Hi,
I am working on a client's computer and have not been able to get past this one hurdle:
All search engine results, when clicking on them, get redirected to 1 of a set of obvious malware/spyware related sites. Upon searching Google for the term "hello", these are some of the various redirects that are being forced upon my browser when clicking on the results:
http://www.upliftsearch.com/?keyword=hello&aid=1031&cid=268&subid=utr_2717
http://www.ipl.org/div/hello/index.html
http://www.esao.net/
Interestingly, when I mouse over any of the google links, the true website link shows up in the status bar of IE. But the second I click down with either left or right mouse buttons, I get a strange cryptic link. When attempting to copy the link to the clipboard, the same cryptic link shows up, such as the following URL that is associated with the first of the 3 examples I've listed above:
http://www.google.com/url?sa=t&source=web&ct=res&cd=1&ved=0CAkQFjAA&url=http%3A%2F%2Fwww.hellomagazine.com%2F&ei=pLR8S5CeNoaoswO8mr3LCA&usg=AFQjCNE2TScP1sOG-TytWVe-kB0UUbWncg
I would tend to think the "DNSChanger" trojan identified (and supposedly cleaned) by an MBAM scan has something to do with it.
My software environment is as follows:
Windows XP (x86) Media Center Edition SP3
Internet Explorer 8
NOD32 Antivirus v3.0
Malwarebytes 1.44
Spybot Search & Destroy 1.62
Spywareblaster 4.2
HijackThis 2.02
I am including the MBAM scan log below for your review, as well as the DDS log as per your instruction.
Thank you in advance!
=========================================
MBAM Scan Log:
=========================================
Malwarebytes' Anti-Malware 1.44
Database version: 3734
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/13/2010 4:42:33 PM
mbam-log-2010-02-13 (16-42-33).txt
Scan type: Quick Scan
Objects scanned: 167166
Time elapsed: 25 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rkelwhik (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rkelwhik (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.95,93.188.161.78 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{46a39352-11ea-417d-96b7-12f574451ed3}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.95,93.188.161.78 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\DADDY\Local Settings\Temp\DuXU.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000782f.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
=========================================
DDS Log:
=========================================
DDS (Ver_09-12-01.01) - NTFSx86
Run by DADDY at 22:28:39.89 on Mon 02/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1307 [GMT -7:00]
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DADDY\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1
www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-6-10 34312]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-6-10 468224]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-13 19160]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-13 236368]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2009-5-1 3584]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2009-5-1 32384]
=============== Created Last 30 ================
2010-02-16 04:39:08 0 d-sha-r- C:\cmdcons
2010-02-16 04:36:09 98816 ----a-w- c:\windows\sed.exe
2010-02-16 04:36:09 77312 ----a-w- c:\windows\MBR.exe
2010-02-16 04:36:09 261632 ----a-w- c:\windows\PEV.exe
2010-02-16 04:36:09 161792 ----a-w- c:\windows\SWREG.exe
2010-02-14 03:21:47 2189184 -c--a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-14 03:21:47 2145280 -c--a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-14 03:21:47 2066048 -c--a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-14 03:21:47 2023936 -c--a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-14 03:21:46 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-14 03:21:46 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-14 02:45:01 333952 -c--a-w- c:\windows\system32\dllcache\srv.sys
2010-02-14 02:45:01 333952 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-14 02:42:58 343040 ----a-w- c:\windows\system32\mspaint.exe
2010-02-14 01:06:19 0 d-----w- c:\program files\ESET
2010-02-14 00:29:07 0 d-----w- c:\program files\Trend Micro
2010-02-14 00:27:55 0 d-----w- c:\program files\SpywareBlaster
2010-02-13 23:49:45 0 d-----w- c:\program files\VS Revo Group
2010-02-13 23:41:25 0 d-----w- c:\windows\pss
2010-02-13 23:03:36 0 d-----w- c:\docume~1\daddy\applic~1\Malwarebytes
2010-02-13 23:03:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-13 23:03:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-13 23:03:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 23:03:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-13 23:01:03 0 d-----w- C:\Appz
==================== Find3M ====================
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
============= FINISH: 22:29:17.59 ===============
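Two checks a responder would run against what this post shows, as an added example and not the poster's or the forum's own code: parse the MBAM "Registry Data Items Infected" lines to pull out the DNS servers the DNSChanger wrote into the NameServer values and flag any that are not on an allowlist, and decode the google.com/url click link to see where the click actually leads. The allowlist address is a constructed assumption; the sample log lines are copied from the post above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption for this example: the resolvers the client's network should be
# using (a constructed placeholder; substitute the router's or ISP's addresses).
EXPECTED_DNS = {"192.168.1.1"}

# Constructed sample: the two "Registry Data Items" lines from the MBAM log above,
# plus an unrelated "Registry Values" line that must not match.
SAMPLE_MBAM_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rkelwhik (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.95,93.188.161.78 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{46a39352-11ea-417d-96b7-12f574451ed3}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.95,93.188.161.78 -> Quarantined and deleted successfully.
"""

# Shape of an MBAM "Registry Data Items Infected" line: key (threat) -> Data: value -> action
MBAM_DATA_RE = re.compile(
    r"^(?P<key>HK[A-Z_]+\\\S+?) \((?P<threat>[^)]+)\) -> Data: (?P<data>\S+) -> (?P<action>.+)$"
)


def parse_mbam_data_items(log_text):
    """Return one dict per 'Registry Data Items' entry; NameServer data is split on commas."""
    items = []
    for line in log_text.splitlines():
        m = MBAM_DATA_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["servers"] = entry["data"].split(",")
            items.append(entry)
    return items


def rogue_dns_servers(items, expected=EXPECTED_DNS):
    """DNS servers written into any NameServer value that are not on the allowlist."""
    rogue = set()
    for entry in items:
        if entry["key"].rsplit("\\", 1)[-1].lower() == "nameserver":
            rogue.update(s for s in entry["servers"] if s not in expected)
    return sorted(rogue)


def real_destination(link):
    """For a google.com/url click-tracking link, return the decoded 'url' parameter, else None."""
    parts = urlparse(link)
    if parts.netloc.endswith("google.com") and parts.path == "/url":
        return parse_qs(parts.query).get("url", [None])[0]
    return None
```

Run the parser over the full MBAM log file rather than the sample to catch every interface-specific NameServer key, since per-adapter keys (like the GUID one above) are easy to miss when cleaning by hand.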