Google search redirect virus

Status
Not open for further replies.
I'm being randomly redirected on a Google search when I click the links. It says "jump redirect" on the toolbar right when it does it. I have Norton AntiVirus, and it didn't stop or detect it. No surprise there.
I've read the threads that others posted who were having the same issue, and have attached my HJT file to this thread. Any help would be greatly appreciated. Thanks. - H
 
Welcome to TS.

Your HJT log has one exceptional finding. As the user, only you can decide if it is appropriate. HJT action: tick/fix drops item from autostart. User deletes file/folder.

O21 - SSODL: uimnt - {72767BF0-A48F-355F-71F1-0AD4E3E55BCA} - C:\Program Files\jddfscb\uimnt.dll


I suggest following the 8-step malware removal guide

Post 3 logs. This gives us a common view of your complaint. Please share progress & restate symptoms, since things do change.

Google redirection covers a wide spectrum of infections or just a simple reset of IE settings.

Failure to access sites for tools from the guide may require access via this site:
download dot com (phonetic wording to avoid hyperlink creation; protect identity of site)
 
Thanks. I'm in the process of going through the 8-step removal guide. I've disabled Spy Sweeper, but do I also need to disable my virus protection? I have Norton AntiVirus 2009.

Also, in reference to what you spoke of as an 'exceptional finding' in my HJT log... I'm not sure I understand what is good or bad about it. It says "user deletes file/folder" but I didn't knowingly delete anything. I'm not tech-savvy enough to understand the implications of what it means.
Sorry, I feel like a derelict.

Thanks for your help. -H
 
Call me a code-talker. I use 'express' style to keep things brief. Then I wait for you to ask clarification. This helps us move toward the middle. I am still trying to develop a style that sets us up for success.

If you do not recognize the path (Program Files\jddfscb) to the file (uimnt.dll), chances are you did not install the application.

Notation: HJT tick/fix means scan with HJT > tick the box for the O21 entry > select Fix > ......... > exit ;
A restart is needed for the changes to take effect.

For O21 entries, this removes the registry key(s) that enable this to run @ startup.

If this is malware, then delete the file & folder.

If not completely sure,
HJT tick/fix the O21 entry.
Rename file: uimnt.dll ---> uimnt.dlx

Restart the computer

Check Event logs for errors. Discuss findings.


In a cursory survey of threads complaining about Google redirection, the solutions divide nearly 50-50: resetting IE settings (RIES) versus malware removal.

There is no perfect first choice. RIES may be a complete solution or a temporary hobble to the infection.

Clean logs from the scan send you back to RIES.
Instructions for RIES courtesy of kimsland

Oops - I just reverted back to my verbose style.

[edit]
Recommended Actions:
HJT tick/fix the O21 entry.
Rename file: uimnt.dll ---> uimnt.dlx
[/edit]
 
just finished the 8 steps

OK, I think I understand the O21 line thing you were talking about, but I also just finished the 8-step removal, so I guess I'll first see what you think of those. I will attach them to this reply, and please let me know what you recommend. You've been a great help, thanks. -H
 
Ooops. Your reply slipped by me.

HJT Scan, Tick & Fix
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.streamingfaith.com/common/mbrowser/MINIBrowser.CAB <<-- Rfc-ignorant (meaning this is a security risk due to poor practices)

O18 - Filter hijack: text/html - {ab890f06-cd1f-4bdd-a219-7c747a7448ef} - C:\WINDOWS\system32\mst120.dll <<--Parasite
Restart the Computer

Run MBAM - do not scan
> More Tools > Run Tool (FileAssassin)

Copy and paste the line from the code box to "File Name" and click open.
Code:
C:\WINDOWS\system32\mst120.dll

Update MBAM

MBAM Scan, quick mode.

Restart if log indicates 'reboot'

Repeat MBAM scans until logs report 0 infections or no further progress is made.

Scan MBAM complete mode (covers files/folders)

Update SAS

SAS scans until log reports 0 infections or no further progress is made.

Restart the computer

HJT Scan

Post logs. Report progress and state what symptoms are still present.
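An added example, not part of any post in this thread: a small Python parser for the three HJT entries quoted above (O21, O16, O18). It pulls out the CLSID and target, lists the files that remain on disk once the autostart entry is fixed, and builds the reversible `.dll` to `.dlx` rename suggested earlier. The function names and the `.disabled` fallback suffix for non-DLL files are assumptions made for this illustration.

```python
import ntpath
import re
from typing import NamedTuple, Optional

# The three entries quoted in this thread, copied verbatim.
SAMPLE_LOG = r"""
O21 - SSODL: uimnt - {72767BF0-A48F-355F-71F1-0AD4E3E55BCA} - C:\Program Files\jddfscb\uimnt.dll
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O18 - Filter hijack: text/html - {ab890f06-cd1f-4bdd-a219-7c747a7448ef} - C:\WINDOWS\system32\mst120.dll
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - ([^:]+): (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


class Entry(NamedTuple):
    section: str          # e.g. "O21"
    kind: str             # e.g. "SSODL"
    clsid: Optional[str]  # COM class ID, if the line carries one
    target: str           # file path or URL after the last " - "


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'Oxx - Kind: ... - target' line; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or " - " not in m.group(3):
        return None
    section, kind, rest = m.groups()
    clsid = CLSID_RE.search(rest)
    target = rest.rsplit(" - ", 1)[1].strip()
    return Entry(section, kind, clsid.group(0) if clsid else None, target)


def parse_log(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e]


def files_left_on_disk(entries) -> list:
    """Local files (drive-letter paths) that a registry fix does not remove."""
    return [e.target for e in entries if re.match(r"^[A-Za-z]:\\", e.target)]


def disabled_name(path: str) -> str:
    """Reversible rename used in the thread: uimnt.dll -> uimnt.dlx."""
    root, ext = ntpath.splitext(path)  # ntpath parses Windows paths on any OS
    # Assumption: anything that is not a .dll gets a ".disabled" suffix.
    return root + (".dlx" if ext.lower() == ".dll" else ext + ".disabled")
```

Calling `files_left_on_disk(parse_log(SAMPLE_LOG))` returns the two DLL paths; the O16 entry points at a URL, so it is not in that list.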
 
an update on my progress

OK. As you suggested, I did the tick and fix of those two lines on the HJT scan. Then I scanned again just to make sure, and the O18 one was still there after I had clicked fix (the c:\windows\system32\mst120.dll). I thought maybe it was because I had yet to restart the computer. So I restarted it, and went on to the MBAM run tool (assassin), and tried to paste the line from the code box to file name, but when I did a box came up that said "this file does not exist. would you like to create it?" or something like that. So, I clicked cancel, and went on to the next on the list, which was to update MBAM and then scan in quick mode. I have just finished doing that, and it says no malicious items were found. I have attached the log from that scan to this message, and in the meantime will continue to work my way through the rest of the list you provided. But I just thought I would give you an update on everything that I've run into. Also, I thought I should mention that yesterday, before I was able to fix those two things in HJT, the computer was being very sluggish... which, up until then, hadn't been a problem. It does, however, seem to be improving slightly now. Thanks.
 
Cover

This response ‘covers’ your post. A reply from you indicates that an infection remains or some aspect was not addressed. The last MBAM log indicates that the threat has been cleaned.

Your descriptions were helpful and clear. Please visit these forums frequently and participate in the knowledge exchange that takes place.
 