Yet another redirect problem - logs inside

  #1  
Old 11-29-2009
Newcomer, in training
 
Member since: Nov 2009, 5 posts
Yet another redirect problem - logs inside

It seems like this is affecting thousands of people out there. Thank you very much for all of your help.
Attached Files
File Type: txt mbam-log-2009-11-28 (22-48-16).txt (1.1 KB, 3 views)
File Type: txt SUPERAntiSpyware Scan Log - 11-29-2009 - 08-30-03pope.txt (5.4 KB, 2 views)
File Type: txt hijackthispope.txt (18.0 KB, 3 views)
  #2  
Old 11-29-2009
AnonymousSurfer's Avatar
TechSpot Member
 
Member since: Nov 2009, 143 posts
Hi pope,

You have a couple problems. Please open up HijackThis then click on System Scan Only and check off the following to be fixed.
  • C:\Program Files\DISC\DISCover.exe
  • O1 - Hosts: 91.212.127.226 winshield2009.microsoft.com
  • O1 - Hosts: 91.212.127.226 winshield2009.com
  • O1 - Hosts: 91.212.127.226 www.winshield2009.com
  • O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe


Then post if your problem persists after.
  #3  
Old 11-29-2009
Newcomer, in training
 
Member since: Nov 2009, 5 posts
Unfortunately I am still getting redirected.....do you need any additional logs?
  #4  
Old 11-29-2009
AnonymousSurfer's Avatar
TechSpot Member
 
Member since: Nov 2009, 143 posts
No, we will move on to ESET. Please download that and run it for a scan. Then post if your problem persists after that.
  #5  
Old 11-29-2009
Newcomer, in training
 
Member since: Nov 2009, 5 posts
I ran ESET.....it did not find or correct any problems; however, I am still getting redirected and popups. Thank you once again for your continued help.
  #6  
Old 11-29-2009
AnonymousSurfer's Avatar
TechSpot Member
 
Member since: Nov 2009, 143 posts
Please wait for a more experienced member to help you from here on.
  #7  
Old 11-29-2009
Newcomer, in training
 
Member since: Nov 2009, 5 posts
Thank you very much for all of your help.
  #8  
Old 12-03-2009
Newcomer, in training
 
Member since: Nov 2009, 5 posts
I am still experiencing this problem. Is there anyone else out there that has a possible solution? Thank you very much.
  #9  
Old 12-03-2009
Bobbye's Avatar
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 6,808 posts
Welcome to TechSpot, pope. I'll help with the malware. We're going to start with the first logs.

Sometimes, newer members will open the Hijackthis log and attempt to read it. Many times it's not accurate.

There is nothing wrong with this entry: Leave it. C:\Program Files\DISC\DiscUpdateMgr.exe

Your host files have been hijacked. Simply having HJT remove them isn't going to fix that.
Winshield2009.microsoft.com is a hijacked domain belonging to the malware known as Antivirus System PRO.

Antivirus System PRO changes your computer's HOSTS file to redirect you to the IP of 91.212.127.226. The user will see a URL Winshield2009.microsoft.com, which is a deception as the domain has nothing to do with Microsoft.

Basically, Winshield2009.microsoft.com hijacks your internet browser by using fraudulent strategies and displaying false or exaggerated security issues on your computer rather than any legitimate ones to coerce you into purchasing their software.

Does this look familiar? Image courtesy GeekPolice.


It puts this hidden entry on the system:
O4 - HKLM\..\Run: [Antivirus Pro 2010] "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide

Malwarebytes will usually remove this, but since you are still having the problem, please do this:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:
  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

When that is finished, please rescan with HijackThis and include that new log with the Combofix report.
Reply With Quote
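Added example, not part of the thread or any poster's reply: a small HOSTS-file audit that flags the kind of entries discussed above, where a name under a vendor zone is pinned to a routable IP, along with any other names pinned to the same IP. The sample file is constructed from the three entries quoted in the thread plus benign lines, and `PROTECTED_SUFFIXES` is an assumed list.

```python
import ipaddress

# Constructed sample: the three entries quoted in the thread plus benign lines.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
91.212.127.226  winshield2009.microsoft.com
91.212.127.226  winshield2009.com
91.212.127.226  www.winshield2009.com   # trailing comment
0.0.0.0         ads.example.test
10.0.0.5        fileserver.corp.example
"""

# Assumption: vendor zones a local HOSTS file should never override.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Return (line_no, ip, hostname) tuples for each mapping in HOSTS text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line or comment only
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        entries.extend((line_no, ip, n.lower().rstrip(".")) for n in fields[1:])
    return entries


def is_protected(name):
    """True if name is, or sits under, one of the protected vendor zones."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Flag vendor-domain overrides and every other name sharing their IP."""
    entries = [e for e in parse_hosts(text)
               if not (e[1].is_loopback or e[1].is_unspecified)]
    bad_ips = {ip for _, ip, name in entries if is_protected(name)}
    findings = []
    for line_no, ip, name in entries:
        if is_protected(name):
            findings.append((line_no, str(ip), name, "vendor-domain override"))
        elif ip in bad_ips:
            findings.append((line_no, str(ip), name, "shares IP with override"))
    return findings
```

On Windows the file to pass in is normally `%SystemRoot%\System32\drivers\etc\hosts`; a private-range mapping such as the constructed `10.0.0.5` line is left alone unless it shares an IP with an override.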