"Google Redirect" Problem As Well! AH!

By tamas6349
Feb 18, 2010
Topic Status:
Not open for further replies.
  1. I have tried everything! After scans and removals, I thought the problem was finally fixed, but then it started all over again. (When all I did was check my email [none were opened] and went on facebook!)

    Here is a list of the scans that I've run:
    Avira is my virus scan
    Advanced SystemCare
    Spybot S&D
    IObit Security 360
    Malwarebytes' Anti-Malware
    Ad-Aware
    SUPERAntiSpyware
    CCleaner
    ComboFix
    RootRepeal

    I'm going crazy! Before I did anything too deep on my computer I figured I'd ask because I'm assuming every case is a little different and I didn't want to mess anything up. If there are any suggestions you may have I would appreciate it so much!
    Thanks!


    Tamara
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Tamara, you may have done it all, but you haven't given us anything to work with!

    If you followed the steps HERE, we need to see the 3 logs.

    If you kept the logs, please attach them to your next reply.

    If not, we ask that you run these programs in this order:
    Malwarebytes
    Superantispyware
    HijackThis.

    The first 2 each have a line for you to check to remove what they find. We will instruct you in removals, if any, from the HijackThis log.
  3. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    I attached the logs! I still have the HijackThis open, should I check everything and fix it?
    Thanks again!
    Tamara

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    No! Most of the entries in a HJT log are okay. It is different from the other 2 programs which only show malware. Close the log. After I review the logs, I will instruct you for any HJT entries.

    First thing you need to do is handle the multiple antivirus programs you have running. You have both:
    Avira
    Symantec/Norton

    and the linkscanner left from AVG.
    Please remove one of the first 2 AV programs. To uninstall Symantec, use this Norton Removal Tool
    To uninstall Avira:
    • Start> Settings> Control Panel> Add or Remove Programs
    • Wait for the list of installed programs to load, then click the name of the Avira program.
    • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    • Press Yes, to confirm the removal and then OK.
    • Click Next until Finish. The software is removed.

    Please reboot the computer when you have finished.

    I have some questions for you:
    1. Are you being redirected to a site different from the one you choose- is this the main problem?
    2. Who is your ISP? That's who you pay every month to use the internet. Level 1? Road Runner?
    3. Do you have a router?

    You have some sites in the Trusted Zone that you should remove. The easiest way to do that is to use this program:

    Please download DelDomains and unzip it to your desktop. Do not run it yet.
    • Close all open browsers
    • Right click on deldomains.inf and select Install.

    Note: this will remove all entries in the Trusted Zone and Restricted Zone.

    Rescan with HijackThis and give me a new log and the answers to my questions.
  5. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    I read somewhere that if you have this file:
    C:/Windows/system32/wdmaud.sys
    that deleting it then running scan may help. Is this true? I haven't done it because I'm skeptical about removing things from this folder. But I do indeed have that file in the system32 folder.
    Thanks!
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You should be skeptical and should not remove any entries unless instructed to. "I read somewhere...." is a dangerous place to go!
  7. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    Ok, I got rid of Symantec (I thought I completely uninstalled it years ago!) and I ran the DelDomains. Is it supposed to show anything after you click install? Because nothing popped up on my screen..
    As for your questions:
    1. Yes, I'm being redirected, and that is the main problem. It started a few days back with the Security Essentials 2010 virus. I was able to remove that, but the redirecting problem is still haunting me!
    2. We have road runner, yes. I'm not sure what level it is. I don't think it's level one because my boyfriend is an XBOXlive gamer, so our connection usually has to be pretty high.
    3. Yes, we have a router, I use wireless internet on my laptop (which is the computer infected)
    I will attach the latest HijackThis log!

    Thank you so much for helping me!!

  8. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    As of right now google is not redirecting me to other sites. It did that yesterday as well, but after a little while started again. (I'll keep you posted if anything changes)
    Is it possible that the partials of Symantec that were on my computer caused this?
    I want to be sure my computer is safe before doing anything that contains personal information, so if there are other things I should do let me know!
    Thanks!
  9. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    Like I thought, after my computer was shut down for a night, the redirect problem is here again. So what's my next step?
    Thanks!
    Tamara
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Tamara, when there are no replies following your post yet, you can use the Edit feature on the post to add, delete or change anything- instead of making a new reply.

    About the ISP question: Level One is not a gaming level. It is the name of an ISP. Right now, a site in the Netherlands appears to be hijacking the browser. But the IPs following are for Level One and RR.

    For DelDomains, no, you don't 'see' anything happening. Sorry, I should have mentioned that.

    Please print out the following directions so you can refer to them:

    You will need to do a DNS Flush:
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and Shut down your computer, and any other computer connected to your router.

    [1]. Then reset your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer. Run MBAM again.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • If prompted to install the Microsoft Windows Recovery Console, please allow.
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with a rescan using HijackThis. Please attach the Combofix report and new HijackThis log in your next reply.
  11. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    Is it possible to get around the router resetting step? The router is in my stepfather's office and I don't want to mess anything up with resetting it. If the step is crucial I will be able to do it tomorrow (when he is not in need of his computer and/or internet). If there is anything I can do in the meantime just let me know!
    Thanks
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Did you do the DNS flush? Do that part and then go on to Combofix.
  13. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    Ok, I ran the DNS flush, and completed the ComboFix scan. I'll attach the log.
    Thanks!

  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Are you still being redirected? Combofix is still showing the IP in the Netherlands, plus Level 1 and RR.
    Did you run the Norton Removal Tool (Post #4)? There are still entries loading.
    Please uninstall s-squared if you want to keep Avira.

    Then something is happening on the reboot that changes a setting. When you shut down for the night, do you put the system into StandBy, Hibernate or Sleep? Or do you go through the Shut Down sequence where you close everything> logoff> Shutdown?

    Please download OTMoveIt3 by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      Viewpoint Manager
      :Reg
      
      :Files  
      c:\windows\system32\UdJiYycV.exe
      C:\Program Files\Viewpoint\Common\ViewpointService.exe
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please rescan with HJT so I can see if the flush did anything. Attach new log.
  15. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    I am still being redirected.

    I did use the Norton removal tool and it said it successfully removed the components. How else can I remove the other components?
    I do not know what s-squared is and couldn't find it to uninstall it. (I first searched for the file, and also checked add/remove programs, I couldn't find it)

    I completely shut down my computer at night, and it is acting different, once it reboots a black screen pops up that asks how I want to start up windows. But if I ignore it, it disappears in a second and boots the computer up normally.

    I will attach the new logs
    Thanks again!!!

  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    This is important. It means something is interrupting the normal startup process. Please run the Error Checking as follows: Close the browser, email and any other open programs first.
    • Click on My Computer> Right click on Local Drive (C)> Tools tab
    • Choose Error Check
    • Check both boxes on the screen that comes up> OK
    • Close the nag message that comes up and reboot
    • The Error Checking will begin in a few seconds
    • Important: let the checking complete. The system will reboot when through

    If you have not been doing the Error Check in the normal maintenance of the computer, it will take a while to run. Just be aware of that and let the process finish.

    When the Error Checking has finished, please reopen HijackThis to 'do system scan only.' Check the following entries if present:

    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2CD8562F-9954-4D10-8801-0311779FF0EB}: NameServer = 83.149.115.157,4.2.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36D0FEC2-5A50-4686-B1CD-5C9DC72A92D5}: NameServer = 83.149.115.157,4.2.2.1,209.18.47.61 209.18.47.62
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)


    Close all Windows except HijackThis and click on "Fix Checked"

    Click on Start> Run> type in services.msc> double click on the following Service and set the Startup type to Disabled> Stop the Service if it is running.

    These should allow a marked improvement in the system performance.
    Please rescan with HJT to make sure these entries were removed.
    Let me know your status.
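
One way to triage the O17 lines listed in the post above, as an added example that is not part of the original thread or of HijackThis: it parses each `NameServer` value (the second line mixes commas and spaces as separators) and reports every address that is not on an allowlist, with its position in the resolver order. The allowlist `EXPECTED_RESOLVERS` and all function names are assumptions for illustration; substitute the resolvers your ISP or router actually hands out.

```python
import ipaddress
import re

# Constructed sample: one O3 line and the two O17 lines quoted in the post above.
SAMPLE_LOG = r"""
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CD8562F-9954-4D10-8801-0311779FF0EB}: NameServer = 83.149.115.157,4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{36D0FEC2-5A50-4686-B1CD-5C9DC72A92D5}: NameServer = 83.149.115.157,4.2.2.1,209.18.47.61 209.18.47.62
"""

# Assumption for illustration: the resolvers this user expects to see,
# taken here to be the addresses that follow the first one in the log.
EXPECTED_RESOLVERS = frozenset({"4.2.2.1", "209.18.47.61", "209.18.47.62"})

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<value>.*)$")


def parse_o17(log_text):
    """Return [(registry_key, [address, ...])] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if not match:
            continue
        # Addresses may be separated by commas, spaces, or both.
        tokens = [t for t in re.split(r"[,\s]+", match.group("value")) if t]
        entries.append((match.group("key"), tokens))
    return entries


def classify(token, expected):
    """Label one NameServer token: expected, local, unexpected or malformed."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return "malformed"
    if str(ip) in expected:
        return "expected"
    if ip.is_private or ip.is_loopback:
        # Queries go to the router or a local service; check that device's
        # own DNS settings separately.
        return "local"
    return "unexpected"


def audit(log_text, expected=EXPECTED_RESOLVERS):
    """Return one finding per resolver that is not on the allowlist."""
    findings = []
    for key, tokens in parse_o17(log_text):
        for position, token in enumerate(tokens):
            verdict = classify(token, expected)
            if verdict != "expected":
                # Position 0 is the resolver Windows queries first.
                findings.append({"key": key, "server": token,
                                 "position": position, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("{verdict:10} #{position} {server:16} {key}".format(**finding))
```
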
  17. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    All entries were removed! But I'm still having the start-up issue. It's asking to select a console for start-up, either recovery or XP

    Click on Start> Run> type in services.msc> double click on the following Service and set the Startup type to Disabled> Stop the Service if it is running.

    ^^^^I didn't understand those instructions. I was able to retrieve the list of services, but I didn't know what to select. It says "double click the following" but then it's not mentioned.
    Just let me know what to do, hope I'm not being too much of a hassle!
    Thanks so much!
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    This line is in the Combofix instructions:
    If a Recovery Console is installed, this prompt doesn't display and the scan progresses. When there is no Recovery Console installed on a system which runs Combofix, it is clearly stated at the top of the Combofix report with this:
    I don't see that in your Combofix report.

    You stated that the black screen displayed on boot:
    You now say:
    Asking you how you want to startup Windows is not the same as asking you to select a console.
    Please describe exactly what displays when you boot the system, what the choices are and how it eventually continues with the boot up process if you ignore the message.

    My apology for this. I forgot to put the Service in:
    Click on Start> Run> type in services.msc> double click on the following Service and set the Startup type to Disabled> Stop the Service if it is running.
    Scroll down the list and find the service called "Viewpoint Manager Service"

    Now I am going to ask you to be more specific:
    What does this mean in reference to a redirect? Describe what is happening:
    Since you question a Google Redirect, I'd like you to describe what's happening:
    1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
    2. Does a different site load?
    3. Does any site load?
    4. Are the sites the same/different?
    5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?

    And then I need a new HJT log check for the removals.

    Please note that I would have liked you to reset the router several replies back.
  19. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    -When I boot it says:
    Please select operating system to start
    MS Windows Recovery
    MS Window XP Home Edition

    -Viewpoint Manager Service was already disabled

    -(When all I did was check my email [none were opened] and went on facebook!)
    Initially after doing my scans, I went to google and was not being redirected, but after checking my email and logging on to facebook.. the next time I went to google it redirected me again.


    When I chose a site after searching in google the URL bar will say 'searchclick8' and then it will load a different site (Not the one being clicked).
    It will usually be a different site each time. Some are legit sites such as yellowpages.com, but it will also load random sites I've never heard of.
    It will always load a site, I haven't seen a google page saying DNS server couldn't be contacted.

    I will send a new HJT log, and I will try to get around to resetting the router tomorrow (sorry for the delay, like stated before I don't want to mess any of my stepfather's settings up with his computer, even the blu ray player is wirelessly connected to the router and I don't know how to set it up! But I will do my best to do it tomorrow!)

    Thanks again,
    Tamara

  20. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    Update:
    Did a few google searches to test it out, and I wasn't redirected. It's weird though because I haven't done any scans since I was redirected last time. I'm sure it's temporary like it was last time, but I figured I'd keep you posted on the situation. If this changes I'll be sure to let you know!
    Thanks for hanging in there with me Bobbye!! I really appreciate your patience!

    Tamara
  21. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    Still not being redirected, which is a good sign. (I hope!)
    I did the resetting of the router, and was able to secure the network and link everything! Phew!
    Ran MBAM, I'm attaching the log now!
    Thanks!

    PS-
    The boot up screen is still popping up.

  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Okay, nothing new in the Mbam log. But I need you to rescan with HijackThis to make sure we killed the O17 entries.

    The startup problem appears to be more related to a system problem rather than malware. I'll check one more thing for you: Please check the time on the computer clock the next time you boot and that screen pops up. We'll be looking to see if there is any Error that corresponds to that time to help us find a cause.

    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe then under Select log to query, select:
    • Application
    • System

    Under Select type to list, select:
    • Critical (Vista only)
    • Error

    Click the radio button for Number of events
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

    Load the log
    • In Notepad, click Edit> Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.
    (Courtesy rev-Olie)
  23. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    Hi there, I believe all entries that were checked in HJT were actually removed, I'll attach the log just in case!
    As for the clock thing, the time was correct when I booted up, I don't know if that's what you wanted me to check.. if not just let me know!

    The VEW log was too large to paste, so I have to attach it

    Thank you!!
    Tamara

  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please check the CD drive and make sure the Windows CD isn't in it.
  25. tamas6349

    tamas6349 Newcomer, in training Topic Starter

    No, there's no cd in my drive.