funasset asked:
Can't get rid of Bueno Search browser hijacker

A colleague has given me their laptop to try and put right and the problem would appear to be with a browser hijacker called Bueno Search. Chrome is on the laptop but (thankfully) that seems OK - it's IE 11 that is having the problem. Every time IE is opened it hijacks the defined home page and goes to Bueno Search.

I have followed umpteen procedures I've found on the web but with no luck. Malwarebytes seems to detect all/some of it, which I quarantine, but after a reboot it's back again. I've also used Hitman Pro, Spybot S&D, JRS, Advanced Systemcare and a few others - same story. I even uninstalled IE, went through a procedure to clean the registry, rebooted and reinstalled, and the ******* thing is still there. It seems to create a key called DOMStorage under HKCU/Software/Microsoft/Internet Explorer as well as one or two other entries, and they keep coming back.

There are no add-ons, extensions or installed programs that have 'bueno' in the title, unlike what a lot of the solution guides demonstrate. Can anyone advise on how I can find out what process keeps creating the registry keys, or some sure-fire way of nuking this thing - avoiding a full Windows reinstall if possible!

Thanks
SOLUTION by Tyler Verkade (members-only content)
funasset (ASKER):
No, I missed that one, so I will give it a try, thanks.

No proxy is being used, everything is set to autodetect. Yes, I've been into Reset IE quite a few times but it hasn't helped, unfortunately.
I'm sorry! I've personally not had to deal with Bueno Search before, so I don't know exactly how to remove it, but I'll do whatever I can to help! Please let me know if McAfee Stinger makes a difference. Good luck!
The AV on the laptop (Panda) neutralised the Stinger download claiming it was bad?
Really? I've never had an issue like that before. I've used it on machines with Microsoft Security Essentials, Symantec Endpoint Protection, AVG, Avast, GFI Managed Antivirus, etc., and I've never had one of them flag it as dangerous software... You downloaded it from McAfee, right? Not a third-party download site that claimed to have it?
Yup. I'll try again tomorrow. Thanks in the meantime.
Louie:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You may want to try this program also, if Stinger does not work. I've used this many times and cleaned a bunch of them. Nasty ones too. Make sure to back up when it tells you to back up.
SOLUTION (members-only content)
ASKER CERTIFIED SOLUTION (members-only content)
I suppose you uninstalled it and removed it from the add-ins in IE, as said here: http://malwaretips.com/blogs/remove-bueno-search/

If it survives, you may have a rootkit - I use RogueKiller for this: http://majorgeeks.com/RogueKiller_d6983.html
Thank you all for your advice - much appreciated. I'll try and answer a few things -

I have already followed the malwaretips.com removal guide and hit it with Adwcleaner, Malwarebytes and Hitman Pro. Despite each finding various things and dealing with them the problem returns after a reboot.

I'm a SysAdmin for a living (if you can call it a living!) so I'm OK with trying something like Combofix and the other utilities mentioned. The laptop in question is someone's home machine and the owner's kids get to use it - bad bad bad. She gave it to me to fix as Windows Explorer keeps crashing out randomly. I read somewhere that this malware does weird things like that as well as hijacking the browser so I'm hoping to kill 2 birds with one flamethrower.

I will download and try Combofix and the others (a very helpful and comprehensive article by the way) after I have had a go with McAfee's software.

Thanks again to everyone - I'll report back later!
Did you try RogueKiller yet?
Sorry - haven't had the chance. Stinger took 4 hours to scan and came back clean. I'm gradually working my way through all the tools suggested.
Chameleon from MBAM has what amounts to a version of RogueKiller built into it. RogueKiller is probably better, but I always try Chameleon first (usually by running the svchst file).
Just a quick update before I head home. Today I tried -

Stinger - reported no problems
TDSSKiller - no problems
Combofix - no obvious problems in the log file that I could see
Panda - not supported on this OS (Win7 x64). Maybe it's part of Panda Free AV these days?
RogueKiller - no problems
SpyBHORemover - no problems
Sophos - will leave scanning overnight.

I'd like to get hold of the muppet who wrote this and nail their ears to a fence... Maybe I'm running these things in the wrong way - should I boot into Safe Mode or something before running these utilities? I did boot into Safe Mode a couple of days ago, followed one of the removal guides, reset IE, chopped the offending bits from the registry etc., then restarted - you can guess the rest :-)
SOLUTION (members-only content)
Many thanks for the extra advice. I need all I can get with this pesky thing!

Just to complete the last post I made yesterday, the Sophos scanner came up clean as well.
Has anyone touched on this?
Disconnect from the internet while doing these things; cut them off.
Maybe it is not malicious like a virus or trojan.
After reading this I understand what this is about.
Kind of like using you for ads.
With some very good free tools I find I have to click Decline up to three times, maybe four, to stop these, and then finally I will see the promised "your program will install now". Maybe a lot of folks don't realise you can decline over and over until you see the right next step.
When a decline is offered, use it - what can you lose? Most times you will discover it continues. Learn by them ;)
Source:
http://www.pcthreat.com/parasitebyid-34192en.html
Quote:
Should you install the full version of Bueno Search, your home page and default search engine will be changed to buenosearch.com. It affects all main browsers including Internet Explorer, Google Chrome and Mozilla Firefox. Granted, the search engine does provide you with relevant results, but you can never be sure about what other links might be embedded in the search results.
It is easy to see that Bueno Search is not a malicious infection, because its website even provides you with removal instructions customized for each browser.
However, its Privacy Statement is a little bit worrying, because it claims that Bueno Search makes use of cookies to gather certain information related to your web browsing habits automatically.
Bueno Search Removal
Windows 8
Move mouse cursor to the bottom right of the screen.
Click Settings and go to Control Panel.
Select Uninstall a program and remove Bueno Search.
Windows Vista & Windows 7
Open Start menu and click Control Panel.
Go to Uninstall a program and remove Bueno Search.
Windows XP
Open Start menu and go to Control Panel.
Select Add or remove programs and uninstall Bueno Search.
How to remove Bueno Search from browser
Mozilla Firefox
Click Firefox button and go to Options.
Under General tab, click Restore to Default button and click OK.
Click the search engine icon on the left of search box (top right corner).
Select Manage search engines and remove Bueno Search from the list. Click OK.
Press Ctrl+Shift+A and Add-ons manager tab will open.
Disable and remove Bueno Search from Extensions.
Internet Explorer
Press Alt+X and click Internet options.
Under General tab, click Use Default and click OK.
Press Alt+X again and go to Manage add-ons.
Remove Bueno Search from Toolbars and Extensions.
Click Search providers on the left.
Set a new default search engine, remove Bueno Search.
Google Chrome
Press Alt+F and go to Tools.
Click Extensions and remove Bueno Search.
Click Settings on the left and mark Open a specific page or set of pages.
Click Set pages and change your home page address. Click OK.
Select Manage search engines under Search.
Set a new default search engine, delete Bueno Search and click Done.
It would be a good idea to scan your computer with SpyHunter free scanner once you are done with manual Bueno Search removal. This way you will be able to check for possibly unwanted applications on your computer. Do invest in a computer safeguard application if need be.
-------------------------------------
Another:
How to Remove Bueno Search and Buenosearch.com Redirect from Your PC?
This section is committed to offering a guide on how to remove the Google redirect virus.
http://forums.anvisoft.com/viewtopic-53-6683-0.html
So use this combined with my new steps.
Good luck again.
Thanks for the extra tips. I followed the steps in the first post. All seemed well, although the Hosts file looked a little odd. I'm used to seeing one as per your example, but this one just had "127.0.0.1  Localhost" in it and no other text. Also I noticed that if I go into Control Panel/Internet Settings and change the Home Page from the malware search address to about:tabs, click Apply then Close, if I open the settings again straight away the home page has been reset to Bueno Search.

I've attached the HijackThis log file.
hijackthis.log
Delete these first, then we'll try again.
Set the address to about:Tabs, or even make Google a new home page to drop the other:
https://www.google.com

Ah you've got a Garmin lol so do I.

Mark to delete: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buenosearch.com/?babsrc=HP_ss&mntrId=C0A900FF09DF704F&affID=127909&tsp=5199

Mark to delete: O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

Consider using the System File Checker after it's gone.
I think I have done most of that in the course of testing yesterday. No matter what webpage I set Home to, it is reverted back to Bueno Search as soon as I hit Apply and Close. I have also been into Regedit myself and removed that key several times, but it just comes back.

Why remove the Apple service?
It pains me to report that none of the helpful suggestions have worked. The home page is still being reset - where is this thing hiding?! I'm doing an SFC /SCANNOW at the moment before trying to narrow down startup services using msconfig.

I can't think of anything else - except a big hammer!

Thanks all
It is unclear to me which of the rootkit scanners I recommended in this post you tried.

You can read the whole article on rootkits and the reviews with links to the software - all free - here.
Thomas - many thanks. I've been trying to find quiet time to read your article but people keep giving me work to do - very inconsiderate!

Thus far I've been doing all the scans in Windows. I think I'll create a Windows USB stick, load it up with the scanners and try again. In answer to your question, I have used -

spyBHORemover - no errors
Sophos - no errors
Panda - I couldn't seem to find this one, and what I did find wouldn't run on my OS. I'm now looking into the Panda AV that's already installed as it seems to have some additional useful options - including creating a bootable USB stick.
Radix - couldn't find a version for Win 7 x64

I haven't got around to trying these yet -
F-Secure Blacklight
Gmer
RootkitRevealer

Many thanks
I generally find that a stick created with the SARDU utility will tackle just about anything. Some like YUMI better, and my next step is to do an article comparing them. YUMI is Universal USB Installer revved up. You can check out my article on SARDU here.

In terms of Rootkit detectors, try the free version of MBAM and check the rootkit detection option on the settings page.
"Why remove the Apple service?" << Sorry, my mistake, it looked the same as the buenosearch one.
What does the Bonjour application do on the computer? Is it safe to remove it?
Did you delete this one?
>>> Mark to delete: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buenosearch.com/?babsrc=HP_ss&mntrId=C0A900FF09DF704F&affID=127909&tsp=5199

I don't believe scanners will find this, as it is not marked a security risk; it is basically adware,
and the owner of this computer gave it permission to install along with some sort of free player or free program he installed.
If you could find out what that program was, maybe it has a hook.
I understand you have a lot of experts helping you.
Please confirm you have deleted that line in HijackThis.
Otherwise consider performing a repair re-install.
I've got a boot CD (Hiren's) which I think has some sort of XP-lite on it and I've also created a stick that will boot Windows (allegedly) instead of booting in to a Windows installer, which is what a lot of the related articles seemed to be interested in.

Just to confirm, I did opt to remove that buenosearch entry mentioned by Merete, but to no avail. The extra tools in Panda (Panda Cloud) detected the same nasty things that Malwarebytes does, but despite selecting 'Clean' and rebooting, the damned thing is still there, so booting from an external source is the next way to go, I feel.

I'll update this later - hopefully with something positive!

Thanks all
The boot CD that rhymes with sirens contains pirated software and is therefore verboten on E-E. You can get everything you need by using UBCD4WIN and installing the necessary programs into that environment. I believe I said previously that I use a SARDU-created boot device that contains MANY bootable images, including UBCD4WIN.
Thanks for the tip - I had no idea!
Thanks again. There are so many options that it's hard to keep track of them isn't it?! I'm also doing this whilst doing my normal work which doesn't help.

Since I had no luck with using scanners in Windows I'm now building the, ahem, 'approved' boot CD and will give that a try. At the moment I've also got the laptop in Safe mode and undergoing a scan by Vipre AV. Panda will also let me create a bootable USB to run so that's another option on the list. As I mentioned previously, overnight I created a USB stick which should actually boot in to Windows and give me options to run some of the scanners I already tried within the 'live' Windows. Under the CD-not-to-be-named's XP Lite I tried to run a couple of the portable versions of scanners but with mixed results. Either nothing was found, the app wouldn't start/install or problems that were found had no effect once cleaned off.

So glad it's Friday......
Just a heads up: we used Vipre for about a year (Business edition). It has one problem that made me give it up: the scan is too fast. I was led to the conclusion that it was scanning either too little of the destination computers or the algorithm was not that good. When I tested Comodo Endpoint Security, it identified and cleaned hundreds of items that Vipre had missed.
It seems to do the opposite in Safe Mode. So much so that I'll have to stop it otherwise I'll get nothing else done today. It's going through the folders on the laptop in A to Z order at about 2-3 files per second.

Thanks for the info.
Just not my day. I followed the article on creating the UBCD4Win and everything finished OK. I booted the laptop from it and after the initial selection display it blue screened.

I let the laptop boot normally so that I could create a Panda USB stick but when booting the laptop from that it gave some error about not being able to find 'Synaptics' files and rebooted back in to Windows.

I've now booted it from an F-Secure rescue CD, updated the signatures via USB and I'll see how that goes. If it goes at the same speed for the whole scan as it is now then it'll take a while.

Never volunteer to 'take a quick look' at a computer for someone ;-)
Never fix a computer for free, period. There is an excellent article on why here on EE. Check it out at

https://www.experts-exchange.com/Other/Consulting/A_2111-WARNING-5-Reasons-why-you-should-NEVER-fix-a-computer-for-free.html
How true that is! I'm not at the lofty heights of being a Consultant but I do know how Doctors must feel. As soon as people find out they are a 'Dr' they must get asked about all sorts of aches, pains and rashes - even if they are a Dr of Physics. I get the same. As soon as someone finds out I'm in IT it's not long before I hear "...something strange keeps popping up on my PC screen. Would you........?". What's more is that I am expected to be an expert - not just someone who works in IT but an EXPERT in all aspects of IT be it umpteen operating systems, PC components, pricing, printers, scanners, ALL application software ad infinitum. What they don't see is weeks like this one where I have made a dent in a brick wall with my head and am utterly stumped by this malware - if I happen to remove some malware from someone's PC they sometimes say "Blimey that was quick - was that all it was?"!! They don't realise that behind that brief scan with a particular program, there are often days like today!!

Still, the F-Secure rescue scan is plodding along and 2 hours after starting it has raced to 12% complete. I'll leave it going over the weekend and hope the cleaner doesn't dust the keyboard...

Have a good weekend all.
Yes. I get the same all the time. My family even brings their laptops to gatherings. I stopped this by giving everyone a SARDU-crafted boot disk one time and properly messing up a laptop another time. Worked like a charm.
LOL, never fix a computer for free!!
What are we doing on Experts Exchange then, just had to throw that one in, we do this for free right ;)
Yes (although the t-shirts are pay in a way), on the other hand the "don't do it for free" rule is more of an in person thing.
I donate them all to the water wells every year,
http://blog.experts-exchange.com/ee-blog/experts-exchange-builds-two-wells-in-ethiopia-raises-money-for-third/
I would have had just way too many; as you know, every new year we start again, more t-shirts for every new achievement. I donated over 60 last year, so it feels great to know they help somewhere. ;)
I get it back through the exchange part of EE ... brilliant. The access to information we have in the EE database.
Well, not a good start to the week... the F-Secure scan I left running on Friday completed with no malware found. Back to the drawing board...
May I ask where are you seeing it?
In the browser homepage in every browser?
I'd uninstall all browsers then start the cleanup again. Off the internet as well.

In Uninstall a program, did you uninstall these?
Select BuenoSearch Toolbar, DaleSearch Toolbar, TikaSearch Toolbar etc. and select Uninstall, then follow the uninstallation process.
If you can't find it, search for any recently installed software you don't know or trust and remove it.
Check what you have done.
A new one>>
Remove BuenoSearch.com (Bueno Search)
http://www.fixyourbrowser.com/removal-instructions/remove-buenosearch-com-bueno-search/ 
Do you disconnect from the internet?
Have you tried safemode?
I'd manually delete everything as per my suggestion previously>>
https://www.experts-exchange.com/questions/28476408/Can't-get-rid-of-Bueno-Search-browser-hijacker.html?anchorAnswerId=40200994#a40200994
Wish I could come visit ;)
OK, try this: download RegSeeker (http://www.hoverdesk.net/) and install it, then run it.
Select "search in registry" and enter Bueno Search.
When it's finished, in the bottom line select Select, then select All.
Under Action, select Delete.
Merete - in answers to your questions...
1. It's just in IE - Chrome is OK. If I go into Control Panel/Internet Options and set the home page to About:blank, then click Apply and Close, it will revert to Bueno Search immediately, i.e. if I go straight back into Internet Options. I tried uninstalling IE, flushing out all traces of it, then reinstalling, but the problem was still there.

2. There is nothing listed in Uninstall Programs that looks like a possible cause - no entries with any of the names you gave. I did follow your earlier tips and deleted what I could find but still no joy. I will investigate whether an active LAN connection is part of the problem. I'm also going to play around in Safe Mode to see if I can get it working there.

Nobus - thanks for the link. I'll give that a try, although I've done manual searches for Bueno Search and 'Conduit' (which is the default search engine it inserts in IE's Manage Add-ons) and chopped out all references found - they came back after a restart :-(

It's very well hidden. The more I look for it the more I think it's a service rather than a rootkit as none of the rootkit scanners have found anything. My next joy will be playing around with disabling services in MSCONFIG to see if I can find it that way.

Thanks all
Try using process explorer from Microsoft.
Thanks.

In Safe Mode with Networking, IE works properly......

How do I know what to look for in Process Explorer? Something tells me that the little blighter's process isn't going to be obvious...
This is pretty obvious >> "set the home page to About:blank then click Apply and Close" << make that about:Tabs, not about:blank.
Also write it exactly as I have: about:Tabs
Don't click Apply; tick "Use current", then OK it and close IE.
Start Process Explorer first (you can make it an image hijack - it will ask if you want to use it as a substitute for Task Manager). Once you have it started and running, check the various processes running and familiarize yourself with them. Next, start IE. When IE has started, look at what has changed in PE. Especially look for Conduit.
Well, some success at last!! I decided to use MSCONFIG and just start at the top of the Services list, disable a bunch at a time, restart etc. Luckily there was something going on in the first 5 services I tried. In the end I pinned it down - I'll need to verify tomorrow though - to what was listed as the Advanced Systemcare 7 service. Rightly or wrongly, I've used this particular app for ages now just to keep things tidy. I can only guess that either the service had been hijacked in some way or something nasty got installed as part of the ASC install. I notice that these days the installer has that dreaded Express/Custom choice which it never used to have. These days it seems to try and point you towards Yahoo as a homepage and to put something called Spigot toolbar on your PC. No mention of Bueno Search though. Strange. I am always very careful with installers as I've been bitten myself in the past.

More testing tomorrow.........
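As an added example (not posted by anyone in this thread), here is a PowerShell script that does what funasset ended up doing by hand: it reads the IE Start Page values, lists services whose binary is not Microsoft-signed so the MSCONFIG bisection starts from a short list, and polls the per-user Start Page so a reversion can be timestamped against what Process Explorer shows. The function names and the 250 ms poll interval are my own choices; it assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0+ (Get-CimInstance);
# run from an elevated prompt so every service binary can be read.

# IE stores the home page in "Start Page" under the Main key. The per-user
# value (HKCU) is the one that kept reverting in the thread; the machine-wide
# and policy keys are read as well because they can override it.
function Get-IeStartPage {
    $keys = @(
        'HKCU:\Software\Microsoft\Internet Explorer\Main',
        'HKLM:\Software\Microsoft\Internet Explorer\Main',
        'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Main',
        'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        [pscustomobject]@{
            Key         = $k
            StartPage   = $p.'Start Page'
            DefaultPage = $p.Default_Page_URL
        }
    }
}

# Win32_Service.PathName holds the full command line; strip quotes and
# arguments to get the executable so its Authenticode signature can be checked.
function Get-ServiceBinaryPath([string]$PathName) {
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    if ($p -match '^(.+?\.(exe|sys))(\s|$)') { return $Matches[1] }
    return $p
}

# Services whose binary is missing, unsigned, or signed by someone other than
# Microsoft. Anything re-writing the home page at every boot has to run from
# somewhere, and a service is one of the usual places.
function Get-NonMicrosoftServices {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        $sig = if ($bin -and (Test-Path -LiteralPath $bin)) {
            Get-AuthenticodeSignature -FilePath $bin
        }
        $signer = if ($sig -and $sig.SignerCertificate) {
            $sig.SignerCertificate.Subject
        } else { '(unsigned or missing)' }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Signer    = $signer
            Binary    = $bin
        }
    } | Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' }
}

# Poll the per-user Start Page for $Seconds and report every change with a
# timestamp. Start this, change the home page in Internet Options, and note
# in Process Explorer what is active at the moment the value flips back.
function Watch-IeStartPage([int]$Seconds = 60) {
    $key  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $last = (Get-ItemProperty -Path $key).'Start Page'
    "{0:HH:mm:ss.fff}  initial: {1}" -f (Get-Date), $last
    $end = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $end) {
        $now = (Get-ItemProperty -Path $key).'Start Page'
        if ($now -ne $last) {
            "{0:HH:mm:ss.fff}  changed: {1}" -f (Get-Date), $now
            $last = $now
        }
        Start-Sleep -Milliseconds 250
    }
}

Get-IeStartPage | Format-Table -AutoSize
Get-NonMicrosoftServices | Sort-Object Name | Format-Table -AutoSize
```

Run `Watch-IeStartPage 120` in a second window while changing the home page; a service found by `Get-NonMicrosoftServices` that is running at the timestamp of the revert is the first thing to stop and re-test.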
You can also try using Ninite (https://ninite.com/), which does auto-updating and automatically says no (whether it is unchecking or checking the appropriate box) to any add-ons. The only downside of Ninite is that you are unable to change the install locations.

ASC has generally been okay in the past, but you never know what an update will bring. Java has for some time tried to install McAfee on my system every time I update. This has turned what little respect I had for the company to utter annoyance (although I still use and update the Stinger tool).
Very good to hear, funasset.
Difficult to assign the points on this one. Any one of the responses could have worked in removing this thing, depending upon the circumstances. I've assigned multiple solutions, as anyone else reading this thread will find a whole host of useful info which will help. I hope that is OK with everyone.
Tell me about it, I have a sore finger scrolling down, "grins".
But well done with the splitting of points, funasset; you only get 500, and it's not about points anyway. I'm really happy for you that finally!! you got rid of it.
Glad to have helped in the process.
Best Wishes
Merete
Thanks to all concerned.
Yes glad to have helped!