Jump to content

New User with a search engine, hijacker virus/trojan/malware...

Recommended Posts

I seem to have been infected with some sort of malware that hijacks my search engine searches. I'm not entirely tech savy so I purchased the full version of Malwarebytes in hopes of ridding my computer of this problem. After I run a scan, Malwarebytes does in fact discover a trojan, but after my computer restarts, and I open any Internet program (firefox, chrome, IE) the trojan is back as is confirmed by an additional scan with Malwarebytes.

I followed the instructions from the "I'm infected - What do I do now?" topic and attached is the requested info:

Please advise on what I could/should do next.



Link to post
Share on other sites

Hello Wayne760 and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Please uninstall the following applications:

Conduit Engine

WinZipBar Toolbar

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

Step 3

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log

Link to post
Share on other sites

I followed your directions and attached is the two files you requested.

Malwarebytes Anti-Malware (PRO)


Database version: v2012.07.30.06

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Twaddell :: TWADDELL-PC [administrator]

Protection: Enabled

7/30/2012 7:58:33 AM

mbam-log-2012-07-30 (07-58-33).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 197158

Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\Installer\{cb3e6b12-5653-e901-2e17-28ed00402f87}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.


aswMBR version Copyright© 2011 AVAST Software

Run date: 2012-07-30 08:32:26


08:32:26.029 OS Version: Windows x64 6.1.7601 Service Pack 1

08:32:26.029 Number of processors: 2 586 0x2505

08:32:26.030 ComputerName: TWADDELL-PC UserName: Twaddell

08:32:27.773 Initialize success

08:33:19.207 AVAST engine defs: 12073000

08:33:26.948 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

08:33:26.948 Disk 0 Vendor: ST950056 SD22 Size: 476940MB BusType: 3

08:33:26.958 Disk 0 MBR read successfully

08:33:26.958 Disk 0 MBR scan

08:33:26.968 Disk 0 Windows 7 default MBR code

08:33:26.978 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 25600 MB offset 2048

08:33:26.978 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 204800 MB offset 52430848

08:33:26.988 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 246539 MB offset 471861248

08:33:26.998 Disk 0 scanning C:\Windows\system32\drivers

08:33:34.011 Service scanning

08:33:48.685 Modules scanning

08:33:48.699 Disk 0 trace - called modules:


08:33:51.577 AVAST engine scan C:\Windows

08:33:53.681 AVAST engine scan C:\Windows\system32

08:35:08.961 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]

08:35:10.166 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]

08:36:18.228 AVAST engine scan C:\Windows\system32\drivers

08:36:25.943 AVAST engine scan C:\Users\Twaddell

08:37:03.184 Disk 0 MBR has been saved successfully to "C:\Users\Twaddell\Desktop\MBR.dat"

08:37:03.191 The log file has been saved successfully to "C:\Users\Twaddell\Desktop\aswMBR.txt"


mbam-log-2012-07-30 (07-58-33).txt

Link to post
Share on other sites


One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Please tick the Scan All users. Next, click the Quick Scan button. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

Link to post
Share on other sites

OK so I've decided to just go ahead and reload my computer.

Can I keep my files? (pictures and school papers etc.)

Do I need to purchase a copy of windows or is there a way to get what I need without purchasing? (windows was loaded on my computer when I bought it from Best Buy)

Link to post
Share on other sites

Can I keep my files? (pictures and school papers etc.)

Yes, you can.

Do I need to purchase a copy of windows or is there a way to get what I need without purchasing? (windows was loaded on my computer when I bought it from Best Buy)

Don't you have a CD or certificate that which indicates that Windows is genuine? Ask them about that. If not, you should buy a new one.

Link to post
Share on other sites

They don't give a cd when you buy a new computer at best buy anymore, instead you get the option to buy a cd. I chose not to buy the cd since nothing bad was ever going to happen to my computer. But let's just say I go to Bestbuy and they give me a certificate that says my copy of windows 7 is genuine. What would I do with the certificate?

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.