TechSpot

Google search redirect virus

By hws8179
Nov 18, 2008
Topic Status:
Not open for further replies.
  1. I'm being randomly redirected on a Google search when I click the links. It says "jump redirect" on the toolbar right when it does it. I have Norton AntiVirus, and it didn't stop or detect it. No surprise there.
    I've read the threads that others posted who were having the same issue, and have attached my HJT file to this thread. Any help would be greatly appreciated. Thanks. - H
     
  2. rf6647

    rf6647 TS Maniac Posts: 931

    Welcome to TS.

    Your HJT log has one exceptional finding. As the user, only you can decide if it is appropriate. HJT actions tick/fix drops item from autostart. User deletes file/folder.

    O21 - SSODL: uimnt - {72767BF0-A48F-355F-71F1-0AD4E3E55BCA} - C:\Program Files\jddfscb\uimnt.dll


    I suggest following the 8-step malware removal guide

    Post 3 logs. This gives us a common view of your complaint. Please share progress & restate symptoms, since things do change.

    Google redirection covers a wide spectrum of infections or just a simple reset of IE settings.

    Failure to access sites for tools from the guide, may require access via this site:
    download dot com (phonetic wording to avoid hyperlink creation; protect identity of site)
     
  3. hws8179

    hws8179 TS Rookie Topic Starter

    Thanks. I'm in the process of going through the 8-step removal guide. I've disabled Spy Sweeper, but do I also need to disable my virus protection? I have Norton AntiVirus 2009.

    Also, in reference to what you spoke of as an 'exceptional finding' in my HJT log...I'm not sure I understand what is good or bad about it. It says "user deletes file/folder" but I didn't knowingly delete anything. I'm not tech-savvy enough to understand the implications of what it means.
    Sorry, I feel like a derelict.

    Thanks for your help. -H
     
  4. rf6647

    rf6647 TS Maniac Posts: 931

    Call me a code-talker. I use 'express' style to keep things brief. Then I wait for you to ask clarification. This helps us move toward the middle. I am still trying to develop a style that sets us up for success.

    If you do not recognize the path (Program Files\jddfscb) to the file (uimnt.dll), chances are you did not install the application.

    Notation: HJT tick/fix means scan with HJT > tick the box for the O21 entry > select Fix > ......... > exit ;
    A restart is needed for the changes to take effect.

    For O21 entries, this removes the registry key(s) that enable this to run @ startup.

    If this is malware, then delete the file & folder.

    If not completely sure,
    HJT tick/fix the O21 entry.
    Rename file: uimnt.dll ---> uimnt.dlx

    Restart the computer

    Check Events logs for errors. Discuss findings.


    From a cursory survey of threads complaining about Google re-direction, solutions are divided nearly 50-50: Resetting IE settings (RIES) versus malware removal.

    There is no perfect first choice. RIES may be a complete solution or a temporary hobble to the infection.

    Clean logs from the scan send you back to RIES.
    Instructions for RIES courtesy of kimsland

    Oops - I just reverted back to my verbose style.

    [edit]
    Recommended Actions:
    HJT tick/fix the O21 entry.
    Rename file: uimnt.dll ---> uimnt.dlx
    [/edit]
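
Added example (not part of the original thread, and not any poster's or HijackThis's own code): a Python parser for the O21 line format quoted in post 2 that lists entries whose DLL folder is not one the user recognizes, the check rf6647 describes above. `KNOWN_DIRS` and every sample log line other than the `uimnt` entry are constructed assumptions.

```python
import re
from ntpath import dirname, normpath

# HijackThis O21 line: "O21 - SSODL: <name> - {CLSID} - <dll path>"
O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)\s*$"
)

# Assumption: folders the user recognizes; adjust for the machine under review.
KNOWN_DIRS = (r"C:\WINDOWS\system32",)

# The uimnt line is from the thread; the other two lines are constructed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O21 - SSODL: ExampleShellObj - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\exampleshell.dll
O21 - SSODL: uimnt - {72767BF0-A48F-355F-71F1-0AD4E3E55BCA} - C:\Program Files\jddfscb\uimnt.dll
"""


def parse_o21(line):
    """Return name/clsid/path for an O21 line, or None for any other line."""
    m = O21_RE.match(line.strip())
    return m.groupdict() if m else None


def unrecognized_o21(log_text, known_dirs=KNOWN_DIRS):
    """Return O21 entries whose DLL sits outside every recognized folder."""
    known = [normpath(d).lower().rstrip("\\") for d in known_dirs]
    hits = []
    for line in log_text.splitlines():
        entry = parse_o21(line)
        if entry is None:
            continue  # not an O21 SSODL line
        folder = dirname(normpath(entry["path"])).lower()
        if not any(folder == k or folder.startswith(k + "\\") for k in known):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in unrecognized_o21(SAMPLE_LOG):
        print("review:", e["name"], e["clsid"], e["path"])
```

An entry listed here is only a candidate for review; the thread's tick/fix, rename and restart sequence is still how the poster decides whether it belongs.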
     
  5. hws8179

    hws8179 TS Rookie Topic Starter

    just finished the 8 steps

    OK, I think I understand the 021 line thing you were talking about, but I also just finished the 8 step removal, so I guess I'll first see what you think of those. I will attach them to this reply, and please let me know what you recommend. You've been a great help, thanks. -H
     
  6. hws8179

    hws8179 TS Rookie Topic Starter

    one last thing

    I forgot to attach the super anti spyware log with my other logs. So, here it is.
     
  7. rf6647

    rf6647 TS Maniac Posts: 931

    Ooops. Your reply slipped by me.

    HJT Scan, Tick & Fix
    Restart the Computer

    Run MBAM - do not scan
    > More Tools > Run Tool (FileAssassin)

    Copy and paste the line from the code box to "File Name" and click open.
    Code:
    C:\WINDOWS\system32\mst120.dll 
    Update MBAM

    MBAM Scan, quick mode.

    Restart if log indicates 'reboot'

    Repeat MBAM scans until logs report 0 infections or no further progress is made.

    Scan MBAM complete mode (covers files/folders)

    Update SAS

    SAS scans until log reports 0 infections or no further progress is made.

    Restart the computer

    HJT Scan

    Post logs. Report progress and state what symptoms are still present.
     
  8. hws8179

    hws8179 TS Rookie Topic Starter

    an update on my progress

    Ok. As you suggested, I did the tick and fix of those two lines on the HJT scan. Then I scanned again just to make sure and the 018 one was still there after I had clicked fix (the c:\windows\system32\mst120.dll). I thought maybe it was because I had yet to restart the computer. So I restarted it, and went on to the MBAM run tool (assassin), and tried to paste the line from the code box to file name, but when I did a box came up that said "this file does not exist. would you like to create it?" or something like that. So, I clicked cancel, and went on to the next on the list which was to update MBAM and then scan in quick mode. Which I have just finished doing, and it says no malicious items were found. I have attached the log from that scan to this message, and in the meantime will continue to work my way through the rest of the list you provided. But I just thought I would give you an update on everything that I've run into. Also, I thought I should mention that yesterday, before I was able to fix those two things in HJT, the computer was being very sluggish...which, up until then, hadn't been a problem. It does, however, seem to be improving slightly, now. Thanks.
     
  9. rf6647

    rf6647 TS Maniac Posts: 931

    Cover

    This response ‘covers’ your post. A reply from you indicates that an infection remains or some aspect was not addressed. The last MBAM log indicates that the threat has been cleaned.

    Your descriptions were helpful and clear. Please visit these forums frequently and participate in the knowledge exchange that takes place.
     