Help! Search engines hijacked.

[tytoalba]

I'm hoping that someone can help me out. When I search the web using Google or any other search engines, the returned pages are all advertisements. I've run through the 8 steps and the logs are attached below (Note that the DDS logs are attachments due to size constraints). Thank you in advance for you help!


MALWARE LOG:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4244

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

6/26/2010 10:33:13 AM
mbam-log-2010-06-26 (10-33-13).txt

Scan type: Quick scan
Objects scanned: 156043
Time elapsed: 7 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8bcb5337-ec01-4e38-840c-a964f174255b} (Adware.SmartShopper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




GMER LOG:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-26 11:21:43
Windows 6.0.6002 Service Pack 2
Running: 2mw2nhzh.exe; Driver: C:\Users\beyeler\AppData\Local\Temp\fxldapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\Users\beyeler\AppData\Local\Temp\fxldapoc.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [744C7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7451A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [744CBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [744BF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [744C75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [744BE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [744F8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [744CDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [744BFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744BFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744B71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7454CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [744EC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [744BD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [744B6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744B687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [744C2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

 

[Bobbye]

Please make a note to yourself to update both Java and Adobe Reader. Both have old versions and they are vulnerabilities. After updates, go to Add/remove Programs and remove the earlier versions:
Visit this Adobe Reader site and get the most current update. Uninstall any earlier updates as they are vulnerabilities. (now v9.xx)
Visit this site Java Updates and get the most current update. Uninstall any earlier versions in Add/Remove Programs.(now v6u20)

I strongly advise removing this program: c:\program files\Enigma Software Group. Neither the program or the site is reliable.

Did you run TFC and how often do you do maintenance on the system? There are temporary internet files, Cookies, History and other tmp files from 2009 on the system.
==============================
This is as far as I'll go. The presence of the following work-government related programs indicates this is a work computer which should be handled by your IT person:

LANDFIRE Data Access Tool> http://www.landfire.gov/

LANDFIRE, also known as the Landscape Fire and Resource Management Planning Tools Project, is a five-year, multi-partner project producing consistent and comprehensive maps and data describing vegetation, wildland fuel, and fire regimes across the United States. It is a shared project between the wildland fire management programs of the U.S. Department of Agriculture Forest Service and U.S. Department of the Interior. The project has four components: the LANDFIRE Prototype, LANDFIRE Rapid Assessment, LANDFIRE National, and Training/Technology Transfer.

Python 2.5 numpy-1.0.3
NumPy is the fundamental package needed for scientific computing with Python

Cisco EAP-FAST Module
EAP-FAST is an EAP method that enables secure communication between a client and an authentication server by using Transport Layer Security (TLS) to establish a mutually authenticated tunnel.

I also note that you have the Enterprise version of McAfee.[

 

[tytoalba]

Thanks for your reply. I'll take care of the older cookies, temp internet files, etc and update Java and Adobe. This is not a work computer. I do some contract work, but the computer in question is not used directly for/by a government agency therefore I do not have access to an IT person. Any further suggestions/advice that you could offer regarding the content of the logs would be greatly appreciated! Thanks again!

 

[Bobbye]

Sorry for the delay!

Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..

Leave the logs in your next reply. I''ll see what I can do.