Removing Searchnu.com/406

Discussion in 'Malware Help (A Specialist Will Reply)' started by lcoluccio, Oct 21, 2012.

  1. lcoluccio

    lcoluccio Private E-2

    Hello, I have been following the General Housecleaning Advice on t=230267. I have Windows Vista 64-bit.

    I flushed the Java cache and the Firefox & Internet Explorer caches. Unable to flush the DNS cache as it requires elevation, not sure what that means. I turned the Comcast router off & on to reset it.

    Ran GooredFix, see attached text. Ran TDSSKiller, nothing found. Ran MBRCheck, see attached text.

    Await reply; thanks.
     

    Attached Files:

  2. lcoluccio

    lcoluccio Private E-2

    OK...followed the malware removal/cleaning procedure; ran RogueKiller, Malwarebytes, and Hitman Pro.

    I'm so sorry, I was trying to follow instructions exactly, and thought I was ignoring all for Hitman Pro, but after getting a temporary license to run, it just automatically deleted all. I have attached the logs.

    I still have searchnu problems; please advise.

    Lori
     
  3. lcoluccio

    lcoluccio Private E-2

    Sorry, here's the attachment for RogueKiller; the Hitman Pro file is too large to attach. Apologies for any errors; I'm a real beginner, my computer guy is on vacation, but gave me your site to try and fix. Spent so many hours so far, would really appreciate it if you can help.
     
  4. lcoluccio

    lcoluccio Private E-2

    Here's the MGLog; thanks. Lori
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please attach the requested logs from the below scans:
    • RogueKiller
    • Hitman Pro
    • Malwarebytes
    • TDSSKiller
    Also run the below.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT will reset your home page to a google default so you will need to restore your home page setting.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
  6. lcoluccio

    lcoluccio Private E-2

    Thank you for replying! Here are the logs; however, this program would not let me upload MBR, as I already did; also will try to upload the Hitman Pro log separately, as the file is too large apparently to upload here.
     

    Attached Files:

  7. lcoluccio

    lcoluccio Private E-2


    Hello,

    Still getting an upload error when trying to upload the HitmanPro log, as it is 489.9 KB and allowed is 375 KB; please advise.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Compress it into a ZIP file and attach the ZIP. ;) Not sure why the log would be so large.
     
  9. lcoluccio

    lcoluccio Private E-2

    Zipped the original Hitman Pro scan from 10/21, but the upload was denied, so I ran it again and here's the file...thanks!
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Redownload the Junkware Removal Tool from the same link previously given. Follow the same instructions to run it and attach the new log.

    Afterwards, reboot your PC and then run another new scan with Hitman Pro and attach this new log too which should hopefully be smaller.
     
  11. lcoluccio

    lcoluccio Private E-2



    This is kinda fun, feel like Tim the Tool Man. You were right, the file is smaller.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay go to Add/Remove Programs and uninstall the below:
    Searchqu Toolbar

    If you have trouble uninstalling it, try using the below to remove it.

    Revo Uninstaller

    Shutdown all protection software before running the below.

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just the title line of
      the code box.
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\Program Files (x86)\Searchqu Toolbar
    C:\Program Files (x86)\Searchqu Toolbar\Datamngr
    C:\Program Files (x86)\Searchqu Toolbar
    C:\Program Files (x86)\MapsGalaxy_39
    C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\ihbxdg8z.default\searchqutoolbar
    C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\v6oqc3ty.default\searchqutoolbar
    C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\ihbxdg8z.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "DATAMNGR"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "DATAMNGR"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{364ea597-e728-4ce4-bb4a-ed846ef47970}"=-
    "{99079a25-328f-4bd4-be04-00955acaa0a7}"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{66F68601-0E0C-42D4-82B7-190449980FA2}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0A2EA0A6-500B-43AC-83DB-176C72C2E6EF}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{66F68601-0E0C-42D4-82B7-190449980FA2}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0A2EA0A6-500B-43AC-83DB-176C72C2E6EF}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{55F01585-DF24-4298-8F13-88E99FC3632B}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0}]
    [-HKEY_USERS\S-1-5-21-2020196862-1690506499-254722715-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{9D717F81-9148-4F12-8568-69135F087DB0}]
    [-HKEY_USERS\S-1-5-21-2020196862-1690506499-254722715-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4f12-8568-69135F087DB0}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button (image: http://forums.majorgeeks.com/chaslang/images/MoveIt!.png).
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  13. lcoluccio

    lcoluccio Private E-2

    It appears the Searchqu Toolbar is gone and everything's working :) It wasn't showing up to uninstall, but I completed the other tasks and here are the logs; I'm amazed; how'd you learn all this?
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Self taught. Years of using PCs.

    Just to be safe, let's run another scan with Hitman and see if anything shows up in a new log.
     
  15. lcoluccio

    lcoluccio Private E-2

    OK, ran Hitman again, here's the log:)
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, getting smaller and smaller with that log, but still there because you had multiple user accounts infected.

    Shut down Firefox and your protection software and see if you can manually delete the below folders:
    C:\Users\Angela\AppData\Roaming\Mozilla\Firefox\Profiles\9f1cb36u.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}

    C:\Users\Angela\AppData\Roaming\Mozilla\Firefox\Profiles\9f1cb36u.default\searchqutoolbar


    Then do the below.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now let's run another scan with Hitman and see if anything still shows up in a new log.
     
  17. lcoluccio

    lcoluccio Private E-2

    Yes, was able to add it to the registry; here's the latest Hitman log. I am OK with totally deleting the user Angela, as she no longer uses this computer, if that is an issue.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessary, since we removed all the bad stuff except two items that don't want to go away, and they are for the Rich user account. But you should remove user accounts that are not used.

    Run Hitman and see if you can get it to remove the below, which it is finding:
    HKU\S-1-5-21-2020196862-1690506499-254722715-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{9D717F81-9148-4F12-8568-69135F087DB0} (SearchQU)
    HKU\S-1-5-21-2020196862-1690506499-254722715-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4f12-8568-69135F087DB0},\ (SearchQU)
     
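    The OTM script in reply 12 and the two HKU keys above are the full set of places this toolbar persisted on the machine: a Run value and AppInit_DLLs for the DataMngr loader, Browser Helper Object and CLSID registrations, IE SearchScopes, per-user Approved Extensions/Ext\Settings entries, and leftover folders including a Firefox extension in each profile. The read-only PowerShell audit below is an added example, not something posted in this thread or part of OTM or Hitman Pro; it walks exactly those locations (every GUID, value name and folder comes from the posts above) and reports what is still present without deleting anything, so it can be run after a cleanup to confirm nothing came back. It assumes an elevated prompt so HKLM and every loaded user hive are readable, and the SID filter for HKU is an assumption about normal local-account SIDs.

```powershell
# Added audit example (not from the thread): report Searchqu/DataMngr persistence
# remnants named in the OTM script and in the Hitman Pro findings. Read-only.
# Run from an elevated PowerShell prompt.

# Identifiers below are the ones quoted in the thread.
$bhoClsids   = @('{99079a25-328f-4bd4-be04-00955acaa0a7}', '{9D717F81-9148-4f12-8568-69135F087DB0}')
$otherClsids = @('{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}', '{CC1AC828-BB47-4361-AFB5-96EEE259DD87}',
                 '{FEFD3AF5-A346-4451-AA23-A3AD54915515}')
$searchScopes = @('{0A2EA0A6-500B-43AC-83DB-176C72C2E6EF}', '{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}',
                  '{55F01585-DF24-4298-8F13-88E99FC3632B}')

$findings = New-Object System.Collections.Generic.List[string]

function Test-Key {
    # Record a finding when a registry key or file-system path still exists.
    param([string]$Path, [string]$Label)
    if (Test-Path -LiteralPath $Path) { $findings.Add("$Label : $Path") }
}

# 1. Autostart: the DATAMNGR Run value in both the native and the WOW64 view.
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['DATAMNGR']) {
        $findings.Add("Run value DATAMNGR : $run -> $($props.DATAMNGR)")
    }
}

# 2. AppInit_DLLs: any non-empty value is loaded into every process that links user32.dll,
#    which is why the OTM script blanks it rather than deleting the key.
$w = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' -ErrorAction SilentlyContinue
if ($w -and $w.AppInit_DLLs -and $w.AppInit_DLLs.Trim() -ne '') {
    $findings.Add("AppInit_DLLs is set : $($w.AppInit_DLLs)")
}

# 3. Browser Helper Objects and the COM classes they are implemented by.
foreach ($c in $bhoClsids) {
    Test-Key "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c" 'BHO'
    Test-Key "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c" 'BHO (WOW64)'
}
foreach ($c in $bhoClsids + $otherClsids) {
    Test-Key "HKLM:\SOFTWARE\Classes\CLSID\$c" 'CLSID'
    Test-Key "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$c" 'CLSID (WOW64)'
}
Test-Key 'HKLM:\SOFTWARE\DataMngr' 'DataMngr key'

# 4. IE search scopes, machine-wide and in every loaded user hive (this is where the
#    last two Hitman Pro findings for the Rich account live).
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$userHives = @()
foreach ($sid in (Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' })) {
    $userHives += "HKU:\$($sid.PSChildName)\Software"   # assumption: local accounts use S-1-5-21-* SIDs
}
foreach ($h in @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') + $userHives) {
    foreach ($s in $searchScopes) { Test-Key "$h\Microsoft\Internet Explorer\SearchScopes\$s" 'SearchScope' }
}
foreach ($h in $userHives) {
    foreach ($c in $bhoClsids) {
        Test-Key "$h\Microsoft\Internet Explorer\Approved Extensions\$c" 'Approved Extension'
        Test-Key "$h\Microsoft\Windows\CurrentVersion\Ext\Settings\$c" 'Ext\Settings'
    }
}

# 5. Leftover folders: the toolbar itself and the Firefox extension in every profile.
Test-Key "${env:ProgramFiles(x86)}\Searchqu Toolbar" 'Folder'
Test-Key "${env:ProgramFiles(x86)}\MapsGalaxy_39" 'Folder'
Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        Test-Key "$($_.FullName)\searchqutoolbar" 'Firefox profile folder'
        Test-Key "$($_.FullName)\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}" 'Firefox extension'
    }

if ($findings.Count -eq 0) { 'No Searchqu/DataMngr remnants found.' } else { $findings }
```

    The script only tests for presence; anything it lists is then handled the way chaslang does above (OTM, Hitman Pro, or a manual delete with Firefox and the protection software shut down). Checking both the native and the Wow6432Node views matters on this 64-bit Vista install because a 32-bit toolbar registers under the WOW64 keys while 64-bit Explorer reads the native ones.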
  19. lcoluccio

    lcoluccio Private E-2

    Success? Deleted as you recommended, ran Hitman again and here's the file. Do I need to do anything with the quarantined files?
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Anything that the below final instructions do not clean up, you can remove yourself.




    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  21. lcoluccio

    lcoluccio Private E-2

    Have followed all your advice and do not see any problems. You're awesome; thank you!
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
