Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Searchqu removal

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Searchqu removal

Unread postby Gary R » April 26th, 2011, 2:29 am

Don't see anything in your OTL log to explain why IE's search is still set to w w w.search-results.com

So let's search around a little and see if we can find out why ....

Please download SystemLook from one of the links below and save it to your Desktop.

For 64 bit Systems
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code: Select all
:regfind
www.search-results.com
search-results.com
search results
search
results

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove

Re: Searchqu removal

Unread postby ihatemalware8 » April 26th, 2011, 12:05 pm

This was in the extras log

"{457C9AC8-A27E-470F-8CF0-0D67471F1363}" = protocol=17 | dir=in | app=c:\program files (x86)\windows ilivid toolbar\toolbar\dtuser.exe |

Does the ilivid toolbar have anything to do with the searchqu and search-results thing? I have heard it installs malware.

I will run systemlook in a little bit
ihatemalware8
Regular Member
 
Posts: 15
Joined: April 20th, 2011, 8:51 pm

Re: Searchqu removal

Unread postby ihatemalware8 » April 26th, 2011, 12:50 pm

here's part of my systemlook log, it turned into a 1.5mb txt file because it was so long. i think a lot of the entries are from my spybot s&d and javacool spyware blaster's restricted domains list. However I took a quick peek at the beginning and there is still some searchqu stuff. if you want to see the whole list i can upload it somewhere and you can download the txt file.

ystemLook 04.09.10 by jpshortstuff
Log created at 12:05 on 26/04/2011 by Joan
Administrator - Elevation successful

========== regfind ==========

Searching for "www.search-results.com"
No data found.

Searching for "search-results.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mysearch-results.com]
[HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mysearch-results.com]

Searching for "search results"
No data found.

Searching for "search"
[HKEY_CURRENT_USER\AppEvents\EventLabels\SearchProviderDiscovered]
[HKEY_CURRENT_USER\AppEvents\EventLabels\SearchProviderDiscovered]
@="Search Provider Discovered"
[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\SearchProviderDiscovered]
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\FindSearch]
[HKEY_CURRENT_USER\Software\AppDataLow\Software\searchqutoolbar]
[HKEY_CURRENT_USER\Software\DataMngr\Files\Homepage]
"Value"="http://www.searchqu.com/406"
[HKEY_CURRENT_USER\Software\DataMngr\Files\Homepage]
"DefaultValue"="user_pref("browser.startup.homepage", "http://www.searchqu.com/406");"
[HKEY_CURRENT_USER\Software\DataMngr\Files\SelectedSearch]
[HKEY_CURRENT_USER\Software\DataMngr\Files\SelectedSearch]
"Value"="Web Search"
[HKEY_CURRENT_USER\Software\DataMngr\Files\SelectedSearch]
"Message"="search engine"
[HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch]
[HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch]
"Value"="http://www.searchqu.com/web?src=ffb&systemid=406&q="
[HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch]
"Message"="search engine"
[HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch]
"DefaultValue"="user_pref("keyword.URL", "http://www.searchqu.com/web?src=ffb&systemid=406&q=");"
[HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch]
"Name"="FFUrlbar search"
[HKEY_CURRENT_USER\Software\DataMngr\List\Item1]
"Key"="Software\Microsoft\Internet Explorer\SearchScopes"
[HKEY_CURRENT_USER\Software\DataMngr\List\Item1]
"Message"="search engine"
[HKEY_CURRENT_USER\Software\DataMngr\List\Item2]
"Value"="http://www.searchqu.com/406"
[HKEY_CURRENT_USER\Software\Microsoft\IAM\Accounts\Active Directory GC]
"LDAP Search Base"="NULL"
[HKEY_CURRENT_USER\Software\Microsoft\IAM\Accounts\VeriSign]
"LDAP Search Base"="NULL"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{486D7793-3043-488C-A39B-B676A05F9FBB}]
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{486D7793-3043-488C-A39B-B676A05F9FBB}]
"SuggestionsURLFallback"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{486D7793-3043-488C-A39B-B676A05F9FBB}]
"FaviconPath"="C:\Users\Joan\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{486D7793-3043-488C-A39B-B676A05F9FBB}.ico"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"DisplayName"="Web Search"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"URL"="http://www.searchqu.com/web?src=ieb&systemid=406&q={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"ShowSearchSuggestions"="1"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"SuggestionsURL_JSON"="http://www.searchqu.com/suggest.php?src=ieb&systemid=406&qu={searchTerms}&ft=json"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8B1A8E36-C6C3-4461-8966-2BDE0BA6E4F8}]
"URL"="http://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8B1A8E36-C6C3-4461-8966-2BDE0BA6E4F8}]
"SuggestionsURLFallback"="http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8B1A8E36-C6C3-4461-8966-2BDE0BA6E4F8}]
"FaviconPath"="C:\Users\Joan\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{8B1A8E36-C6C3-4461-8966-2BDE0BA6E4F8}.ico"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AB0EC67F-D6F8-4DCC-8619-E966207B336E}]
"FaviconPath"="C:\Users\Joan\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{AB0EC67F-D6F8-4DCC-8619-E966207B336E}.ico"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research]
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{81F95CF7-A582-402A-AE2F-CEA901D4207E}]
"QueryPath"="http://integrate.factiva.com/research/query.asmx"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{81F95CF7-A582-402A-AE2F-CEA901D4207E}]
"RegistrationPath"="http://integrate.factiva.com/research/query.asmx"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{81F95CF7-A582-402A-AE2F-CEA901D4207E}\{E76BCF9F-AFE3-4509-BF75-F0187BF195C5}]
"AboutPath"="http://www.factiva.com/en/research"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}]
"QueryPath"="http://office.microsoft.com/Research/query.asmx"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}]
"RegistrationPath"="http://office.microsoft.com/Research/query.asmx"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{05EA20D9-18DC-4446-A9F8-F6C5161357CE}]
"Description"="Provides the latest price information, news, research, and analysis tools for stocks and funds."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{19BC3378-2319-4C50-990A-17600534DFF9}]
"ServiceName"="Local Address Search (Korean)"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{2EF9BA38-C64D-4D08-8287-EB9B2F34D0E9}]
"Description"="Provides the latest price information, news, research, and analysis tools for stocks and funds."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{3025A91E-BDA1-4AFC-93A0-C8FFA8ED2003}]
"ServiceName"="Live Search Singapore"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{3025A91E-BDA1-4AFC-93A0-C8FFA8ED2003}]
"Description"="Use the Bing service to search for web results relevant to your query."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{367320E9-4519-4DA9-B378-7D558B634090}]
"ServiceName"="Live Search Canada: French"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{367320E9-4519-4DA9-B378-7D558B634090}]
"Description"="Use the Bing service to search for web results relevant to your query."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{431EDE57-B54B-49FB-A944-76201F746749}]
"Description"="Provides the latest price information, news, research, and analysis tools for stocks and funds."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{585D6C55-32A2-4E14-B287-5B0BA7088E00}]
"ServiceName"="Live Search Canada"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{585D6C55-32A2-4E14-B287-5B0BA7088E00}]
"Description"="Use the Bing service to search for web results relevant to your query."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{5B6013C8-5C36-47D4-9AC0-22DBC558E5CB}]
"ServiceName"="Live Search India"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{5B6013C8-5C36-47D4-9AC0-22DBC558E5CB}]
"Description"="Use the Bing service to search for web results relevant to your query."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{5ECE69BA-86F3-43F1-B120-E16447CBD2F7}]
"Description"="Use the Bing service to search for web results relevant to your query."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{67D50A84-401A-42C1-801A-029435E34615}]
"Description"="Provides the latest price information, news, research, and analysis tools for stocks and funds."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{6AEF5596-203D-4817-A17B-8A4810BF5D33}]
"Description"="Provides the latest price information, news, research, and analysis tools for stocks and funds."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{818435D0-0F60-401D-A48D-C677372AA835}]
"ServiceName"="Live Search Australia"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{818435D0-0F60-401D-A48D-C677372AA835}]
"Description"="Use the Bing service to search for web results relevant to your query."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{89B7F815-F3B1-4E57-8AFE-31FE4F5A05F4}]
"ServiceName"="Live Search U.K."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{89B7F815-F3B1-4E57-8AFE-31FE4F5A05F4}]
"Description"="Use the Bing service to search for web results relevant to your query."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{934E2429-BC83-4FFB-B3A2-6761EC6870DE}]
"ServiceName"="Live Search South Africa"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{934E2429-BC83-4FFB-B3A2-6761EC6870DE}]
"Description"="Use the Bing service to search for web results relevant to your query."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{A9167F26-9553-416D-B94E-1F6D9A2EEC3C}]
"Description"="Provides the latest price information, news, research, and analysis tools for stocks and funds."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{AE88164D-E0DF-4BC6-9B31-4399E9B4E5C5}]
"ServiceName"="Live Search New Zealand"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{AE88164D-E0DF-4BC6-9B31-4399E9B4E5C5}]
"Description"="Use the Bing service to search for web results relevant to your query."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{C8AB1768-BC24-4789-B87B-33ABA88A8975}]
"ServiceName"="Live Search Malaysia"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{C8AB1768-BC24-4789-B87B-33ABA88A8975}]
"Description"="Use the Bing service to search for web results relevant to your query."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{C8DF8ECA-78C5-4073-88D0-A24585AB987A}]
"Description"="Provides the latest price information, news, research, and analysis tools for stocks and funds."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{DA0B6D82-B161-4190-8878-AA5D07F94C9F}]
"Description"="Provides the latest price information, news, research, and analysis tools for stocks and funds."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{E13847DA-E186-427A-94D0-AA01163D80CE}]
"Description"="Provides the latest price information, news, research, and analysis tools for stocks and funds."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{ED0B84FD-3B80-47DF-AFA9-8B54E8BFEA2F}]
"ServiceName"="Live Search U.S.: Spanish"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{ED0B84FD-3B80-47DF-AFA9-8B54E8BFEA2F}]
"Description"="Use the Bing service to search for web results relevant to your query."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{88686849-2DD9-474D-9300-778E3336FA5D}\{FBEEEE40-FB96-4A4B-9D02-D293FF69FC07}]
"Description"="Provides the latest price information, news, research, and analysis tools for stocks and funds."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{C818DC43-F71C-11D6-9039-00B0D019A5D1}]
"ProviderName"="HighBeam Research, Inc."
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{C818DC43-F71C-11D6-9039-00B0D019A5D1}\{C818DC43-F71C-11D6-9039-00B0D019A5D1}]
"ServiceName"="HighBeam (TM) Research"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Research\Sources\{C818DC43-F71C-11D6-9039-00B0D019A5D1}\{C818DC43-F71C-11D6-9039-00B0D019A5D1}]
"TermsOfUse"="Copyright (c) 2004 Highbeam Research, Inc."
[HKEY_CURRENT_USER\Software\Microsoft\Search Enhancement Pack]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Searchqu 406 MediaBar]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.search-ms]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Search]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Search\ScopeList]
"a"="C:\Users\Joan\Searches\Everywhere.search-ms"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Search\ScopeList]
"b"="C:\Users\Joan\Searches\Indexed Locations.search-ms"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences]
"BreadCrumbBarSearchDefault"="MSNSearch"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences]
"IEAddressBarSearchDefault"="MSNSearch"
ihatemalware8
Regular Member
 
Posts: 15
Joined: April 20th, 2011, 8:51 pm

Re: Searchqu removal

Unread postby Gary R » April 26th, 2011, 5:03 pm

The entry you found in the Extra log was an "allowed" item for your Firewall that I'd missed removing last time, it was not in of itself a particular danger to your machine but I've scripted it for removal this time.

There are however a few things in the SystemLook log that need attention.

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code: Select all
:Reg
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mysearch-results.com]
[-HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mysearch-results.com]
[-HKEY_CURRENT_USER\Software\AppDataLow\Software\searchqutoolbar]
[HKEY_CURRENT_USER\Software\DataMngr\Files\Homepage]
"Value"=-
[HKEY_CURRENT_USER\Software\DataMngr\Files\Homepage]
"DefaultValue"=-
[HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch]
"Value"=-
[HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch]
"DefaultValue"=-
[HKEY_CURRENT_USER\Software\DataMngr\List\Item2]
"Value"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"URL"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"SuggestionsURL_JSON"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{457C9AC8-A27E-470F-8CF0-0D67471F1363}"=-

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Let me know if this resolves your problem with IE.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Searchqu removal

Unread postby ihatemalware8 » April 26th, 2011, 7:14 pm

It is still listed as the default search in IE and still listed in the Manage Add-Ons section where you choose your search provider
I actually found more searchqu entries in the systemlook log. I uploaded the full log (compressed it so it would upload here). I only posted the first bit of the full log in my last post. If you do a search for "searchqu" it will come up with a bunch of entries near the middle of the log that I missed.

Thanks for the help so far.


========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mysearch-results.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mysearch-results.com\ not found.
Registry key HKEY_CURRENT_USER\Software\AppDataLow\Software\searchqutoolbar\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\DataMngr\Files\Homepage\\Value deleted successfully.
Registry value HKEY_CURRENT_USER\Software\DataMngr\Files\Homepage\\DefaultValue deleted successfully.
Registry value HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch\\Value deleted successfully.
Registry value HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch\\DefaultValue deleted successfully.
Registry value HKEY_CURRENT_USER\Software\DataMngr\List\Item2\\Value deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\\URL deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\\SuggestionsURL_JSON deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{457C9AC8-A27E-470F-8CF0-0D67471F1363} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{457C9AC8-A27E-470F-8CF0-0D67471F1363}\ not found.

OTL by OldTimer - Version 3.2.22.3 log created on 04262011_191346
You do not have the required permissions to view the files attached to this post.
ihatemalware8
Regular Member
 
Posts: 15
Joined: April 20th, 2011, 8:51 pm

Re: Searchqu removal

Unread postby Gary R » April 27th, 2011, 2:20 am

OK, let's have another go.

Before we start I want you to uninstall Spybot S&D, since there's a very strong chance it will replace the resgistry settings we're about to remove. I should have recommended this last time.

You can re-install it as soon as we've successfully removed the searchqu entries.

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code: Select all
:Reg
[HKEY_CURRENT_USER\Software\DataMngr\Files\Homepage]
"Value"=-
[HKEY_CURRENT_USER\Software\DataMngr\Files\Homepage]
"DefaultValue"=-
[HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch]
"Value"=-
[HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch]
"DefaultValue"=-
[HKEY_CURRENT_USER\Software\DataMngr\List\Item2]
"Value"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"URL"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"SuggestionsURL_JSON"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\Files\Homepage]
"Value"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\Files\Homepage]
"DefaultValue"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\Files\UrlbarSearch]
"Value"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\Files\UrlbarSearch]
"DefaultValue"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\List\Item2]
"Value"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"URL"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"SuggestionsURL_JSON"=-
[HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\DataMngr\Files\Homepage]
"Value"=-
[HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\DataMngr\Files\Homepage]
"DefaultValue"=-
[HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\DataMngr\Files\UrlbarSearch]
"Value"=-
[HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\DataMngr\Files\UrlbarSearch]
"DefaultValue"=-
[HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\DataMngr\List\Item2]
"Value"=-
[HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"URL"=-
[HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
"SuggestionsURL_JSON"=-


  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Before re-installing Spybot, let me know if searchqu is no longer your default search.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Searchqu removal

Unread postby ihatemalware8 » April 27th, 2011, 11:21 am

Here's the OTL log from the fixes
Looks like it's gone, thanks for the help!

========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\DataMngr\Files\Homepage\\Value not found.
Registry value HKEY_CURRENT_USER\Software\DataMngr\Files\Homepage\\DefaultValue not found.
Registry value HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch\\Value not found.
Registry value HKEY_CURRENT_USER\Software\DataMngr\Files\UrlbarSearch\\DefaultValue not found.
Registry value HKEY_CURRENT_USER\Software\DataMngr\List\Item2\\Value not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\\URL not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\\SuggestionsURL_JSON not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\Files\Homepage\\Value deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\Files\Homepage\\DefaultValue deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\Files\UrlbarSearch\\Value deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\Files\UrlbarSearch\\DefaultValue deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr\List\Item2\\Value deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\\URL deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\\SuggestionsURL_JSON deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\DataMngr\Files\Homepage\\Value not found.
Registry value HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\DataMngr\Files\Homepage\\DefaultValue not found.
Registry value HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\DataMngr\Files\UrlbarSearch\\Value not found.
Registry value HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\DataMngr\Files\UrlbarSearch\\DefaultValue not found.
Registry value HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\DataMngr\List\Item2\\Value not found.
Registry value HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\\URL not found.
Registry value HKEY_USERS\S-1-5-21-2350576119-2956720047-572655467-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\\SuggestionsURL_JSON not found.

OTL by OldTimer - Version 3.2.22.3 log created on 04272011_112035
ihatemalware8
Regular Member
 
Posts: 15
Joined: April 20th, 2011, 8:51 pm

Re: Searchqu removal

Unread postby Gary R » April 27th, 2011, 12:17 pm

OK, time for a little tidying up, then I'll make a few suggestions about security.

Let's clear out OTL and the files and folders it created. This will also remove TDSSKiller and SystemLook.
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems ?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

If your computer is running slowly after your clean up, please read.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Searchqu removal

Unread postby ihatemalware8 » April 27th, 2011, 4:00 pm

Finished the cleanup, everything looks good. I was helping someone else with their computer. I put Noscript in Firefox, have Spybot S&D protection running in the background, and have used the restricted domains from both Spybot and Javacool Spyware Blaster. The McAfee Antivirus is running the background as well. But the person I am helping tends to go on lots of suspicious sites and opens lots of emails. Is there anything else I can really do to protect the computer?
ihatemalware8
Regular Member
 
Posts: 15
Joined: April 20th, 2011, 8:51 pm

Re: Searchqu removal

Unread postby Gary R » April 27th, 2011, 4:19 pm

ihatemalware8 wrote:.... the person I am helping tends to go on lots of suspicious sites and opens lots of emails. Is there anything else I can really do to protect the computer?


Other than nailing their mousing hand to the table ;) :D , I suggest you Sandbox their browser and their e-mail client ...... viewtopic.php?p=557962#p557962 (read the section at the bottom of the post).

Sandboxing is not 100% secure, and it requires a little learning about, but used properly it can reduce risks for the sort of person you're describing. If they pick up something unwanted, then clearing out the Sandbox will usually remove it.

See also .... http://www.sandboxie.com/

Sandboxie is free, and pretty easy to install and use. Have a go with it and see what you think.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Searchqu removal

Unread postby Gary R » April 27th, 2011, 4:20 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 294 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware