Browser Hijacked - Explorer hacked. Help please :)

Back once again. :-D

All 3 of my browsers (Chrome, FF and IE) have been hijacked. It's the Google search type of hijack wherein I get re-directed to some fake site etc if I click on a search result.

One other concern is that both explorer.exe and the windows scripting file mshta.exe have repeatedly requested access to the internet. At one time earlier this morning I had 4 versions of mshta.exe running at the same time (as seen in Process Explorer).

Both have been blocked for now with Zonealarm. The destination IP for both was 127.0.0.1.

The command line for mshta.exe was odd as well. Had a URL in it - seefunnydogs.com or something llike that. MBAM keeps finding stuff and removing and then it comes back a few hours later, however the browsers are still screwed no matter what I try. SAS came up clean on the last run earlier. I think the re-direct usually starts with go.gomeo.com etc.

Anyway, I've attached various logs for you. Many thanks in advance.

Jay

PS. I ran Combofix which found a problem with explorer.exe and something else but as it was fixing it, the PC crashed (3rd time today) so I don't know if any log was produced. Can't see one anywhere......

PPS. mshta.exe hasn't tried to run since I blocked and isn't showing in Process Explorer. Of course, doesn't mean it's ok but thought I'd mention it...

 

Sorry, forgot to mention that I couldn't get ESET working earlier but it's now finally running a scan. It's so far found 986 infected files and a lot of mentions of RAMNIT virus......*eeek*

I'll post the log when it's finished.

 

Finally finished scanning. It found A LOT to say the least.....(23618 files rolleyes). However, the resulting text file is 3.5 mb so I can't attach it. Here's a download link instead ( zipped and attached here)

Could someone let me know how things are looking now when you get chance. Many thanks

PS. Could someone explain why seemingly normal files (mainly all my web design files) and lots of general program files seem to be classed as 'infected' and how the virus works like that? I assume they've just been 'cleaned' now? Ta.

 

Thanks for getting back to me, Kestrel. I'll start the scans now. They're taking between 6-7 hours for each scan so don't think I've forgotten about you! I'll post the logs as soon as it's all done. Thanks!

 

OK, so all the scans have finally finished. Eset seemed to find the same files and same numbers every time so I don't know if it did anything, even though it said it had quarantined it all. Logs were huge so I've zipped them and uploaded them here >> http://www.megaupload.com/?d=MJ5C45MH

Problem is I'm a Web Designer so there is hundreds of html files on my PC which it lists as infected. Hope these aren't ruined otherwise I am too! :cry


I ran Combofix in Safe Mode and it worked fine. It did crash on reboot but luckily the log had already been created. It found and deleted a load of stuff so I hope it's a start. Log attached.

MGtools ran fine although I got one '.dll' error. Log attached.

One final thing, twice on reboot, as Windows was loading up, I had a window open up on the desktop. One file in it called '21.exe' (root path was C:\programfiles\windows). I deleted the folder and not seen it since. I imagine it's all related to the virus but thought I'd mention it.

Thanks

 

You're right..that's not good news

My copy of Windows was pre-installed so how would I even go about a reinstall? What exactly does this Avira Boot CD do then? I'd like to know what I'm letting myself in for as my entire business is run from this PC and I have a number of clients awaiting a response from me regards their websites

*edit* is it safe to move all my html website files to a back-up drive?

 

Somewhere I think....buried away in a box somewhere :confused

I seem to recall a friend ages ago saying that these pre-installed Windows PC's had a whole back-up of Windows saved somewhere on the hard-drive. Does that sound right?

Any tips on where or how I can use it if it is?

Thanks for your help anyway, Kestrel. It's always appreciated even if it is bad news this time