 - Hosts: 1.1.1.1 www.avast.com
    O1 - Hosts: 1.1.1.1 safety.live.com
    O1 - Hosts: 1.1.1.1 www.paretologic.com
    O1 - Hosts: 1.1.1.1 paretologic.com
    O1 - Hosts: 1.1.1.1 virusscan.jotti.org
    O1 - Hosts: 1.1.1.1 services.google.com

    O4 - HKLM\..\Run: [muBlinder] F:\Programs\Installed\muBlinder\muBlinder.exe -startup
    O4 - Global Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe

    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    Once you have placed all the checkmarks then click the FIX button.
    Exit HJT.
    Reboot the computer. Run a new HJT scan and save the log.
    Post back here with both the new HJT log and the AVG log.
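The two groups of entries the reply above tells the poster to fix are worth understanding as detection signals: the O1 lines point antivirus vendor and update domains (Symantec, McAfee, Grisoft/AVG, Sophos and so on) at a non-loopback address, which silently breaks signature updates and help sites, and the F3 lines use the legacy win.ini load=/run= autostart keys to launch a file named winlogon.exe from a randomly named folder under system32 rather than from system32 itself. The following is an added example, not code from the thread or from HijackThis, that scans log lines in this format and flags both patterns. The sample log is constructed from the entries quoted in the reply (it is not the poster's attached log), the vendor suffix list is assembled from those O1 entries, and the set of Windows binary names it treats as masquerade candidates is an assumption of this example.

```python
import ntpath
import re

# Added example (not from the thread): triage HijackThis-style log lines for
# hosts-file redirects of security-vendor domains and win.ini autostarts.

# Constructed sample, modelled on the entries quoted in the reply above.
SAMPLE_LOG = r"""O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
F3 - REG:win.ini: load=C:\WINDOWS\system32\lyllsngy\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\lyllsngy\winlogon.exe
O4 - HKLM\..\Run: [muBlinder] F:\Programs\Installed\muBlinder\muBlinder.exe -startup
O4 - Global Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
"""

# Vendor domains taken from the O1 entries in the reply; a hosts entry that
# sends any of these somewhere other than loopback/null blocks AV updates.
SECURITY_VENDOR_SUFFIXES = (
    "symantec.com", "mcafee.com", "grisoft.com", "f-secure.com", "sophos.com",
    "trendmicro.com", "kaspersky.com", "bitdefender.com", "microsoft.com",
    "avast.com", "merijn.org", "sysinternals.com", "ewido.net", "zonelabs.com",
    "nai.com", "viruslist.com", "pandasoftware.com", "spywareinfo.com",
)
LOOPBACK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
SYSTEM32 = r"C:\WINDOWS\system32"
# Assumption of this example: names that legitimately live only in system32,
# so a copy in any other folder is a decoy.
SYSTEM_BINARY_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
F3_RE = re.compile(r"^F3 - REG:win\.ini:\s+(load|run)=(.+)$")
O4_RE = re.compile(r"^O4 - (.+?): (.+)$")


def is_security_vendor(host):
    """True if host is, or is a subdomain of, a listed security vendor domain."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)


def masquerades_as_system_binary(path):
    """True if the file name copies a core Windows binary but lives outside system32."""
    path = path.strip().strip('"')
    base = ntpath.basename(path).lower()
    parent = ntpath.normcase(ntpath.dirname(path))
    return base in SYSTEM_BINARY_NAMES and parent != ntpath.normcase(SYSTEM32)


def triage_hjt_log(text):
    """Return a list of finding dicts for O1 hosts, F3 win.ini and O4 autostart lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip in LOOPBACK_ADDRS:
                continue  # sinkholing to loopback is how ad-block hosts files work
            vendor = is_security_vendor(host)
            findings.append({
                "type": "hosts_redirect", "host": host, "ip": ip,
                "severity": "high" if vendor else "medium",
                "reason": ("security vendor domain redirected to " + ip) if vendor
                          else "hosts entry overrides DNS for " + host,
            })
            continue
        m = F3_RE.match(line)
        if m:
            key, path = m.groups()
            findings.append({
                "type": "winini_autostart", "key": key, "path": path.strip(),
                "severity": "high",  # nothing legitimate uses win.ini load=/run= today
                "masquerade": masquerades_as_system_binary(path),
            })
            continue
        m = O4_RE.match(line)
        if m:
            location, target = m.groups()
            findings.append({"type": "autostart", "location": location,
                             "target": target, "severity": "info"})
    return findings


def severity_counts(findings):
    """Count findings per severity so a reviewer sees the shape of the log at a glance."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = triage_hjt_log(SAMPLE_LOG)
    for f in found:
        print(f["severity"].upper().ljust(6), f)
    print(severity_counts(found))
```

Entries that point a domain at 127.0.0.1 are skipped on purpose, because that is exactly what legitimate ad-blocking hosts files do; the signal here is a security-vendor name mapped to any other address. O4 entries are only listed, since whether Hamachi or muBlinder belongs on a machine is a judgement call the thread itself makes, not something a parser can decide.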

  6. #6
    Join Date
    Jan 2007
    Posts
    12
    WinPcap was left over from a program that I installed to test our network. (Cain)

    muBlinder is on here for testing only. I have a good copy of windows on this computer.

    Hamachi I keep a close watch on. Only my friends and my other computers are on this network.

    I'll try those things here in a min.

  7. #7
    Join Date
    Jan 2007
    Posts
    12
    There was no folder in the system32 folder called lyllsngy.

    I ran HJT in Safe mode and got rid of all that you told me to and stopped a few things from starting up.

    Then I rebooted (I don't have the AVG anti-spyware) and ran HJT and it removed all that crap in there. Plus HJT stays open now, and I can go to those other sites (like the HJT homepage).

    Here is my HJT log
    Attached Files

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Thanks for the info on the programs noted.
    Your log looks much better.

    Update your AVG Anti-Virus program.

    Download ATF-Cleaner.exe by Atribune
    You can put this on your Desktop for easier access.

    Can you download the AVG Anti-Spyware v7.5 -

    RightClick the AVG Anti-Spy Icon in your system tray and do the following:

    -- Uncheck Resident Shield
    -- Uncheck Automatic Updates
    -- Uncheck Start with Windows

    -- Click Run online update and allow it to run until you see the Update Successful message. If you are unable to do this, please let us know. Then, exit out of AVG Anti-Spyware.

    Download the Microsoft Malicious Software Removal Tool

    Enable the Viewing of Hidden Files and Folders

    Now run the Microsoft Malicious Software Removal Tool.
    *Due to the increasing prevalence of Rootkits, this step is especially important if you do not run this tool regularly when visiting Windows Updates.

    Disconnect Completely from the Internet (in other words, unplug the cable from the computer) and Close ALL Browser Windows! Now, Please Boot to Safe Mode and do the following:

    Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT

    Run your AVG Anti-virus cleaner and fix anything found.
    Please Launch AVG Anti-Spyware.
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    --->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop. Please submit this report with your request for assistance!

    Now reboot the machine to normal mode. With ALL browsers closed run a new HJT scan and post that log, along with the AVG Anti-Spy log here.

  9. #9
    Join Date
    Jan 2007
    Posts
    12
    OK, I'll do that.

    Thanks for all your help!!
