Google & Yahoo! Searches Returning Adware Results

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Tom K, Jan 13, 2009.

  1. Tom K

    Tom K Private First Class

    Hey MajorGeeks!
    I just finished removing a Virtumonde/Smitfraud-C infection which Tim W. here helped me with greatly a few days ago. Now I am presented with a new malware issue.

The computer generally runs normal, except for a slightly slower than usual startup, and Desktop icons not appearing at full capacity immediately. Accessing the internet also is normal. However, if I conduct a search on either Google or Yahoo! (I don't know about other search engines as these are the only two I use) with either Internet Explorer or Mozilla Firefox, the first page of search results contains search results that contain normal descriptions of the content in the search criteria, but contain links such as shopica.com, security-antivirus.com, nexplore.com, monstermarketplace.com, info.com, geico.com, moxiesearch.com, mit-iqexam.com, and findlinks.com. The normal sponsored ads generally found to the right of the page are also removed.

    I followed the instructions in the READ & RUN ME, and then followed the Windows XP Cleaning Procedure almost entirely. All tools were updated prior to scanning, and all scans were run in Safe Mode. I'll briefly describe my results:

    SUPERAntiSpyware - Scanned full system, found nothing.

    SpyBot - Search & Destroy - Scanned full system, it found many Firefox tracking cookies, apparently deleted them.

    Malwarebytes Anti-Malware - Quick system scan, found nothing.

    combofix.exe - I did not run this. I read the instructions at the link provided, but - to me - they were very complicated, and I felt very uncomfortable attempting this.

    MGtools.exe - Ran this tool, zip logs attached.

    I understand all of you here are swamped because of a recent surge of malware. I will patiently await your reply. Please review the logs when you can. Your help is greatly appreciated. Thank you.
     

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Running ComboFix is safe unless you're malware. :) All jokes aside, it will not hurt anything as I've used it hundreds of times. This is a critical tool we use because it shows a lot more than just about any other tool available today.

    Download the latest update from the link below, save to your desktop and double click to run. Once complete, please attach the log it produces.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
     
  3. Tom K

    Tom K Private First Class

    Hey bjgarrick :wave

    Thank you for the quick reply! I followed your instructions and ran the ComboFix scan in Safe Mode with Networking Prompt because I also had to download the Windows Recovery Console. The scan ran rather quickly, and the log is attached.

    I also want to point out that last night, AVG detected and cleaned or quarantined what appears to be a Rootkit-Agent.CN trojan in C:\WINDOWS\system32\wdmaud.sys, and following this action and a subsequent reboot, the search engines appear to be working normally once again. I am not really sure how to attach a log from AVG as it exports in a .xml, which is currently not an accepted file type here.

    One other thing. Two malware infections in as many weeks is two too many. Earlier today, I decided to uninstall and remove the Filseclab firewall that I had been using for about four months. After reviewing the recommended free Firewalls listed here on MajorGeeks.com, I decided to download and install Jetico Personal Firewall. I have also downloaded and installed the latest version of SpywareBlaster, which I have found is a very reliable spyware prevention tool.

    :cool 100 Posts and Counting!

    Thank you very much for helping me with this issue.
     

    Last edited: Jan 15, 2009
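The post above reports AVG flagging C:\WINDOWS\system32\wdmaud.sys, a file that is also a legitimate Windows audio driver. The following is an added PowerShell check, not from the thread or from any MajorGeeks tool, that compares the system32 copy against the Windows File Protection copy in system32\dllcache and reports version and signature details. It assumes Windows XP/2003 paths and the Get-Sha256 helper defined in the block; a live rootkit can falsify what user-mode tools see, so it belongs in Safe Mode or after cleaning, as this thread did.

```powershell
# Added example: compare system32\wdmaud.sys with the dllcache copy Windows
# File Protection keeps, and show version/signature info for both.
# Assumes XP/2003 layout; on those versions sfc /scannow is the native check.
$systemDir = Join-Path $env:SystemRoot 'system32'
$target    = Join-Path $systemDir 'wdmaud.sys'
$cached    = Join-Path $systemDir 'dllcache\wdmaud.sys'

# Helper (assumed name): SHA-256 via .NET so it works on old PowerShell too.
function Get-Sha256 ([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

foreach ($p in $target, $cached) {
    if (-not (Test-Path $p)) { Write-Output "MISSING: $p"; continue }
    # -Force: dllcache is a hidden/system directory.
    $item = Get-Item -Force $p
    Write-Output ("{0}`n  size={1} modified={2:u}`n  company={3} version={4}`n  sha256={5}" -f `
        $p, $item.Length, $item.LastWriteTime,
        $item.VersionInfo.CompanyName, $item.VersionInfo.FileVersion, (Get-Sha256 $p))
}

if ((Test-Path $target) -and (Test-Path $cached)) {
    if ((Get-Sha256 $target) -eq (Get-Sha256 $cached)) {
        Write-Output 'OK: system32 copy matches the dllcache copy.'
    } else {
        # A mismatch is a lead, not proof: dllcache can be tampered with as well.
        Write-Output 'WARNING: system32\wdmaud.sys differs from the dllcache copy.'
    }
}

# Embedded Authenticode check. XP drivers are mostly catalog-signed, so
# 'NotSigned' is only conclusive where the OS verifies catalog signatures
# (Windows 8 and later); treat it as one more indicator on XP.
if (Test-Path $target) {
    $sig = Get-AuthenticodeSignature -FilePath $target
    Write-Output ("Signature status: {0} signer={1}" -f $sig.Status, $sig.SignerCertificate.Subject)
}
```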
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you run the scans in normal mode? If you can, please do, as it will show more because in normal mode everything is running. The only thing I really need is the ComboFix log & MGTools log from normal mode.
     
  5. Tom K

    Tom K Private First Class

    Certainly. Again, the computer seems to be running quite normally, and search engine results remain uncompromised. The two scans were performed in Normal Mode. The requested logs are attached.

    :cool 100 Posts and Counting!

    Thank you so much again for your assistance.
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.


    Step 2:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    NOTE: If it's "grey" then it's already at the default level.
    Step 4:
    Please download ATF-Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF-Cleaner menu to close the program.

    Step 5:
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also, did you download these files to this location? If so, I would recommend relocating them or deleting them.

     
  8. Tom K

    Tom K Private First Class

    Hey bjgarrick,

    Thank you again for the quick reply! I experienced no difficulty in completing the instructions and getting the logs. I was prompted to do so, but did not restart the computer after uninstalling the two programs. However, the computer was restarted following the initial ComboFix repair. A minor issue I did encounter was when I attempted to reset the Default Security Settings in IE6. The button to select the Default option in Local Intranet, Trusted Sites, and Restricted Sites was "grey", so I presume this means it already is at that setting.

    The computer seems to be running quite normally, and search engine results remain uncompromised :)

    What specific malware appears to have been present to have caused this?

    Also, I moved those files out of Program Files and into the Download file. Those were applications I downloaded and I most likely saved them in that location to keep all application type files in one location.

    Thank you, again, for the help with this issue.
     

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would recommend upgrading to at least SP2 for many reasons, primarily security.

    Download the following file, save to your desktop and install.

    Your logs are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware & Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows Vista, Windows XP or Windows ME, you need to follow the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
