Help with "Search here"

Discussion in 'Malware Removal' started by Karynsig, Oct 14, 2012.

  1. Karynsig

    Karynsig Private E-2

    Hello Geeks,
    My very unwise 13 year old thought he would download this "super popular game", and we all know how that inevitably ends up. So now I have all this crap on my computer, some of which I got off after following previous threads, but I still haven't been able to get rid of "Search here", which shows up where my default Google search used to be. He doesn't remember what page he was on that made this happen, just that he googled the game and when he downloaded it, that was when the problems started. We also can't change our default home page back to our tabs that we had before.

    Any and all help is much appreciated. Hopefully I've followed the instructions correctly and have included all the correct information.

    Nothing was found with Kaspersky TDSSKiller.

    Thanks in advance for your help.
    Karyn
     


  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to MajorGeeks, Karyn :)

    Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Once the scan is complete, go to the Registry tab and checkmark everything except the below items:
    • [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0)
    • [HJ] HKLM\[...]\System : EnableLUA (0)
    • [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Now click the [IMG] button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  3. Karynsig

    Karynsig Private E-2

    Thank you for your quick response. I also forgot to mention I run Firefox.

    I ran both of the scans recommended; the logs are attached.
     

  4. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 17 (outdated)

    __

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the [IMG] text-field.
    Code:
    :otl
    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
    IE:64bit: - HKLM\..\SearchScopes\{568F1261-D116-4E54-90B8-17D0ACDE2AD7}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
    IE - HKLM\..\SearchScopes\{568F1261-D116-4E54-90B8-17D0ACDE2AD7}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
    IE - HKU\S-1-5-21-3939388436-2998295895-1958501398-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.genieo.com/?v=w3i8
    IE - HKU\S-1-5-21-3939388436-2998295895-1958501398-1000\..\SearchScopes\{568F1261-D116-4E54-90B8-17D0ACDE2AD7}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
    IE - HKU\S-1-5-21-3939388436-2998295895-1958501398-1000\..\SearchScopes\{A8CA957B-8C3D-4AE7-8C5B-2B33A1334166}: "URL" = http://us.yhs4.search.yahoo.com/yhs/search?hspart=w3i&hsimp=yhs-geneiotransfer&type=W3i_IA,206,0_0,StartPage,20120102,18482,0,0,6434&p={searchTerms}
    FF - prefs.js..browser.search.selectedEngine: "Search Here"
    FF - prefs.js..extensions.enabledAddons: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:3.15.1.0
    FF - prefs.js..extensions.enabledAddons: addon@defaulttab.com:1.4.2
    FF - prefs.js..extensions.enabledAddons: crossriderapp4639@crossrider.com:0.85.42
    FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.8.6
    FF - prefs.js..extensions.enabledItems: wtxpcom@mybrowserbar.com:4.5
    FF - prefs.js..extensions.enabledItems: youtubedownloader@mybrowserbar.com:4.5
    [2012/08/21 18:21:12 | 000,000,000 | ---D | M] (Zynga Community Toolbar) -- C:\Users\nex\AppData\Roaming\mozilla\Firefox\Profiles\c7heh1w2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
    [2012/10/13 15:04:07 | 000,000,000 | ---D | M] ("SavingsApp") -- C:\Users\nex\AppData\Roaming\mozilla\Firefox\Profiles\c7heh1w2.default\extensions\crossriderapp4639@crossrider.com
    [2012/10/13 15:04:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\nex\AppData\Roaming\mozilla\Firefox\Profiles\c7heh1w2.default\extensions\crossriderapp4639@crossrider.com\chrome\content\extensionCode
    [2012/10/12 20:32:18 | 000,022,424 | ---- | M] () (No name found) -- C:\Users\nex\AppData\Roaming\mozilla\firefox\profiles\c7heh1w2.default\extensions\addon@defaulttab.com.xpi
    [2012/10/13 10:37:05 | 000,001,301 | ---- | M] () -- C:\Users\nex\AppData\Roaming\mozilla\firefox\profiles\c7heh1w2.default\searchplugins\my-homepage.xml
    [2012/10/14 17:50:09 | 000,002,030 | ---- | M] () -- C:\Users\nex\AppData\Roaming\mozilla\firefox\profiles\c7heh1w2.default\searchplugins\search-here.xml
    CHR - Extension: DefaultTab = C:\Users\nex\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.8_0\
    O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (DefaultTab Browser Helper) - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\nex\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll File not found
    [2012/10/12 20:22:58 | 000,000,000 | ---D | C] -- C:\Users\nex\AppData\Roaming\DefaultTab
    [2012/10/12 20:22:44 | 000,000,000 | ---D | C] -- C:\Users\nex\AppData\Local\SavingsApp
    [2011/06/06 11:24:18 | 000,015,182 | -HS- | C] () -- C:\Users\nex\AppData\Local\5jg1r583qpn477kyq6grmg71
    [2011/06/06 11:24:18 | 000,015,182 | -HS- | C] () -- C:\ProgramData\5jg1r583qpn477kyq6grmg71
    [2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
    :files
    C:\Users\nex\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc /d
    :reg
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\RunOnce]
    "AvgUninstallURL"=-
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the [IMG] button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Please save the work in your browsers before proceeding.
    • Double-click JRT.exe to run (Vista/7 right-click and select Run as Administrator)
    • The tool will open and start scanning your system.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Please attach JRT.txt to your next message. (How to attach)

    __

    Let me know what problems remain after you have completed these steps.
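    The OTL script above rewrites three kinds of setting: Internet Explorer's start page and SearchScopes, IE browser helper objects (BHOs), and Firefox's selected search engine and add-ons. As an added example that is not part of this thread or of OTL, the following read-only PowerShell inventory lists the current values in those same places, so a hijack can be confirmed before anything is deleted; the "known engines" baseline and the default Firefox profile location are assumptions.

```powershell
# Added example, not from the thread: read-only inventory of the settings the
# OTL script rewrote (IE SearchScopes, IE BHOs, Firefox selected engine).
# Assumes PowerShell 3+ on Windows and Firefox profiles under %APPDATA%.
$KnownEngines = @('Google', 'Bing', 'Yahoo', 'DuckDuckGo')   # assumed local baseline

function Get-IESearchScopes {
    # Machine defaults (both registry views on 64-bit) plus the current user's scopes.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
             'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Key = $root; Scope = $_.PSChildName; Name = $p.DisplayName; URL = $p.URL }
        }
    }
}

function Get-BrowserHelperObjects {
    # Each BHO is a CLSID subkey; the DLL path is the InprocServer32 default value
    # of that CLSID, which may be registered in the 64-bit, 32-bit or per-user view.
    $bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $clsidRoots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID'
    foreach ($root in $bhoRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            $dll = $null
            foreach ($c in $clsidRoots) {
                $v = (Get-ItemProperty "$c\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                if ($v) { $dll = [Environment]::ExpandEnvironmentVariables($v); break }
            }
            # OTL's "No CLSID value found" is Dll = $null; its "File not found" is DllPresent = $false.
            [pscustomobject]@{ CLSID = $clsid; Dll = $dll; DllPresent = [bool]($dll -and (Test-Path $dll)) }
        }
    }
}

function Get-FirefoxSelectedEngine {
    # prefs.js stores the active engine as user_pref("browser.search.selectedEngine", "...").
    Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        $m = if (Test-Path $prefs) {
            Select-String -Path $prefs -Pattern 'user_pref\("browser\.search\.selectedEngine",\s*"([^"]*)"\)' | Select-Object -First 1
        }
        $engine = if ($m) { $m.Matches[0].Groups[1].Value }
        [pscustomobject]@{ Profile = $_.Name; SelectedEngine = $engine; EngineIsKnown = ($engine -in $KnownEngines) }
    }
}

Get-IESearchScopes        | Format-Table -AutoSize
Get-BrowserHelperObjects  | Format-Table -AutoSize
Get-FirefoxSelectedEngine | Format-Table -AutoSize
```

    A dangling BHO (DllPresent false) or a selected engine outside the baseline is the kind of entry the fix above removes; the searchplugins folder of the profile still has to be inspected by hand.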
     
  5. Karynsig

    Karynsig Private E-2

    It looks like that took care of it. I really appreciate your support on this, I'm very thankful to have a trustworthy site where the members are so helpful.

    Here are the two logs from the last steps you had me do; if all looks good then I can have this matter closed.

    I wish I had the skills you do!

    Karyn
     


  6. thisisu

    thisisu Malware Consultant

    You're very welcome :)

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • You can delete the C:\JRT folder at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  7. Karynsig

    Karynsig Private E-2

    Thanks for all your help. I did all that, and now there's an IP conflict and we can't get online at all. I am pretty sure they're related because it did this after I finished everything. Also, I couldn't do the system restore, it wouldn't let me click apply at the end.

    Ideas?
     
  8. thisisu

    thisisu Malware Consultant

    What was the last step that you recall performing before this issue occurred?

    __

    Have you tried rebooting your computer yet? If not, try it now.
     
  9. Karynsig

    Karynsig Private E-2

    Well, I know I was able to get on the internet when I was doing your last step about removing ComboFix and MGTools and the system restore. I got an IP error at some point during that time, but we were still on the internet until late last night. This morning when my hubby tried to get on the computer it wouldn't let him. I have rebooted it several times, to no avail. :cry
     
  10. thisisu

    thisisu Malware Consultant

    We never ran ComboFix so you should have skipped that step. Although, that command wouldn't have done any harm anyways since ComboFix wasn't present.

    __

    Now download the latest MGtools.exe to the root of your c: drive.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  11. Karynsig

    Karynsig Private E-2

    Hi...sorry it took me so long to get back to you, since I haven't been able to get on our regular laptop I used the kids' laptop, and I can't even tell you how horrible that experience was. I am not even going to attempt to fix that one. I did uninstall a bunch of programs so that I could actually see the window for the internet because before it was pushed down so far from the 8000 toolbars that both kids swore they didn't install...oy vey.

    Anyway, I can't get on that computer to download anything, or to be able to upload logs.

    But - I did some searches for resolving IP conflicts and one of the things that I was reading said to make sure the DHCP Client service was started, which it wasn't. When I tried to start it, it says "Error 1075: The dependency service does not exist or has been marked for deletion."

    I'm pretty sure DHCP client service shouldn't be deleted, that's probably my problem, right? how do I get it back??
     
  12. thisisu

    thisisu Malware Consultant

    Hi,

    Your logs were showing that DHCP was started (as well as many other internet dependencies)

    Code:
    Checking DHCP, AFD, NetBT, tdx, TCP/IP, NSI and nsiproxy Service States 
    
       Dynamic Host Control Protocol -DHCP-     is running  
       AFD Networking Support Environment -AFD- is running  
       NetBios over Tcpip -NetBT-               is running  
       NetIO Legacy TDI support driver  -tdx-   is running  
       TCP/IP Protocol Driver -TCP/IP-          is running  
       Network Store Interface Service -nsi-    is running  
       NSI Proxy Service  -nsiproxy-            is running  
    I need you to run MGtools.exe on the computer without internet access and then copy MGlogs.zip onto a flash drive or burn it to a CD.
    Then bring that flash drive / CD to a working computer, plug it in, and upload the contents for me to review so that I can see what was changed.
     
  13. Karynsig

    Karynsig Private E-2

    I tried doing what you said, I downloaded MGTools to an external drive and then put it in C:\. When I tried to run as an administrator, it says "C:\MGtools.exe is not a valid Win32 application." :/
     
  14. thisisu

    thisisu Malware Consultant

    It sounds like the copy wasn't successful (only a partial copy). Try again.
     
  15. Karynsig

    Karynsig Private E-2

    Hello - thanks for your patience, it's been a crazy week at work. I am back at it trying to get our computer fixed.

    I successfully downloaded and transferred MGtools to my other computer, executed it, and copied the MGlogs zip file back to this computer. It's attached to this.

    Ah, another weekend of trying to unscrew the computer...I can't wait for my kids to have kids who mess up their computers, ha ha ha.

    Thanks again for the ongoing assistance!
     


  16. thisisu

    thisisu Malware Consultant

    A file was altered. I'm not sure by what exactly. It could just be corrupted. We can replace with a good copy. Just follow the steps below.

    BEFORE:
    Code:
    ============= Finding copies of afd.sys                     
    2011-12-28 03:59:24           498,688 [1C7857B62DE5994A75B054A9FD4C3825] C:\Windows\System32\drivers\afd.sys
    AFTER:
    Code:
    ============= Finding copies of afd.sys                     
    2012-10-15 01:39:55            22,368 [42B7E1AA0C7EC54652A50585793F1885] C:\Windows\System32\drivers\AFD.SYS
    __

    Please download and run AVG Remover

    __

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the [IMG] text-field.
    Code:
    :processes
    killallprocesses
    :files
    C:\Users\nex\AppData\Roaming\Microsoft\Windows\Templates\5jg1r583qpn477kyq6grmg71 /d
    C:\windows\system32\drivers\afd.sys|C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys /replace
    
    Now click the [IMG] button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
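    Post 12 listed the service chain DHCP depends on, and post 16 found that one of those dependencies, afd.sys, had changed size and MD5 hash and restored it from the WinSxS copy. As an added example, not from the thread or from MGtools, the following PowerShell check automates that comparison: it walks the Dhcp service's declared dependencies, confirms each binary exists, and compares it with every same-named copy in WinSxS. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt, and it changes nothing.

```powershell
# Added example, not from the thread: walk the Dhcp service's declared
# dependencies (the chain behind "Error 1075"), confirm each one's binary is
# present, and compare it with the copies Windows stages under WinSxS, the
# same check post 16 made by hand on afd.sys. Assumes PowerShell 4+ for
# Get-FileHash and an elevated prompt; it only reads and replaces nothing.
function Get-ServiceBinaryPath {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    if (-not $image) { return $null }
    # Drivers use \SystemRoot\..., system32\... or \??\C:\...; services use %SystemRoot% plus arguments.
    $image = [Environment]::ExpandEnvironmentVariables($image)
    $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $image = $image -replace '^\\\?\?\\', ''
    $image = $image -replace '^system32\\', "$env:SystemRoot\system32\"
    if ($image -match '^"([^"]+)"') { return $Matches[1] }        # quoted path followed by arguments
    if ($image -match '^(\S+\.(exe|sys|dll))') { return $Matches[1] }
    return $image
}

function Compare-WithWinSxS {
    param([string]$Path)
    # Hash the live file and every same-named file in the component store (slow on first run).
    $live = Get-FileHash -Path $Path -Algorithm MD5
    $staged = Get-ChildItem -Path "$env:SystemRoot\winsxs" -Recurse -Filter (Split-Path $Path -Leaf) -File -ErrorAction SilentlyContinue |
              ForEach-Object { Get-FileHash -Path $_.FullName -Algorithm MD5 }
    [pscustomobject]@{
        File              = $Path
        SizeBytes         = (Get-Item $Path).Length
        MD5               = $live.Hash
        StagedCopies      = @($staged).Count
        MatchesStagedCopy = [bool](@($staged) | Where-Object { $_.Hash -eq $live.Hash })
    }
}

function Test-DhcpDependencyChain {
    # DependOnService is the REG_MULTI_SZ the Service Control Manager consults
    # (typically Afd, NSI and Tdx on Windows 7). svchost-hosted entries resolve to
    # svchost.exe itself; their real module is Parameters\ServiceDll (not followed here).
    $deps = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp').DependOnService
    foreach ($dep in $deps) {
        $bin = Get-ServiceBinaryPath -Name $dep
        if (-not $bin)             { Write-Warning "${dep}: no service key or ImagePath (Error 1075 candidate)"; continue }
        if (-not (Test-Path $bin)) { Write-Warning "${dep}: binary missing at $bin"; continue }
        Compare-WithWinSxS -Path $bin
    }
}

Test-DhcpDependencyChain | Format-Table -AutoSize
```

    A dependency whose live file matches no staged copy (MatchesStagedCopy false), as afd.sys did in post 16, is the one to compare against the WinSxS version before deciding on a replacement.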
     
  17. Karynsig

    Karynsig Private E-2

    I'm doing your steps now (computer is rebooting). Is AVG bad for my computer?
     
  18. Karynsig

    Karynsig Private E-2

    OK - I followed your instructions and I've attached the log to this post.

    I didn't see any instruction to run a scan with OTL, is that right? I just did the custom fix as described below.
     


  19. thisisu

    thisisu Malware Consultant

    That's correct.

    Test for internet access if you haven't already.

    If you do not have internet access, post a new MGlogs.zip for me to review.
     
  20. Karynsig

    Karynsig Private E-2

    Still no access. Here is my new MGlogs.zip file.
     
