Search results hijacked/redirected

When I run a search and click one of the results, the first attempt for each result is re-directed to another search engine or software page.

I've run my anit-virus and anti-adware programs and clean all infections found.

I've run Hijack This and the log is attached. I've also run Trend Micro's Rootkit Buster but that log is too large to attach. It found no hidden items, but a bunch of file streams, which I deleted.
No hidden files found (from log file below):

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.

--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

I'm running Windows XP Home SP3 with all updates.

I'm getting worried that a re-format may be necessary but want to do all I can to prevent that if possible.

I appreciate the help! Thanks!

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Edited by Animal, 14 January 2010 - 08:37 PM.

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
• Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Thank you miekiemoes!

I did as directed and attached the new HJT log. MB-AM log is below.

Malwarebytes' Anti-Malware 1.44
Database version: 3568
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/15/2010 8:15:38 AM
mbam-log-2010-01-15 (08-15-38).txt

Scan type: Quick Scan
Objects scanned: 135413
Time elapsed: 16 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 14
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\p2psys64\p2psys64.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\p2psys64 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defender32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\p2psys64 (Trojan.Downloader) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\39.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\p2psys64\p2psys64.dll (Trojan.Downloader) -> Delete on reboot.
C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\MSA\w2_0.exe (Rogue.MSAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


What's the diagnosis? Am I clean now!

Hi,

We are not finished yet...

A next update in Malwarebytes should deal with the leftovers, but that update is not available yet, so that's why we'll deal with it manually for now...

To do this,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [mscj.exe] C:\Documents and Settings\Owner\Application Data\MSA\mscj.exe
O4 - HKCU\..\Run: [oupdate2.exe] C:\Documents and Settings\Owner\Application Data\MSA\oupdate2.exe
O4 - HKCU\..\Run: [sysinfo] C:\Documents and Settings\Owner\Application Data\MSA\sysinfo.exe /autorun
O4 - HKCU\..\Run: [cja128013] C:\Documents and Settings\Owner\Application Data\MSA\cja128013.exe /autorun
O4 - Global Startup: hpoddt01.exe.lnk = ?

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Then, navigate to and delete the following folder:

C:\Documents and Settings\Owner\Application Data\MSA <== folder

Reboot.

Rescan with HijackThis and post the log in your next reply.

Okey dokey!

Hi,

This looks OK again. Do you still have problems?

Hi,

Well, my search results don't appear to be getting hi-jacked anymore! Which is a good thing!

I think everything looks OK. Thanks a bunch for the assistance!!!

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.