[myproblem36]

private

[Advertisements]

We don't use HJT much anymore but I can see that you have a DNS hijack and a malware proxy.

You are also running two anti-viruses: Norton/Symantec and Microsoft Security Essentials. Uninstall one.


To fix the DNS hijack:
1. Click "Start," click "Control Panel," click "Network and Internet Connections," and then click "Network Connections."
2. Right-click the network connection that you want to configure (the one you use to connect to the Internet), and then click Properties.
3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click "Internet Protocol (TCP/IP)", and then click "Properties."

4. Click "Use the following DNS server addresses," and then type 4.2.2.1 in the Preferred DNS server and nothing in the Alternate DNS server boxes.

5. Click "OK"

Reboot.

To fix the proxy:

In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

In FireFox, Tools, Options, Advanced, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

In Chrome, Wrench, Options, Under the Hood, Change Proxy Settings, uncheck all boxes, OK.



Now follow the guidelines in the top post of the Malware Removal forum
http://www.geekstogo...uide-t2852.html
and post your logs.

Ron

[RKinner]

We don't use HJT much anymore but I can see that you have a DNS hijack and a malware proxy.

You are also running two anti-viruses: Norton/Symantec and Microsoft Security Essentials. Uninstall one.


To fix the DNS hijack:
1. Click "Start," click "Control Panel," click "Network and Internet Connections," and then click "Network Connections."
2. Right-click the network connection that you want to configure (the one you use to connect to the Internet), and then click Properties.
3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click "Internet Protocol (TCP/IP)", and then click "Properties."

4. Click "Use the following DNS server addresses," and then type 4.2.2.1 in the Preferred DNS server and nothing in the Alternate DNS server boxes.

5. Click "OK"

Reboot.

To fix the proxy:

In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

In FireFox, Tools, Options, Advanced, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

In Chrome, Wrench, Options, Under the Hood, Change Proxy Settings, uncheck all boxes, OK.



Now follow the guidelines in the top post of the Malware Removal forum
http://www.geekstogo...uide-t2852.html
and post your logs.

Ron

[myproblem36]

Ron,

I have removed Microsoft Security Essentials. Below are my logs for your review. Looking at the logs, it looks like the malware/virus/hijack has directed me to websites like 1001namen.com, www.0scan.com, etc. I am not sure what these sites are, and I do not recall ever going to them.

Thanks again for your help.

[RKinner]

Please do not attach your logs. Open them then copy and paste them into your replies.

First disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Copy the text in the code box by highlighting and Ctrl + c

:OTL
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
O2 - BHO: (DCA BHO) - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Common Files\FreeCause\DCA\dca-bho.dll (Compete, Inc.)
O2 - BHO: (Shop to Win 8) - {DAC028C6-2A41-4730-B91F-DFBCB26C82B3} - C:\Program Files\Shop to Win 8\ShoppingBHO.dll (Freecause Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: []  File not found
O9 - Extra Button: Go to PlaySushi web site - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - Reg Error: Key error. File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
   
:Commands
[purity]
[emptytemp]
[Reboot]

then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus at this time :!:

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

• Download RootRepeal from the following location and save it to your desktop.
  
• Zip Mirrors (Recommended)
  
• Secondary Mirror
  
• Secondary Mirror

[*]Extract RootRepeal.exe from the archive.
[*]Open on your desktop.
[*]Before you run the scan go into Settings, Options, General and move the slider to Middle Level then close the Settings box!
[*]Click the button.
[*]Allow RootRepeal to run a scan of your system. This may take some time.
[*]Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
[/list]
Note: If you lose connectivity after running a program:

Start, Run, devmgmt.msc, OK to bring up Device Manager. Find Network Adapters and click on the + in front of it. For each network Adapter, right click and uninstall then close device manager and

Start, Run, cmd, OK

netsh  winsock  reset  catalog

netsh  int  ip  reset  reset.log

proxycfg  -d

exit

Now restart.

Ron

PS the sites you mention are not places you have visited. They are put in the hosts file - probably by Spybot S&D's immunize function - to keep you from going to them.

[myproblem36]

private

[RKinner]

You need to run the Norton/Symantec removal tool.

ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

Symantec's uninstaller just doesn't do a good job.

Also still waiting for the Combofix log.

Ron

[myproblem36]

private

[RKinner]

Log looks pretty clean. Are you still getting redirected or seeing any signs of peak protection 2010?

Ron

[myproblem36]

The only thing I see now is about:blank will show up for about 1 second before I am redirected to certain sites like geeks to go. Other than that, everything looks good.

Thanks again for all your help.

[RKinner]

You have several BHO's and Toolbars. It's possible one of them is causing the about:blank to show up. In IE, Tools, Manage Add-Ons, then for every Toolbar and Extension, highlight it and Disable. Then close IE and restart. Any change?

Ron

[myproblem36]

made

Edited by myproblem36, 24 October 2010 - 10:05 PM.

[RKinner]

In Chrome, the wrench in the top right corner then Tools, then Extensions. See if you can disable all of them.

We still have some housekeeping to do:

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You have the latest Java (Java™ 6 Update 22). but go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol 18.1 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.5.
http://oldmcdonald.w...orun-eater-v25/
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on. (Also available for Chrome) WOT (Web of Trust) and No Script are two others you might want to try.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

If you have a router, log on to it today and change the default password!



Ron

[myproblem36]

Ron,

Thanks again for all your help

Edited by myproblem36, 24 October 2010 - 10:06 PM.

[RKinner]

Were you able to clear up Chrome?

Ron

[myproblem36]

thanks

Edited by myproblem36, 24 October 2010 - 10:05 PM.