Redirects when doing searches problem. 8 steps done and attached

  #1  
Old 02-06-2010
Newcomer, in training
 
Member since: Feb 2010, 26 posts

For over a week now, I've had intermittent redirects when I do a search using Yahoo or Google. I'll click a link and it will take me to a different site than the one the search engine mentioned. If I go back and click it again, it then goes to the correct URL.

I have the paid version of McAfee on my computer.
I usually use the Mozilla Firefox browser.
As far as I know I don't have any file sharing programs on my computer now or in the past.

All 8 steps have been completed and the logs are attached. I appreciate any help.
Attached Files
File Type: log hijackthis.log (12.4 KB, 3 views)
File Type: txt mbam-log-2010-02-05 (19-14-44).txt (867 Bytes, 3 views)
File Type: log SUPERAntiSpyware Scan Log - 02-05-2010 - 20-53-58.log (822 Bytes, 3 views)
  #2  
Old 02-07-2010
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
You have 2 threads going, both started 1 day ago. As far as I can tell, they are for the same machine. If that is correct, the problem will be handled on this thread since it includes the logs.

This can be ignored:
Quote:
Intermittent redirects when using search engines
http://www.techspot.com/vb/topic142547.html
  #3  
Old 02-07-2010
Newcomer, in training
 
Member since: Feb 2010, 26 posts
That's correct, they are both for the same machine and I did edit the original message before starting the second thread to say this:

"Sorry, just noticed I didn't do your 8 steps first, I'll go ahead with that. If you want to delete this message please do so and I'll post a new one after I have completed the 8 steps."

Unfortunately I should have just added the 3 logs to the original thread instead. Sorry about that.
  #4  
Old 02-09-2010
Newcomer, in training
 
Member since: Feb 2010, 26 posts
This problem is still going on even after the 8 steps, any ideas on what I should do next?

Thanks!
  #5  
Old 02-09-2010
TechSpot Member
 
Member since: Jan 2010, 41 posts
Broni seems to be fighting this on three fronts... aka threads

http://www.techspot.com/vb/topic142625.html

Follow his lead and see where it takes you.
  #6  
Old 02-09-2010
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
Please reopen HijackThis to 'do system scan only.' Check the following entries if present. Note: Optional removals are in green:

C:\Program Files\Viewpoint\Common\ViewpointService.exe>> See Option 1
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [Tvuhi] rundll32.exe "C:\WINDOWS\ayawicoz.dll",Startup
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe>> See Option 2
O4 - Startup: PowerReg SchedulerV2.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe>> See Option 1


Option 1: Foistware
Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. I will give full removal instructions if needed.
Option 2: ProxyWay anonymous proxy surfing software
This appears to be a legitimate download. But I wondered if the redirects could be related to it. Did you have the problem before you installed this software? If you did, leave it. If it is new and the redirects started after the install, it should be removed. (http://www.proxyway.com/www/downloads/)

Close all Windows except HijackThis and click on "Fix Checked."
Full Viewpoint removal will be given separately.

If the redirects have continued, please run this:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:
  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please follow with Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Attach the Combofix report and the Eset log to your next reply.

Reminder: need to update Adobe Reader from v7 to v9.xx.

Last edited by Bobbye; 02-11-2010 at 11:05 AM..
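As an added example (not code from the thread, from HijackThis or from the helper), a small Python triage of the O4 autorun entries quoted above: it parses the HijackThis O4 line format and flags the pattern the helper singled out, a Run value that uses rundll32 to host a DLL dropped straight into the Windows folder. The Windows folder path and the extra VendorTray entry in the sample are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the O4 lines quoted from the HijackThis log in this thread,
# plus one hypothetical benign vendor entry so a non-flagged case is shown.
SAMPLE_O4 = "\n".join([
    r'O4 - HKLM\..\Run: [Tvuhi] rundll32.exe "C:\WINDOWS\ayawicoz.dll",Startup',
    r'O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe',
    r'O4 - Startup: PowerReg SchedulerV2.exe',
    r'O4 - HKLM\..\Run: [VendorTray] "C:\Program Files\Vendor\tray.exe" /min',
])

# HijackThis prints: O4 - <hive\..\Run or Startup>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
WINDIR = r"C:\WINDOWS"  # assumed system root for this XP machine


@dataclass
class O4Entry:
    where: str     # HKLM\..\Run, HKCU\..\Run or Startup (folder)
    name: str      # value name in [brackets]; empty for Startup-folder items
    cmd: str       # command line as HijackThis prints it
    reasons: list  # why it was flagged; empty if nothing stood out


def parse_o4(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(O4Entry(m["where"], m["name"] or "", m["cmd"], []))
    return entries


def triage(entry: O4Entry) -> O4Entry:
    reasons = []
    m = RUNDLL_RE.search(entry.cmd)
    if m:
        folder = m["dll"].rsplit("\\", 1)[0]
        # A Run value hosting a DLL that sits directly in the Windows folder
        # (not System32) is the pattern the helper marked for removal above.
        if folder.lower() == WINDIR.lower():
            reasons.append("rundll32 hosts a DLL dropped in the Windows folder")
    if entry.where == "Startup" and "\\" not in entry.cmd:
        reasons.append("Startup-folder item with no path; verify its origin")
    entry.reasons = reasons
    return entry


def flagged(text: str) -> dict:
    """Map each flagged command line to the reasons it was flagged."""
    return {e.cmd: e.reasons for e in map(triage, parse_o4(text)) if e.reasons}
```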
  #7  
Old 02-10-2010
Newcomer, in training
 
Member since: Feb 2010, 26 posts
I need to go on to the step of combofix as it is still not fixed, but when I rename it and try to download it given the link you gave, McAfee gives me a warning about the Artemis something virus. Is this normal and should I go ahead and download it?

Also it looks like I will have to disable McAfee first in order to download Combofix from Bleeping.com. I notice you have that as your step after I download the program, and disable the internet connection.
  #8  
Old 02-10-2010
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
Follow the instructions please. Be sure to do this:

Important! Save the renamed download to your desktop.

We find that usually when McAfee gives a warning it's because the user is attempting to run Combofix from the site itself instead of saving it first.
  #9  
Old 02-10-2010
TechSpot Member
 
Member since: Jan 2010, 41 posts
Naive question:

I've been following about three of these threads to fix redirect problems, including this one.
My question is if you know when this started occurring (week, few days) why can't you just do a "system restore" to a date prior to the infection? Is the restore function not available?
  #10  
Old 02-10-2010
Newcomer, in training
 
Member since: Feb 2010, 26 posts
Quote:
Originally Posted by Bobbye View Post
Follow the instructions please. Be sure to do this:

Important! Save the renamed download to your desktop.

We find that usually when McAfee gives a warning it's because the user is attempting to run Combofix from the site itself instead of saving it first.
I was not attempting to run Combofix instead of saving it. As I mentioned I renamed it and started to download it to my desktop when the virus alert message came on and at that time the download even though at almost 99 percent failed, likely due to McAfee. I will try to download it again.
  #11  
Old 02-10-2010
Newcomer, in training
 
Member since: Feb 2010, 26 posts
Same problem. I attempt to rename combofix to Combo-fix and save to desktop; the download starts, gets to about 99 percent, McAfee pops up a message about the Artemis virus, asks me if I trust the site I'm downloading combofix from, and I say allow. However, the download fails with this message.

Cannot copy combofix [1]: access denied. Make sure disk is not full or write protected and that file is not currently in use.

Ideas?
  #12  
Old 02-11-2010
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
To pepsi1 re:
Quote:
if you know when this started occurring (week, few days) why can't you just do a "system restore" to a date prior to the infection? Is the restore function not available?
1. Most people cannot tell exactly when a malware problem began.
2. Malware can damage or corrupt files- system restore won't fix them.
3. Most commonly, there is multiple malware. One problem might be resolved- such as the redirect- but that does not mean the malware has all been found and removed.
4. Doing a System Restore could actually reinfect a system with malware that might have been removed by the AV scan.
5. In the case of a DNS Changer malware infection, the IP will have been changed; a flush and probably a router reset will have to be done.

Choose any one reason.
  #13  
Old 02-11-2010
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
Evoni, the more this goes on with Combofix, the more I suspect a Virut infection. I'd like you to do a scan as follows:
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


Give me these results and we'll go from there.
  #14  
Old 02-11-2010
TechSpot Member
 
Member since: Jan 2010, 41 posts
Thanks for the explanation... I assumed it was more of a problem than could be handled with one action like restore, but I did not see the extent of damage.


Evoni:

I tried those two download sites for Combofix and the downloads were inoperable exe files, three out of four times. I put a folder on the desktop (Combofix), changed the download file name to Combo-Fix(.exe). My downloads said they completed but they did not... rectangular icon instead of the red lion's head. Try to download multiple times until you get the right icon--ForoSpyware.com worked 2 out of 5 times. Each time the download screwed up I deleted the file and slightly changed the folder name so it would be a fresh install to get it to work correctly.


* BleepingComputer.com
* ForoSpyware.com

The fourth time on ForoSpyware a complete exe file loaded

Last edited by pepsi1; 02-11-2010 at 11:39 AM..
  #15  
Old 02-11-2010
Newcomer, in training
 
Member since: Feb 2010, 26 posts
Pepsi1, thanks for the help but I'm going to wait for instructions from Bobbye.

Bobbye, do you want me to try what Pepsi1 suggested?

I sent to VirSCAN.org and you can't do a copy paste there, or even type in your files, only a browse. Just mentioning that because if it's not just me that is getting that result you might want to edit your cut/paste instructions to reflect that.

This is the scan for system32\userinit.exe

VirSCAN.org Scanned Report :
Scanned time : 2010/02/11 13:50:11 (PST)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
Online report : http://virscan.org/report/659b60da7f...be69d6c06.html


Other 2 scans to follow in another message.
  #16  
Old 02-12-2010
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
Did you ever run the Eset online scan? If not, please do that now and leave the log on the next reply:

Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

* Tick the box next to YES, I accept the Terms of Use.
* Click Start
* When asked, allow the Active X control to install
* Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
* Click Start
* Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
* Click Scan
* Wait for the scan to finish
* Re-enable your Antivirus software.
* A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.


Am I correct in saying that you can't get Combofix to download at all?

I downloaded from both of the sites, Bleeping Computer and Forospy. Both sites paused toward the end: BC at 98%, Foro at 99%. I did nothing except wait and each d/l continued to completion. Name of file in each case was Combofix.exe.

Just in case there are partial downloads messing you up, do the following:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Then try again.
  #17  
Old 02-12-2010
Newcomer, in training
 
Member since: Feb 2010, 26 posts
Bobbye, I posted a total of 3 messages yesterday with the 3 logs you requested be scanned by VirScan.org. Only one seems to have been allowed to post by the moderator. Also, I'm not sure why my replies are not being posted immediately as they did previously. Any idea why we have to wait for a moderator to release them?

I had a message that Combofix failed. I will follow your latest instructions on trying to download Combofix but if you recall you had me rename the file to Combo-Fix(.exe) before downloading it. Do you now not want me to change the name of Combofix before downloading it?

Here is the logfile I got from using Eset for the first time per your instructions. It says that 2 files are infected.

C:\WINDOWS\ayawicoz.dll a variant of Win32/Cimag.BO trojan
Operating memory a variant of Win32/Cimag.BO trojan


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=650b330009093647b64b41685dc4720a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-12 07:06:56
# local_time=2010-02-12 11:06:56 (-0800, Pacific Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776613 100 96 7265463 18831533 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=109665
# found=2
# cleaned=0
# scan_time=3206
C:\WINDOWS\ayawicoz.dll a variant of Win32/Cimag.BO trojan 00000000000000000000000000000000 I
${Memory} a variant of Win32/Cimag.BO trojan 00000000000000000000000000000000 I
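As an added example (not code from the thread or from ESET), a small Python parser for the ESET Online Scanner log format quoted above. It pulls the `# key=value` header into a dictionary and the detection lines into records, then reports what a helper reads off such a log: whether the count of detection lines matches `found`, whether the run was report-only (`remove_checked=false`, `cleaned=0`), and which hits are on disk versus in process memory (`${Memory}`). The sample is an abridged, constructed copy of the posted log; the fields are assumed to have been tab-separated before the forum flattened them, with a whitespace fallback.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the ESET Online Scanner log posted above
# (abridged). Fields are assumed tab-separated; the forum flattened the tabs.
ZERO32 = "0" * 32
SAMPLE_LOG = "\n".join([
    "ESETSmartInstaller@High as CAB hook log:",
    "# osver=5.1.2600 NT Service Pack 3",
    "# remove_checked=false",
    "# scanned=109665",
    "# found=2",
    "# cleaned=0",
    f"C:\\WINDOWS\\ayawicoz.dll\ta variant of Win32/Cimag.BO trojan\t{ZERO32}\tI",
    f"${{Memory}}\ta variant of Win32/Cimag.BO trojan\t{ZERO32}\tI",
])

META_RE = re.compile(r"^#\s*([\w.]+)=(.*)$")
# Fallback for logs whose tabs became spaces: the 32-hex field and the trailing
# status flag anchor the split, and the path is taken as the first token.
FLAT_RE = re.compile(r"^(\S+)\s+(.+?)\s+([0-9A-Fa-f]{32})\s+(\S+)$")

@dataclass
class Detection:
    path: str
    threat: str
    sig_hash: str
    flag: str

    @property
    def in_memory(self) -> bool:
        # ESET reports a hit in a running process's memory as ${Memory}
        return self.path == "${Memory}"

@dataclass
class EsetReport:
    meta: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

def parse_eset_log(text: str) -> EsetReport:
    report = EsetReport()
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = META_RE.match(line)
        if m:
            report.meta[m.group(1)] = m.group(2).strip()
            continue
        parts = line.split("\t")
        if len(parts) < 4:
            m = FLAT_RE.match(line)
            parts = list(m.groups()) if m else []
        if len(parts) >= 4:
            report.detections.append(Detection(*parts[:4]))
    return report

def summarize(report: EsetReport) -> dict:
    found = int(report.meta.get("found", "0"))
    cleaned = int(report.meta.get("cleaned", "0"))
    return {
        "found": found,
        "cleaned": cleaned,
        "count_matches_found": found == len(report.detections),
        # remove_checked=false: the scan only reported, nothing was cleaned
        "scan_only": report.meta.get("remove_checked") == "false",
        "on_disk": [d.path for d in report.detections if not d.in_memory],
        "memory_resident": [d.threat for d in report.detections if d.in_memory],
    }
```

A memory-resident hit alongside an on-disk DLL means the file is loaded in a running process, which is why deleting it on disk alone may fail until the process is stopped or the machine rebooted.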
  #18  
Old 02-12-2010
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    C:\WINDOWS\ayawicoz.dll
    :Services

    :Reg

    :Files

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Let me see the log after. I'm not sure this will handle the process in memory.
  #19  
Old 02-13-2010
Newcomer, in training
 
Member since: Feb 2010, 26 posts
Bobbye, whenever I try to click on any links posted here, before it takes me to the link if it even does that, I'm getting a screen popping up saying Bookmark & Share and on the right the name Juliofrano and then a long list of links. Do you know why that is happening with links posted here? Doesn't happen elsewhere. Looks like it's coming from www.addthis.com/bookmark

Here's the latest log per your instructions from OTMoveIt by Old Timer.

All processes killed
========== PROCESSES ==========
No active process named C:\WINDOWS\ayawicoz.dll was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Diana
->Temp folder emptied: 8672096 bytes
->Temporary Internet Files folder emptied: 37961019 bytes
->Java cache emptied: 13930 bytes
->FireFox cache emptied: 104513472 bytes
->Apple Safari cache emptied: 1295472 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 2899935 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: evoni
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4358033 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 564766 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23944570 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 996657 bytes
RecycleBin emptied: 31342 bytes

Total Files Cleaned = 177.00 mb


OTM by OldTimer - Version 3.1.8.0 log created on 02132010_112215

Files moved on Reboot...

Registry entries deleted on Reboot...
  #20  
Old 02-13-2010
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
Evoni, I just posted about a site problem. I think work is being done and it should only be temporary. I'm being logged out after every post and have to log back in to open each log. Be patient; it will be resolved soon. I don't think it's your system since I am also having a problem.

I should have put that entry in File instead of Process, sorry:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes

    :Services

    :Reg

    :Files
    C:\WINDOWS\ayawicoz.dll

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Closed Thread