Unable to browse sites

Status
Not open for further replies.

pncl321

Posts: 9   +0
Hi, I'm posting about a problem I have regarding being able to browse the internet.

Whenever I visit my homepage, google.com, instead of Google coming up a different site appears that seems to be from Microsoft security center, and says

Alert : Your computer have been attacked by spyware or viruses!


Please download AntiSpyware to fix.


Then if I try to go to a lot of other websites nothing comes up besides

Bad Request (Invalid Hostname)

Please help, thank you

My HijackThis and Malwarebytes Anti-Malware logs are attached. I ran Malwarebytes and SuperAntispyware twice.
 

Attachments

  • mbam-log-2008-11-04 (02-43-11).txt
    1.1 KB · Views: 5
This is a common spyware that I've cleaned off many customers' computers. Here's what you do:

1) Remove any obvious spyware programs from the Startup list in MSCONFIG

Start -> Run -> msconfig -> Startup

2) Remove any obvious spyware programs from the program list using Add/Remove Programs

Start -> Control Panel -> Add/Remove Programs

3) Download/install Spybot Search & Destroy (click here for download). Restart in Safe Mode and run a scan there first.

Repost with results. We may need to perform more removal techniques.

-- Andy
 
Search for posts by momok using keyword = combofix. Follow instructions. Post log. I suspect that the O20 entry remnant will be detected.

Use HJT to Fix-Check all O1 entries. This may give temporary ability to access sites for obtaining malware removal tools.
 
kimsland, do you look at those Host files? Quite a variety there- from Microsoft to YouPorn!

DO NOT use System Restore. Mbam removes some entries, but R is a protected folder and malware doesn't get removed by the programs. We will have you drop the old restore point when you're clean.

One of the infections was a rootkit, so I expect you are going to be asked to run a more specialized program.

Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of Java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

You need to run SuperAntispyware and include that log.

almcneil, I cannot believe you would instruct a user to do this:
2) Remove any obvious spyware programs from the program list using Add/Remove Programs
What is an "obvious spyware program"? It has become painfully clear that you do not know how to read the logs from the malware programs. Until or unless you do, you should not be advising anyone in the forum.
 
Just a note: the user's HijackThis shows SP2. Recommended to patch to latest.
 
pncl321, what is your source for the Host Files? It is redirecting to AKANOC Solutions. Since the files are so mixed, as mentioned, Microsoft to YouPorn, I need to know if you or a program you are using has set the Host files up. Two programs that I know of offhand that set up Host files are Spybot and ZoneAlarm, however I don't see either.

The Host Files show as the O1 entries in the HijackThis log.

Okay, let's get some protection on the system. I don't see any evidence of an antivirus program:

Please download and install Avast Free: http://www.avast.com/eng/download-avast-home.html

There may be a problem accessing due to the host files. Please do this NOW and let me know if it's on.
 
OK, I updated to Service Pack 3.
My Java was updated to the latest already.
And I installed and ran Avast.

This is my log after it all.

I also had Spybot Search and Destroy before, but I uninstalled it.
 
Bad Request (Invalid Hostname)
The reason you aren't able to browse sites is because most are listed in the Host files. They need to be removed:
Please reopen HijackThis and scan> Place a CHECK by all of the following:
O1 - Hosts: 204.16.197.121 www.google.com
O1 - Hosts: 204.16.197.121 www.myspace.com
O1 - Hosts: 204.16.197.121 www.youtube.com
O1 - Hosts: 204.16.197.121 www.facebook.com
O1 - Hosts: 204.16.197.121 www.live.com
O1 - Hosts: 204.16.197.121 www.msn.com
O1 - Hosts: 204.16.197.121 www.wikipedia.org
O1 - Hosts: 204.16.197.121 www.ebay.com
O1 - Hosts: 204.16.197.121 www.aol.com
O1 - Hosts: 204.16.197.121 www.craigslist.org
O1 - Hosts: 204.16.197.121 www.blogger.com
O1 - Hosts: 204.16.197.121 www.go.com
O1 - Hosts: 204.16.197.121 www.amazon.com
O1 - Hosts: 204.16.197.121 www.cnn.com
O1 - Hosts: 204.16.197.121 espn.go.com
O1 - Hosts: 204.16.197.121 www.espn.com
O1 - Hosts: 204.16.197.121 www.photobucket.com
O1 - Hosts: 204.16.197.121 www.microsoft.com
O1 - Hosts: 204.16.197.121 www.comcast.net
O1 - Hosts: 204.16.197.121 www.imdb.com
O1 - Hosts: 204.16.197.121 www.wordpress.com
O1 - Hosts: 204.16.197.121 www.nytimes.com
O1 - Hosts: 204.16.197.121 www.weather.com
O1 - Hosts: 204.16.197.121 www.ask.com
O1 - Hosts: 204.16.197.121 www.aim.com
O1 - Hosts: 204.16.197.121 www.apple.com
O1 - Hosts: 204.16.197.121 www.mapquest.com
O1 - Hosts: 204.16.197.121 www.youporn.com
O1 - Hosts: 204.16.197.121 www.fastclick.com
O1 - Hosts: 204.16.197.121 www.rapidshare.com
O1 - Hosts: 204.16.197.121 www.pogo.com
O1 - Hosts: 204.16.197.121 www.doubleclick.com
O1 - Hosts: 204.16.197.121 www.att.com
O1 - Hosts: 204.16.197.121 www.adobe.com
O1 - Hosts: 204.16.197.121 www.vnn.com
O1 - Hosts: 204.16.197.121 www.sportsline.com
O1 - Hosts: 204.16.197.121 www.netflix.com
O1 - Hosts: 204.16.197.121 www.dell.com
O1 - Hosts: 204.16.197.121 www.google.co.uk
O1 - Hosts: 204.16.197.121 www.bbc.co.uk
O1 - Hosts: 204.16.197.121 www.ebay.co.uk
O1 - Hosts: 204.16.197.121 www.bebo.com
O1 - Hosts: 204.16.197.121 www.amazon.co.uk
O1 - Hosts: 204.16.197.121 www.sky.com
O1 - Hosts: 204.16.197.121 www.virginmedia.com
O1 - Hosts: 204.16.197.121 www.aol.co.uk
O1 - Hosts: 204.16.197.121 www.hsbc.co.uk
O1 - Hosts: 204.16.197.121 www.antispyware.com
O1 - Hosts: 204.16.197.121 www.antispy.com
O20 - AppInit_DLLs: karna.dat (Added by the Troj/FakeVir-GL Trojan).

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

Download KillBox from the link here: http://www.bleepingcomputer.com/files/killbox.php

Download this file and run the killbox.exe file.
When it loads type the full path to the file you would like to delete in the field:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

Advise system status after this. There are more entries to be removed, but we may need to run additional programs if the hosts files can't be suppressed.
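
An added example, not from any poster in this thread: Python that reads hosts-file lines or HijackThis `O1 - Hosts:` lines and reports any non-loopback address that several different hostnames point to, which is the redirect pattern in the log above. Entries pointing at loopback or 0.0.0.0, as blocklist-style hosts files use, are ignored; the threshold of 3, the function names and the `.test` sample lines are assumptions constructed here.

```python
import ipaddress
import re
from collections import defaultdict

# HijackThis prefixes each hosts entry with "O1 - Hosts:"; a raw hosts file does not.
O1_PREFIX = re.compile(r"^O1 - Hosts:\s*", re.IGNORECASE)

def parse_hosts(lines):
    """Yield (ip, hostname) pairs from hosts-file or HijackThis O1 lines."""
    for raw in lines:
        line = O1_PREFIX.sub("", raw.strip())
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank, comment-only or malformed
        for name in fields[1:]:                # one line may carry several aliases
            yield fields[0], name.lower().rstrip(".")

def find_redirects(lines, threshold=3):
    """Return {ip: [hostnames]} for routable IPs that many hostnames map to."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(lines):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # not an IP address, skip the entry
        if addr.is_loopback or addr.is_unspecified:
            continue                           # blocklist-style sinkhole entry
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= threshold}

# Sample input: four O1 lines copied from the log in this thread,
# followed by constructed benign entries for contrast.
SAMPLE = [
    "O1 - Hosts: 204.16.197.121 www.google.com",
    "O1 - Hosts: 204.16.197.121 www.microsoft.com",
    "O1 - Hosts: 204.16.197.121 www.hsbc.co.uk",
    "O1 - Hosts: 204.16.197.121 www.antispyware.com",
    "127.0.0.1 localhost",
    "127.0.0.1 ads.example.test  # constructed blocklist entry",
    "0.0.0.0 tracker.example.test",
    "192.168.1.10 nas.home.test",
]

if __name__ == "__main__":
    for ip, names in find_redirects(SAMPLE).items():
        print(f"{ip}: {len(names)} hostnames redirected, e.g. {names[0]}")
```
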
 
Thanks jobeard. Looks like that handled the host files.

I have included the BitComet entries to be removed. I strongly recommend you remove them and uninstall the program. It will be a constant source of malware:

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Control Panel> Add/Remove Programs> Uninstall the following:
BitComet
Poker Stars.
Reboot into Normal Mode

If the original problem has been handled, we can clean up:
Remove the cleaning tools:
* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

Let us know if you need more help

EDIT: I have removed this from the list of entries to remove per momok's suggestion:
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
 
Note on the PokerStars program: It's not really bad per se, it's just a program from one of the online poker servers. I've personally used it before to play poker. The reason why sometimes it's classified as adware is due to the splash screen on the exit of the program. I think we can leave the choice of uninstalling it to the user.

There is however a trojan which drops similarly named files on the system. So we just have to check with the user if he uses that particular poker server.
 
No problem. I usually see so many Tracking Cookies- and a few other things in SAS from these sites.
 