TechSpot

Help! Search engines hijacked.

By tytoalba
Jun 26, 2010
Topic Status:
Not open for further replies.
  1. I'm hoping that someone can help me out. When I search the web using Google or any other search engine, the returned pages are all advertisements. I've run through the 8 steps and the logs are attached below (note that the DDS logs are attachments due to size constraints). Thank you in advance for your help!


    MALWARE LOG:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4244

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18904

    6/26/2010 10:33:13 AM
    mbam-log-2010-06-26 (10-33-13).txt

    Scan type: Quick scan
    Objects scanned: 156043
    Time elapsed: 7 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8bcb5337-ec01-4e38-840c-a964f174255b} (Adware.SmartShopper) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    GMER LOG:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-06-26 11:21:43
    Windows 6.0.6002 Service Pack 2
    Running: 2mw2nhzh.exe; Driver: C:\Users\beyeler\AppData\Local\Temp\fxldapoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\Users\beyeler\AppData\Local\Temp\fxldapoc.sys The system cannot find the file specified. !

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [744C7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7451A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [744CBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [744BF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [744C75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [744BE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [744F8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [744CDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [744BFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744BFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744B71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7454CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [744EC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [744BD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [744B6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744B687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [744C2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    Attached Files:

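The Malwarebytes log above flags GUID subkeys under HKCU\...\Ext\Settings and Ext\Stats, which are the keys where Internet Explorer records its add-ons (toolbars, extensions and Browser Helper Objects); an adware BHO registered there is a common way search results end up replaced with advertisements. The following PowerShell script is added here as an example and is not part of the original thread: it enumerates those keys plus the Browser Helper Objects registration, resolves each CLSID to its DLL through HKCR\CLSID\{guid}\InprocServer32, and checks the DLL's Authenticode signature, so an add-on can be judged by its file and publisher rather than by GUID alone. It assumes a Windows host with PowerShell and should be run as the affected user so that HKCU is that user's hive; the registry paths are the standard ones, the output layout is my own.

```powershell
# Added example (not from the original thread): enumerate Internet Explorer
# add-ons recorded under the same Ext\Settings / Ext\Stats keys that the
# Malwarebytes log flagged, plus registered Browser Helper Objects, and
# resolve each CLSID to its DLL so a hijacking add-on can be identified by
# file path and Authenticode signature rather than by GUID alone.
# Assumes a Windows host with PowerShell; run in the profile of the affected
# user so HKCU resolves to that user's hive.

$extRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Ext\Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-Clsid {
    param([string]$Clsid)
    # COM class registration: HKCR\CLSID\{guid} holds the display name as the
    # default value and InprocServer32's default value holds the DLL path.
    foreach ($hive in @('Registry::HKEY_CLASSES_ROOT\CLSID',
                        'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')) {
        $key = Join-Path $hive $Clsid
        if (Test-Path $key) {
            $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            return [pscustomobject]@{ Name = $name; Dll = $dll }
        }
    }
    return $null
}

$results = foreach ($root in $extRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $clsid = $sub.PSChildName
        # Only GUID-named subkeys are add-on registrations.
        if ($clsid -notmatch '^\{[0-9a-fA-F-]{36}\}$') { continue }

        $com  = Resolve-Clsid $clsid
        $name = '(no CLSID registration)'
        $dll  = $null
        $sig  = $null
        if ($com) {
            $name = $com.Name
            $dll  = $com.Dll
            if ($dll) {
                # InprocServer32 may be quoted and may use %SystemRoot%-style variables.
                $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                if (Test-Path $path) {
                    $sig = (Get-AuthenticodeSignature -FilePath $path).Status
                } else {
                    $sig = 'FileMissing'
                }
            }
        }
        [pscustomobject]@{
            Source    = $root
            Clsid     = $clsid
            Name      = $name
            Dll       = $dll
            Signature = $sig
        }
    }
}

# Unsigned DLLs, DLLs in user-writable locations, and CLSIDs that no longer
# resolve (which is what the quarantined entries in the log will look like
# after cleanup) are the rows worth inspecting first.
$results | Sort-Object Source, Clsid | Format-Table -AutoSize
```

Entries whose Signature is NotSigned or FileMissing, or whose Dll sits under a user profile or Temp directory, are the ones to look at; a well-known toolbar or BHO from a real vendor will normally resolve to a signed DLL under Program Files.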
  2. Bobbye (Helper on the Fringe)

    Please make a note to yourself to update both Java and Adobe Reader. Both are old versions, and old versions are vulnerabilities. After updating, go to Add/Remove Programs and remove the earlier versions:
    Visit this Adobe Reader site and get the most current update. Uninstall any earlier versions, as they are vulnerabilities. (now v9.xx)
    Visit this site Java Updates and get the most current update. Uninstall any earlier versions in Add/Remove Programs. (now v6u20)

    I strongly advise removing this program: c:\program files\Enigma Software Group. Neither the program nor the site is reliable.

    Did you run TFC and how often do you do maintenance on the system? There are temporary internet files, Cookies, History and other tmp files from 2009 on the system.
    ==============================
    This is as far as I'll go. The presence of the following work/government-related programs indicates this is a work computer, which should be handled by your IT person:

    LANDFIRE Data Access Tool> http://www.landfire.gov/
    Python 2.5 numpy-1.0.3
    NumPy is the fundamental package needed for scientific computing with Python

    Cisco EAP-FAST Module
    EAP-FAST is an EAP method that enables secure communication between a client and an authentication server by using Transport Layer Security (TLS) to establish a mutually authenticated tunnel.

    I also note that you have the Enterprise version of McAfee.
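The advice above to update Java and Adobe Reader and then remove the earlier versions from Add/Remove Programs can be verified rather than assumed. The following PowerShell script is added here as an example and is not part of the original post: it reads the Windows Uninstall registry keys (native, Wow6432Node and per-user) and lists every registered Java and Adobe Reader build, so a leftover old version stands out as a second entry in the same product family. It assumes a Windows host with PowerShell; the display-name patterns are my own and may need widening for other products.

```powershell
# Added example (not from the original thread): list every installed Java
# runtime and Adobe Reader build from the Windows Uninstall keys, so that
# the "uninstall earlier versions" step can be checked instead of assumed.
# Assumes a Windows host with PowerShell; reads native, Wow6432Node and
# per-user keys so 32-bit and per-user installs are included.

$uninstallRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Display-name patterns (my own assumption) for the two product families the
# thread is concerned with. Older Java releases registered as "J2SE Runtime
# Environment"; Adobe Reader registered as "Adobe Reader 9.x" or similar.
$families = @{
    'Java'        = '^(Java|J2SE)'
    'Adobe Reader' = '^Adobe (Acrobat )?Reader'
}

$installed = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($k in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        if (-not $p.DisplayName) { continue }
        foreach ($family in $families.Keys) {
            if ($p.DisplayName -match $families[$family]) {
                [pscustomobject]@{
                    Family    = $family
                    Product   = $p.DisplayName
                    Version   = $p.DisplayVersion
                    Publisher = $p.Publisher
                    Uninstall = $p.UninstallString
                    Key       = $k.PSPath
                }
                break
            }
        }
    }
}

# More than one entry per family means an old build is still registered,
# and still loadable by anything that asks for that version.
$installed | Group-Object Family | ForEach-Object {
    "{0}: {1} install(s) registered" -f $_.Name, $_.Count
    $_.Group | Sort-Object Version | Format-Table Product, Version, Publisher -AutoSize | Out-String
}
```

The UninstallString column is kept in the objects so the stale entry can be removed from the same session; in the case described in the thread, one Java family row (6u20 at the time) and one Adobe Reader row (9.x) is the expected end state.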
  3. tytoalba (TS Rookie, Topic Starter)

    Thanks for your reply. I'll take care of the older cookies, temp internet files, etc and update Java and Adobe. This is not a work computer. I do some contract work, but the computer in question is not used directly for/by a government agency therefore I do not have access to an IT person. Any further suggestions/advice that you could offer regarding the content of the logs would be greatly appreciated! Thanks again!
  4. Bobbye (Helper on the Fringe)

    Sorry for the delay!

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename ComboFix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double-click combofix.exe and follow the prompts to run.
    NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If ComboFix asks you to install Recovery Console, please allow it.
    [6]. If ComboFix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.

    Leave the logs in your next reply. I'll see what I can do.