
IE and Chrome hijacked by searching.com and search.yahoo.com

This is a discussion on IE and Chrome hijacked by searching.com and search.yahoo.com within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 01-03-2016, 06:07 PM   #1
Registered Member
Join Date: Jan 2009
Location: ct/fl
Posts: 122
OS: windows xp

At first, whenever I opened a browser (Internet Explorer or Google Chrome) I got the never seen before search engine with the URL searching.com. I removed Chrome using the uninstall feature in Control Panel. When I saw it made no difference, I downloaded and installed Chrome again. Now when I open Chrome I get search.yahoo.com and when I open IE I still get searching.com.

I made an Avast rescue disk and ran it. It didn't find anything. I changed the default browser setting to Chrome and changed the home page to newyorktimes.com. These settings remain undisturbed but the problem didn't go away. There are no suspicious listings in the uninstall page in Control Panel.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7601.17514
Run by mugerdich at 7:38:49 on 2016-01-03
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3543.2186 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus *Enabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Program Files\Fitbit Connect\FitbitConnectService.exe
C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe
C:\Program Files\Freemake\CaptureLib\CaptureLibService.exe
C:\Program Files\REALTEK\USB Wireless LAN Utility\RtlService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\REALTEK\USB Wireless LAN Utility\RtWlan.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Fitbit Connect\Fitbit Connect.exe
C:\Program Files\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\LogonUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggbdw9dUVgQQBgWeAoOTA1JRw0OIgkKVRQURwASeQoNUg5BEFcFIk0FA1ADB0VXfVBdFElXTwhwJVhKAlElTlpoLlZP
mStart Page = hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggbdw9dUVgQQBgWeAoOTA1JRw0OIgkKVRQURwASeQoNUg5BEFcFIk0FA1ADB0VXfVBdFElXTwhwJVhKAlElTlpoLlZP
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Fitbit Connect] "c:\program files\fitbit connect\Fitbit Connect.exe" /autorun
uRun: [CCleaner Monitoring] "c:\program files\ccleaner\CCleaner.exe" /MONITOR
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRun: [Fitbit Connect] "c:\program files\fitbit connect\Fitbit Connect.exe" /autorun
mRun: [ProductUpdater] c:\program files\common files\freemake shared\productupdater\ProductUpdater.exe
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"https://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{7B932D55-383F-4B7E-80B2-8E818BE25179} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{FE0CB924-6E89-4368-93A0-20DBC4E88523} : DHCPNameServer = 75.75.75.75 75.75.76.76
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdisFlt;Avast! Firewall Driver;c:\windows\system32\drivers\aswNdisFlt.sys [2015-12-30 283584]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2015-12-30 49776]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2015-12-30 209432]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2015-12-30 26096]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2015-12-30 794952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2015-12-30 436360]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2015-12-30 24016]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2015-12-30 81168]
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2015-12-30 117712]
R2 avast! Antivirus;Avast Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2015-12-30 226440]
R2 avast! Firewall;Avast Firewall;c:\program files\avast software\avast\afwServ.exe [2015-12-30 109520]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 Fitbit Connect;Fitbit Connect Service;c:\program files\fitbit connect\FitbitConnectService.exe [2015-10-28 5906088]
R2 Freemake Improver;Freemake Improver;c:\programdata\freemake\freemakeutilsservice\FreemakeUtilsService.exe [2016-1-2 108032]
R2 FreemakeVideoCapture;FreemakeVideoCapture;c:\program files\freemake\capturelib\CaptureLibService.exe [2016-1-2 9216]
R2 RealtekCU;RealtekCU;c:\program files\realtek\usb wireless lan utility\RtlService.exe [2015-12-30 36864]
R3 AX88772B;ASIX AX88772B USB2.0 to Fast Ethernet Adapter;c:\windows\system32\drivers\ax88772b.sys [2015-5-27 105480]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6032.sys [2009-7-13 164864]
R3 RtlWlanu;Realtek Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTWlanU.sys [2015-12-30 1345168]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2016-1-2 52224]
.
=============== File Associations ===============
.
ShellExec: AvastSZB.exe: open="c:\program files\avast software\szbrowser\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2016-01-03 03:12:01 -------- d-----w- c:\windows\system32\SPReview
2016-01-03 03:11:41 -------- d-----w- c:\windows\system32\EventProviders
2016-01-02 23:36:06 1130824 ----a-w- c:\windows\system32\dfshim.dll
2016-01-02 23:36:04 52224 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
2016-01-02 23:36:04 11776 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2016-01-02 23:36:03 3215872 ----a-w- c:\windows\system32\mstscax.dll
2016-01-02 23:36:01 954752 ----a-w- c:\windows\system32\mfc40.dll
2016-01-02 23:36:01 954288 ----a-w- c:\windows\system32\mfc40u.dll
2016-01-02 23:36:01 1171456 ----a-w- c:\windows\system32\d3d10warp.dll
2016-01-02 23:36:00 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2016-01-02 23:36:00 739840 ----a-w- c:\windows\system32\d2d1.dll
2016-01-02 23:36:00 423936 ----a-w- c:\windows\system32\secproc_isv.dll
2016-01-02 23:36:00 1159168 ----a-w- c:\windows\system32\sysmain.dll
2016-01-02 23:34:52 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
2016-01-02 23:34:52 363008 ----a-w- c:\windows\system32\wbemcomn.dll
2016-01-02 18:40:48 -------- d-----w- c:\program files\WinPcap
2016-01-02 18:40:04 -------- d-----w- c:\programdata\Freemake
2016-01-02 18:40:04 -------- d-----w- c:\program files\common files\Freemake Shared
2016-01-02 18:40:03 -------- d-----w- c:\program files\Search Too Know
2016-01-02 18:39:55 -------- d-----w- c:\users\mugerdich\appdata\roaming\RPEng
2016-01-02 18:39:55 -------- d-----w- c:\program files\Freemake
2016-01-02 14:33:39 -------- d-----w- c:\program files\Windows Kits
2016-01-02 12:42:17 -------- d-----w- c:\users\mugerdich\appdata\local\Programs
2016-01-02 12:09:21 -------- d-----w- c:\program files\CCleaner
2016-01-02 02:35:40 -------- d-s---w- c:\windows\system32\CompatTel
2016-01-02 02:35:40 -------- d-----w- c:\windows\system32\appraiser
2016-01-02 02:35:40 -------- d-----w- c:\windows\Migration
2016-01-01 23:18:12 9014120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2016-01-01 23:18:09 9014120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{978dd716-44f7-4306-88c1-74112259ab73}\mpengine.dll
2016-01-01 23:11:48 -------- d-----w- c:\windows\system32\MRT
2016-01-01 23:10:26 62976 ----a-w- c:\windows\system32\acmigration.dll
2016-01-01 23:10:26 615936 ----a-w- c:\windows\system32\generaltel.dll
2016-01-01 23:10:26 587776 ----a-w- c:\windows\system32\invagent.dll
2016-01-01 23:10:26 423936 ----a-w- c:\windows\system32\devinv.dll
2016-01-01 23:10:26 23384 ----a-w- c:\windows\system32\CompatTelRunner.exe
2016-01-01 23:10:26 1167520 ----a-w- c:\windows\system32\aitstatic.exe
2016-01-01 23:10:26 1120768 ----a-w- c:\windows\system32\appraiser.dll
2016-01-01 23:10:20 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2016-01-01 23:10:20 123904 ----a-w- c:\windows\system32\poqexec.exe
2016-01-01 23:10:19 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2016-01-01 23:10:18 542208 ----a-w- c:\windows\system32\kerberos.dll
2016-01-01 23:07:25 2422272 ----a-w- c:\windows\system32\wucltux.dll
2016-01-01 23:07:20 88576 ----a-w- c:\windows\system32\wudriver.dll
2016-01-01 23:07:15 33792 ----a-w- c:\windows\system32\wuapp.exe
2016-01-01 23:07:15 171904 ----a-w- c:\windows\system32\wuwebv.dll
2015-12-31 01:43:53 -------- d-----w- c:\programdata\boost_interprocess
2015-12-31 01:43:52 -------- d-----w- c:\programdata\FitbitConnect
2015-12-31 01:43:52 -------- d-----w- c:\program files\Fitbit Connect
2015-12-30 23:10:13 -------- d-----w- c:\users\mugerdich\appdata\roaming\enchant
2015-12-30 2306 -------- d-----w- c:\users\mugerdich\AbiSuite
2015-12-30 23:05:16 -------- d-----w- c:\program files\AbiWord
2015-12-30 15:09:48 -------- d-----w- c:\program files\AVAST Software
2015-12-30 15:08:54 -------- d-----w- c:\programdata\AVAST Software
2015-12-30 15:02:53 -------- d-----w- c:\program files\Cisco
2015-12-30 15:02:23 -------- d-sh--w- c:\windows\Installer
2015-12-30 15:02:04 1345168 ----a-w- c:\windows\system32\drivers\RTWlanU.sys
2015-12-30 15:02:03 535040 ----a-w- c:\windows\system32\Rtlihvs.dll
2015-12-30 15:02:03 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2015-12-30 15:02:03 405504 ----a-w- c:\windows\SwUSB.exe
2015-12-30 15:02:03 380928 ----a-w- c:\windows\RtlUI2.exe
2015-12-30 15:02:03 36864 ----a-w- c:\windows\runSW.exe
2015-12-30 15:02:03 12981 ----a-w- c:\windows\system32\REALPKT.VXD
2015-12-30 15:02:03 100000 ----a-w- c:\windows\system32\EAPPkt9x.VXD
2015-12-30 15:01:50 -------- d-----w- c:\program files\REALTEK
2015-12-30 12:22:38 247976 ------w- c:\windows\system32\MpSigStub.exe
2015-12-30 12:17:35 -------- d-----w- c:\users\mugerdich\appdata\local\Google
2015-12-30 12:17:28 26096 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2015-12-30 12:13:27 -------- d-----w- c:\users\mugerdich\appdata\roaming\AVAST Software
2015-12-30 12:12:39 -------- d-----w- c:\program files\common files\AV
2015-12-30 12:12:31 209432 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2015-12-30 12:12:31 117712 ----a-w- c:\windows\system32\drivers\aswStm.sys
2015-12-30 12:12:30 81728 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2015-12-30 12:12:30 81168 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2015-12-30 12:12:30 49776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2015-12-30 12:12:30 24016 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2015-12-30 12:12:29 794952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2015-12-30 12:12:20 43112 ----a-w- c:\windows\avastSS.scr
2015-12-30 12:12:18 283584 ----a-w- c:\windows\system32\drivers\aswNdisFlt.sys
2015-12-30 05:22:05 -------- d-----w- c:\windows\system32\wbem\Performance
2015-12-30 05:12:12 -------- d-----w- c:\windows\Panther
.
==================== Find3M ====================
.
2016-01-03 03:15:51 152576 ----a-w- c:\windows\system32\msclmd.dll
.
============= FINISH: 7:39:22.46 ===============
Attached Files
File Type: txt attach.txt (4.4 KB, 25 views)
stevkaprel is offline  
Old 01-04-2016, 12:46 AM   #2
Security Team
Analyst
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello stevkaprel,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English, so please do not use slang or idioms; they could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

Please do the below steps.

STEP 1

Please download AdwCleaner from here and save it to your desktop.

Click the green 'Download now @bleepingcomputer' button.
Run AdwCleaner and select Scan
Once the Scan is done, select Cleaning
Once done it will ask to reboot, please allow the reboot.
On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
Please copy/paste the contents of the log in your next reply.

STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

========================================================

I need to see in your next post:


  • AdwCleaner[C#].txt
  • FRST.txt
  • Addition.txt
tekir06 is offline  
Old 01-04-2016, 03:23 PM   #3
Registered Member

# AdwCleaner v5.028 - Logfile created 04/01/2016 at 17:56:50
# Updated 04/01/2016 by Xplode
# Database : 2016-01-04.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x86)
# Username : mugerdich - WECKSLER
# Running from : C:\Users\mugerdich\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : Forum - ToolsLib

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Users\mugerdich\AppData\Roaming\RPEng

***** [ Files ] *****

[-] File Deleted : C:\Users\mugerdich\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage
[-] File Deleted : C:\Users\mugerdich\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage-journal

***** [ DLLs ] *****


***** [ Shortcuts ] *****

[-] Shortcut Disinfected : C:\Users\mugerdich\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[-] Shortcut Disinfected : C:\Users\mugerdich\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
[-] Shortcut Disinfected : C:\Users\mugerdich\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet-Explorer Browser.lnk
[-] Shortcut Disinfected : C:\Users\mugerdich\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk

***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{79F768ED-0B12-42EF-8257-36751A0ECF3A}]
[-] Key Deleted : HKCU\Software\OMX_Media
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www-searching.com

***** [ Web browsers ] *****

[-] [C:\Users\mugerdich\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggbdw9dUVgQQBgWeAoOTA1JRw0OIgkKVRQURwASeQoNUg5BEFcFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlElTlpoLlZP
[-] [C:\Users\mugerdich\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : jlcgehabolcakkjhgmgpkagpolbjlhfa
[-] [C:\Users\mugerdich\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Homepage] Deleted : hxxp://www-searching.com/?pid=s&s=G11zamobl10924,fcd236fb-c86e-4bd3-9d88-e508295f6db3,&vp=ch&prd=set_ch

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2995 bytes] ##########
Attached Files
File Type: txt Addition_04-01-2016_18-10-10.txt (16.4 KB, 22 views)
File Type: txt FRST_04-01-2016_18-10-10.txt (139.1 KB, 18 views)
stevkaprel is offline  
Old 01-05-2016, 04:58 AM   #4
Security Team
Analyst

Hello stevkaprel,

Thanks for the logs. Lets continue.

If you see the following folder, uninstall it via Programs and Features in your Control Panel.

Quote:
c:\program files\Search Too Know
==========================================================

CCleaner

We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here

=========================================================

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1218577709-2800860406-2388123648-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\Faster Web\faster-web.xpi => not found
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggbdw9dUVgQQBgWeAoOTA1JRw0OIgkKVRQURwASeQoNUg5BEFcFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlElTlpoLlZP"
CHR NewTab: Default -> "chrome-extension://jlcgehabolcakkjhgmgpkagpolbjlhfa/newtab/newtab-hp.html"
CHR HKU\S-1-5-21-1218577709-2800860406-2388123648-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jlcgehabolcakkjhgmgpkagpolbjlhfa] - hxxps://clients2.google.com/service/update2/crx
EmptyTemp:
Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
tekir06 is offline  
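The fix above works by editing a known set of locations by hand: the IE Start Page (uStart/mStart in the DDS report), the SearchScopes DefaultScope URL in HKCU and HKLM, Chrome's Secure Preferences (startup URLs, homepage and the extension list) and the browser .lnk files whose arguments AdwCleaner reported as disinfected. Before and after running such a fix it is worth auditing those same locations yourself. The PowerShell script below is an added example written for this page; it is not code from the thread, from FRST or from AdwCleaner. The indicator strings are the ones that appear in the logs above; the registry and file paths are the standard Windows 7 locations, and the script only reads and reports, it changes nothing. It needs PowerShell 3.0 or later for ConvertFrom-Json (Windows 7 ships with 2.0 unless the Windows Management Framework update is installed).

```powershell
# Added example for this page, not code from the thread, FRST or AdwCleaner.
# Read-only audit of the browser hijack locations the logs above point at.
# Requires PowerShell 3.0+ (ConvertFrom-Json). Run as the affected user.

# Indicator strings taken from the DDS, AdwCleaner and FRST output in the thread.
$Indicators = @(
    'searching.com',
    'searchinterneat-a.akamaihd.net',
    'jlcgehabolcakkjhgmgpkagpolbjlhfa'   # Chrome extension ID AdwCleaner removed
)

function Test-Indicator {
    param([string]$Text)
    # -like is case-insensitive; an empty/null value never matches.
    foreach ($i in $Indicators) {
        if ($Text -and $Text -like "*$i*") { return $true }
    }
    return $false
}

$Findings = @()

# 1. IE start page (uStart/mStart in DDS) and the SearchScopes DefaultScope URL,
#    per user (HKCU) and per machine (HKLM), the two keys the FRST fixlist targets.
foreach ($hive in 'HKCU', 'HKLM') {
    $main = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
    if ($main -and (Test-Indicator $main.'Start Page')) {
        $Findings += "$hive IE Start Page = $($main.'Start Page')"
    }
    $scopes  = "${hive}:\Software\Microsoft\Internet Explorer\SearchScopes"
    $default = (Get-ItemProperty -Path $scopes -ErrorAction SilentlyContinue).DefaultScope
    if ($default) {
        $url = (Get-ItemProperty -Path "$scopes\$default" -ErrorAction SilentlyContinue).URL
        if (Test-Indicator $url) { $Findings += "$hive SearchScopes DefaultScope $default URL = $url" }
    }
}

# 2. Chrome Secure Preferences: startup URLs, homepage and installed extension IDs
#    (the three entries AdwCleaner reported under [Web browsers]).
$prefPath = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Secure Preferences'
if (Test-Path $prefPath) {
    $prefs = Get-Content -Raw -Path $prefPath | ConvertFrom-Json
    foreach ($u in @($prefs.session.startup_urls)) {
        if (Test-Indicator $u) { $Findings += "Chrome startup URL = $u" }
    }
    if (Test-Indicator $prefs.homepage) { $Findings += "Chrome homepage = $($prefs.homepage)" }
    if ($prefs.extensions.settings) {
        foreach ($id in $prefs.extensions.settings.PSObject.Properties.Name) {
            if (Test-Indicator $id) { $Findings += "Chrome extension present: $id" }
        }
    }
}

# 3. Browser shortcuts whose arguments carry a URL: the .lnk hijack that
#    AdwCleaner listed as "Shortcut Disinfected". Paths match the ones in that log.
$shell = New-Object -ComObject WScript.Shell
$lnkRoots = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'),
    [Environment]::GetFolderPath('Desktop')
)
foreach ($root in $lnkRoots) {
    foreach ($file in (Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue)) {
        $lnk = $shell.CreateShortcut($file.FullName)
        if ($lnk.TargetPath -match 'iexplore\.exe$|chrome\.exe$|firefox\.exe$' -and $lnk.Arguments -match 'https?://') {
            $Findings += "Shortcut with URL argument: $($file.FullName) -> $($lnk.Arguments)"
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No hijack indicators found in the audited locations.'
} else {
    $Findings | ForEach-Object { Write-Output "FOUND: $_" }
}
```

Run it in the affected user's session so $env:LOCALAPPDATA and $env:APPDATA resolve to that profile; the HKLM keys are readable without elevation. A clean run prints a single line, and every FOUND line is a location you would expect to see in the removal tool's fix. Chrome keeps an HMAC over the values in Secure Preferences, so do not edit that file by hand; change those settings through Chrome's own settings page or a removal tool.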
Old 01-06-2016, 11:26 AM   #5
Registered Member

When I tried to run FRST.exe I got a message saying an illegal instruction was encountered together with an option to close or ignore.
stevkaprel is offline  
Old 01-06-2016, 04:50 PM   #6
Registered Member

I just noticed that the problem has gone away. I am no longer getting the unwanted searching.com or search.yahoo.com. I don't know how it came about. But I guess we can consider this thread solved.
stevkaprel is offline  
Old 01-06-2016, 11:36 PM   #7
Security Team
Analyst

Hello stevkaprel,
Quote:
I just noticed that the problem has gone away. I am no longer getting the unwanted searching.com or search.yahoo.com.
I'm glad to hear that. But I want to be sure. Would you do the following instructions?

Please download Malwarebytes Anti-Malware and save it to your desktop.

Double-click mbam-setup-2.2.0.1024.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish.
At the end of the installation, a database update will be performed.
Click on Scan Now.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.
tekir06 is offline  
Old 01-08-2016, 04:37 AM   #8
Registered Member

I just went through the attachment process but I don't see anything telling me it worked.

I'll post this and you can tell me if there is no attachment.
Attached Files
File Type: txt mb scan log.txt (4.7 KB, 17 views)
stevkaprel is offline  
Old 01-08-2016, 05:02 AM   #9
Security Team
Analyst

Hello,

The MBAM log looks good. Please do the below instructions. Then tell me how the machine is behaving now. What problems do you still have?

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.

Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
Click the blue Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
Click on Advanced Settings
Make sure that the option Remove found threats is unticked.
Ensure these options are ticked
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
Click Start
Wait for the scan to finish
When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
Close the ESET online scan, and let me know how things are now.
tekir06 is offline  
Old 01-10-2016, 12:31 PM   #10
Security Team
Analyst

Hello stevkaprel,

Still with us? If you don't reply within 24 hours, this thread shall be closed.
tekir06 is offline  
Old 01-11-2016, 03:58 AM   #11
Registered Member

Hi. The computer is working normally now. No more hijacked browser.

Here are the scan results:

C:\Program Files\Freemake\Freemake Video Downloader\SetupUpdate.exe a variant of Win32/OpenCandy.A potentially unsafe application

C:\Users\mugerdich\AppData\Local\Temp\FreemakeVideoDownloaderFull.exe a variant of Win32/OpenCandy.A potentially unsafe application

C:\Users\mugerdich\AppData\Local\Temp\Temp1_CCleaner Setup.zip\CCleaner.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
stevkaprel is offline  
Old 01-11-2016, 05:44 AM   #12
Security Team
Analyst

Hello again,

Finally, follow the instructions below. Then I'm going to give final instructions.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
C:\Program Files\Freemake\Freemake Video Downloader\SetupUpdate.exe
C:\Users\mugerdich\AppData\Local\Temp\FreemakeVideoDownloaderFull.exe
C:\Users\mugerdich\AppData\Local\Temp\Temp1_CCleaner Setup.zip\CCleaner.exe
EmptyTemp:
Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
tekir06 is offline  
Old 01-13-2016, 02:19 PM   #13
Registered Member

I ran into a problem. I hadn't saved frst.exe from the previous time so tried to download it again. I downloaded the 64 bit version but got a message it was incompatible with my version of Windows. (My computer is 64 bit but my OS was originally supplied with a 32 bit machine.) I tried to download the 32 bit version several times but got a "threat blocked" message from Avast each time.
stevkaprel is offline  
Old 01-13-2016, 11:19 PM   #14
Security Team
Analyst

Hello again,

Please disable the security software and try again.

https://www.techsupportforum.com/foru...ns-490111.html
tekir06 is offline  
Old 01-14-2016, 05:19 AM   #15
Registered Member

Disabling the security software worked. Here is fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x86) Version:10-01-2015 01
Ran by mugerdich (2016-01-14 08:11:53) Run:1
Running from C:\Users\mugerdich\Desktop
Loaded Profiles: mugerdich (Available Profiles: mugerdich)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
C:\Program Files\Freemake\Freemake Video Downloader\SetupUpdate.exe
C:\Users\mugerdich\AppData\Local\Temp\FreemakeVideoDownloaderFull.exe
C:\Users\mugerdich\AppData\Local\Temp\Temp1_CCleaner Setup.zip\CCleaner.exe
EmptyTemp:
*****************

Restore point was successfully created.
C:\Program Files\Freemake\Freemake Video Downloader\SetupUpdate.exe => moved successfully
"C:\Users\mugerdich\AppData\Local\Temp\FreemakeVideoDownloaderFull.exe" => not found.
"C:\Users\mugerdich\AppData\Local\Temp\Temp1_CCleaner Setup.zip\CCleaner.exe" => not found.
EmptyTemp: => 329.5 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 08:12:12 ====
stevkaprel is offline  
Old 01-15-2016, 12:07 AM   #16
Security Team
Analyst

Hello stevkaprel,

Thanks for the log. Your reports are clear. Let's remove all the tools and logs that we used.

CLEAN UP

Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Right-click on delfix.exe and select "Run as administrator" to run it.
  • Ensure Remove disinfection tools is ticked. Also tick: Create registry backup, Purge system restore
  • Click Run
  • delfix will now delete all found traces of our removal process.
Note: The program will run for a few moments and then notepad will open with a log. No need to post this log.

=========================================================

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System. Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn ON Automatic Updates in Windows 7

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows

------------------------------------------------------

PREVENTION

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows 7 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
tekir06 is offline  
Old 01-17-2016, 03:56 AM   #17
Registered Member

Done. Thanks a lot, tekir06.
stevkaprel is offline  
Old 01-17-2016, 11:22 PM   #18
Security Team
Analyst

Hello stevkaprel,

You're welcome! Thank you for your patience and cooperation.
tekir06 is offline  
 
