Solved

Can't get rid of Bueno Search browser hijacker

Posted on 2014-07-15
Last Modified: 2014-07-22
A colleague has given me their laptop to try and put right and the problem would appear to be with a browser hijacker called Bueno Search. Chrome is on the laptop but (thankfully) that seems OK - it's IE 11 that is having the problem. Every time IE is opened it hijacks the defined home page and goes to Bueno Search.

I have followed umpteen procedures I've found on the web but with no luck. Malwarebytes seems to detect all/some of it which I quarantine but after a reboot it's back again. I've also used Hitman Pro, Spybot S&D, JRS, Advanced Systemcare and a few others - same story.  I even uninstalled IE, went through a procedure to clean the registry, rebooted and reinstalled and the ******* thing is still there.  It seems to create a key called DOMStorage under HKCU/Software/Microsoft/Internet Explorer as well as one or two other entries and they keep coming back.

There are no add-ons, extensions or installed programs that have 'bueno' in the title, unlike a lot of the solution guides demonstrate.  Can anyone advise on how I can find out what process keeps creating the registry keys or some sure fire way of nuking this thing - avoiding a full Windows reinstall if possible!

Thanks
Question by:funasset
55 Comments
 
LVL 2

Assisted Solution

by:Tyler Verkade
Tyler Verkade earned 500 total points
ID: 40197598
Have you tried using McAfee Stinger? (http://www.mcafee.com/us/downloads/free-tools/stinger.aspx). I've had really good luck with that in regards to removing unwanted changes to web browser settings.

Also, if you go into IE and then Tools > Internet Options > Connections > LAN Settings, does it have some sort of a proxy defined, or is "Automatically Detect Settings" unchecked? And, have you reset all of the personal settings in IE? I know that you uninstalled and reinstalled it, but in many cases that doesn't remove personal preferences and options, and that may have something to do with why it's still in your system.
0
 

Author Comment

by:funasset
ID: 40197619
No I missed that one so will give it a try, thanks.

No proxy is being used, everything set to autodetect. Yes I've been in to Reset IE quite a few times but it hasn't helped unfortunately.
0
 
LVL 2

Expert Comment

by:Tyler Verkade
ID: 40197624
I'm sorry! I've personally not had to deal with Bueno Search before, so I don't know exactly how to remove it, but I'll do whatever I can to help! Please let me know if McAfee Stinger makes a difference. Good luck!
0

 

Author Comment

by:funasset
ID: 40197634
The AV on the laptop (Panda) neutralised the Stinger download claiming it was bad?
0
 
LVL 2

Expert Comment

by:Tyler Verkade
ID: 40197651
Really? I've never had an issue like that before. I've used it on machines with Microsoft Security Essentials, Symantec Endpoint Protection, AVG, Avast, GFI Managed Antivirus, etc., and I've never had one of them flag it as dangerous software... You downloaded it from McAfee, right? Not a third-party download site that claimed to have it?
0
 

Author Comment

by:funasset
ID: 40197656
Yup.  I'll try again tomorrow. Thanks in the mean time.
0
 
LVL 3

Expert Comment

by:Sid6_7
ID: 40197710
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You may want to try this program also, if Stinger does not work. Used this many times and cleaned a bunch of them. Nasty ones too. Make sure to back up when it tells you to back up.
0
 
LVL 19

Assisted Solution

by:*** Hopeleonie ***
*** Hopeleonie *** earned 500 total points
ID: 40197774
Combofix is not the proper tool here. You need to be careful when using Combofix as it is very powerful! This is also not a tool to get into the hands of end users.

More info:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

AdwCleaner is the best tool to clean Bueno Search.
Afterwards run Malwarebytes and HitmanPro free.

Best removal Guide:
http://malwaretips.com/blogs/remove-bueno-search/

"The AV on the laptop (Panda) neutralised the Stinger download claiming it was bad?"

No. The reason is because Stinger has Malware signatures. This is a normal behavior of an Antivirus Software.
0
 
LVL 30

Accepted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 500 total points
ID: 40198083
Try spyBHOremover from securityxploded.  If there is a problem with that use a rootkit remover.  Here is an excerpt from my article on rootkit removers (currently updating it - sorry that the links didn't paste):

F-Secure has an excellent program called Blacklight.  It is very easy to use, just accept the caveats and click scan.  You should know in advance that, at least in my experience, Blacklight is the LEAST likely to find any infection.  This is partially due to the way in which it scans and partially because it throttles down the sensitivity to prevent false positives.  I still run it and use it regularly.  It should be noted that F-Secure is an extremely reputable security firm and therefore its products, such as Blacklight, are well thought of and well maintained.  Using a known quantity is always good practice.

Sophos also makes a great application.  Their anti-rootkit program does require you to supply some basic information before downloading here, but it is worth it.  The Sophos software is relatively easy to use: just choose what to scan (check all) and click "Start Scan".  Like F-Secure, Sophos is well known and reliable.  The Sophos software is more sensitive scanning for rootkits than the F-Secure software.  But as I mentioned earlier, both are better when scanning the infected drive if it is not the boot drive.

Panda Anti Virus Anti RootKit: run Pavark.exe.  Accept the first screen, check deep scan, click scan, this will schedule a scan the next time your system restarts (you can restart right away or later).  Generally the quick scan is similar to the Blacklight scan - it doesn't pick up rootkits even if you know they are there (assuming you are scanning the infected drive while it is still the boot drive).  The Panda startup scan is fairly good, but is no substitute for booting from CD.  The Panda scan will actually start after Windows has almost finished loading, so the term "startup scan" may be a misnomer.

Gmer is a more complicated application.  It is extremely good, but is aimed at the Information Technology professional or at least someone more conversant with computers.  The GUI (Graphical User Interface) is not as easy to use as the other programs.  It is truly more of a scanner than anything else.  If you want to find out if there are rootkits on your computer, GMER will do the job, but if you want to clean them off, you will either need to do it by hand (no mean task), or use another tool.

RootkitRevealer, originally by Mark Russinovich at Sysinternals, now part of Microsoft Technet, is the rootkit scanner I spoke about in the second paragraph that runs as a random executable name each time it is invoked to prevent rootkits from detecting that it is running.  The way RootkitRevealer works is it compares what the registry actually says and what is returned through the Windows API (Application Programming Interface).  If there is a difference RootkitRevealer assumes that a rootkit is interfering with the Windows API (which is how rootkits hide themselves) and reports this as a rootkit.  Although it is best to run this, like any rootkit detection tool, from a CD booted computer, no matter what you do no other applications should be running at the same time and no interaction should be started once you start the scan (any interaction may change values which will initiate RootkitRevealer seeing the change as a rootkit).

Radix is another tool to scan and remove rootkits.  Radix is a powerful tool that can be used by both beginners and advanced users.  It has a number of capabilities best summarized by their own website:


• Detects and repairs drivers that have been modified by Rootkits.

• Detects and repairs computer processes modified by Rootkits.

• Detects and reveals hidden processes and files, including Alternate Data Streams (ADS).

• Allows the removal of "locked" or "unremovable" processes and files.

• Provides to dump memory areas from processes.

• Shows the Global Descriptor Table (GDT) for advanced Rootkit Detection capabilities.

• Shows the Import Address Table (IAT) for advanced Rootkit Detection capabilities.

• Shows the Interrupt Descriptor Table (IDT) for advanced Rootkit Detection capabilities.

• Shows hidden Registry Keys.

• Operates in both command line mode for power users, or as a graphical tool for regular users.

 Radix is another tool you should only use by itself (nothing else running).  There is a lot there to understand, but if you use the 1click tab (first tab) and the default settings you should be okay.


 With anti-rootkits you should run at least 3 before feeling safe.  Some of these applications will identify false positives - things that seem like rootkits but are not - so be careful.  After running your anti-rootkit programs, if you found something, once you have gotten rid of it be sure to run an antivirus /malware application with up to date virus definition file to be sure to get rid of any vestiges that were left behind.

I've cleaned my system, am I done?

 Once you have a clean system, it is essential to protect yourself from another infection and to take precautions in case you are infected.  To protect yourself be sure you have installed a reputable piece of anti-malware software with updated virus/malware definitions.  You can see comparisons of AV programs here and here.  My personal recommendation is the professional version of Malwarebytes or NOD32.  It really depends on your usage, how comfortable you are with the software, your computer, and how careful you are.  I also recommend running these antirootkit tools every so often just to check.  But my biggest recommendation is don't ever click on anything that tells you there is malware on your computer.  Exit the dialog by clicking the "X" in the upper right hand corner of the dialog, not any button in the dialog itself, then do a scan of your computer using software you trust.

 If you don't want to be infected again, make sure you know how it happened this time.  If you were infected from another computer, the next step is to follow the same directions on that system.  If, on the other hand, the infection came from an external drive or USB stick you should disable Autorun and  then look at the autorun.inf file on the infected drive.  See where it is pointing (e.g., \player32\player32.exe) and delete the offending file(s) then delete the autorun.inf file on that drive.  Finally, scan that drive using your anti-malware software (if your software doesn't scan external or network drives, try using the free versions of Avast! or Avira).  

 Don't forget your backup files, there is a good chance they are infected as well.  If they are in a format you can scan, then do so, otherwise it would not be a good idea to depend on them.  If your backups are essential and you cannot scan them directly, you may wish to try restoring them to another machine and then running the above procedures on those files.  Also note that your System Restore points may be infected.  Even if you feel that your computer is okay now, read this first.  Follow those instructions to delete your System Restore points and create a new one.

IMPORTANT: If you are unsure how to detect or eradicate any form of malware make sure you seek the advice of a professional/expert if you suspect you may be infected before you take any action.
0
 
LVL 93

Expert Comment

by:nobus
ID: 40198683
i suppose you uninstalled it, and removed it from the add-ins in IE , as said here :   http://malwaretips.com/blogs/remove-bueno-search/     

if it survives, you can have a rootkit -  i use roguekiller for this : http://majorgeeks.com/RogueKiller_d6983.html
0
 

Author Comment

by:funasset
ID: 40198977
Thank you all for your advice - much appreciated.  I'll try and answer a few things -

I have already followed the malwaretips.com removal guide and hit it with Adwcleaner, Malwarebytes and Hitman Pro. Despite each finding various things and dealing with them the problem returns after a reboot.

I'm a SysAdmin for a living (if you can call it a living!) so I'm OK with trying something like Combofix and the other utilities mentioned. The laptop in question is someone's home machine and the owner's kids get to use it - bad bad bad. She gave it to me to fix as Windows Explorer keeps crashing out randomly. I read somewhere that this malware does weird things like that as well as hijacking the browser so I'm hoping to kill 2 birds with one flamethrower.

I will download and try Combofix and the others (a very helpful and comprehensive article by the way) after I have had a go with McAfee's software.

Thanks again to everyone - I'll report back later!
0
 
LVL 93

Expert Comment

by:nobus
ID: 40199605
did you try roguekiller yet?
0
 

Author Comment

by:funasset
ID: 40199645
Sorry - haven't had the chance. Stinger took 4 hours to scan and came back clean. I'm gradually working my way through all the tools suggested.
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40199779
Chameleon from MBAM has what amounts to a version of Roguekiller built into it.  Roguekiller is probably better, but I always try chameleon first (usually by running the svchst file).
0
 

Author Comment

by:funasset
ID: 40200129
Just a quick update before I head home. Today I tried -

Stinger - reported no problems
TDSSKiller - no problems
Combofix - no obvious problems in the log file that I could see
Panda - not supported on this OS (Win7 x64). Maybe it's part of Panda Free AV these days?
RogueKiller - no problems
SpyBHORemover - no problems
Sophos - will leave scanning overnight.

I'd like to get hold of the muppet who wrote this and nail their ears to a fence................ Maybe I'm running these things in the wrong way - should I boot in to Safe mode or something before running these utilities? I did boot in to Safe Mode a couple days ago, followed one of the removal guides, reset IE, chopped the offending bits from the registry etc then restarted - you can guess the rest :-)
0
 
LVL 70

Assisted Solution

by:Merete
Merete earned 500 total points
ID: 40200994
I'd also look in the start-up programs: open Run, type in msconfig and press Enter.
Clean out the temps in C:\Users\Yourname\AppData
Look in Uninstall a program to see if it is listed in there.
Look in the Internet Explorer start page.
I have mine set to about Tabs; this way no internet page is opened, just the IE page with my history.
about Tabs start page
Look in your hosts file
C:\Windows\System32\drivers\etc
Hosts file
And finally I use HijackThis. It just seems very good and so simple and fast; it just detects browser baddies.
Guide to HijackThis, very detailed. If you want to do deep stuff use it, otherwise the simple version of doing a scan and saving a log is shown here:
http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/
Download
http://sourceforge.net/projects/hjt/, this page opens to a second with a countdown to download. I just downloaded it to ensure it works and mine is up to date; it works perfectly.
So download it and then left-click on it and it runs.
You are offered options > select "do a system scan and save a log". It takes 10 secs, then opens a new text. Go to Edit, Select All, then Edit, Copy, and paste the results back here.
Alternatively post your log file at the hijackthis de site for a quick analysis yourself. Just paste it into the panel and click Analyse below, then wait a sec. It will turn to a page that has your results with lots of green ticks, all green I hope; these are based on users' feedback.
Red X's should be removed by going back to the original scan, which should still be open on your desktop, and putting a tick next to any nasties reported.
Yellow questions: if I know them I remove them, otherwise I leave them.
That's my method and it seems to work.
If all else fails I use Eset online scanner
http://www.eset.com/au/home/products/online-scanner/
with Malwarebytes.
Good luck
0
 

Author Comment

by:funasset
ID: 40201613
Many thanks for the extra advice. I need all I can get with this pesky thing!

Just to complete the last post I made yesterday, the Sophos scanner came up clean as well.
0
 
LVL 70

Expert Comment

by:Merete
ID: 40201674
has anyone touched on this>
disconnect from internet doing these things, cut them off
Maybe it is not malicious like a virus or trojan.
After reading this I understand what this is about.
Kind of like using you for ads.
With some very good free tools I find I have to click decline up to three times maybe 4 to stop these and then finally I will see the promised your program will install now, maybe a lot of folks don't realise you can decline over and over until you see the right next step.
When a decline is offered use it what can you lose. Most times you will discover it continues. Learn by them ;)
Source
http://www.pcthreat.com/parasitebyid-34192en.html
Quote>
Should you install the full version of Bueno Search, your home page and default search engine will be changed to buenosearch.com. It affects all main browsers including Internet Explorer, Google Chrome and Mozilla Firefox. Granted, the search engine does provide you with relevant results, but you can never be sure about what other links might be embedded in the search results.
It is easy to see that Bueno Search is not a malicious infection, because its website even provides you with removal instructions customized for each browser.
 However, its Privacy Statement is a little bit worrying, because it claims that Bueno Search makes use of cookies to gather certain information related to your web browsing habits automatically
Bueno Search Removal
Windows 8
Move mouse cursor to the bottom right of the screen.
Click Settings and go to Control Panel.
Select Uninstall a program and remove Bueno Search.
Windows Vista & Windows 7
Open Start menu and click Control Panel.
Go to Uninstall a program and remove Bueno Search.
Windows XP
Open Start menu and go to Control Panel.
Select Add or remove programs and uninstall Bueno Search.
How to remove Bueno Search from browser
Mozilla Firefox
Click Firefox button and go to Options.
Under General tab, click Restore to Default button and click OK.
Click the search engine icon on the left of search box (top right corner).
Select Manage search engines and remove Bueno Search from the list. Click OK.
Press Ctrl+Shift+A and Add-ons manager tab will open.
Disable and remove Bueno Search from Extensions.
Internet Explorer
Press Alt+X and click Internet options.
Under General tab, click Use Default and click OK.
Press Alt+X again and to go Manage add-ons.
Remove Bueno Search from Toolbars and Extensions.
Click Search providers on the left.
Set a new default search engine, remove Bueno Search.
Google Chrome
Press Alt+F and go to Tools.
Click Extensions and remove Bueno Search.
Click Settings on the left and mark Open a specific page or set of pages.
Click Set pages and change your home page address. Click OK.
Select Manage search engines under Search.
Set a new default search engine, delete Bueno Search and click Done.
It would be a good idea to scan your computer with SpyHunter free scanner once you are done with manual Bueno Search removal. This way you will be able to check for possibly unwanted applications in your computer. Do invest in a computer safeguard application if need be.
-------------------------------------
Another
How to Remove Bueno Search and Buenosearch.com Redirect from Your PC?
This section is committed to offer guide on how to remove Google redirect virus.
http://forums.anvisoft.com/viewtopic-53-6683-0.html
So use this combined with my new steps.
Good Luck again
0
 

Author Comment

by:funasset
ID: 40201790
Thanks for the extra tips.  I followed the steps in the first post. All seemed well although the Hosts file looked a little odd. I'm used to seeing one as per your example but this one just had "127.0.0.1  Localhost" in it and no other text.  Also I noticed that if I go in to Control Panel/Internet Settings and change the Home Page from the malware search address to about:tabs, click Apply then Close, if I open the settings again straight away the home page has been reset to bueno search.

I've attached the HijackThis log file.
hijackthis.log
0
 
LVL 70

Expert Comment

by:Merete
ID: 40201835
Delete these first then we'll try again
address to about:Tabs ,  or even make Google a new home page to drop the other
https://www.google.com 

Ah you've got a Garmin lol so do I.

Mark to delete>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buenosearch.com/?babsrc=HP_ss&mntrId=C0A900FF09DF704F&affID=127909&tsp=5199

Mark to delete >O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

Consider using the system file checker after its gone.
0
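Added example, not part of the original thread and not HijackThis's own code: a Python triage of HijackThis log lines in the format quoted above, which separates the hijacked start-page value from the autostart entries (Run keys and services) that could be rewriting it after every deletion. The allow-list of expected hosts, the two "Example" log lines and the ranking heuristic are assumptions made for illustration; note that the Bonjour service with a named vendor under Program Files ranks last.

```python
import re
from urllib.parse import urlparse

# Constructed sample log. The R0 line and the Bonjour O23 line are the two
# quoted in the thread; the other three lines are made up for illustration.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buenosearch.com/?babsrc=HP_ss&mntrId=C0A900FF09DF704F&affID=127909&tsp=5199
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/
O4 - HKCU\..\Run: [ExampleUpdater] "C:\Users\owner\AppData\Roaming\ExampleUpdater\upd.exe" /start
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Example Helper Service (exhelper) - Unknown owner - C:\ProgramData\ExHelper\exhelper.exe
"""

# R0-R3: IE start/search page values. O4: Run-key autostarts. O23: services.
R_LINE = re.compile(r"^(?P<code>R[0-3]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Assumption: service and vendor names do not themselves contain " - ".
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Heuristic (assumption): directories a standard user can usually write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")


def image_path(cmd):
    """Return the executable path from a command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|bat|cmd))\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_log(text):
    """Parse the R0-R3, O4 and O23 lines of a HijackThis log into dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            entries.append({"kind": "page", **m.groupdict()})
            continue
        m = O4_LINE.match(line)
        if m:
            entries.append({"kind": "autostart", "name": m["name"],
                            "vendor": None, "path": image_path(m["cmd"])})
            continue
        m = O23_LINE.match(line)
        if m:
            entries.append({"kind": "autostart", "name": m["name"],
                            "vendor": m["vendor"], "path": image_path(m["path"])})
    return entries


def hijacked_pages(entries, expected_hosts):
    """Start/search page values whose http(s) host is not on the allow-list."""
    flagged = []
    for e in entries:
        if e["kind"] != "page":
            continue
        url = urlparse(e["data"].strip())
        if url.scheme in ("http", "https") and url.hostname not in expected_hosts:
            flagged.append((e["key"], e["value"], url.hostname))
    return flagged


def autostart_review(entries):
    """Autostart entries ordered by how many review reasons apply to each."""
    rows = []
    for e in entries:
        if e["kind"] != "autostart":
            continue
        reasons = []
        if e["vendor"] == "Unknown owner":
            reasons.append("no vendor in file metadata")
        if any(part in e["path"].lower() for part in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        rows.append((e["name"], e["path"], reasons))
    return sorted(rows, key=lambda r: -len(r[2]))


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for key, value, host in hijacked_pages(log, {"www.google.com"}):
        print(f"start page override: {key},{value} -> {host}")
    for name, path, reasons in autostart_review(log):
        print(f"{len(reasons)} reason(s): {name} [{path}] {'; '.join(reasons)}")
```

The entries at the top of the review list are the ones to inspect first on disk and in the Services console; the ranking only orders the review and is not a verdict on any entry.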
 

Author Comment

by:funasset
ID: 40201938
I think I have done most of that in the course of testing yesterday. No matter what webpage I set Home to, it is reverted back to Bueno Search as soon as I hit Apply and Close.  I have also been in to Regedit myself and removed that key several times but it just comes back.

Why remove the Apple service?
0
 

Author Comment

by:funasset
ID: 40202374
It pains me to report that none of the helpful suggestions have worked.  The home page is still being reset - where is this thing hiding?! I'm doing a SFC /SCANNOW at the moment before trying to narrow down startup services using msconfig.

I can't think of anything else - except a big hammer!

Thanks all
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40202393
It is unclear to me which of the rootkit scanners I recommended  in this post you tried.

You can read the whole article on rootkits and the reviews with links to the software - all free - here.
0
 

Author Comment

by:funasset
ID: 40202475
Thomas - many thanks. I've been trying to find quiet time to read your article but people keep giving me work to do - very inconsiderate!

Thus far I've been doing all the scans in Windows. I think I'll create a Windows USB stick, load it up with the scanners and try again.  In answer to your question I have used -

spyBHORemover - no errors
Sophos - no errors
Panda - I couldn't seem to find this one and what I did find wouldn't run on my OS. I'm now looking in to the Panda AV that's already installed as it seems to have some additional useful options - including creating a bootable USB stick.
Radix - couldn't find a version for Win 7 x64

I haven't got around to trying these yet -
F-Secure Blacklight
Gmer
RootkitRevealer

Many thanks
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40202887
I generally find that a stick created with the SARDU utility will tackle just about anything.  Some like YUMI better and my next step is to do an article comparing them.  YUMI is Universal USB installer revved up.  You can check out my article on SARDU here.

In terms of Rootkit detectors, try the free version of MBAM and check the rootkit detection option on the settings page.
0
 
LVL 70

Expert Comment

by:Merete
ID: 40203474
Why remove the Apple service?<< Sorry, my mistake, it looked the same as the buenosearch.
What does the Bonjour application do in the computer? Is it safe to remove it?
Did you delete this one?
>>>Mark to delete>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buenosearch.com/?babsrc=HP_ss&mntrId=C0A900FF09DF704F&affID=127909&tsp=5199

I don't believe scanners will find this as it is not marked a security risk; it is basically adware,
and the owner of this computer gave it permission to install along with some sort of free player or free program he installed.
If you could find out what that program was, maybe it has a hook.
I understand you have a lot of experts helping you.
Please confirm you have deleted that line in HijackThis.
Otherwise consider performing a repair re-install.
0
 

Author Comment

by:funasset
ID: 40204222
I've got a boot CD (Hiren's) which I think has some sort of XP-lite on it and I've also created a stick that will boot Windows (allegedly) instead of booting in to a Windows installer, which is what a lot of the related articles seemed to be interested in.

Just to confirm, I did opt to remove that buenosearch entry  mentioned by Merete but to no avail. The extra tools in Panda (Panda Cloud) detected the same nasty things that Malwarebytes does but despite selecting 'Clean' and rebooting, the damned thing is still there so the booting from an external source is the next way to go I feel.

I'll update this later - hopefully with something positive!

Thanks all
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40204383
The boot Cd that rhymes with sirens contains pirated software and is therefore verboten on e-e.  You can get everything you need by using UBCD4WIN and installing the necessary programs into that environment.  I believe I said previously that I use a SARDU created boot device that contains MANY bootable images including UBCD4WIN.
0
 

Author Comment

by:funasset
ID: 40204390
Thanks for the tip - I had no idea!
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40204403
0
 

Author Comment

by:funasset
ID: 40204478
Thanks again. There are so many options that it's hard to keep track of them isn't it?! I'm also doing this whilst doing my normal work which doesn't help.

Since I had no luck with using scanners in Windows I'm now building the, ahem, 'approved' boot CD and will give that a try. At the moment I've also got the laptop in Safe mode and undergoing a scan by Vipre AV. Panda will also let me create a bootable USB to run so that's another option on the list. As I mentioned previously, overnight I created a USB stick which should actually boot in to Windows and give me options to run some of the scanners I already tried within the 'live' Windows. Under the CD-not-to-be-named's XP Lite I tried to run a couple of the portable versions of scanners but with mixed results. Either nothing was found, the app wouldn't start/install or problems that were found had no effect once cleaned off.

So glad it's Friday......
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40204511
Just a heads up, we used Vipre for about a year (Business edition).  It has one problem that made me give it up, the scan is too fast.  I was led to the conclusion that it was scanning either too little of the destination computers or the algorithm was not that good.  When I tested comodo endpoint security, it identified and cleaned hundreds of items that Vipre had missed.
0
 

Author Comment

by:funasset
ID: 40204699
It seems to do the opposite in Safe Mode. So much so that I'll have to stop it otherwise I'll get nothing else done today. It's going through the folders on the laptop in A to Z order at about 2-3 files per second.

Thanks for the info.
0
 

Author Comment

by:funasset
ID: 40204882
Just not my day. I followed the article on creating the UBCD4Win and everything finished OK. I booted the laptop from it and after the initial selection display it blue screened.

I let the laptop boot normally so that I could create a Panda USB stick but when booting the laptop from that it gave some error about not being able to find 'Synaptics' files and rebooted back in to Windows.

I've now booted it from an F-Secure rescue CD, updated the signatures via USB and I'll see how that goes. If it goes at the same speed for the whole scan as it is now then it'll take a while.

Never volunteer to 'take a quick look' at a computer for someone ;-)
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40205024
Never Fix a computer for free period.  There is an excellent article on why here on ee.  Check it out at

http://www.experts-exchange.com/Other/Consulting/A_2111-WARNING-5-Reasons-why-you-should-NEVER-fix-a-computer-for-free.html
0
 

Author Comment

by:funasset
ID: 40205124
How true that is! I'm not at the lofty heights of being a Consultant but I do know how Doctors must feel. As soon as people find out they are a 'Dr' they must get asked about all sorts of aches, pains and rashes - even if they are a Dr of Physics. I get the same. As soon as someone finds out I'm in IT it's not long before I hear "...something strange keeps popping up on my PC screen. Would you........?". What's more is that I am expected to be an expert - not just someone who works in IT but an EXPERT in all aspects of IT be it umpteen operating systems, PC components, pricing, printers, scanners, ALL application software ad infinitum. What they don't see is weeks like this one where I have made a dent in a brick wall with my head and am utterly stumped by this malware - if I happen to remove some malware from someone's PC they sometimes say "Blimey that was quick - was that all it was?"!! They don't realise that behind that brief scan with a particular program, there are often days like today!!

Still, the F-Secure rescue scan is plodding along and 2 hours after starting it has raced to 12% complete. I'll leave it going over the weekend and hope the cleaner doesn't dust the keyboard..........

Have a good weekend all.
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40205142
Yes. I get the same all the time. My family even brings their laptops to gatherings. I stopped this by giving everyone a SARDU crafted boot disk one time and properly messing up a laptop another time.  Worked like a charm.
0
 
LVL 70

Expert Comment

by:Merete
ID: 40205772
LOl never fix a computer for free!!
What are we doing on Experts Exchange then, just had to throw that one in, we do this for free right ;)
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40205918
Yes (although the t-shirts are pay in a way), on the other hand the "don't do it for free" rule is more of an in person thing.
0
 
LVL 70

Expert Comment

by:Merete
ID: 40205921
I donate them all to the water wells every year,
http://blog.experts-exchange.com/ee-blog/experts-exchange-builds-two-wells-in-ethiopia-raises-money-for-third/
I would have had just way too many, as you know every new year we start again, more t-shirts for every new achievement, I donated over 60 last year so it feels great to know they help somewhere.   ;)
I get it back through the exchange part of EE ... brilliant. The access  to information we have on EE database.
0
 

Author Comment

by:funasset
ID: 40208600
Well not a good start to the week....the F-Secure scan I left running on Friday completed with no malware found. Back to the drawing board................
0
 
LVL 70

Expert Comment

by:Merete
ID: 40208696
May I ask where are you seeing it?
In the browser homepage in every browser?
I'd uninstall all browsers then start the cleanup again. Off the internet as well.

In the uninstall a program did you uninstall
Select BuenoSearch Toolbar, DaleSearch Toolbar, TikaSearch Toolbar etc. and select Uninstall then follow the uninstallation process
If you can't find it, search for any recently installed software you don't know or trust and remove it.
check what you have done.
A new one>>
Remove BuenoSearch.com (Bueno Search)
http://www.fixyourbrowser.com/removal-instructions/remove-buenosearch-com-bueno-search/ 
Do you disconnect from the internet?
Have you tried safemode?
I'd manually delete everything as per my suggestion previously>>
http://www.experts-exchange.com/Software/Anti_Spyware/Q_28476408.html#a40200994
Wish I could come visit ;)
0
 
LVL 93

Expert Comment

by:nobus
ID: 40208725
ok
try this : download regseeker  http://www.hoverdesk.net/      and install it - then run it
select search in registry, and enter  Bueno Search
when it's finished - in the bottom line, select Select - then select All
under Action select delete
0
 

Author Comment

by:funasset
ID: 40208786
Merete - in answers to your questions...
1. It's just in IE - Chrome is OK. If I go in to Control Panel/Internet Options and set the home page to About:blank then click Apply and Close it will revert to Bueno Search immediately i.e. if I go straight back in to Internet Options. I tried uninstalling IE, flushing out all traces of it then reinstalling but the problem was still there.

2. There is nothing listed in Uninstall Programs that looks like a possible cause - no entries with any of the names you gave. I did follow your earlier tips and deleted what I could find but still no joy. I will investigate whether an active LAN connection is part of the problem. I'm also going to play around in Safe Mode to see if I can get it working there.

Nobus - thanks for the link. I'll give that a try although I've done manual searches for Bueno Search and 'Conduit' (which is the default search engine it inserts in IE's Manage Add-ons) and chopped out all references found - they came back after a restart :-(

It's very well hidden. The more I look for it the more I think it's a service rather than a rootkit as none of the rootkit scanners have found anything. My next joy will be playing around with disabling services in MSCONFIG to see if I can find it that way.

Thanks all
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40208809
Try using process explorer from Microsoft.
0
 

Author Comment

by:funasset
ID: 40208835
Thanks.

In Safe Mode with Networking, IE works properly......

How do I know what to look for in Process Explorer? Something tells me that the little blighter's process isn't going to be obvious...
0
 
LVL 70

Expert Comment

by:Merete
ID: 40208876
This is pretty obvious>>set the home page to About:blank then click Apply and Close<< make that >> about:Tabs not about blank,
also write it exactly as I have   about:Tabs
 don't click apply tick to use current then ok it and close IE
about:Tabs
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40208879
Start Process Explorer first (you can make it an image hijack - it will ask if you want to use it as a substitute for Task Manager). Once you have it started and running, check the various processes running and familiarize yourself with them.  Next start IE.  When IE has started look at what has changed in PE.  Especially look for Conduit.
0
 

Author Comment

by:funasset
ID: 40209733
Well, some success at last!!  I decided to use MSCONFIG and just start at the top of the Services list, disable a bunch at a time, Restart etc. Luckily there was something going on in the first 5 services I tried. In the end I pinned it down - I'll need to verify tomorrow though - to what was listed as the Advanced Systemcare 7 service. Rightly or wrongly I've used this particular app for ages now just to keep things tidy.  I can only guess that either the service had been hijacked in some way or something nasty got installed as part of the ASC install. I notice that these days the installer has that dreaded Express/Custom choice which it never used to have. These days it seems to try and point you towards Yahoo as a homepage and to put something called Spigot toolbar on your PC. No mention of Bueno Search though. Strange. I am always very careful with installers as I've been bitten myself in the past.

More testing tomorrow.........
0
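The batch-by-batch MSCONFIG search described in the comment above can be narrowed before any service is disabled. This is an added example, not part of the original thread: a read-only PowerShell script that prints the current IE home page value and lists auto-start services whose binary is not signed by Microsoft. The function names are made up for this example, and it assumes PowerShell 3.0 or later.

```powershell
# Added example, read-only: shortlist non-Microsoft auto-start services
# before disabling them in batches. Assumes PowerShell 3.0 or later.

function Get-IEStartPage {
    # IE keeps the per-user home page in the "Start Page" value of this key.
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
}

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Get-ThirdPartyAutoService {
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
        ForEach-Object {
            $exe = Get-ServiceBinaryPath -PathName $_.PathName
            $signer = '(unsigned or file not found)'
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                Signer      = $signer
                Binary      = $exe
            }
        } |
        # Keep everything whose binary is not signed by Microsoft.
        # Services hosted inside svchost.exe are filtered out by this test,
        # so a hijacker loaded as a service DLL would need a separate check.
        Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' }
}

"IE Start Page: $(Get-IEStartPage)"
Get-ThirdPartyAutoService | Sort-Object Signer, Name | Format-List
```

Running it again after each batch is disabled and the machine restarted shows whether the Start Page value is still being rewritten.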
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40209969
You can also try using Ninite (https://ninite.com/) which does auto updating and automatically says no (whether it is unchecking or checking the appropriate box) to any addons.  The only down part of ninite is that you are unable to change the install locations.

ASC has generally been okay in the past, but you never know what an update will bring.  Java has for some time tried to install McAfee on my system every time I update.  This has turned what little respect I had for the company to utter annoyance.  (although I still use and update the stinger tool)
0
 
LVL 70

Expert Comment

by:Merete
ID: 40210491
Very good to hear funasset
0
 

Author Closing Comment

by:funasset
ID: 40211368
Difficult to assign the points on this one. Any one of the responses could have worked in removing this thing depending upon the circumstances. I've assigned multiple solutions as anyone else reading this thread will find a whole host of useful info which will help. I hope that is OK with everyone.
0
 
LVL 70

Expert Comment

by:Merete
ID: 40211412
Tell me about it I have a sore finger scrolling down, "grins"
but well done with the splitting of points funasset you only get 500, it's not about points anyway I'm really happy for you that finally!! you got rid of it.
Glad to have helped in the process.
Best Wishes
Merete
0
 

Author Comment

by:funasset
ID: 40211443
Thanks to all concerned.
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40211445
Yes glad to have helped!
0

Question has a verified solution.
