TechSpot

Google search results opening random websites, spyware?

By ASpec818
Mar 8, 2008
  1. Whenever I make a search on Google and click on a link, I would get redirected to a random website. My Norton Antivirus and Spyremover are not picking anything related to this problem. How can I fix this?
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hi ASpec818

    Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

    If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

    1)AVG log
    2)Combofix log
    3)Hijackthis log (Step 15)

    This thread is for the use of ASpec818 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. ASpec818

    ASpec818 TS Rookie Topic Starter

    Here are the 3 logs I came up with.
     
  4. kritius

    kritius TS Guru Posts: 2,084

    Hi ASpec818,
    You should probably think about uninstalling Viewpoint. It's called foistware; in other words, it's foisted on people that don't really need it.

    To get rid of it,

    Go to Start > Run and copy/paste or type: taskmgr
    • Under the Processes tab find the following tasks or processes:
      ViewpointService.exe
      ViewMgr.exe
    • Highlight and click "End Process".
    • Exit Task Manager.
    Click on Start > Run and type: services.msc
    • Press "OK".
    • Click the "Extended tab".
    • Scroll down the list and find the service called "Viewpoint Manager Service"
    • When you find the service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Disabled".
    • Now click "Apply", then "OK" and close any open windows.
    Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Finally, delete the following folders if they still exist:
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder

    Did you set the option to lock your internet explorer homepage from changes?

    And do you recognise these entries?
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
    O17 - HKLM\Software\..\Telephony: DomainName = na.uis.unisys.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ent.ds.gsa.gov,gsa.gov,na.uis.unisys.com,unisys.com,uis.unisys.com,na.uis.unisys.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ent.ds.gsa.gov,gsa.gov,na.uis.unisys.com,unisys.com,uis.unisys.com,na.uis.unisys.com


    This thread is for the use of ASpec818 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
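The O17 entries kritius asks about are the DNS suffix and search-list settings HijackThis reads from the registry; the question is always whether the values belong to a network the machine legitimately joins. Here is an added example (not from the thread and not HijackThis code) that parses O17 lines and flags every domain or resolver not on an allowlist. The first four sample lines are the entries quoted above; the NameServer line, the trusted suffixes and the resolver addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Audit HijackThis O17 entries (DNS Domain, DomainName, SearchList and NameServer
settings) against the domains and resolvers a machine is expected to use.

Added example, not part of the thread or of HijackThis. The first four sample
lines are the O17 entries quoted in the post above; the NameServer line, the
trusted suffixes and the trusted resolver addresses are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<setting>\w+) = (?P<value>.*)$")

SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\\Software\\..\\Telephony: DomainName = na.uis.unisys.com
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: SearchList = ent.ds.gsa.gov,gsa.gov,na.uis.unisys.com,unisys.com,uis.unisys.com,na.uis.unisys.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 203.0.113.5,203.0.113.6
"""

# Constructed allowlists: what the employer's network actually hands out.
TRUSTED_SUFFIXES = ("unisys.com", "gsa.gov")
TRUSTED_RESOLVERS = frozenset({"192.0.2.1", "192.0.2.2"})


def parse_o17(text: str) -> List[Dict[str, str]]:
    """Return one dict per O17 line with keys 'key', 'setting' and 'value'."""
    entries = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def in_trusted_zone(name: str, suffixes: Iterable[str]) -> bool:
    """True if name equals, or is a subdomain of, one of the trusted suffixes."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def audit_o17(entries, trusted_suffixes=TRUSTED_SUFFIXES,
              trusted_resolvers=TRUSTED_RESOLVERS) -> List[Tuple[str, str, str]]:
    """Return (registry key, setting, value) for every value outside the allowlists."""
    findings = []
    for e in entries:
        for value in (v.strip() for v in e["value"].split(",") if v.strip()):
            if e["setting"] == "NameServer":
                ok = value in trusted_resolvers              # resolver IPs must match exactly
            else:
                ok = in_trusted_zone(value, trusted_suffixes)  # DNS suffixes
            if not ok:
                findings.append((e["key"], e["setting"], value))
    return findings


if __name__ == "__main__":
    for key, setting, value in audit_o17(parse_o17(SAMPLE_LOG)):
        print(f"unexpected {setting} value {value!r} in {key}")
```

With the employer's suffixes on the allowlist, the four quoted entries produce no findings, which matches ASpec818's later answer that they pertain to work; only the constructed NameServer addresses are reported. A NameServer value pointing at a resolver nobody in the organisation recognises is the setting most worth chasing on a machine whose search results are being redirected.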
     
  5. ASpec818

    ASpec818 TS Rookie Topic Starter

    I removed Viewpoint. I'm still having some problems. Any ideas?
     
  6. kritius

    kritius TS Guru Posts: 2,084

    What about this bit?

    This thread is for the use of ASpec818 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. ASpec818

    ASpec818 TS Rookie Topic Starter

    Those entries look like they pertain to my work. I don't think those are it. Any other suggestions?
     
  8. ASpec818

    ASpec818 TS Rookie Topic Starter

    Anybody have any other suggestions?
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I will take a closer look tomorrow. It's 3:15am here and I've gotta be up at 7am.

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file C:\WINDOWS\system32\dmutilc.dll
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.
     
  10. suby007

    suby007 TS Rookie Posts: 16

    Or you know what... get a decent antivirus: get BitDefender or Kaspersky 7. And also Spyware Doctor... It'll work just fine.
     
  11. ASpec818

    ASpec818 TS Rookie Topic Starter

    File dmutilc.dll received on 03.07.2008 16:02:41 (CET)
    Current status: finished

    Result: 6/32 (18.75%)
    Antivirus Version Last Update Result
    AhnLab-V3 - - -
    AntiVir - - -
    Authentium - - -
    Avast - - -
    AVG - - -
    BitDefender - - -
    CAT-QuickHeal - - -
    ClamAV - - -
    DrWeb - - -
    eSafe - - suspicious Trojan/Worm
    eTrust-Vet - - Win32/Kvol!generic
    Ewido - - -
    FileAdvisor - - -
    Fortinet - - -
    F-Prot - - -
    F-Secure - - -
    Ikarus - - Virus.Trojan.Win32.Pakes.cdw
    Kaspersky - - -
    McAfee - - -
    Microsoft - - Trojan:Win32/Boaxxe.B
    NOD32v2 - - -
    Norman - - -
    Panda - - Suspicious file
    Prevx1 - - Generic.Malware
    Rising - - -
    Sophos - - -
    Sunbelt - - -
    Symantec - - -
    TheHacker - - -
    VBA32 - - -
    VirusBuster - - -
    Webwasher-Gateway - - -
    Additional information
    MD5: 187cb4ffe26e7e1559b7dbd2db24883a
    SHA1: 139de3b1002cd54b5707f6246f8be321db63582e
    SHA256: f4941c3d5e36d6dbed309ecba7418db98ec969c3c7eef97d8baba8046a7fc489
    SHA512: 9e34c6b36fc44e66d3b25102cf1652012de630f0d828ac633566b5d2acec8c1db0ab33e72b9b80afb28ee310292e7408a2187fc7d038ba78238a165f5718f4d7
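A 6/32 result with generic and heuristic names (Boaxxe, Pakes, "Suspicious file") is a typical picture for a freshly repacked redirector DLL, and the hashes at the bottom are what let you confirm the file you uploaded is the one still on disk. The following added example (not from the thread, and not VirusTotal's own code) parses the plain-text result format pasted here and in the later DellST.vbs post, counts verdicts independently of the "Result:" header, and compares a local file's hashes with the ones the report lists. VT_TEXT is the dmutilc.dll result from this post; the function names are my own.

```python
"""Parse a plain-text VirusTotal result (2008 format) and verify that a local
file carries the hashes the report lists.

Added example, not part of the thread and not VirusTotal's code. VT_TEXT is the
dmutilc.dll result from the post above; the parser also accepts the later
DellST.vbs paste, where the Version and Last Update columns are filled in.
"""
import hashlib
import re
from typing import Dict, Optional, Tuple

VT_TEXT = """\
Result: 6/32 (18.75%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - Win32/Kvol!generic
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - Virus.Trojan.Win32.Pakes.cdw
Kaspersky - - -
McAfee - - -
Microsoft - - Trojan:Win32/Boaxxe.B
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Generic.Malware
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 187cb4ffe26e7e1559b7dbd2db24883a
SHA1: 139de3b1002cd54b5707f6246f8be321db63582e
SHA256: f4941c3d5e36d6dbed309ecba7418db98ec969c3c7eef97d8baba8046a7fc489
"""

RATIO_RE = re.compile(r"^Result: (\d+)/(\d+)")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512): ([0-9a-fA-F]+)$")


def parse_vt_results(text: str) -> dict:
    """Return {'engines': {name: verdict or None}, 'hashes': {alg: hex}, 'reported': (hits, total)}."""
    engines: Dict[str, Optional[str]] = {}
    hashes: Dict[str, str] = {}
    reported: Optional[Tuple[int, int]] = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RATIO_RE.match(line)):
            reported = (int(m.group(1)), int(m.group(2)))
        elif line.startswith("Antivirus Version"):
            in_table = True                      # header row: engine rows follow
        elif line == "Additional information":
            in_table = False                     # hash block follows
        elif (m := HASH_RE.match(line)):
            hashes[m.group(1).lower()] = m.group(2).lower()
        elif in_table:
            # engine, version and date are single tokens; the verdict may contain spaces
            engine, _version, _updated, verdict = line.split(None, 3)
            engines[engine] = None if verdict == "-" else verdict
    return {"engines": engines, "hashes": hashes, "reported": reported}


def detection_ratio(parsed: dict) -> Tuple[int, int]:
    """Count engines that gave a verdict, independent of the 'Result:' header."""
    hits = sum(1 for v in parsed["engines"].values() if v is not None)
    return hits, len(parsed["engines"])


def file_hashes(data: bytes) -> Dict[str, str]:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_reported(data: bytes, parsed: dict) -> bool:
    """True only if every hash the report lists equals the hash of the local bytes."""
    local = file_hashes(data)
    reported = {k: v for k, v in parsed["hashes"].items() if k in local}
    return bool(reported) and all(local[k] == v for k, v in reported.items())


if __name__ == "__main__":
    report = parse_vt_results(VT_TEXT)
    hits, total = detection_ratio(report)
    print(f"{hits}/{total} engines flagged the file; header says {report['reported']}")
```

Feed `open(path, "rb").read()` of the file on disk to `matches_reported` before acting on a report: if the hashes differ, the sample has been replaced or updated since the upload and the verdicts no longer describe what is running.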
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That's what I figured. Sorry I was too tired to give proper instructions last night.

    Panda Online Scan
    • Please visit Panda Online Scanner
    • Click on "Scan your PC".
    • A new browser window will open with Panda ActiveScan.
    • Click the big "Check Now" button
    • Enter your Country, State/Province, e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    Note: If this is the first time you scanned your PC, you'll have to download the ActiveX controls (8 MB). The time it takes to download these can vary depending on your connection.
    • Click on "Local Disks" to start the scan
    • Save the log file to your desktop

    Launch Hijackthis again and select System Scan and Save a Log

    Attach both the panda log as well as fresh Hijackthis log in next reply

    This thread is for the use of ASpec818 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. ASpec818

    ASpec818 TS Rookie Topic Starter

    The Panda Scan didn't give me an option to save the log, but it didn't detect anything in the Local Disks. Here is the Hijackthis log.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    OK, now one more doesn't look right. It's a movie clip file that is set to run at startup.

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file C:\Dell\DellST.vbs
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.
     
  15. ASpec818

    ASpec818 TS Rookie Topic Starter

    File DellST.vbs received on 03.14.2008 04:45:47 (CET)
    Current status: finished

    Result: 0/32 (0%)

    Antivirus Version Last Update Result
    AhnLab-V3 2008.3.14.0 2008.03.14 -
    AntiVir 7.6.0.73 2008.03.13 -
    Authentium 4.93.8 2008.03.13 -
    Avast 4.7.1098.0 2008.03.13 -
    AVG 7.5.0.516 2008.03.13 -
    BitDefender 7.2 2008.03.14 -
    CAT-QuickHeal 9.50 2008.03.13 -
    ClamAV 0.92.1 2008.03.14 -
    DrWeb 4.44.0.09170 2008.03.13 -
    eSafe 7.0.15.0 2008.03.09 -
    eTrust-Vet 31.3.5613 2008.03.13 -
    Ewido 4.0 2008.03.13 -
    FileAdvisor 1 2008.03.14 -
    Fortinet 3.14.0.0 2008.03.14 -
    F-Prot 4.4.2.54 2008.03.13 -
    F-Secure 6.70.13260.0 2008.03.14 -
    Ikarus T3.1.1.20 2008.03.14 -
    Kaspersky 7.0.0.125 2008.03.14 -
    McAfee 5251 2008.03.13 -
    Microsoft 1.3301 2008.03.13 -
    NOD32v2 2946 2008.03.14 -
    Norman 5.80.02 2008.03.13 -
    Panda 9.0.0.4 2008.03.13 -
    Prevx1 V2 2008.03.14 -
    Rising 20.35.32.00 2008.03.13 -
    Sophos 4.27.0 2008.03.14 -
    Sunbelt 3.0.930.0 2008.03.05 -
    Symantec 10 2008.03.14 -
    TheHacker 6.2.92.245 2008.03.14 -
    VBA32 3.12.6.2 2008.03.13 -
    VirusBuster 4.3.26:9 2008.03.13 -
    Webwasher-Gateway 6.6.2 2008.03.13 -
    Additional information
    File size: 1137 bytes
    MD5: 247f83b311c632b694e032d08737184a
    SHA1: 96f0bfac968ff4f70b60ed2ebc0f3008ada097a7
    PEiD: -
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Open Notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.txt dragged onto ComboFix.exe]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
    --------------------------------------------------------------------------------------------------------------------------------

    Also, your Java is way out of date.

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    • After it installs the newest version, go back to Control Panel -> Add/Remove Programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions:
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder
     
  17. ASpec818

    ASpec818 TS Rookie Topic Starter

    Here are the two logs
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    What can you tell me about HXXP:\\USMV?

    And your Java still isn't showing to be updated. Did you remove the older versions after the update?
     
  19. ASpec818

    ASpec818 TS Rookie Topic Starter

    I just updated my Java and removed the old version. I'm not sure what HXXP:\\USMV is. It *seems* my Google is working fine now. But I'll have to see, because the problem occurs intermittently.

    In the meantime, thanks a lot for your help!
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You're not done. This web address concerns me. There are a number of CWS infections that use the hxxp:

    Just to be safe, let's run a scan.

    Download and Install CWShredder
    Use this tool in Safe Mode. We'll first download and install it...
    Download and Install CWShredder by Trend Micro Inc.
    Open CWShredder and click I AGREE
    Click Check For Update
    Close CWShredder

    Boot into Safe Mode by tapping F8 before Windows loads and select Safe Mode

    Run CWShredder
    Open CWShredder that you downloaded. Close all other windows and click on the fix/next button.


    Afterwards, restart into Normal mode, run ComboFix again and attach the log here.
     
Topic Status:
Not open for further replies.
