ie & firefox hijacked!

Discussion in 'Malware Help (A Specialist Will Reply)' started by denny1166, Apr 27, 2005.

  1. denny1166

    denny1166 Private E-2

    On my sister's comp (XP Pro) her messenger works along with Outlook, but IE and Firefox keep getting redirected to some website, no matter what you type into the address bar. I've tried all the programs you have suggested; nothing works. I even tried to reformat but it won't let me do that either. I have a HijackThis log if you think you can help. Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run all of the Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal?

    If so, continue with the below steps.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word, etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    What do you mean you cannot format? Do you have Administrator privileges? Did you get an error message?
     
  3. denny1166

    denny1166 Private E-2

    HijackThis log is attached. I know I need the service pack upgrades but this comp won't let me install them. If there is nothing I can do, let me know ASAP so I can reinstall Windows.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is there a reason you did not run all the steps of the READ ME FIRST? I can see that the online scanners were not run. Did you have a problem trying to run them?

    It appears as though you have two antivirus applications installed:
    Symantec's and F-Secure Anti-Virus from COGECO Security

    You must only use one antivirus application. You need to choose the one you prefer and uninstall the other.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download: LSP - Fix

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the winsflt.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move winsflt.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Do you know what this next line is for? It is very suspicious:
    O4 - HKCU\..\Run: [CRACK] \WINDOWS\system32\config\crack.lnk

    It's possible you got this from something to do with Kazaa. I really do not like the looks of this.
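
Added example, not part of the original posts and not HijackThis code: a small triage script for the two kinds of log line discussed in the post above, O4 autorun entries and O10 Winsock LSP entries. The O10 line and the two benign O4 lines in the sample are constructed for illustration, and the "odd directory" and "odd extension" rules are assumptions of this example, not HijackThis or MajorGeeks criteria.

```python
import re

# A HijackThis result line is "<section code> - <details>", e.g. "O4 - HKCU\..\Run: [name] target".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RUN = re.compile(r"^(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
EXT = re.compile(r'(\.\w{2,4})(?:["\s]|$)')

# Assumption (this example's heuristics): system32\config holds the registry
# hives, and temp folders are not where startup programs normally live.
ODD_DIRS = ("\\system32\\config\\", "\\temp\\", "\\temporary internet files\\")
ODD_EXTS = (".lnk", ".scr", ".pif", ".bat", ".vbs")

def triage(log_text):
    """Return (line, reasons) for each O4/O10 line that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue  # header text, blank lines
        reasons = []
        if entry["code"] == "O10":
            # An LSP sits in the path of all socket traffic, so every O10 line is reviewed.
            reasons.append("Winsock LSP entry: confirm the DLL is one you installed")
        elif entry["code"] == "O4":
            run = O4_RUN.match(entry["body"])
            if run:
                target = run["target"].lower()
                reasons += [f"autorun target under {d}" for d in ODD_DIRS if d in target]
                ext = EXT.search(target)
                if ext and ext.group(1) in ODD_EXTS:
                    reasons.append(f"autorun target has unusual extension {ext.group(1)}")
        if reasons:
            findings.append((raw.strip(), reasons))
    return findings

# Constructed sample: only the [CRACK] line is quoted from the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CRACK] \WINDOWS\system32\config\crack.lnk
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winsflt.dll
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```
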
     
  6. denny1166

    denny1166 Private E-2

    How could I run an online scanner if I can't get online? If I could I wouldn't need any help. Anyways, the file you told me to move into the remove was already in the remove.
     
  7. denny1166

    denny1166 Private E-2

    COGECO won't uninstall and I think that is what is doing this. I ran the uninstaller but some of it won't go, and when I go to running processes and turn the COGECO ones off, they come back.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does it actually appear in Add/Remove programs?

    You cannot delete the files because they are services. You must stop and disable the services and then delete the files. And then the registry entries.

    Since winsflt.dll was already in the Remove section, did you click Finish? Is the O10 line now gone from your HJT log?

    You did not answer the below question:
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Example on how to stop and remove services:

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to F-Secure Anti-Virus Firewall Daemon or FSDFWD ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    F-Secure Anti-Virus Firewall Daemon

    If the above long name does not work, try the short name: FSDFWD

    Repeat the above for the below:
    - F-Secure HTTP Server (short name: fshttps)
    - F-Secure Management Agent (short name: FSMA)
    - COGECO Security Services (short name: BackWeb Plug-in - 9867844)

    Now reboot and post a new HJT log.
     
