
Solved

remove searchqu

Posted on 2012-08-23
34
Medium Priority
3,000 Views
Last Modified: 2016-11-23
I've read another post submitted by someone else regarding searchqu, but the solution wasn't selected. I was on the phone with McAfee and they were troubleshooting a problem and during that process downloaded some software that installed searchqu. I'm not thrilled with McAfee but really don't have time for another 3 hour call with them. I want searchqu off my machine!

I'm doing the following:
Running McAfee complete scan
Running Malwarebytes Anti malware
Ran Hijack This:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:23:36 PM, on 8/23/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Citrix\GoToMeeting\880\g2mstart.exe
C:\Users\Harry\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files (x86)\eFax Messenger 4.4\J2GTray.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Users\Harry\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Citrix\GoToMeeting\880\g2mcomm.exe
C:\Program Files (x86)\Citrix\GoToMeeting\880\g2mlauncher.exe
C:\Users\Harry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harry\AppData\Local\Google\Chrome\Application\chrome.exe
c:\PROGRA~2\mcafee\SITEAD~1\saui.exe
C:\Users\Harry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harry\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;*.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120823141800.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\SEARCH~1\Datamngr\BROWSE~1.DLL
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [GoToMeeting] "C:\Program Files (x86)\Citrix\GoToMeeting\880\g2mstart.exe" "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\Harry\AppData\Local\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Harry\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files (x86)\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Startup: eFax 4.4.lnk = C:\Program Files (x86)\eFax Messenger 4.4\J2GTray.exe
O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Jungle Disk Workgroup.lnk = C:\Program Files\Jungle Disk Workgroup\JungleDiskWorkgroup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~2\mcafee\msc\mcsniepl.dll
O20 - AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll
O21 - SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
O22 - SharedTaskScheduler: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
O23 - Service: McAfee Application Installer Cleanup (0068121345740298) (0068121345740298mcinstcleanup) - McAfee, Inc. - C:\Users\Harry\AppData\Local\Temp\006812~1.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JungleDiskWorkgroupService - Jungle Disk, Inc. - C:\Program Files\Jungle Disk Workgroup\JungleDiskWorkgroup.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files (x86)\Smith Micro\StuffIt 2010\ArcNameService.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 17345 bytes

Please advise! Please!!
0
Comment
Question by:joibrooks
34 Comments
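As an added example (not part of this thread, and not code from HijackThis, Malwarebytes or any other tool named here), the following Python script triages a log in the HijackThis format posted above. It flags every entry that references the Searchqu / DataMngr indicators taken from the posted log (the SEARCH~1\Datamngr directory, its DLL names and the two CLSIDs), lists whatever the O20 AppInit_DLLs value loads, since that value injects the named DLLs into every process that links user32.dll and is a common persistence point for toolbars of this kind, and separately lists orphaned entries marked "(file missing)" or "(no file)". The sample log is a constructed excerpt modelled on the posted one, not the full file.

```python
import re

# Indicators taken from the HijackThis log posted in this thread: the
# toolbar's install directory (8.3 short name), its module names and the
# CLSIDs of its BHO/toolbar entries. Extend the tuple for other adware.
SEARCHQU_INDICATORS = (
    r"\SEARCH~1\Datamngr",
    "searchqudtx.dll",
    "datamngr.dll",
    "IEBHO.dll",
    "{99079a25-328f-4bd4-be04-00955acaa0a7}",
    "{9D717F81-9148-4f12-8568-69135F087DB0}",
)

# Constructed excerpt in HijackThis 2.0.4 format, modelled on the posted log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:23:36 PM, on 8/23/2012

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\SEARCH~1\Datamngr\BROWSE~1.DLL
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE
O20 - AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll
"""

# Every item line starts with a section code (R0/R1, F2, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Yield (kind, body) for each item line, skipping the header and process list."""
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            yield match.group("kind"), match.group("body")


def triage(log_text, indicators=SEARCHQU_INDICATORS):
    """Group the log's entries into the three buckets a reviewer wants to see first."""
    findings = {"related": [], "appinit": [], "orphaned": []}
    lowered = [i.lower() for i in indicators]
    for kind, body in parse_entries(log_text):
        line = f"{kind} - {body}"
        # Any entry naming the toolbar's directory, DLLs or CLSIDs.
        if any(i in line.lower() for i in lowered):
            findings["related"].append(line)
        # O20 AppInit_DLLs: whitespace-separated DLLs loaded into every
        # process that links user32.dll, so every value here deserves review.
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            findings["appinit"].extend(body[len("AppInit_DLLs:"):].split())
        # Registry entries whose target file no longer exists (leftovers).
        if "(file missing)" in body or body.endswith("(no file)"):
            findings["orphaned"].append(line)
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, items in result.items():
        print(f"== {bucket} ({len(items)}) ==")
        for item in items:
            print("  ", item)
```

Run it against the full posted log by passing the file's contents to triage(); the "related" bucket is the list of persistence points that must all be gone after cleanup (BHO, toolbar, Run key and AppInit_DLLs), and the "orphaned" bucket is the set of dead entries a later HijackThis "Fix checked" can remove.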
 
LVL 2

Accepted Solution

by:
Ben_b3n earned 1000 total points
ID: 38326776
Hi there!
Could you attach the Malwarebytes log not copy and paste it please :)

It gets a little difficult scrolling down and typing :)

HiJackThis appears to have some URL redirection going on.

=====
First Suggestion: Download and run rKill. This stops annoying processes that could be hiding things from you.

Another great tool that I would run next because I just found out about it and slayed 2 dragons with it today is Rogue Killer

Next I download and install Spybot.
Run a full scan of MalwareBytes and Spybot and remove any infections when completed.

MalwareBytes and Spybot may both want to restart your machine, wait until both are finished before restarting, if you ran them both at the same time.

For good measure I would also run a TDSSkiller scan. Make sure you click the more parameters and then the boxes under more options. Scan > Cure or Delete the things it recommends.

Post your results of any log you get in an attachment please.

=) Happy Hunting
0
 

Author Comment

by:joibrooks
ID: 38326901
I ran Rogue Killer and it found 6 registry entries. Do I delete them? I can't see a way to create a log file for your review. I screen captured and attached the jpg.

McAfee is still running at 19%.
SpyBot is running

Will allow these processes to complete and follow up with this help thread as soon as possible.

Thank you for your ultra quick response.

I still have an open ticket with McAfee (they could not resolve the initial reason for my call). So when they follow up with me, I'm going to ask for anti-virus free software for life.
mbam-log-2012-08-23--15-08-32-.txt
protection-log-2012-08-23.txt
Rkill.txt
rogue-kill-screen-capture.JPG
0
 

Author Comment

by:joibrooks
ID: 38327165
Spybot came back with 6 problems which I fixed. I'm running that again. I don't see a way to download the log or save to a text file to attach.

TDSSkiller came back with only 2 files (Akamai, which I copied to quarantine, but didn't delete).

McAfee isn't finished yet, 42%.

I have not rebooted my computer since McAfee is still running.

What next?
0

 
LVL 2

Expert Comment

by:Ben_b3n
ID: 38327216
Hi There
Did TDSS recommend pushing it to quarantine?

In the HiJackThis log you posted it showed that you had a searchqu toolbar installed. Did spybot remove that?

If not you are going to need to go to Control Panel>Programs and Features and remove it from there.

Then need to reset Internet Explorer back to default settings:
Open Internet Explorer
Click the Gear or Settings
Internet Options
Advanced Tab
Restore Advanced Settings
Reset (button below the above)
Restart Internet Explorer and change your home page back to whatever you had it.

What happens now?
0
 

Author Comment

by:joibrooks
ID: 38327326
I use Chrome, Firefox and IE. I work for an online marketing company, so I need Chrome, Firefox and IE to function properly. It may be that I'm running my CPU to death here, I can't even open IE. Chrome is open, but opening a new tab takes me to a rogue search page. The same with Firefox. Malwarebytes prevents the page from loading, at this point. That may be the problem that I'm having with IE... it is trying to navigate to an odd page, and Malwarebytes won't let it load.

No, Spybot didn't remove that tool bar. I'm managing that manually.

Spybot removed everything I asked but one file, that report is attached.

McAfee is still at 42%. I've closed every app on my computer but Chrome, McAfee and RogueKiller. What about the files (sent to you in a jpeg) that Rogue Killer found. Should I delete them?

No, TDSS did not recommend that I quarantine. I did that on my own. Bad?
SpybotSD.Results.txt
0
 

Author Comment

by:joibrooks
ID: 38327336
This is what I get now in Chrome when I try to open a new tab:

This webpage is not found
No webpage was found for the web address: chrome-extension://bmapjpndbiamjgnblnlpghpbjccijkbc/config/skin/new-tab.html
Error 6 (net::ERR_FILE_NOT_FOUND): The file or directory could not be found.
0
 

Author Comment

by:joibrooks
ID: 38327539
Okay. Decided to reboot (42% for McAfee for the last 2 hours appears as if it was stuck!?).

On reboot, browsers appear to be behaving.

Next?

Thank you!
0
 
LVL 2

Expert Comment

by:Ben_b3n
ID: 38327925
Hi Sorry
Drive time and dinner time.

First Question you asked-

Pictures of files in Rogue Killer- Run that program again and see what shows up now.

Next Question- What you quarantined was an add-on that does a few different things, but won't harm you.

Chrome is saying that because you have it in your settings to open up a specific tab. You need to reset the setting in chrome or just the page to open on new tab.

======
Click the Wrench>Settings
Under On Startup- Change that setting to New Tab. Click the blue link under that that says "specific pages" and make sure only ones you want are in there. I leave blank.

======

Restart Chrome and see if that got it fixed.

For good measure I would also use Ccleaner to clean out your temp files and so forth. I would also use the registry cleaner and scan and fix those errors also. MAKE SURE YOU BACK UP WHEN IT ASKS YOU TO. Playing with the registry can lead to trouble. But Ccleaner hasn't failed me yet.

======

For good measure could you run another HiJackThis report and post the log?

Also do you seem to have anything else acting funny on the computer or does it seem to be normal now?
0
 

Author Comment

by:joibrooks
ID: 38328756
No problem and thank you! I'm running McAfee (again) with hopes that it will finish a complete scan. Then I will run through your items and follow up on each. Yesterday was a waste of a day, between McAfee agent trying to fix the security software but downloading an infected file on my desktop instead, and then me trying to undo that damage. I've got my work cut out for me today.

Will come back with more information mid-morning (US ET).
0
 
LVL 2

Expert Comment

by:Ben_b3n
ID: 38329225
No worries
Everything will eventually be better :)
0
 
LVL 30

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 1000 total points
ID: 38329513
@joibrooks,

We won't recommend HiJackThis since it has not been developed for a long time; further, it is unable to scan 64-bit systems. So I would not recommend HiJackThis; rather I would prefer to run OTL.

OTL by OldTimer is a flexible, multipurpose, diagnostic, and malware removal tool. It's useful for identifying changes made to a system by spyware, malware and other unwanted programs. It creates detailed reports of registry and file settings, and also includes advanced tools and scripting ability for manually removing malware.

Download:
http://oldtimer.geekstogo.com/OTL/OTL.exe

Alternate downloads and locations:

Sometimes malware will block OTL.exe by name, or all executables. In that case try one of these alternatives.
OTL.com: http://oldtimer.geekstogo.com/OTL.com
OTL.scr: http://oldtimer.geekstogo.com/OTL.scr

Mirrors:
OTL.com: http://www.itxassociates.com/OT-Tools/OTL.com
OTL.scr: http://www.itxassociates.com/OT-Tools/OTL.scr
OTL.exe: http://www.itxassociates.com/OT-Tools/OTL.exe

When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
0
 

Author Comment

by:joibrooks
ID: 38330363
Ran CCleaner.

I'm a little nervous about "fixing" the registry. It found a fair number of issues. The last thing I want is to lose my apps and data.

I did a registry "export" by main keys. Is that what you consider a backup? CCleaner didn't prompt me to backup the registry, but I didn't ask it to fix the registry, only to analyze it.

Let me know if I'm being conservative or foolish.

Ran Rogue Killer, Malwarebytes and HijackThis. Log files are attached.

Look and feel... the system is back to where it was before yesterday. However, as far as malware and virus infection... I've seen this type of thing rear its nasty head when you least expect it, months and years down the line.

If I keep saying the same thing over and again, it is because I'm very thankful for your services. So, thank you again!
Rkill-24aug12.txt
mbam-log-2012-08-24--12-25-27-.txt
hijackthis-24aug12.txt
0
 
LVL 2

Expert Comment

by:Ben_b3n
ID: 38330488
Hi Again
As Ssharma mentioned- It's a good idea to run OTL in his link. That's an amazing program.

Could you run that and post the log, please?

HiJackThis has 2 things you can remove-
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
O3 - Toolbar: (no name) - !{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)

But need that OTL scan for your 64bit, I forgot that HiJackThis doesn't do 64bit super well.

As for Registry Fix in Ccleaner- I understand you are nervous about it. I was also when I first did it. After you analyze and click the fix errors button it will ask you if you want to back up the registry then that is where I click yes.

Viruses, if cured completely, don't rear their head again. Now a new virus can get itself attached to your computer and you could be reinfected, that's why it is always good to keep your antivirus up to date and be careful where you browse.

Depending on the OTL scan, I think you are good to go.
0
 
LVL 2

Expert Comment

by:Ben_b3n
ID: 38330493
I say the above and then I re-read the rkill report about the process it terminated.

Did you run a full Malwarebytes scan? 16 minutes seems pretty short for a full scan.
0
 

Author Comment

by:joibrooks
ID: 38330543
Running OTL now.
Did a quick scan with Malwarebytes. I'll run a full one after OTL.
Will run CCleaner against the registry and then run a fix as well.
I'll get back with the newer logs.

Thanking ssharma and ben... I appreciate your help...
0
 

Author Comment

by:joibrooks
ID: 38330663
when you say

"you can remove-
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
O3 - Toolbar: (no name) - !{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)"

How do I remove?

OTL files are attached.

Malwarebytes full scan running now...
Extras.Txt
OTL.Txt
0
 
LVL 2

Expert Comment

by:Ben_b3n
ID: 38331081
To remove on hijackthis-
Check mark the box beside each one of those items I listed then at the bottom press- Fix Checked.

We need to reset your FireFox back to default settings-
===
http://support.mozilla.org/en-US/kb/reset-preferences-fix-problems

Firefox button at top- or settings>Help>Troubleshooting Information>Reset Firefox (on the right side)

===

Have you updated McAfee?

My eyes may have failed me, but that OTL should look clean after you clicked that button in HiJackThis.

In OTL also Click the RunFix and CleanUp.

===
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 38332365
Hello joibrooks,

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

    Double-click OTL.exe to start the program.
    Copy and Paste the following code into the Custom Scans/Fixes textbox.
==========================================
:otl
O2:64bit: - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - !{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll File not found
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5Se File not found
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe File not found
O4 - HKCU..\Run: [AdobeBridge]  File not found
O4 - Startup: C:\Users\Harry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files (x86)\Dell\DellDock\DellDock.exe File not found
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - Reg Error: Key error. - C:\Program Files (x86)\Citrix\GoToAssist\615\g2awinlogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
:Files
C:\TDSSKiller_Quarantine
C:\Windows\tasks\SA.DAT
ipconfig /flushdns /c
:Commands
[PURITY]
[EMPTYTEMP]
[emptyjava]
[EMPTYFLASH]
[RESETHOSTS]
===========================================
Then click the Run Fix button at the top.
Click OK
OTL may ask to reboot the machine. Please do so if asked.
The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.
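An added example, not code from the thread and not part of OTL: the fix script above removes registry autostart entries that OTL flagged as "File not found" or "No CLSID value found" (O3 toolbars, O4 Run values, O18 protocol handlers, O21 SSODL). This script performs the same check itself, so you can audit a machine without a third-party tool and see exactly which entries point at a DLL or EXE that no longer exists. It only reports; deleting is left to you, because an orphaned entry and a live one that a scanner already cleaned look identical here, and a still-present loader should be removed by the scanner that quarantined its payload, not by hand. Assumptions: 64-bit Windows 7 or later, PowerShell 3.0 or newer, run from an elevated prompt; the registry paths are Windows' standard ones, the function names are this example's own.

```powershell
# Added example (not from the thread, not OTL code): list autostart entries in
# the O3/O4/O18/O21 locations whose referenced program no longer exists on disk.
# Assumes 64-bit Windows 7+, PowerShell 3.0+, elevated session. Function names
# are this example's own; registry paths are the standard Windows ones.

function Expand-CommandPath {
    param([string]$Value)
    # Reduce a Run value such as  "C:\dir\app.exe" /arg  to the bare program path.
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 0) { return $v.Substring(1, $end - 1) }
    }
    # Unquoted paths with spaces: take everything up to the first .exe/.dll/.cpl.
    $m = [regex]::Match($v, '^(.*?\.(exe|dll|cpl))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($v -split '\s+')[0]
}

function Test-ProgramExists {
    param([string]$Path)
    if (-not $Path) { return $false }
    if (Test-Path -LiteralPath $Path) { return $true }
    # Bare names such as rundll32.exe are resolved through PATH, as the loader does.
    # (The DLL passed to rundll32 as an argument is NOT checked; review those by hand.)
    if (-not [IO.Path]::IsPathRooted($Path)) {
        return [bool](Get-Command $Path -ErrorAction SilentlyContinue)
    }
    return $false
}

function Resolve-ClsidServer {
    param([string]$Clsid)
    # COM servers (toolbars, shell objects, protocol handlers) register their DLL
    # under CLSID\{guid}\InprocServer32 in the 64-bit view or the WOW64 view.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null   # what OTL prints as "No CLSID value found"
}

function Get-RegistryValues {
    param([string]$Key)
    # Enumerate a key's values, dropping PowerShell's PS* provider metadata properties.
    if (-not (Test-Path $Key)) { return @() }
    (Get-ItemProperty -Path $Key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
}

function New-Finding {
    param($Type, $Key, $Name, $Path)
    New-Object PSObject -Property @{ Type = $Type; Key = $Key; Name = $Name; Path = $Path }
}

function Get-OrphanedAutostarts {
    $findings = @()

    # O4 - Run values: the data is a command line whose program must exist.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        foreach ($p in Get-RegistryValues $k) {
            $file = Expand-CommandPath ([string]$p.Value)
            if (-not (Test-ProgramExists $file)) { $findings += New-Finding 'O4 Run' $k $p.Name $file }
        }
    }

    # O3 - IE toolbars: the value NAME is the CLSID (non-GUID names like "Locked" are IE's own).
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar') {
        foreach ($p in Get-RegistryValues $k) {
            if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            $dll = Resolve-ClsidServer $p.Name
            if (-not (Test-ProgramExists $dll)) { $findings += New-Finding 'O3 Toolbar' $k $p.Name $dll }
        }
    }

    # O21 - ShellServiceObjectDelayLoad: the value DATA is the CLSID.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad') {
        foreach ($p in Get-RegistryValues $k) {
            $dll = Resolve-ClsidServer ([string]$p.Value)
            if (-not (Test-ProgramExists $dll)) { $findings += New-Finding 'O21 SSODL' $k $p.Name $dll }
        }
    }

    # O18 - URL protocol handlers: each subkey carries a CLSID value.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\PROTOCOLS\Handler',
                      'HKLM:\SOFTWARE\Classes\Wow6432Node\PROTOCOLS\Handler') {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $clsid = (Get-ItemProperty -Path $sub.PSPath).CLSID
            $dll = if ($clsid) { Resolve-ClsidServer $clsid } else { $null }
            if (-not (Test-ProgramExists $dll)) { $findings += New-Finding 'O18 Protocol' $root $sub.PSChildName $dll }
        }
    }
    return $findings
}

Get-OrphanedAutostarts | Sort-Object Type, Name | Format-Table Type, Name, Path, Key -AutoSize
```

Run it before and after the fix: before, the Searchqu toolbar CLSID above should appear as an O3 finding with its missing searchqudtx.dll path; after the fix and reboot the list should be empty apart from entries you have deliberately left (the `(no name)` toolbar values with non-GUID names are not reported at all, since IE writes those itself).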
 

Author Comment

by:joibrooks
ID: 38336413
Hello, ssharma. I ran the script through the OTL app. Report is attached.
08272012-091751.log
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 38336735
Great. Now please run the ESET online scan on your computer and, when it has finished, let us know how your system is working.

ESET online scan
http://www.eset.com/us/online-scanner

Sudeep
 

Author Comment

by:joibrooks
ID: 38336809
ESET is running now.
 
LVL 2

Expert Comment

by:Ben_b3n
ID: 38337229
Thank you for jumping in and assisting, Ssharma.
 

Author Comment

by:joibrooks
ID: 38337270
You've both been priceless, and that's for the record.

ESET is still scanning (18%). I'll follow up when it completes the scan.
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 38340837
No problem.

Just make sure that when ESET is done, you remove all the tools and their quarantines which were used to remove the infection.

Also make sure you are able to do Windows Update, and also that you are running latest versions of Adobe Flash, Adobe Acrobat Reader and Java.
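The post-cleanup checks recommended above (remove the tools and their quarantines, confirm Windows Update works, confirm Flash, Reader and Java are current) as one script. This is an added example, not code from the thread or from any of the tools named in it. It reports leftover tool folders, the installed versions of those three products from both registry views so they can be compared with the vendors' current releases, and the state of the Windows Update service together with the date of the last installed hotfix. Assumptions: 64-bit Windows 7 or later with PowerShell 3.0 or newer; the tool-folder list holds the default locations of TDSSKiller (the quarantine named in the fix script above), ComboFix and OTL as this example assumes them, and the function names are the example's own.

```powershell
# Added example (not from the thread): post-cleanup verification.
# Assumes 64-bit Windows 7+, PowerShell 3.0+. Function names and the
# tool-folder list are this example's own assumptions; extend the list
# with the tools you actually ran.

function Get-LeftoverToolPaths {
    # Assumed default locations: TDSSKiller quarantine (named in the fix script
    # above), ComboFix's C:\Qoobox and log, OTL's C:\_OTL.
    $candidates = 'C:\TDSSKiller_Quarantine', 'C:\Qoobox', 'C:\ComboFix.txt', 'C:\_OTL'
    $candidates | Where-Object { Test-Path -LiteralPath $_ }
}

function Get-InstalledVersions {
    param([string[]]$Patterns = @('Adobe Flash Player*', 'Adobe Reader*', 'Adobe Acrobat*', 'Java*'))
    # Both registry views plus per-user installs, so 32-bit Flash/Java on x64 are not missed.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($Patterns | Where-Object { $name -like $_ })
        } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

function Test-WindowsUpdateHealth {
    # A stopped wuauserv is normal when idle; the useful signal is the last hotfix date.
    $svc  = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $last = Get-HotFix | Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        ServiceStatus   = if ($svc)  { [string]$svc.Status } else { 'missing' }
        LastHotFix      = if ($last) { $last.HotFixID }     else { 'none' }
        LastInstalledOn = if ($last) { $last.InstalledOn }  else { $null }
        StaleOver30Days = (-not $last) -or ($last.InstalledOn -lt (Get-Date).AddDays(-30))
    }
}

'== Leftover tool files/folders (delete after the final scan) =='
Get-LeftoverToolPaths
'== Installed versions to compare against the vendor sites =='
Get-InstalledVersions | Format-Table -AutoSize
'== Windows Update =='
Test-WindowsUpdateHealth
```

The version list is deliberately not compared against a hard-coded "latest" number, since that changes monthly; what matters is that each product appears once, from a recognised publisher, and matches what the vendor currently ships.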
 
LVL 2

Expert Comment

by:Ben_b3n
ID: 38341475
Also, I would run CCleaner again to clean out all temp files and Recycle Bin contents. We don't want these causing any stragglers.
 

Author Comment

by:joibrooks
ID: 38342241
I ran ESET last night and it found 3 files. I'm running it again. I'll also run CCleaner, as Ben_b3n recommends.

SSharma, what do you mean: "when ESET is done, you would need to remove all the tools and their quarantines, which were used to remove the infection."?
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 38342259
Tools like TDSSKiller, ComboFix, RogueKiller, RKill, etc. Even OTL.

From OTL you can clean up most of them. Just click the "CleanUp" button. Once that is done, remove OTL as well.
 

Author Comment

by:joibrooks
ID: 38342288
okay, thank you. that's clear enough!
 

Author Comment

by:joibrooks
ID: 38343144
I ran CCleaner and fixed everything (files and registry). I uninstalled the programs through the Control Panel's Programs and Features. Then I removed apps on my desktop. I can't seem to get rid of the malware software; it keeps telling me that it is running even though I've uninstalled it. I removed as many of the files in the folder as I could, rebooted, and now I don't see it running in my processes any more, but it still won't allow me to delete the folder, either.

I haven't removed CCleaner yet.
 
LVL 2

Expert Comment

by:Ben_b3n
ID: 38343184
Malware software? Do you mean Malwarebytes?

Or do you mean searchqu is still there?

Here is a link for the Malwarebytes uninstall process: HERE
 

Author Comment

by:joibrooks
ID: 38343335
Yes, I meant Malwarebytes, sorry for the confusion.

I used Windows Programs and Features to uninstall all the apps noted in the previous thread, so the damage is done. There is no Malwarebytes application in the apps list with an option to uninstall, just remnants of a folder with a few files that can't be deleted.

Ugh! Any other recommendations? Start the computer in Safe Mode and try deleting that way?
 

Author Comment

by:joibrooks
ID: 38343381
Safe Mode and a delete worked.

Any last recommendations before I sign off?

Would you mind if I accepted both your solutions, as you were both very helpful?
 

Author Closing Comment

by:joibrooks
ID: 38345135
Thank you again for responsive and thorough solutions, Ben_b3n and SSharma.
 
LVL 2

Expert Comment

by:Ben_b3n
ID: 38345257
Hi Joi!

Sorry, I have come down with a sickness and didn't have my laptop.

I was going to suggest Revo Uninstaller to fully delete the hard stuff.

Last recommendation: keep your antivirus up to date, and let us know if you need any more help :)

I don't mind at all; I'm just happy everything worked smoothly for you.

Take Care
