Google search results being redirected to unrelated websites

Status
Not open for further replies.
Hi, I'm having big trouble with Google Search. The search results are being redirected to some unrelated websites. It's getting so frustrating as I'm afraid my computer might be hacked.

I've run the HijackThis and have enclosed the log. Please help!!!!!

Thanks in advance!
 

Attachments

  • HJTLog.txt
    11 KB · Views: 5
touch will review the logs for you. But I want to mention that your AVG v7 is outdated. Since it is, note Step 1 in the referred site and consider removing AVG and changing to Avira or Avast. Links are on the site.
 
Thanks Bobbye :)

I recommend you remove AVG7 now, from Add/Remove Programs in Control Panel, as Bobbye suggests.

Reboot

Install Avira:
http://www.avira.com/en/download/

Update it, run a complete system scan.

A quick question: it looks like you are using an East Asian language, and some Asian programs such as -> WebThunder translation and Tudou.

Also, please tell me what - PKu6SpeedUpper.exe - is?

When Avira has completed the scan, reboot.

Attach new hijackthis log.
 
I wasn't familiar with some of the programs you had, so I checked them out. I would like to pass the information (Warning) on to you:

Web Thunder:
This is not a virus or a trojan. It is detected as a "potentially unwanted program" (PUP). It is a download program. It gets installed as a Browser Helper Object.
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - C:\Program Files\Thunder Network\WebThunder\WebThunderBHO_Now.dll
http://vil.nai.com/vil/content/v_142372.htm

Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Description
This signature detects an attempted attack against Internet Explorer caused by a maliciously crafted website using a vulnerable Xunlei Web Thunder ActiveX Control.
Additional Information
Xunlei Web Thunder ThunderServer.WebThunder.1 ActiveX control is prone to an arbitrary-file-download vulnerability.
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50050
C:\Program Files\Thunder Network\WebThunder\WebThunder.exe
Potentially unwanted tool:Application/WebThunder Not disinfected G:\Program Files\Thunder Network\WebThunder\historyinfo_manage.dll
Potentially unwanted tool:Application/WebThunder Not disinfected G:\Program Files\Thunder Network\WebThunder\setup.exe[historyinfo_manage.dll]
Potentially unwanted tool:Application/WebThunder Not disinfected G:\Program Files\Thunder Network\WebThunder\WebThunderBHO_016.dll

Tudou: P2P Program > See Step 3 on the Virus and Malware Removal thread: Uninstall File Sharing/P2P Programs
Tudou (simplified Chinese: 土豆网; traditional Chinese: 土豆網; pinyin: Tǔdòu Wǎng) is one of the largest video sharing websites in China, where users can upload, view and share video clips.
Tudou has come under criticism for its disregard of international copyright standards. Countless American and European television shows and movies can be found on Tudou without the permission of the copyright owners in what amounts to internet piracy. In May 2008, the Chinese government found the company guilty of copyright infringement and fined it RMB 50,000.
C:\Program Files\Tudou\TudouVa.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:9415/tudouva.pac
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - C:\Program Files\Thunder Network\WebThunder\WebThunderBHO_Now.dll

You have three translation programs running:
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

Do you already know all this? And accept the responsibilities that you will get malware when you use P2P or File Sharing programs?

A couple of questions:
1. You are auto configured to go to:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:9415/tudouva.pac
Are you aware of this?

2. Do you have a homepage set to come up blank when you launch IE?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Malware is in the System Restore points. Do NOT use System Restore. At the end of the cleaning, you will drop the old restore points and create a new clean one.
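
The entries quoted in the post above fall into a few HijackThis line types: AutoConfigURL points the browser at a proxy auto-config script, BHO and toolbar entries load DLLs into Internet Explorer, and Run entries start programs at logon. As an added example that is not part of the original thread, this Python script parses those line types and lists them for review; the sample log is constructed from lines quoted above, and the category names are this example's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:9415/tudouva.pac
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - C:\Program Files\Thunder Network\WebThunder\WebThunderBHO_Now.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"""

# R0-R3: IE registry values; O2/O3: browser extensions; O4: autorun entries.
REG_VALUE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>.+?) = (?P<data>.*)$")
BROWSER_EXT = re.compile(
    r"^O(?P<sec>[23]) - (?:BHO|Toolbar): (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
AUTORUN = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def triage(log_text):
    """Return (category, detail) findings for entries that can affect browsing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := REG_VALUE.match(line):
            # A PAC script decides, per URL, which proxy the browser uses.
            if m["name"].strip() == "AutoConfigURL" and m["data"]:
                host = urlparse(m["data"]).hostname or ""
                local = host in ("127.0.0.1", "localhost", "::1")
                findings.append(("pac-loopback" if local else "pac-remote", m["data"]))
        elif m := BROWSER_EXT.match(line):
            kind = "bho" if m["sec"] == "2" else "toolbar"
            findings.append((kind, f'{m["name"]} {m["clsid"]} -> {m["path"]}'))
        elif m := AUTORUN.match(line):
            findings.append(("autorun", f'{m["name"]}: {m["cmd"]}'))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:13} {detail}")
```

A `pac-loopback` finding means a program on the same machine is serving the proxy script, so the owning process (here the page ties it to Tudou) is the thing to identify before deciding whether the setting is wanted.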
 
Damn! I wasted all that time assembling the information! Your post wasn't up yet when I started.

PLEASE READ through what I left. You will probably load the same programs on again - then you'll be back with the same problems! Better you learn how to troubleshoot. You can't reformat/reinstall every time there is a problem!
 