Help with "Search here"

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Karynsig, Oct 14, 2012.

  1. Karynsig

    Karynsig Private E-2

    Hello Geeks,
    My very unwise 13 year old thought he would download this "super popular game", and we all know how that inevitably ends up. So now I have all this crap on my computer, some of which I got off after following previous threads, but I still haven't been able to get rid of "Search here", which shows up where my default Google search used to be. He doesn't remember what page he was on that made this happen, just that he googled the game and when he downloaded it, that was when the problems started. We also can't change our default home page back to our tabs that we had before.

    Any and all help is much appreciated. Hopefully I've followed the instructions correctly and have included all the correct information.

    Nothing was found with Kaspersky TDSSKiller.

    Thanks in advance for your help.
    Karyn
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to MajorGeeks, Karyn :)

    Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Once the scan is complete, go to the Registry tab and checkmark everything except the below items:
    • [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0)
    • [HJ] HKLM\[...]\System : EnableLUA (0)
    • [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  3. Karynsig

    Karynsig Private E-2

    Thank you for your quick response. I also forgot to mention I run Firefox.

    I ran both of the scans recommended; the logs are attached.
     

    Attached Files:

    Last edited: Oct 14, 2012
  4. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 17 (outdated)

    __

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
    IE:64bit: - HKLM\..\SearchScopes\{568F1261-D116-4E54-90B8-17D0ACDE2AD7}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
    IE - HKLM\..\SearchScopes\{568F1261-D116-4E54-90B8-17D0ACDE2AD7}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
    IE - HKU\S-1-5-21-3939388436-2998295895-1958501398-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.genieo.com/?v=w3i8
    IE - HKU\S-1-5-21-3939388436-2998295895-1958501398-1000\..\SearchScopes\{568F1261-D116-4E54-90B8-17D0ACDE2AD7}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
    IE - HKU\S-1-5-21-3939388436-2998295895-1958501398-1000\..\SearchScopes\{A8CA957B-8C3D-4AE7-8C5B-2B33A1334166}: "URL" = http://us.yhs4.search.yahoo.com/yhs/search?hspart=w3i&hsimp=yhs-geneiotransfer&type=W3i_IA,206,0_0,StartPage,20120102,18482,0,0,6434&p={searchTerms}
    FF - prefs.js..browser.search.selectedEngine: "Search Here"
    FF - prefs.js..extensions.enabledAddons: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:3.15.1.0
    FF - prefs.js..extensions.enabledAddons: addon@defaulttab.com:1.4.2
    FF - prefs.js..extensions.enabledAddons: crossriderapp4639@crossrider.com:0.85.42
    FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.8.6
    FF - prefs.js..extensions.enabledItems: wtxpcom@mybrowserbar.com:4.5
    FF - prefs.js..extensions.enabledItems: youtubedownloader@mybrowserbar.com:4.5
    [2012/08/21 18:21:12 | 000,000,000 | ---D | M] (Zynga Community Toolbar) -- C:\Users\nex\AppData\Roaming\mozilla\Firefox\Profiles\c7heh1w2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
    [2012/10/13 15:04:07 | 000,000,000 | ---D | M] ("SavingsApp") -- C:\Users\nex\AppData\Roaming\mozilla\Firefox\Profiles\c7heh1w2.default\extensions\crossriderapp4639@crossrider.com
    [2012/10/13 15:04:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\nex\AppData\Roaming\mozilla\Firefox\Profiles\c7heh1w2.default\extensions\crossriderapp4639@crossrider.com\chrome\content\extensionCode
    [2012/10/12 20:32:18 | 000,022,424 | ---- | M] () (No name found) -- C:\Users\nex\AppData\Roaming\mozilla\firefox\profiles\c7heh1w2.default\extensions\addon@defaulttab.com.xpi
    [2012/10/13 10:37:05 | 000,001,301 | ---- | M] () -- C:\Users\nex\AppData\Roaming\mozilla\firefox\profiles\c7heh1w2.default\searchplugins\my-homepage.xml
    [2012/10/14 17:50:09 | 000,002,030 | ---- | M] () -- C:\Users\nex\AppData\Roaming\mozilla\firefox\profiles\c7heh1w2.default\searchplugins\search-here.xml
    CHR - Extension: DefaultTab = C:\Users\nex\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.8_0\
    O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (DefaultTab Browser Helper) - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\nex\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll File not found
    [2012/10/12 20:22:58 | 000,000,000 | ---D | C] -- C:\Users\nex\AppData\Roaming\DefaultTab
    [2012/10/12 20:22:44 | 000,000,000 | ---D | C] -- C:\Users\nex\AppData\Local\SavingsApp
    [2011/06/06 11:24:18 | 000,015,182 | -HS- | C] () -- C:\Users\nex\AppData\Local\5jg1r583qpn477kyq6grmg71
    [2011/06/06 11:24:18 | 000,015,182 | -HS- | C] () -- C:\ProgramData\5jg1r583qpn477kyq6grmg71
    [2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
    :files
    C:\Users\nex\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc /d
    :reg
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\RunOnce]
    "AvgUninstallURL"=-
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Please save the work in your browsers before proceeding.
    • Double-click JRT.exe to run (Vista/7 right-click and select Run as Administrator)
    • The tool will open and start scanning your system.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Please attach JRT.txt to your next message. (How to attach)

    __

    Let me know what problems remain after you have completed these steps.
     
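The OTL fix above removes a hijacked default search engine, a changed homepage and several unwanted add-ons from the Firefox profile. The following is an added example, not code from the thread or from OTL, that audits a prefs.js for the same three indicators against an allowlist; the sample prefs.js and the allowlists are constructed for the demo, reusing the engine name, homepage and add-on IDs quoted in the fix.

```python
"""Audit a Firefox prefs.js for search-engine, homepage and add-on hijacks.

Added example, not code from the thread or from OTL. The sample prefs.js and
the allowlists are constructed for the demo.
"""
import re
from urllib.parse import unquote, urlparse

# One user_pref("key", value); line per match. Values may be strings, ints or bools.
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*?)\);\s*$', re.M)

# Constructed sample. Firefox stores add-on IDs URL-encoded ({ -> %7B, } -> %7D).
SAMPLE_PREFS = r'''
user_pref("browser.search.selectedEngine", "Search Here");
user_pref("browser.startup.homepage", "http://yahoo.genieo.com/?v=w3i8");
user_pref("extensions.enabledAddons", "%7B7b13ec3e-999a-4b70-b9cb-2617b8323822%7D:3.15.1.0,addon@defaulttab.com:1.4.2,crossriderapp4639@crossrider.com:0.85.42,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:16.0");
user_pref("extensions.lastAppVersion", "16.0");
'''

# Allowlists an administrator would maintain; the GUID is the Firefox default theme.
ALLOWED_ENGINES = {"Google", "Bing", "Yahoo"}
ALLOWED_HOME_HOSTS = {"www.google.com"}
ALLOWED_ADDONS = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}"}


def parse_prefs(text):
    """Return {pref name: value} with the surrounding quotes stripped from strings."""
    prefs = {}
    for key, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        prefs[key] = raw
    return prefs


def enabled_addons(prefs):
    """Decode extensions.enabledAddons into [(addon id, version), ...]."""
    raw = prefs.get("extensions.enabledAddons", "")
    addons = []
    for item in filter(None, raw.split(",")):
        ident, _, version = item.rpartition(":")
        addons.append((unquote(ident), version))
    return addons


def audit(prefs, engines=ALLOWED_ENGINES, home_hosts=ALLOWED_HOME_HOSTS,
          addons=ALLOWED_ADDONS):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    engine = prefs.get("browser.search.selectedEngine")
    if engine and engine not in engines:
        findings.append(f"default search engine changed to {engine!r}")
    home = prefs.get("browser.startup.homepage", "")
    if home and not home.startswith("about:"):
        host = urlparse(home).hostname or ""
        if host not in home_hosts:
            findings.append(f"homepage points at {host!r}")
    for ident, version in enabled_addons(prefs):
        if ident not in addons:
            findings.append(f"unexpected add-on enabled: {ident} {version}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_prefs(SAMPLE_PREFS)):
        print(line)
```

Run against the sample it reports the "Search Here" engine, the genieo homepage and the three add-ons the OTL script disables, while the default theme passes.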
  5. Karynsig

    Karynsig Private E-2

    It looks like that took care of it. I really appreciate your support on this; I'm very thankful to have a trustworthy site where the members are so helpful.

    Here are the two logs from the last steps you had me do; if all looks good then I can have this matter closed.

    I wish I had the skills you do!

    Karyn
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    You're very welcome :)

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • You can delete the C:\JRT folder at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  7. Karynsig

    Karynsig Private E-2

    Thanks for all your help. I did all that, and now there's an IP conflict and we can't get online at all. I am pretty sure they're related because it did this after I finished everything. Also, I couldn't do the system restore; it wouldn't let me click Apply at the end.

    Ideas?
     
  8. thisisu

    thisisu Malware Consultant

    What was the last step that you recall performing before this issue occurred?

    __

    Have you tried rebooting your computer yet? If not, try it now.
     
  9. Karynsig

    Karynsig Private E-2

    Well, I know I was able to get on the internet when I was doing your last step about removing ComboFix and MGTools and the system restore. I got an IP error at some point during that time, but we were still on the internet until late last night. This morning when my hubby tried to get on the computer it wouldn't let him. I have rebooted it several times, to no avail. :cry
     
  10. thisisu

    thisisu Malware Consultant

    We never ran ComboFix so you should have skipped that step. Although, that command wouldn't have done any harm anyways since ComboFix wasn't present.

    __

    Now download the latest MGtools.exe to the root of your c: drive.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  11. Karynsig

    Karynsig Private E-2

    Hi...sorry it took me so long to get back to you. Since I haven't been able to get on our regular laptop I used the kids' laptop, and I can't even tell you how horrible that experience was. I am not even going to attempt to fix that one. I did uninstall a bunch of programs so that I could actually see the window for the internet, because before it was pushed down so far from the 8000 toolbars that both kids swore they didn't install...oy vey.

    Anyway, I can't get on that computer to download anything, or to be able to upload logs.

    But I did some searches for resolving IP conflicts, and one of the things that I was reading said to make sure the DHCP Client service was started, which it wasn't. When I tried to start it, it says "Error 1075: The dependency service does not exist or has been marked for deletion."

    I'm pretty sure the DHCP Client service shouldn't be deleted; that's probably my problem, right? How do I get it back??
     
  12. thisisu

    thisisu Malware Consultant

    Hi,

    Your logs were showing that DHCP was started (as well as many other internet dependencies).

    Code:
    Checking DHCP, AFD, NetBT, tdx, TCP/IP, NSI and nsiproxy Service States 
    
       Dynamic Host Control Protocol -DHCP-     is running  
       AFD Networking Support Environment -AFD- is running  
       NetBios over Tcpip -NetBT-               is running  
       NetIO Legacy TDI support driver  -tdx-   is running  
       TCP/IP Protocol Driver -TCP/IP-          is running  
       Network Store Interface Service -nsi-    is running  
       NSI Proxy Service  -nsiproxy-            is running  
    I need you to run MGtools.exe on the computer without internet access and then copy MGlogs.zip onto a flash drive or burn it to a CD.
    Then bring that flash drive / CD to a working computer, plug it in, and upload the contents for me to review so that I can see what was changed.
     
  13. Karynsig

    Karynsig Private E-2

    I tried doing what you said, I downloaded MGTools to an external drive and then put it in C:\. When I tried to run as an administrator, it says "C:\MGtools.exe is not a valid Win32 application." :/
     
  14. thisisu

    thisisu Malware Consultant

    It sounds like the copy wasn't successful (only a partial copy). Try again.
     
  15. Karynsig

    Karynsig Private E-2

    Hello - thanks for your patience, it's been a crazy week at work. I am back at it trying to get our computer fixed.

    I successfully downloaded and transferred MGtools to my other computer, executed it, and copied the MGlogs zip file back to this computer. It's attached to this.

    Ah, another weekend of trying to unscrew the computer...I can't wait for my kids to have kids who mess up their computers, ha ha ha.

    Thanks again for the ongoing assistance!
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    A file was altered. I'm not sure by what exactly. It could just be corrupted. We can replace with a good copy. Just follow the steps below.

    BEFORE:
    Code:
    ============= Finding copies of afd.sys                     
    2011-12-28 03:59:24           498,688 [1C7857B62DE5994A75B054A9FD4C3825] C:\Windows\System32\drivers\afd.sys
    AFTER:
    Code:
    ============= Finding copies of afd.sys                     
    2012-10-15 01:39:55            22,368 [42B7E1AA0C7EC54652A50585793F1885] C:\Windows\System32\drivers\AFD.SYS
    __

    Please download and run AVG Remover

    __

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :processes
    killallprocesses
    :files
    C:\Users\nex\AppData\Roaming\Microsoft\Windows\Templates\5jg1r583qpn477kyq6grmg71 /d
    C:\windows\system32\drivers\afd.sys|C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys /replace
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
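The BEFORE/AFTER comparison above is what exposed the altered afd.sys: same path, but a different size and MD5. The following is an added example, not part of the thread or of MGtools, that parses the "Finding copies" lines from two MGlogs runs and reports any driver copy whose hash changed or is not in a trusted set; the two log excerpts are the ones quoted in the post, while the trusted-hash set is constructed for the demo from the BEFORE hash.

```python
"""Diff the 'Finding copies of <file>' sections of two MGlogs runs.

Added example, not part of the thread or of MGtools. The log excerpts are
the ones quoted in the post; the trusted-hash set is constructed.
"""
import re
from collections import namedtuple

Copy = namedtuple("Copy", "when size md5 path")

# e.g. 2011-12-28 03:59:24   498,688 [1C78...3825] C:\Windows\System32\drivers\afd.sys
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+([\d,]+)\s+\[([0-9A-Fa-f]{32})\]\s+(\S.*?)\s*$",
    re.M,
)

BEFORE_LOG = r"""
============= Finding copies of afd.sys
2011-12-28 03:59:24           498,688 [1C7857B62DE5994A75B054A9FD4C3825] C:\Windows\System32\drivers\afd.sys
"""

AFTER_LOG = r"""
============= Finding copies of afd.sys
2012-10-15 01:39:55            22,368 [42B7E1AA0C7EC54652A50585793F1885] C:\Windows\System32\drivers\AFD.SYS
"""

# Constructed baseline: in practice, the hash of the winsxs component-store copy.
KNOWN_GOOD = {"1C7857B62DE5994A75B054A9FD4C3825"}


def parse_copies(text):
    """Return {lower-cased path: Copy}.

    NTFS paths are case-insensitive, and the AFTER log lists AFD.SYS where
    BEFORE listed afd.sys, so the key is normalised; otherwise the diff would
    report one file missing and another new instead of one file changed.
    """
    copies = {}
    for when, size, md5, path in LINE_RE.findall(text):
        copies[path.lower()] = Copy(when, int(size.replace(",", "")), md5.upper(), path)
    return copies


def diff_copies(before, after):
    """List copies that appeared, vanished or changed hash between two runs."""
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old is None:
            findings.append(f"NEW     {new.path} md5={new.md5}")
        elif new is None:
            findings.append(f"MISSING {old.path}")
        elif old.md5 != new.md5:
            findings.append(
                f"CHANGED {new.path} {old.size}->{new.size} bytes "
                f"{old.md5}->{new.md5} modified {new.when}"
            )
    return findings


def untrusted_copies(copies, known_good=KNOWN_GOOD):
    """Paths whose MD5 is not in the trusted set."""
    return [c.path for c in copies.values() if c.md5 not in known_good]


if __name__ == "__main__":
    before, after = parse_copies(BEFORE_LOG), parse_copies(AFTER_LOG)
    for line in diff_copies(before, after) + untrusted_copies(after):
        print(line)
```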
  17. Karynsig

    Karynsig Private E-2

    I'm doing your steps now (computer is rebooting). Is AVG bad for my computer?
     
  18. Karynsig

    Karynsig Private E-2

    OK - I followed your instructions and I've attached the log to this post.

    I didn't see any instruction to run a scan with OTL, is that right? I just did the custom fix as described below.
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    That's correct.

    Test for internet access if you haven't already.

    If you do not have internet access, post a new MGlogs.zip for me to review.
     
  20. Karynsig

    Karynsig Private E-2

    Still no access. Here is my new MGlogs.zip file.
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    ========WARNING========
    The below is specifically for Karynsig's computer
    Do NOT run the below if you are not Karynsig
    Doing so may damage your PC!
    ========WARNING========

    Attached is afd.zip

    Inside is:
    • afd.reg

    Extract afd.reg onto the desktop of the computer with the issue.

    First double-click afd.reg and allow it to merge into the registry. You should receive a successful message. If you received a successful message, reboot your PC and test for connectivity.
     

    Attached Files:

    • AFD.zip (620 bytes)
  22. Karynsig

    Karynsig Private E-2

    Still no access. I figure you'd need the MGlogs.zip file again so here is the new file. I was able to successfully merge the .reg from the .zip file into the registry; it just didn't make it work when I tried to get network access.

    I'm off my computer for tonight, if there's a response I will do it first thing in the morning.
    I really appreciate all your persistence with getting to the bottom of the problem.
     

    Attached Files:

  23. thisisu

    thisisu Malware Consultant

    You did reboot after the previous merge into the registry right? If not, please reboot now.

    If you did reboot, merge the following registry patch as well (LEGACY_AFD.reg).

    Reboot afterwards.
     

    Attached Files:

  24. Karynsig

    Karynsig Private E-2

    Tried that, it says, "Cannot import C:\Users\nex\Desktop\LEGACY_AFD.reg: Error accessing the registry."
    :confused
     
  25. thisisu

    thisisu Malware Consultant

    Ok, then try this:

    • Press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below command and paste it into the Open: text-field and then press ENTER.
    %systemdrive%\MGtools\swreg.exe ACL "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root" /E /GE:F
    • A DOS prompt window should have flashed quickly. If it did, then attempt to merge LEGACY_AFD.reg once again.
    • If you did not receive an error message this time, reboot your PC and test for internet access.
     
  26. Karynsig

    Karynsig Private E-2

    Did that, got the same error as last time. It did flash the DOS window quickly but when I tried to merge the file it said Error accessing the registry again.
     
  27. thisisu

    thisisu Malware Consultant

    Please ensure LEGACY_AFD.reg is on the desktop of the computer without internet access before proceeding with the below:

    Attached is batch.zip
    Inside is batch.bat
    Extract batch.bat to your desktop.

    Then run the batch.bat file by right-mouse clicking it, and selecting "Run as administrator".

    Let me know what the black window / DOS prompt says.
     

    Attached Files:

  28. Karynsig

    Karynsig Private E-2

    There's no attachment.

    I still have the legacy attachment on my desktop from before, and I did reboot every time I tried it; I realized I never answered when you asked if I had before. Sorry!
     
  29. Karynsig

    Karynsig Private E-2

    OK, I ran it and it says:

    Registrykey: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root"
    Granting Registry rights <F access for This Key> for "Everyone"
    ERROR: Error accessing the registry.
     
  30. thisisu

    thisisu Malware Consultant

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Reset Registry Permissions
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

    __

    Once the computer has restarted, try merging the LEGACY_AFD.reg file once again.
     
  31. Karynsig

    Karynsig Private E-2

    OK - I did that and was able to add it to my registry. Restarting now!
     
  32. Karynsig

    Karynsig Private E-2

    WIN!!! I am posting from my laptop.

    THANK YOU!!!

    Should I just delete:
    afd.reg
    legacy_afd.reg
    batch.bat
    windows repair
    OTL.exe
    avgremove.exe
    afd.zip
    ...anything else?

    Do I have to uninstall anything or just delete those things?
    Also, is AVG bad?
     
  33. thisisu

    thisisu Malware Consultant

    You're welcome :)
    Took some time but we eventually got it.

    These can be deleted.
     
  34. Karynsig

    Karynsig Private E-2

    Last question on this issue: should I not have AVG installed ever? What antivirus software should I have? I've heard bad stuff about pretty much every antivirus software there is.
     
  35. thisisu

    thisisu Malware Consultant

    AVG is OK. I only requested that you run the AVGRemover tool because there were only traces of AVG on your system. The program was not properly installed and sometimes this can cause an issue in internet connectivity.

    There isn't a bulletproof anti-virus. My recommendation is Microsoft Security Essentials due to it being very light on computer resources, and it's better than nothing. You can get it from here: http://windows.microsoft.com/en-US/windows/products/security-essentials
     
