Google Search Results redirected -Hijacked?

Discussion in 'Malware Help (A Specialist Will Reply)' started by alspanos, Oct 16, 2006.

  1. alspanos

    alspanos Private E-2

    Dear members of Majorgeeks,

    I recently came across your site, and I want to congratulate you on your efforts to keep the Web cleaner.

    It seems that I also need your support and I hope that this thread will be of help to other users as well.

    I have done my homework according to the instructions in your “READ AND RUN ME FIRST” post, and since I have a number of findings, I'll try to present them in a structured way to make them easier to read.

    Hardware specs
    - Acer 1700 Laptop
    - Pentium 4 2,6 MHz
    - 512 MB RAM
    - 80 HDD

    Software specs
    - Windows XP Home SP2 with 1 normal Account, plus the Administrator Account that shows in Safe mode
    - Avast Antivirus
    - Spybot Search and Destroy
    - Pest Patrol
    - Windows Firewall

    Symptoms
    A. Google Results Redirect: For the past few days, whenever I run a Google search I get a normal results page, but as soon as I click on one of the results I am redirected to a number of other (commercial) sites, 3-4 in total.
    B. Spybot hangs: At the same time, Spybot hangs at “422/45699: Baciani”. It may resume after 20-30 minutes, but hangs again a little later.

    First Aid
    After running my above-mentioned anti-malware arsenal, I downloaded and ran:
    - Ad-Aware SE Personal anti-spy
    - BitDefender 8 Free anti-virus
    but the problem remains.

    Majorgeeks method:
    Then I followed the steps described in your “READ AND RUN ME FIRST” post in the following order:

    1. Uninstalled Kazaa-Lite through Add/Remove programs.
    2. Set MSconfig to Normal Start-up.
    3. Emptied all quarantine folders and ran CCleaner in both Accounts in Safe mode.
    4. Uninstalled Bitdefender 8 Antivirus, and kept only Avast.
    5. Downloaded GetRunKey and ShowNew OK.
    6. Reset default settings in Spybot and disabled Tea-timer. Fixed bug.
    7. Installed the CounterSpy 15-day shareware. Although I run a legitimate copy of Windows (pre-installed at purchase), I have not validated it, because I have a natural dislike for Microsoft's practices to control world software, so when Windows Defender asked me to validate my copy, I preferred to turn to CounterSpy. I'll proceed with Windows Defender only if you think it's critical.
    8. Just after installing CounterSpy (with Active Protection on by default), the program detected csowm.exe attempting to run as I rebooted in Safe mode. I blocked it successfully.
    9. Tried to run Spybot, but it kept hanging.
    10. At reboot, CounterSpy detected nwiz.nwiz.exe/install which I could not block as it kept coming up. I finally allowed it.
    11. Uninstalled Spybot and reinstalled it.
    12. CounterSpy detected C:\Windows\system32\dmarc.exe attempting to add in Registry Start-up. I tried to block it, but it kept coming up, so I finally allowed it.
    13. Spybot ran OK. It found Pippas.A and fixed it.
    14. At reboot, CounterSpy detected C:\Windows\system32\dmwhq.exe attempting to add in Registry Start-up. I tried to block it, but it kept coming up, so I finally allowed it.
    15. Ran CounterSpy full scan. It found MyWaySpeedbar and 3 objects in Registry (win32Qhost.trf). I quarantined them all.
    16. Downloaded Java 5 and had to reboot at Normal mode to install it. CounterSpy detected C:\Windows\system32\dmjvh.exe attempting to add in Registry Start-up. I tried to block it, but it kept coming up, so I finally allowed it.
    17. I installed Java. CounterSpy detected C:\Windows\system32\jusced.exe attempting to add in Registry Start-up, which I allowed, as it comes from the Java installation. The same with:
    CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA
    CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA
    and a BHO.
    18. Rebooted in Normal mode and CounterSpy detects C:\Windows\system32\dmqod.exe attempting to add in Registry Start-up. I tried to block it, but it kept coming up, so I finally allowed it.
    19. Rebooted in Safe mode and ran the BitDefender On-line scan, and it found Mohbpork.A infections in Restore, which it could not fix.
    20. Panda On-line scan found Ruins.DP and fixed it.
    21. Ran GetRunKey and ShowNew.
    22. Steps 9 to 20 - when in Safe mode - were performed in the one user Account I have. At this point I repeated them in the Administrator Account.
    23. As Spybot started, CounterSpy detected a new IE toolbar button CmdMapping, which I blocked.
    24. Spybot run found Pippas.A again (!) and fixed it.
    25. CounterSpy ran without any findings.
    26. BitDefender On-line scan found Mohbpork.A at A0128988
    27. Panda On-line scan found:
    - 20 viruses (!), of which it disinfected 19
    - 46 spyware (!) of which it disinfected 0,
    - and 1 finding in each of the other 2 categories, which I missed.
    28. Ran GetRunKey and ShowNew again.
    29. After all that, I installed and ran HijackThis.
    30. Toggled System Restore.

    So, what happened to my system after all the above:

    Well, it seems that Spybot runs smoothly and a couple of tries at browsing through Google Search were successful. However, since all of my scans found something (especially the last Panda scan, which is terrifying), I doubt that I can run any of the above tools now and have it find everything clear!
    So, could you please take a look at my reports and advise if there is something more I have to do?

    In the next 4 posts I attach my 5 reports for the User Account, 5 reports named _Admin for the Administrator Account and HijackThis report.

    Thanks in advance
    (had to repost it due to the Majorgeeks Restore)
     
  2. alspanos

    alspanos Private E-2

    Here are my scan reports for the normal User Account:
     


  3. alspanos

    alspanos Private E-2

    Here are my .bat text reports for the normal User Account:
     


  4. alspanos

    alspanos Private E-2

    Here are my scan reports for the Administrator Account:
     


  5. alspanos

    alspanos Private E-2

    Here are my .bat text reports for the Administrator Account and the HijackThis report:
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    We prefer to only work on one user account at a time since it can get too confusing jumping back and forth. Since you only attached a HijackThis log for the Administrator Account, we will work on it. Some of this will help the other account as well.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment Standard Edition v1.3.1_02
    Java 2 Runtime Environment, SE v1.4.2_11
    Mozilla Firefox (1.0PR)
    Then install the current version of FireFox from: Mozilla Firefox


    Now run this: WareOut Removal and attach the requested log!

    Then run HijackThis and if the below lines still exist select them but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{6606D519-67B7-4F76-BA7D-D9127301DC9E}: NameServer = 85.255.114.82,85.255.112.168
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E92F0A8C-3D39-4964-B6F4-DA997C3DD36A}: NameServer = 85.255.114.82,85.255.112.168
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4DB2C27-8ECA-462B-B6D1-62B102676A7A}: NameServer = 85.255.114.82,85.255.112.168
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FFA8EE06-8EB3-4727-BD37-749FAC35A329}: NameServer = 85.255.114.82,85.255.112.168
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
    O17 - HKLM\System\CS1\Services\Tcpip\..\{6606D519-67B7-4F76-BA7D-D9127301DC9E}: NameServer = 85.255.114.82,85.255.112.168
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168

    After clicking Fix, exit HJT.

    Now reboot and then for the Administrator account attach a new HJT log and a new log from ShowNew!
     
  7. alspanos

    alspanos Private E-2

    Dear chaslang, hi and thank you for your prompt response.

    Let me tell you what I did (numbering continues):

    31. Uninstalled both old Javas and FF 1.0
    32. Installed current version of Mozilla FF.
    33. Ran FixWareOut.
    34. Changed TCP/IP properties. Indeed, my DNS addresses were “captured” by these strange IP addresses: 85.255.114.82 and 85.255.112.168. (By the way, I checked those addresses from my PC at work and they do lead to the commercial pages I was being redirected to after a Google search.)
    35. CounterSpy detected attempts to change my IE URL to http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch, which I allow all the time.
    36. CounterSpy detected an attempt to add a Registry start-up c:\windows\system32\sti_ci.dll, which I allowed (I thought it comes from FixWareOut).
    37. Ran HJT and the mentioned lines were still there, so I fixed them (no browsers open). By the way, the other suspicious line {2048B51E-8D74-4762-82CE-B48CF545EEEA} is still there.
    38. At this point the instructions in your post and in your e-mail were different, so first I saved the report Hijackthis_2.txt here in Normal mode.
    39. Then I rebooted in Safe mode – Administrator Account. Program SunServAlert.exe could not close normally, so I “ended the task”.
    40. CounterSpy detected an attempt to change Windows host file from localhost:127.0.0.1 to 127.0.0.1Ilocalhost. I blocked it.
    40. Searched for dmawq.exe in C:\Windows\system32, but it was not there. The same with dmarc.exe, dmwhq.exe, dmjvh.exe and dmqod.exe.
    41. I checked into the Registry and in the HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces I found the 2 suspicious IPs (85.255.114.82 and 85.255.112.168) in the DhcpNameServer of:
    {6606D519-67B7-4F76-BA7D-D9127301DC9E}
    {F4DB2C27-8ECA-462B-B6D1-62B102676A7A}
    {FFA8EE06-8EB3-4727-BD37-749FAC35A329}
    42. I ran a 2nd HJT (Hijackthis_2_Admin) and ShowNew (newfiles_2_Admin)
    43. Rebooted in Normal mode and CounterSpy detected an attempt of csgqa.exe to start at Windows Logon. I blocked it.

    So, here are my logs. I really don't know what to do with all those alerts I receive. Most of the time I block (a few I allow), but they keep coming back, and I don't know if I have to block them permanently.

    Thanks again for your time. I hope I have responded appropriately.
     
  8. alspanos

    alspanos Private E-2

    Here is my 2nd run of HijackThis reports in Normal and Safe mode and the Newfiles report in Safe mode:
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This has nothing to do with FixWareOut. It is related to software you have on your PC. Possibly related to a webcam!

    Is your copy of Pest Patrol a paid version? If yes, then uninstall CounterSpy now.

    You need to allow the change to the Hosts file (which the below fix with HJT will again try to fix).

    You must remember to only obtain HijackThis logs from Normal Boot mode unless specifically requested otherwise. You attached a log from Safe Boot mode which will not show everything. Please use HJT to fix the below and then attach a new log from Normal Boot mode.

    O1 - Hosts: localhost 127.0.0.1
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} -


    Is this Administrator account having any further malware problems?
     
  10. alspanos

    alspanos Private E-2

    Sorry for the delayed reply! I had increased the privacy settings of IE in an effort to make my browsing "safer" and as a consequence I could not log in to the forum, although it said I had! Anyway, here it is:

    I don't have a webcam, so the sti_ci.dll is not from that. I don't know if the following helps, but my only peripherals to my ACER 1700 notebook are:

    - HP Scanjet 2400 scanner
    - Genius Netmouse Pro cable / wheel mouse
    - Canon i250 printer, which no longer works

    I also occasionally connect the following:

    - HP Photosmart 945 camera
    - Logitech Rumblepad cable gamepad
    - MobileAction MA-8620E USB connector to NOKIA cellphone
    - MobileAction MA-660 USB Infrared device

    Pest Patrol is not a paid version, but a legitimate free version, which was part of an offer on a pack of Imation CDs I bought. It was supposed to expire a couple of months ago, but I didn't receive any relevant message, and it updates normally. I have no problem uninstalling it, if you think it creates problems.

    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} – Fixed.

    The change in Host files alert didn’t show up again, and it does not show in HJT log file that I created after the above fix, either.

    Then I rebooted in Administrator Safe Mode, and the alert about the Host files came up. I allowed it. Then point 43 above (about csgqa.exe) came up. I blocked it, but it keeps coming up at every Safe or Normal reboot. What should I do about it?

    No other signs of malware are there, either in Normal or Safe Mode, both Accounts.

    I think we are close to finalizing this.

    Thanks again.
     
  11. alspanos

    alspanos Private E-2

    Forgot the HJT log. Here it is:
    (I attach also a log from Administrator Account in Safe Mode, just for consistency).
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't worry about this file. It is a valid Microsoft file called Still Image Class Installer. One of your peripherals like the camera or scanner may be the cause of it loading at boot time.

    As long as it is working properly just keep it. However, you do need to uninstall CounterSpy which is only a 15 day trial anyway. You do not want to have more than one realtime blocker like this installed as a long term solution. The demand on system resources is too high and they can conflict with each other.


    You never attached the log I requested and still need from running FixWareOut. This file could be part of that infection and may show in the log. Attach the log but also boot into safe mode and look for the below file and delete it if found.

    C:\windows\system32\csgqa.exe

    Let me know what you find!
     
  13. alspanos

    alspanos Private E-2

    You are right Chaslang, I did not attach FixWareOut report, so here it is.

    I looked for csgqa.exe file both in Safe and Normal modes, but there are no findings. However CounterSpy issues the following warning every time I boot in Safe Mode and back in Normal Mode again:

    Active Protection has blocked a change to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System .

    From:

    To: csgqa.exe

    which I block. That probably means that another program is trying to install csgqa.exe at Windows Logon, I guess. Should I look for another file then? At the moment I block it, but I’m afraid that as soon as I uninstall CounterSpy, csgqa.exe will find its way to my System32 folder.

    What is your advice?
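    The alert quoted in this post names the registry value being targeted: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System, which was empty ("From:" blank) and which something kept trying to set to csgqa.exe. Programs named there are started by Winlogon in the system context at logon, so it is one of a handful of Winlogon values (Shell, Userinit, System, Taskman, GinaDLL) worth checking on any machine with a persistent logon-time alert. The script below is an added example written for this thread, not a MajorGeeks or Microsoft tool: it parses a `reg export` of the Winlogon key and reports every deviation from the Windows XP defaults (Shell = Explorer.exe, Userinit = C:\WINDOWS\system32\userinit.exe with trailing comma, System empty, Taskman and GinaDLL absent). Assumptions: Windows is installed in C:\WINDOWS (matching the C:\Windows\system32 paths in this thread), and the embedded .reg text is constructed to mirror what the blocked write would have produced had it succeeded, not an export from the poster's PC.

```python
r"""Audit the Winlogon key from a `reg export` text for logon-time persistence.

Added example for this thread, not a MajorGeeks or Microsoft tool. Parses a
.reg file (REG_SZ values only; dword/hex data is kept raw and multi-line hex
continuations are not handled) and compares the values malware commonly abuses
against the Windows XP defaults. Assumption: %SystemRoot% is C:\WINDOWS.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # assumption: SystemRoot = C:\WINDOWS

# Constructed sample in .reg syntax (backslashes are doubled in that format).
# System is set to csgqa.exe to mirror the write the thread's alert describes.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"="csgqa.exe"
"AutoRestartShell"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):
    # Undo .reg string escaping: doubled backslash -> single, backslash-quote -> quote.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km["key"]
            tree.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "" if vm["default"] else _unescape(vm["name"])
            data = vm["data"]
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])  # REG_SZ; other types are kept raw
            tree[current][name] = data
    return tree


def _csv(value):
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def audit_winlogon(values):
    """Compare the abusable Winlogon values against XP defaults.
    Returns (value_name, data, reason) tuples; an empty list means clean."""
    findings = []
    shell = values.get("Shell", "Explorer.exe")
    if _csv(shell) != ["explorer.exe"]:
        findings.append(("Shell", shell, "shell is not exactly Explorer.exe"))
    userinit = values.get("Userinit", "")
    if _csv(userinit) != [EXPECTED_USERINIT]:
        findings.append(("Userinit", userinit, "logon init list is not just userinit.exe"))
    system = values.get("System", "")
    if system.strip():
        findings.append(("System", system, "should be empty; programs here run in the system context at logon"))
    taskman = values.get("Taskman", "")
    if taskman.strip():
        findings.append(("Taskman", taskman, "Task Manager replacement is not a default setting"))
    gina = values.get("GinaDLL", "msgina.dll")
    if gina.strip().lower() != "msgina.dll":
        findings.append(("GinaDLL", gina, "non-default GINA DLL can intercept logon credentials"))
    return findings


if __name__ == "__main__":
    winlogon = parse_reg_export(SAMPLE_REG).get(WINLOGON_KEY, {})
    for name, data, why in audit_winlogon(winlogon) or [("-", "-", "no deviations from defaults")]:
        print(f"{name:10} = {data!r}: {why}")
```

    On the affected machine the export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`, and the same export taken from Normal and Safe mode can be compared, since the thread's alert fired on both kinds of boot. A value that is clean in the export but keeps reappearing in a blocker's alerts points, as alspanos suspected, at another process attempting the write rather than at a file already in System32.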
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start and select Search
    Now Select "All files and folders"
    Enter csgqa in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.


    Give me the results of the Search! And yes I did want you to just enter csgqa and not csgqa.exe
     
  15. alspanos

    alspanos Private E-2

    I've already done all that the last time.

    I searched in Normal as well as in Safe modes (both the Administrator and my Normal User Account).
    I searched for csgqa (not csgqa.exe) as all or part of a file name, and later as a word or phrase in a file and I included subfolders, hidden and system files in all my searches.

    Unfortunately (or maybe fortunately?), there are no results to display.

    The relevant CounterSpy alert has not shown up in the last 3 days. From what you've seen in my log files, do you think we're done?

    Thanks again.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your log files, you are clean. If you are not getting any more messages from CounterSpy about that file, I would then say your malware has been removed.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  17. alspanos

    alspanos Private E-2

    Thank you Chaslang one more time.

    Hope this thread can be helpful to other users as well.

    Cheers
     
