Search engine redirect malware...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Capthowie, Jan 20, 2006.

  1. Capthowie

    Capthowie Private E-2

    Major Geeks Team,
    I have been afflicted for the last week or two with this problem. When performing a 'google' search and clicking on selected site, I get redirected to another spurious site, e.g.:

    Robogold.biz
    Oldhetaira.com
    etc...

    A second window opens with 'top ten search items'.

    Have run your 7 steps with the following results:

    Ccleaner - all ok.
    Microsoft Windows Malicious Software removal tool - nothing found.
    Ad-Aware SE - 2 tracking cookies deleted
    Spybot S&D - Pipas.A found and deleted (this recurs every run of Spybot)
    Microsoft Antispyware - nothing found

    Bitdefender - old email dbx's found (log attached)

    Panda - gets to 'registro de windows' finds 1*spyware, 1*hacking tool and hangs. cannot get to run to completion.

    HijackThis - log attached

    I also run AVG - nothing found

    Please help!

    regards

    Capthowie
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have HijackThis installed in a location that reveals the UserName of the Account from which it is being run. Please reinstall HijackThis to a safer location; consult the instructions for installing and running HijackThis. The link to the instructions is provided in Step 7 of the tutorial.

    Empty your Norton Protected Recycle Bin.

    It appears that you are not running a software firewall. This leaves your system vulnerable.

    See the thread How to Protect yourself from malware!.

    Windows is out-of-date; you should install SP2 and run Windows Update to get your OS current. Do this after we have determined that your system is Malware free.

    Your HijackThis log shows no signs of an infection. This doesn't mean that your system is clean.

    Follow the Directions for Running Ewido Security Suite and Running WinPfind by OldTimer.

    Post both logs when finished.
     
  3. Capthowie

    Capthowie Private E-2

    Thanks for the directions...

    1) Have relocated HJT to its own program folder.

    2) Have emptied Norton protected recycle bin as per Symantec instructions

    3) Installed and ran Ewido as per directions. Ran for 9 hours, cleared 13 objects, but hung when trying to save report! Search redirect symptoms still there though! Will try running again tonight.

    4) Ran WinPFind, log file attached.

    Cheers

    Capthowie
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot to Safe Mode.

    Open Windows Explorer; Navigate to and delete the following:
    Close Windows Explorer.

    Open REGEDIT; navigate to the following registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, locate the following and delete it: dmqkb.exe

    REBOOT to Normal Mode.

    Do you know what this program does? csiyn.exe

    Download Blacklight Beta from here:
    http://www.f-secure.com/blacklight/try.shtml
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of log.

    Post a fresh HijackThis log.
     
  5. Capthowie

    Capthowie Private E-2

    Now it's getting interesting SPD, my response to your post is...

    "Open Windows Explorer; Navigate to and delete the following:

    C:\WINDOWS\SYSTEM32\ntfsnlpa.exe - OK
    C:\WINDOWS\SYSTEM32\pppcgm.exe - OK
    C:\WINDOWS\System32\dmqkb.exe - NOT OK, does not exist!

    Close Windows Explorer.

    Open REGEDIT; navigate to the following registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, locate the following and delete it: dmqkb.exe" - NOT OK, does not exist!

    In the registry at this location is another key referring to dmint.exe, this file is in the c:\WINDOWS\SYSTEM32\ directory referred to above. I did not delete the file or registry entry, but ran HJT, the log is attached as HijackThis220106.txt and shows the reg entry for dmint.exe.

    I reboot the PC.

    dmint is no longer! In its place is a new file with the same size and attributes called dmeok.exe. Ran HJT, log file attached (HijackThis220106B.txt) shows new reg entry for dmeok, old entry for dmint is gone without any action on my part.

    I reboot the PC.

    Guess what, dmeok is no longer! In its place is a new file with the same size and attributes called dmmgo.exe. Ran HJT, log file attached (HijackThis220106C.txt) shows new reg entry for dmmgo, old entry for dmint is gone without any action on my part.

    The file attributes are:

    Size: 43KB
    Created: 29/08/2002 10PM (this is the same as the genuine XP distribution files of my CD).

    Am I barking up the wrong tree, or is this some form of self modifying malware?

    Installed and ran Blacklight beta, no reported problems, file attached.

    Cheers

    Capthowie
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There are many forms of malware that will mutate when a system reboots; this is one of them.

    Download and install
    - ExplorerXP
    - SpySweeper (Install and Update the Definitions do nothing else at this time)

    DO NOT REBOOT your computer until I tell you.

    Print these instructions for use when offline, you will need them.

    Physically disconnect your computer from the Internet, by removing the LAN Cable.

    Open REGEDIT, navigate to
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run locate dmmgo.exe and delete it.

    Run ExplorerXP search for the following:
    Delete every instance you find.

    Now scan with HijackThis and fix the following if it still exists:
    Now reach behind your computer and pull the plug. Yes you read that correctly "Pull the Plug;" we want to avoid a clean shut down.

    Now plug your computer back in, boot to Normal Mode and run SpySweeper.

    Post the SpySweeper log and a fresh HijackThis log.
     
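The behaviour Capthowie observed in post 5 and Shadow_Puter_Dude named in post 6 (a Run value whose target executable is re-created under a fresh five-letter name after every reboot, always 43 KB and always carrying the creation time of the XP install media) can be caught by comparing Run-key snapshots taken across reboots. The script below is an added example and is not code from the thread or from any of the tools mentioned in it. It runs on constructed snapshots that mirror the reported names (dmint.exe, dmeok.exe, dmmgo.exe); the benign "ExampleAV" entry, the value names, the byte size derived from "43KB" and the KNOWN_MEDIA_FILES set are all assumptions made for the example.

```python
# Added example, not code from the MajorGeeks thread. It models the symptom
# Capthowie reported: a value under HKLM\...\CurrentVersion\Run whose target
# is re-created under a new name after each reboot, keeping the same size
# (43 KB) and a creation timestamp copied from the XP install media.
# Snapshot contents, the "ExampleAV" entry, the value names and the
# KNOWN_MEDIA_FILES set are constructed for this example.
import ntpath
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RunEntry:
    value: str     # value name under ...\CurrentVersion\Run (assumed)
    path: str      # executable the value launches
    size: int      # size on disk in bytes
    created: str   # NTFS creation time as Explorer displays it


def fingerprint(e: RunEntry) -> Tuple[str, int, str]:
    """Everything about the file except its name: directory, size, ctime."""
    return (ntpath.dirname(e.path).lower(), e.size, e.created)


def find_mutating_entries(snapshots: List[List[RunEntry]]) -> List[Tuple[str, str]]:
    """Compare consecutive Run-key snapshots (one per reboot).

    An entry is flagged when it disappears between two snapshots and a new
    entry with an identical fingerprint but a different file name appears in
    the later one: the self-renaming pattern dmint -> dmeok -> dmmgo.
    """
    findings = []
    for before, after in zip(snapshots, snapshots[1:]):
        before_paths = {e.path.lower() for e in before}
        after_paths = {e.path.lower() for e in after}
        vanished = [e for e in before if e.path.lower() not in after_paths]
        appeared = [e for e in after if e.path.lower() not in before_paths]
        for old in vanished:
            for new in appeared:
                if fingerprint(old) == fingerprint(new):
                    findings.append((old.path, new.path))
    return findings


# Constructed stand-in for the inventory of files on the XP install media;
# the real list is far longer. Used only to show the timestamp check.
KNOWN_MEDIA_FILES = {"ntoskrnl.exe", "kernel32.dll", "explorer.exe"}
MEDIA_CREATED = "29/08/2002 10PM"  # the creation time the poster observed


def looks_timestomped(e: RunEntry) -> bool:
    """A file carrying the install-media creation time whose name is not on
    the media is suspicious: the timestamp was copied, not inherited."""
    name = ntpath.basename(e.path).lower()
    return e.created == MEDIA_CREATED and name not in KNOWN_MEDIA_FILES


SYS32 = r"C:\WINDOWS\SYSTEM32"
# Constructed benign autostart entry that survives every reboot unchanged.
AV = RunEntry("ExampleAV", r"C:\Program Files\ExampleAV\ExampleAV.exe",
              120_000, "15/11/2005 09AM")


def stage(name: str) -> RunEntry:
    """One generation of the mutating entry: 43 KB, media timestamp."""
    return RunEntry(name, ntpath.join(SYS32, name + ".exe"), 43 * 1024, MEDIA_CREATED)


# Three constructed snapshots of the Run key: before the first reboot and
# after each of the two reboots described in post 5.
SNAPSHOTS = [
    [AV, stage("dmint")],
    [AV, stage("dmeok")],
    [AV, stage("dmmgo")],
]


if __name__ == "__main__":
    for old, new in find_mutating_entries(SNAPSHOTS):
        print(f"Run entry re-created under a new name: {old} -> {new}")
    for e in SNAPSHOTS[-1]:
        if looks_timestomped(e):
            print(f"{e.path}: creation time matches the install media but the file is not on it")
```

On a real XP box the snapshots would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` plus a directory listing taken after each reboot; the point of the fingerprint comparison is that a renaming dropper keeps its size and its faked creation time even though the name changes, so those two fields are what to key on, not the name. The timestamp check only works against a real inventory of the install media, which the constructed set above merely stands in for.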
