Google search results opening random websites, spyware?

Status
Not open for further replies.

ASpec818

Posts: 10   +0
Whenever I make a search on Google and click on a link, I would get redirected to a random website. My Norton Antivirus and Spyremover are not picking anything related to this problem. How can I fix this?
 
Hi ASpec818

Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

1) AVG log
2) Combofix log
3) Hijackthis log (Step 15)

This thread is for the use of ASpec818 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi ASpec818,
You should probably think about uninstalling Viewpoint. It's called foistware; in other words, it's foisted on people that don't really need it.

To get rid of it,

Go to Start > Run and copy/paste or type: taskmgr
  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.
Click on Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab".
  • Scroll down the list and find the service called "Viewpoint Manager Service"
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.
Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

Did you set the option to lock your internet explorer homepage from changes?

And do you recognise these entries?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\Software\..\Telephony: DomainName = na.uis.unisys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ent.ds.gsa.gov,gsa.gov,na.uis.unisys.com,unisys.com,uis.unisys.com,na.uis.unisys.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ent.ds.gsa.gov,gsa.gov,na.uis.unisys.com,unisys.com,uis.unisys.com,na.uis.unisys.com


 
Did you set the option to lock your internet explorer homepage from changes?

And do you recognise these entries?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\Software\..\Telephony: DomainName = na.uis.unisys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ent.ds.gsa.gov,gsa.gov,na.uis.unisys.com,unisys.com,uis.unisys.com,na.uis.unisys.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ent.ds.gsa.gov,gsa.gov,na.uis.unisys.com,unisys.com,uis.unisys.com,na.uis.unisys.com
What about this bit?

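The O17 entries the helper keeps asking about are the DNS suffix, search list and name server values HijackThis reads from the Tcpip\Parameters keys. As an added example (not code from the thread, HijackThis or any tool mentioned here), the script below parses O17 lines out of an HJT log and flags any suffix or DNS server that is not on an allowlist the owner recognises. The sample log is constructed: the unisys.com / gsa.gov entries are the ones quoted in the thread, while the O4 line, the example.net Domain value and the NameServer entry with RFC 5737 documentation addresses (192.0.2.x) are made up to exercise the checks, and the allowlists in audit_sample() are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the HijackThis O17 lines quoted in the thread.
# The O4 line, the example.net Domain entry and the NameServer entry (192.0.2.x are
# RFC 5737 documentation addresses) are constructed for this example.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SomeApp] C:\Program Files\SomeApp\app.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\Software\..\Telephony: DomainName = na.uis.unisys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ent.ds.gsa.gov,gsa.gov,na.uis.unisys.com,unisys.com,uis.unisys.com,na.uis.unisys.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ent.ds.gsa.gov,gsa.gov,na.uis.unisys.com,unisys.com,uis.unisys.com,na.uis.unisys.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = example.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B2C3D4-0000-0000-0000-000000000000}: NameServer = 192.0.2.10,192.0.2.11
"""

# HijackThis prints O17 entries as "O17 - <registry location>: <value name> = <value>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<value>.*)$")


@dataclass
class O17Entry:
    key: str    # registry location as HijackThis abbreviates it (CCS = CurrentControlSet)
    name: str   # Domain, DomainName, SearchList or NameServer
    value: str  # raw value; comma-separated for SearchList and NameServer


def parse_o17(log_text):
    """Extract every O17 (DNS domain / search list / name server) entry from an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append(O17Entry(m["key"], m["name"], m["value"]))
    return entries


def audit_o17(entries, allowed_suffixes, allowed_nameservers):
    """Return (value name, offending value, reason) for anything outside the allowlists.

    A suffix or DNS server the owner does not recognise is what the helper is asking
    about: a hijacked search list or name server can silently redirect lookups.
    """
    findings = []
    for e in entries:
        parts = [p.strip().lower() for p in e.value.split(",") if p.strip()]
        if e.name in ("Domain", "DomainName", "SearchList"):
            for suffix in parts:
                if suffix not in allowed_suffixes:
                    findings.append((e.name, suffix, "DNS suffix not in the expected set"))
        elif e.name == "NameServer":
            for ip in parts:
                if ip not in allowed_nameservers:
                    findings.append((e.name, ip, "DNS server not in the expected set"))
        else:
            findings.append((e.name, e.value, "unrecognised O17 value name"))
    return findings


def audit_sample():
    """Run the audit over the sample log with allowlists assumed for this example."""
    # Assumption: the machine is a managed corporate laptop, so the unisys.com and
    # gsa.gov suffixes from the thread are expected; 192.0.2.1 is the constructed
    # expected DNS server, so the 192.0.2.10/11 entry should be reported.
    allowed_suffixes = {"unisys.com", "uis.unisys.com", "na.uis.unisys.com",
                        "gsa.gov", "ent.ds.gsa.gov"}
    allowed_nameservers = {"192.0.2.1"}
    return audit_o17(parse_o17(SAMPLE_HJT_LOG), allowed_suffixes, allowed_nameservers)


if __name__ == "__main__":
    for name, value, reason in audit_sample():
        print(f"{name}: {value} -> {reason}")
```

Run against the sample it reports the example.net suffix and both unexpected name servers, and stays silent on the corporate suffixes; on a home machine the allowlists would be empty or hold only the ISP's domain, so every O17 entry would be a question to answer before cleaning.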
 
I will take a closer look tomorrow; it's 3:15am here and I've got to be up at 7am.

Upload a File to Virustotal
Please visit Virustotal found HERE
  • Click the Browse... button
  • Navigate to the file C:\WINDOWS\system32\dmutilc.dll
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
 
Or you know what... get a decent antivirus: get BitDefender or Kaspersky 7. And also Spyware Doctor... It'll work just fine.
 
File dmutilc.dll received on 03.07.2008 16:02:41 (CET)
Current status: finished

Result: 6/32 (18.75%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - Win32/Kvol!generic
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - Virus.Trojan.Win32.Pakes.cdw
Kaspersky - - -
McAfee - - -
Microsoft - - Trojan:Win32/Boaxxe.B
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Generic.Malware
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 187cb4ffe26e7e1559b7dbd2db24883a
SHA1: 139de3b1002cd54b5707f6246f8be321db63582e
SHA256: f4941c3d5e36d6dbed309ecba7418db98ec969c3c7eef97d8baba8046a7fc489
SHA512: 9e34c6b36fc44e66d3b25102cf1652012de630f0d828ac633566b5d2acec8c1db0ab33e72b9b80afb28ee310292e7408a2187fc7d038ba78238a165f5718f4d7
 
That's what I figured. Sorry, I was too tired to give proper instructions last night.

Panda Online Scan
  • Please visit Panda Online Scanner
  • Click on "Scan your PC".
  • A new browser window will open with Panda ActiveScan.
  • Click the big "Check Now" button
  • Enter your Country, State/Province, e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
Note: If this is the first time you scanned your PC, you'll have to download the ActiveX controls (8 MB). The time it takes to download these can vary depending on your connection.
  • Click on "Local Disks" to start the scan
  • Save the log file to your desktop

Launch Hijackthis again and select System Scan and Save a Log

Attach both the panda log as well as fresh Hijackthis log in next reply

 
The Panda Scan didn't give me an option to save the log, but it didn't detect anything in the Local Disks. Here is the Hijackthis log.
 
OK, now one more doesn't look right. It's a movie clip file that is set to run at startup.

Upload a File to Virustotal
Please visit Virustotal found HERE
  • Click the Browse... button
  • Navigate to the file C:\Dell\DellST.vbs
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
 
File DellST.vbs received on 03.14.2008 04:45:47 (CET)
Current status: finished


Result: 0/32 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2008.3.14.0 2008.03.14 -
AntiVir 7.6.0.73 2008.03.13 -
Authentium 4.93.8 2008.03.13 -
Avast 4.7.1098.0 2008.03.13 -
AVG 7.5.0.516 2008.03.13 -
BitDefender 7.2 2008.03.14 -
CAT-QuickHeal 9.50 2008.03.13 -
ClamAV 0.92.1 2008.03.14 -
DrWeb 4.44.0.09170 2008.03.13 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5613 2008.03.13 -
Ewido 4.0 2008.03.13 -
FileAdvisor 1 2008.03.14 -
Fortinet 3.14.0.0 2008.03.14 -
F-Prot 4.4.2.54 2008.03.13 -
F-Secure 6.70.13260.0 2008.03.14 -
Ikarus T3.1.1.20 2008.03.14 -
Kaspersky 7.0.0.125 2008.03.14 -
McAfee 5251 2008.03.13 -
Microsoft 1.3301 2008.03.13 -
NOD32v2 2946 2008.03.14 -
Norman 5.80.02 2008.03.13 -
Panda 9.0.0.4 2008.03.13 -
Prevx1 V2 2008.03.14 -
Rising 20.35.32.00 2008.03.13 -
Sophos 4.27.0 2008.03.14 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.14 -
TheHacker 6.2.92.245 2008.03.14 -
VBA32 3.12.6.2 2008.03.13 -
VirusBuster 4.3.26:9 2008.03.13 -
Webwasher-Gateway 6.6.2 2008.03.13 -
Additional information
File size: 1137 bytes
MD5: 247f83b311c632b694e032d08737184a
SHA1: 96f0bfac968ff4f70b60ed2ebc0f3008ada097a7
PEiD: -
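Both VirusTotal results in this thread were pasted as plain text: a header row, one row per engine with version, update date and verdict ("-" when clean), then the file hashes. As an added example (not from the thread or from VirusTotal), the script below parses that layout, recomputes the detection ratio from the rows and checks it against the "Result:" line the report itself states, so a pasted report can be sanity-checked rather than read by eye. The embedded sample is the dmutilc.dll result quoted above, with its SHA512 left wrapped exactly as the post shows it; the parser handles both the dash-only rows of that report and the versioned rows of the later DellST.vbs report, since in each case everything after the third token is the verdict. Engine names are assumed to be single tokens, which holds for the reports on this page.

```python
import re

# VirusTotal plain-text result for dmutilc.dll as pasted in the thread (page values).
# The SHA512 is deliberately kept wrapped across two tokens as it appears in the post.
SAMPLE_REPORT = """\
File dmutilc.dll received on 03.07.2008 16:02:41 (CET)
Current status: finished
Result: 6/32 (18.75%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - Win32/Kvol!generic
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - Virus.Trojan.Win32.Pakes.cdw
Kaspersky - - -
McAfee - - -
Microsoft - - Trojan:Win32/Boaxxe.B
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Generic.Malware
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 187cb4ffe26e7e1559b7dbd2db24883a
SHA1: 139de3b1002cd54b5707f6246f8be321db63582e
SHA256: f4941c3d5e36d6dbed309ecba7418db98ec969c3c7eef97d8baba8046a7fc489
SHA512: 9e34c6b36fc44e66d3b25102cf1652012de630f0d828ac633566b5d2acec8c1d b0ab33e72b9b80afb28ee310292e7408a2187fc7d038ba78238a165f5718f4d7
"""

TABLE_HEADER = "Antivirus Version Last Update Result"
RESULT_RE = re.compile(r"^Result:\s*(\d+)/(\d+)")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512):\s*(.+)$")


def parse_vt_report(text):
    """Parse the 2008-era plain-text VirusTotal layout into engines, hashes and claimed ratio.

    Rows are "<engine> <version> <last update> <verdict>"; version and date are single
    tokens ("-" when absent), so the verdict is everything from the fourth token on,
    which keeps multi-word verdicts such as "suspicious Trojan/Worm" intact.
    """
    engines, hashes, claimed, in_table = {}, {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == TABLE_HEADER:
            in_table = True
            continue
        if line.startswith("Additional information"):
            in_table = False
            continue
        m = RESULT_RE.match(line)
        if m:
            claimed = (int(m[1]), int(m[2]))
            continue
        h = HASH_RE.match(line)
        if h:
            hashes[h[1]] = h[2].replace(" ", "")  # rejoin a digest the forum wrapped
            continue
        if in_table:
            tokens = line.split()
            if len(tokens) < 4:
                continue  # not an engine row (stray page widgets, etc.)
            verdict = " ".join(tokens[3:])
            engines[tokens[0]] = None if verdict == "-" else verdict
    return {"engines": engines, "hashes": hashes, "claimed": claimed}


def summarize(report):
    """Recompute the detection ratio from the rows and compare it with the report's own line."""
    hits = {k: v for k, v in report["engines"].items() if v}
    total = len(report["engines"])
    pct = 100.0 * len(hits) / total if total else 0.0
    claimed = report["claimed"]
    return {"detections": hits, "total": total,
            "ratio": f"{len(hits)}/{total} ({pct:.2f}%)",
            "matches_claimed": (claimed == (len(hits), total)) if claimed else None}


if __name__ == "__main__":
    s = summarize(parse_vt_report(SAMPLE_REPORT))
    print(s["ratio"], "- consistent with report's own line:", s["matches_claimed"])
    for engine, verdict in s["detections"].items():
        print(f"  {engine}: {verdict}")
```

A 6/32 result with generic names (Generic.Malware, Suspicious file, Boaxxe, Pakes) is the pattern the helper reacted to: low agreement between engines but several heuristic or family hits on a DLL in system32, which is why the file went into the ComboFix script rather than being dismissed because most engines said "-".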
 
Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\dmutilc.dll

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8D325CA-0DFC-402B-B25A-A161E606A8F8}]

Driver::
LEGACY_IFJGNVQN
ifjgnvqn

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
--------------------------------------------------------------------------------------------------------------------------------

Also, your Java is way out of date.

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder
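The CFScript.txt above has a strict shape: "File::" must be the very first line with no blank line above it and no leading space, and each "<Section>::" header is followed by the items ComboFix should act on. As an added example (not part of the thread, and not ComboFix's own parser, whose full syntax is not described here), the function below reads a CFScript body, splits it into its sections and reports the formatting mistakes the helper warns about, plus two lightweight sanity checks: File:: entries should be absolute Windows paths and Registry:: entries bracketed HKEY_ keys. The good sample is the script from the post; the bad samples are constructed. The BOM check is an extra caveat not raised in the thread.

```python
import re

# Section headers used by the script in the thread; ComboFix supports others
# (assumption: only these three are validated here).
SECTION_HEADERS = ("File::", "Registry::", "Driver::")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")           # e.g. C:\WINDOWS\system32\x.dll
REG_KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\.*\]$")  # e.g. [HKEY_LOCAL_MACHINE\...]

# The script posted in the thread (page values).
GOOD_SCRIPT = r"""File::
C:\WINDOWS\system32\dmutilc.dll

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8D325CA-0DFC-402B-B25A-A161E606A8F8}]

Driver::
LEGACY_IFJGNVQN
ifjgnvqn
"""

# Constructed: same content, but with the leading space the helper warns about.
BAD_SCRIPT = " File::\nC:\\WINDOWS\\system32\\dmutilc.dll\n"


def validate_cfscript(text):
    """Return (ok, problems, sections) for a CFScript.txt body.

    'ok' is True only when the first line is exactly 'File::' and every entry is in
    a recognised section and looks like the kind of item that section expects.
    """
    problems = []
    if text.startswith("\ufeff"):
        # Extra check (not from the thread): Notepad's UTF-8 save option prepends a
        # BOM, which would make the first line not start with 'F'.
        problems.append("file starts with a UTF-8 BOM; save it as plain ANSI text")
        text = text[1:]
    lines = text.splitlines()
    if not lines or lines[0].strip() != "File::":
        problems.append("'File::' must be the first line (no blank line above it)")
    elif lines[0] != "File::":
        problems.append("'File::' must have no space in front of it")

    sections, current = {}, None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            problems.append(f"line {n}: entry appears before any section header")
        elif current == "File::" and not WIN_PATH_RE.match(line):
            problems.append(f"line {n}: File:: entry is not an absolute Windows path")
        elif current == "Registry::" and not REG_KEY_RE.match(line):
            problems.append(f"line {n}: Registry:: entry is not a bracketed HKEY_ key")
        else:
            sections[current].append(line)
    return not problems, problems, sections


if __name__ == "__main__":
    for label, body in (("posted script", GOOD_SCRIPT), ("bad copy", BAD_SCRIPT)):
        ok, problems, sections = validate_cfscript(body)
        print(label, "->", "OK" if ok else problems)
        for header, items in sections.items():
            print(f"  {header} {items}")
```

Pasting the script through a validator like this before dragging it onto ComboFix catches exactly the copy/paste slips the helper describes, which otherwise only show up as ComboFix silently ignoring the file entry.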
 
What can you tell me about HXXP:\\USMV?

And your Java still isn't showing to be updated. Did you remove older versions after the update?
 
I just updated my Java and removed the old version. I'm not sure what HXXP:\\USMV is. It *seems* my Google is working fine now. But I'll have to see, because the problem occurs intermittently.

In the meantime, thanks a lot for your help!
 
You're not done. This web address concerns me. There are a number of CWS infections that use the hxxp:

Just to be safe, let's run a scan.

Download and Install CWShredder
Use this tool in Safe Mode. We'll first download and install it...
Download and Install CWShredder by Trend Micro Inc.
Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Boot into Safe Mode by tapping F8 before windows loads and select Safe Mode

Run CWShredder
Open CWShredder that you downloaded. Close all other windows and click on the fix/next button.


Afterwards, restart into Normal mode, run ComboFix again and attach the log here.
 