complete browser hijack

[riles]

2 days ago my system was fine. Last night, not.  I have absolutely no connection from my home pc to the internet.  I can ping my Linksys router from the command line and my work laptop gets out to the internet fine.  Both Firefox and IE7 will not see the internet.  I have been trying to remove "My Web Search" from my pc with no luck.   I am running XP SP2 and Macafe virus software.  I autoscan about once a week.  I downloaded HJT last night and ran that with some suggestions from another website.  I am at wits end.
Please help.

[drmsucks]

Read this:http://www.computerhope.com/forum/index.php/topic,46313.0.html

Best of luck!

[evilfantasy]

Try running this WinSockFix utility to repair your connection.
 

• WinSockFix
  
• Winsock Repair Tutorial

.
Then do the steps here > http://www.computerhope.com/forum/index.php/topic,46313.0.html

[riles]

Mr. Evil,
I am assuming that I can download these links to a thumb drive to get them onto my home PC.  I also appreciate your quick response.  I will follow these steps when I am home and not at work.  Thank you.

[evilfantasy]

Yes you can put WinsockFix on a flash drive and transfer it to your other PC.

You may also want to transfer over ClamWin AV just in case to run it on the other PC.

Download ClamWin Portable to a portable device and make sure to update it.

Now put the flash drive in to the infected computer.
To start up ClamWin Portable, just double-click PortableClamWin.exe file where you installed Portable ClamWin on your portable drive.
Select the drive(s) you want to scan and click Scan.
Let ClamWin fix whatever it finds.

Removing Your Drive - When you're done, exit ClamWin.
Then select the Safely Remove Hardware option from the icon in the system tray.
If you remove the drive while it is writing, you may lose data.

Running From CD (ClamWin Portable Live)

ClamWin Portable supports running from a CD. To set it up, extract ClamWin Portable to a local drive and run it. Download the latest virus definitions. Then close ClamWin Portable. Move the ClamWin.conf file from the ClamWinPortable\Data\settings directory to the ClamWinPortable\App\clamwin directory. Then burn the whole ClamWinPortable directory to CD. Be sure not to move any of the files from the default locations. The ClamWinPortable.ini can not be used when running from CD.

[riles]

here are the two logs.  Mbam and superanti spyware.  Two great apps.  Please let this work....

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

Everything in the MBAM log says No action taken. Did you fix the entries after copying the log?

I need the Hijackthis log also.

[riles]

Here is the mbam log.  I need to find the HJK log.

[recovering disk space -- attachment deleted by admin]

[riles]

here is the HJT log.  The first one before I registered here and one from right now.

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

Everything looks OK as far as malware. Are you having any problems still?

A few things to do including completely removing Norton/Symantec.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
- O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
- O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
- O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
- O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
- O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Go to add/remove programs and uninstall anything with Norton, Symantec or LiveUpdate in the name.

Download the Norton Removal Tool (SymNRT) to your Desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

• Go to your desktop and double click on the removal tool and then click Setup.
  
• Once open Click Next
  
• Accept the license agreement and click Next
  
• Type in the letters/numbers that you see into the text box then click Next.
  
• Then click Next and the tool will start running.
  
• Once finished restart the PC and run the tool again to ensure everything has been removed.

.
----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Be sure to close all browser windows before beginning the install.

Remove the old version(s)

• Go to add/remove programs and uninstall all old versions.
• Be sure not to remove the new version that was just installed.
  
• Download JavaRa.zip and unzip the file to your Desktop.
  
• Open JavaRA.exe and choose Remove Older Versions
  
• Once complete exit JavaRA and delete the program.
• Run CCleaner.

.
----------

How is everything now?

[riles]

Mr. Evil.  As of last night and running everything (I need to re-run the HJT app) still not internet.  I can ping yahoo an my router.  I cannot ping CNN or AOL, I find that to be odd.  I can however surf the net on my work laptop going through my router and dsl connection.  That said, I am at work today for WWE and won't be at that PC until around 5am.... probably not until tomorrow afternoon.  I will post the revised HJT log after that.  Thank you.

[evilfantasy]

You can try this.

Manual fix:

Click Start > Run and copy and paste the following line into the run box:
regsvr32 urlmon.dll
Press OK
Once it is completed you will get this message DllRegisterServer in urlmon.dll succeeded, repeat the above steps, but replace regsvr32 urlmon.dll with the following: (enter each line one at a time selecting OK after each)

• regsvr32 actxprxy.dll
  
• regsvr32 shdocvw.dll
  
• regsvr32 mshtml.dll
  
• regsvr32 browseui.dll
  
• regsvr32 jscript.dll
  
• regsvr32 vbscript.dll
  
• regsvr32 oleaut32.dll

When finished restart your computer.

Automatic fix:

Click     Here to download IEdll.zip. Save it to your desktop.
Right click on IEdll.zip click on Extract all.
Go to the extracted files and double click on IEdll.bat
Follow the prompts.
It will tell you when it is done.
When finished restart your computer.

[riles]

I did the manual fix.  When I got to the mshtml line, I got an error message that the path could not be found and that it was invalid.

Thoughts??

[evilfantasy]

Completely uninstall Zone Alarm and then try to connect.

Also after you uninstall Zone Alarm please run a new HijackThis scan and post the log.

[riles]

in the process.  BTW, I scan on a regular basis and still seem to have been infected.  How many aps do I need to run to keep myself clean?  i just bough mcafee and thought it was good, now I am wondering.  I am still getting the message that my search default search engine is trying to be changed (yahoo, then google).  HOOOOOOOORRRRRRRRRRRRRAAAAAAAAAAAAAAYYY YYYYYYYYY!!!!!!!!!!!!!  The zone alarm was the fix!!!  I am now back online!!! You are amazing!!!! I want to be you when I grow up!!!!!  Now what about a firewall? Can I reinstall zone alarm ( I do like it) or do I need to use something else???

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

From ZA website. There is a fix with an update I think.

Workaround to Sudden Loss of Internet Access Problem

[riles]

Thank you.