
XP 64bit machine infected with google search redirects - solved??

Discussion in 'Malware and Virus Removal Archive' started by chickenfingers, 2009/01/19.

  1. 2009/01/19
    chickenfingers

    chickenfingers Inactive Thread Starter

    Joined:
    2008/01/08
    Messages:
    4
    Likes Received:
    0
    Edit - I think I've solved the problem! See my reply below. Good luck to everyone else with this issue.

    Hello, recently I've found that the 1st page of Google search results are being redirected to alternate shady URLs (ad sites etc). It appears that many people are having this problem, and from what I've read it looks like Combofix is the typically recommended solution. Much to my dismay, Combofix (and a lot of other malware removal tools, it seems) won't run under Windows XP 64-bit. The hijacking problem first showed up in Opera 9.62 but also affects Firefox and IE 7.

    Here's what I've run so far:

    Spybot S&D - no bad results other than tracking cookies (deleted)

    Kaspersky Antivirus 6 - normal boot, full system scan, no bad results

    Trendmicro Housecall - no bad results

    ESET online scanner - no bad results

    MS Malicious Software Removal Tool - no bad results

    SuperAntiSpyware - no bad results

    Malwarebytes Anti-malware (run 3 times):
    --1st scan (normal boot, quick scan): detected and deleted "Hijack.displayproperties "
    --2nd scan (normal boot, full scan): no bad results
    --3rd scan (safe mode, quick scan):
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0b385ee3-ee18-4c69-bf55-6b6b406ef591} (Trojan.Zlob) -> Quarantined and deleted successfully.

    Roguefix v2.234 (safe mode):
    --deleted F:\WINDOWS\system32\win***32.dll
    --deleted beep.sys

    Edit: Ran another scan of Kaspersky 6, full system, from Safe Mode last night:

    deleted: malware Constructor.Win32.VB.hp File: E:\Downloads - Edwin\CD DVD Utils etc\Folder2Iso.exe//UPX
    deleted: malware Constructor.Win32.VB.hp File: F:\Downloads - Edwin\CD DVD Utils etc\Folder2Iso.exe//UPX
    deleted: malware Constructor.Win32.VB.hp File: F:\System Volume Information\_restore{C380D6B4-3750-4677-A4AD-F715340CEA9C}\RP31\A0010505.exe//UPX
    deleted: malware Constructor.Win32.VB.hp File: F:\System Volume Information\_restore{C380D6B4-3750-4677-A4AD-F715340CEA9C}\RP61\A0013830.exe//UPX
    Don't know if those were false positives or actual threats.

    Unfortunately, none of this has helped; I'm still having the google problem!

    -----------------------

    I can't run DDS with XP 64-bit, it seems, so all I have is a HJT log (sorry! If there's anything else I can provide, I will, of course):

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:46:25 AM, on 1/19/2009
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Safe mode with network support

    Running processes:
    F:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    F:\Program Files (x86)\Opera\opera.exe
    F:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Other Adobes\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files (x86)\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files (x86)\Java\jre6\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [JMB36X IDE Setup] F:\WINDOWS\RaidTool\xInsIDE.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] F:\WINDOWS\SysWOW64\xRaidSetup.exe boot
    O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files (x86)\Winamp\Winampa.exe "
    O4 - HKLM\..\Run: [AVP] "F:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "F:\Other Adobes\Adobe Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~2\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files (x86)\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = F:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://runonce.msn.com
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1229206298215
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files (x86)\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - F:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - F:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - F:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - F:\WINDOWS\System32\dmadmin.exe (file missing)
    O23 - Service: Event Log (Eventlog) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
    O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - F:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
    O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - F:\WINDOWS\System32\lsass.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - F:\WINDOWS\system32\imapi.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files (x86)\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - F:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - F:\WINDOWS\system32\msdtc.exe (file missing)
    O23 - Service: Net Logon (Netlogon) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - F:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Plug and Play (PlugPlay) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
    O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - F:\WINDOWS\system32\sessmgr.exe (file missing)
    O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: TabletServiceWacom - Unknown owner - F:\WINDOWS\system32\Wacom_Tablet.exe (file missing)
    O23 - Service: Virtual Disk Service (vds) - Unknown owner - F:\WINDOWS\System32\vds.exe (file missing)
    O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - F:\WINDOWS\System32\vssvc.exe (file missing)
    O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - F:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

    --
    End of file - 9377 bytes


    -------
    I posted about my issue at another forum, but I haven't received any responses yet. If I do, I will amend my post here.

    Any help is super, super appreciated.
     
    Last edited: 2009/01/19
  2. 2009/01/19
    chickenfingers

    chickenfingers Inactive Thread Starter

    Joined:
    2008/01/08
    Messages:
    4
    Likes Received:
    0
    Update!

    I think, finally, I fixed the problem by tackling it manually.
    After reading this post on miekiemoes's weblog about fake wdmaud.sys files in the WINDOWS\system32 folder and its accompanying registry entry, I searched for a copy of that file where it shouldn't be. I didn't have wdmaud.sys in the incorrect WINDOWS\system32 folder miekiemoes described or the registry entry mentioned as problematic (I assume the difference is down to XP 32 vs 64 bit) but I did find it under the \WINDOWS\SysWOW64 folder. Also, in the registry in the key
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WindowsNT\CurrentVersion\Drivers32
    was the entry aux = wdmaud.sys. I deleted the aux entry from my registry (after backing it up elsewhere) and then deleted wdmaud.sys from the SysWOW64 folder. I'm no longer getting redirect results from Google and--perhaps I'm just imagining--system performance seems to have improved.

    For anyone else running XP 64-bit who's frustrated by the incompatibility of typically prescribed solutions (Combofix etc), this might work for you. Of course, I guess it would be best for an expert to vet this solution, but I am thrilled! Hooray.
     


  4. 2009/01/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Good work chickenfingers!

    As you've discovered, the \WINDOWS\SysWOW64 folder is where 32 bit versions of system files reside. Most malware cannot run in 64 bit mode so if it does make it into the system it will infect the 32 bit versions/location. Same goes for the registry branch affected.

    I'm quite surprised none of the applications you ran picked up on that infection, as it's been around for quite some time now.
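    The manual check from chickenfingers's update (the Drivers32 "aux = wdmaud.sys" entry under Wow6432Node plus the stray wdmaud.sys in SysWOW64) and noahdfear's point about 32-bit locations on a 64-bit system, as an added read-only PowerShell audit that is not code from the thread: it lists both Drivers32 views, flags any value that names a .sys file or contains a path, and reports whether a wdmaud.sys sits in system32 or SysWOW64 rather than system32\drivers. The assumptions that Drivers32 values are normally bare file names of user-mode multimedia modules (.drv/.dll/.acm) and that the genuine wdmaud.sys belongs under system32\drivers are mine, not stated on the page.

    ```powershell
    # Added audit script (not from the thread). Reports only; it does not
    # delete registry values or files.
    $windir = $env:SystemRoot

    # Both registry views: native 64-bit and the Wow6432Node (32-bit) branch
    # that chickenfingers found the bad 'aux' entry in.
    $drivers32Keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
    )

    # Locations the fake file has been reported in (system32 on 32-bit XP,
    # SysWOW64 on XP x64) versus where the real driver belongs (assumption).
    $suspectPaths = @(
        (Join-Path $windir 'system32\wdmaud.sys'),
        (Join-Path $windir 'SysWOW64\wdmaud.sys')
    )
    $legitPath = Join-Path $windir 'system32\drivers\wdmaud.sys'

    foreach ($key in $drivers32Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            $value = [string]$p.Value
            # Assumption: legitimate Drivers32 values are bare names of
            # user-mode modules (.drv/.dll/.acm). A kernel-style .sys name,
            # or any path separator, is the hijack pattern to flag.
            if ($value -match '\.sys$' -or $value -match '\\') {
                Write-Output ("SUSPECT  {0}  {1} = {2}" -f $key, $p.Name, $value)
            } else {
                Write-Output ("ok       {0}  {1} = {2}" -f $key, $p.Name, $value)
            }
        }
    }

    # A wdmaud.sys directly in system32 or SysWOW64 is out of place.
    foreach ($f in $suspectPaths) {
        if (Test-Path $f) {
            $item = Get-Item $f
            Write-Output ("SUSPECT file: {0} ({1} bytes, modified {2})" -f $f, $item.Length, $item.LastWriteTime)
        }
    }
    if (Test-Path $legitPath) {
        Write-Output ("expected driver present: {0}" -f $legitPath)
    }
    ```

    Run it from an elevated PowerShell prompt; back up the Drivers32 key (for example with reg export) before acting on anything it flags.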
     
