Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Cannot remove "Yoursearchresults.biz" from PC

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Cannot remove "Yoursearchresults.biz" from PC

Unread postby Blazinby » January 11th, 2016, 8:43 pm

Hi there,
I seem to have picked up an infection of some sort, every time I open my browsers I.E. or Firefox my search engine defaults to "Yoursearchreults.biz".

I have removed all potential suspicious software I could find and used spybot as well as AVG and other malware tools, none of them seem to remove the pesky thing and I was hoping someone here could point me in the right direction.

Any advice would be greatfully recieved,thanks in advance. I have included FRST logs.

regards Blazinby
Addition.txt


FRST.txt
You do not have the required permissions to view the files attached to this post.
Blazinby
Regular Member
 
Posts: 18
Joined: January 11th, 2016, 7:46 pm
Advertisement
Register to Remove

Re: Cannot remove "Yoursearchresults.biz" from PC

Unread postby capnkrunch » January 12th, 2016, 2:41 am

Warning!
The steps presented in these posts are for this person and machine ONLY. Do not apply these steps to your own system, without the guidance of a trained malware removal helper. Doing so, may possibly damage your system, preventing it from starting.

Hello Blazinby and welcome to the Malware Removal Forums :)

My name is capnkrunch and I will be helping you with your malware problems. I'm an Undergraduate trainee here, and as such my posts to you have to first be checked by a Teacher, because of this my replies to your posts may be slightly delayed. Please be patient and I'm sure we'll be able to resolve your problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  • You must have Administrator rights, permissions for this computer.
  • DO NOT run any other fix or removal tools unless instructed to do so.
  • DO NOT install any other software (or hardware) during the cleaning process.
  • Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  • Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
  • Only reply to this thread, do not start another ... Please, continue responding, until I give you the "All Clean".
    Remember, absence of symptoms does mean the infection is all gone.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Failure to respond for 3 days, will result in your topic being closed.

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care, not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


For your safety and protection, I would advise backing up all your important documents, personal data files and photos to a CD or DVD drive as some infections may render your computer unbootable during or before the disinfection process. The safest practice is not to backup any files with the following file extensions:
exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Cannot remove "Yoursearchresults.biz" from PC

Unread postby Blazinby » January 12th, 2016, 10:58 am

Hi capnkruch, thanks for the welcome

I have backed up my files but got a bit lost trying to make a boot cd.

I also have Hijackthis log if any use?

thanks for taking the time to help :)
Blazinby
Regular Member
 
Posts: 18
Joined: January 11th, 2016, 7:46 pm

Re: Cannot remove "Yoursearchresults.biz" from PC

Unread postby capnkrunch » January 12th, 2016, 7:15 pm

Hello Blazinby :)

P2P Advisory!
IMPORTANT There are signs of one or more P2P (Peer to Peer) File Sharing Programs installed on your computer.
µTorrent

As long as you have the P2P program(s) installed, per Forum Policy, I can offer you no further assitance.
If you choose NOT to remove the program(s)...indicate that in your next reply and this topic will be closed.

Otherwise, there are instructions for removing it in the next step.
By using any form of P2P networking to download files you can anticipate infestations of malware to occur. The P2P program
itself, may be safe but the files may not... use P2P at your own risk! Keep in mind that this practice may be the source of your current malware infestation.
Reference... siting risk factors, using P2P programs: How to Prevent the Online Invasion of Spyware and Adware

Step one...

Create a System Restore Point
  • Click on Start.
  • Type Create a restore point into the search box and select it from the results.
  • From the Available Drives list select the Windows drive. It will be the one that says (System) after it.
    • If Protection is Off, click Configure.
    • Select Turn on system protection and click OK.
  • Click on Create.
  • Type precleanup into the textbox and click Create.
  • Once it is finished click Close

Step two...

Uninstall Programs
  • Press the Windows Key + R.
  • Enter appwiz.cpl into the text box and click OK.
  • Locate the following programs:
    µTorrent
  • Press the Uninstall or Uninstall/Change button and carefully follow any prompts to uninstall the program.
    • Take care to read through any prompts completely! Some uninstallers may attempt to trick you into keeping the program.
    • Do this for every program listed.
    • Don't worry if you can't find one of the programs. Just be sure to let me know in your reply.
  • Once finished reboot your computer.

Step three...

CKScanner
Please download CKScanner and save it to your Desktop.
This program should only be run once!
Make sure that CKScanner.exe is on the your desktop before running the application!

  • Right click on the CKScanner.exe icon and select Run as administrator.
  • Click the Search For Files button.
  • When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
    A text file will be created on your desktop named "ckfiles.txt"
  • Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
  • Please copy/paste the contents of ckfiles.txt in your next reply.

Step four...

LicDiag Command
  • Press the Windows Key + R.
  • Type notepad.exe into the text box and click OK.
  • A blank Notepad page should open.
    • Copy and Paste the following script into Notepad, Do not include the words Code: Select all.
    • (Click the Select all button next to Code: to select the entire script).
    Code: Select all
    @Echo off
    Licensingdiag.exe -report %userprofile%\desktop\report.txt -log NUL
    Notepad.exe %userprofile%\desktop\report.txt
    del %0
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Licdiag.bat to your Desktop.
  • Save as file type All Files or it won't work.
  • Now right click on Licdiag.bat and select Run as administrator.
  • A file report.txt will open on your Desktop, please post the contents in your next reply.

Step five...

Please answer these questions:

Is this computer used for business purposes (including small or home business)? Is this computer ever connected to an educational institute's network (for example at a college or university)?

I need to know so I can provide the proper instructions.
Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

In your next reply please include:
  • Did you have any problems with the instructions?
  • Your decision about P2P programs
  • ckfiles.txt
  • report.txt
  • An answer to my question about business use
  • Are there any changes in computer behavior?
User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Cannot remove "Yoursearchresults.biz" from PC

Unread postby Blazinby » January 12th, 2016, 10:04 pm

Hi capnkrunch,

Step 1 complete

Step 2 comlpete I had already uninstalled as per forum rules before posting I'm guessing there is something I missed

Step 3
ckfiles.txt


Step 4
report.txt


Step 5 The instructions were clear and easy to follow

I have removed p2p software and will not be reinstalling any. (the source of my problems I'm guessing)

I am a full time student and I log into my college portal regularily and use files on my USB drive both at college and at home

This is a home computer which all of my family use.

PC seems slow to respond since I first noticed the problem, it takes a long time to shut down or log out as a user as well as hijacking my search engine no matter how often I delete Yoursearchresults

thank you again
You do not have the required permissions to view the files attached to this post.
Blazinby
Regular Member
 
Posts: 18
Joined: January 11th, 2016, 7:46 pm

Re: Cannot remove "Yoursearchresults.biz" from PC

Unread postby capnkrunch » January 13th, 2016, 8:07 pm

Hello Blazinby :)

Attached Logs Warning
In the future please copy and paste your replies instead of attaching them unless I specifically say otherwise.

WARNING: No Active Antivirus
You have AVG installed, however it is not enabled. It is essential to keep your antivirus enabled at all times. Before we do anything else you need to have an active antivirus product.

Step one...

Enable AVG Resident Shield
  • Click on Start.
  • Type AVG into the search box and select it from the results.
  • In the top right corner click Options and select Advanced Settings....
  • Click the [+] button next to Computer Protection to expand the menu and then click AntiVirus Settings.
  • Check the box next to Enable Resident Shield and then click Apply.
  • You can now exit the AVG control panel.

STOP! We cannot proceed until you have active antivirus software. Please report back if you were unable to enable AVG's Resident Shield and I will provide further instructions.

Registry Cleaner Warning
There is evidence of Registry Cleaner/Optimizer programs (AVG PC TuneUp, CCleaner) on your computer.

The Windows Registry is very resilient and can handle many orphaned entries without any hit in performance. Registry cleaners may damage your computer, even rendering it unbootable while offering no real benefit. As such I strongly recommend you remove AVG PC TuneUp. Instructions to do so are below.

CCleaner is a good tool for cleaning out temporary files. However, I strongly recommend you avoid it's registry cleaning function. It is just as unecessary and dangerous as any other registry cleaner.

If you are interested in more information, please read Registry Cleaners: Digital Snake Oil on the Malwarebytes Unpacked blog.

Step two...

Reenable Items With MSConfig
  • Press the Windows Key + R.
  • Type msconfig.exe into the text box and click OK.
  • Check Normal startup and click OK.
  • You will be prompted to restart your computer. Click Restart.

Step three...

Uninstall Programs
  • Press the Windows Key + R.
  • Enter appwiz.cpl into the text box and click OK.
  • Locate the following programs:
    AdVPN
    AVG PC TuneUp
    McAfee Security Scan Plus
    Spybot - Search & Destroy
  • Press the Uninstall or Uninstall/Change button and carefully follow any prompts to uninstall the program.
    • Take care to read through any prompts completely! Some uninstallers may attempt to trick you into keeping the program.
    • Do this for every program listed.
    • Don't worry if you can't find one of the programs. Just be sure to let me know in your reply.
  • Once finished reboot your computer.

Step four...

AdwCleaner - Scan Only
  • Please download AdwCleaner by Xplode save it to your Desktop.
  • Close all open programs and windows so that you are at your Desktop.
  • Right click on adwcleaner.exe and click Run as administrator.
  • Click on the Scan button.
    When the scan finishes, you'll see a message in the AdwCleaner window: "Waiting for action. Please uncheck elements you want to keep."
  • Do not attempt to clean anything at this point.
  • Click on the Logfile button.
  • This will open a file, AdwCleaner[S1].txt. Copy and paste the contents of that logfile in your reply.

Step five...

Please answer these questions:

Do you recognize the program named Shockwave? Was this program installed voluntarily?

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

In your next reply please include:
  • Did you have any problems with the instructions?
  • Were you able to enable AVG Resident Shield?
  • Your decision about registry cleaners
  • AdwCleaner[S1].txt
  • Answers to my questions
  • Are there any changes in computer behavior?
User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Cannot remove "Yoursearchresults.biz" from PC

Unread postby Blazinby » January 13th, 2016, 9:47 pm

Hi capnkrunch, :D

sorry about the logs I will paste future ones to the end of my posts

step 1 I have enabled resident shield although it looked active already. When I deactivated it I got a warning about no antivirus. I re enabled it

Step 2 complete

Step 3 complete

Step 4 complete log at end of post

Step 5 do not recognise Shockwave, I don't remember installing it

instructions were clear and easy to follow

I believe I have enabled AVG Resident Shield

I will not be using registry cleaners in the future

after selecting Normal Boot and removing the programs it took a very long time to complete the restart on both occasions

# AdwCleaner v5.029 - Logfile created 14/01/2016 at 01:17:26
# Updated 11/01/2016 by Xplode
# Database : 2016-01-12.1 [Server]
# Operating system : Windows 10 Home (x64)
# Username : stephen - MAGGIE
# Running from : C:\Users\stephen\Desktop\adwcleaner_5.029.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****

Service Found : vToolbarUpdater40.2.4

***** [ Folders ] *****

Folder Found : C:\Program Files (x86)\myfree codec
Folder Found : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Found : C:\Program Files\Common Files\AVG Secure Search
Folder Found : C:\ProgramData\AVG Secure Search
Folder Found : C:\ProgramData\AVG Security Toolbar
Folder Found : C:\Users\Public\Documents\Guid
Folder Found : C:\Users\stephen\AppData\Roaming\WTools
Folder Found : C:\Users\stephen\AppData\Roaming\RPEng
Folder Found : C:\Users\stephen\AppData\Roaming\RunDir

***** [ Files ] *****

File Found : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml
File Found : C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\iqn7ummx.default-1449965770414\Extensions\Avg@toolbar.xpi
File Found : C:\WINDOWS\SysNative\drivers\netmon_wfp.sys
File Found : C:\WINDOWS\SysWOW64\lavasofttcpservice.dll

***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Found : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Found : HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
Key Found : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKCU\Software\WEBAPP
Key Found : HKCU\Software\Microsoft\Tinstalls
Key Found : HKLM\SOFTWARE\NtSvcHandler
Key Found : [x64] HKLM\SOFTWARE\WebBar
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CB7EA2A8-C0FB-4CF7-96AF-EA19779A4793}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CB7EA2A8-C0FB-4CF7-96AF-EA19779A4793}

***** [ Web browsers ] *****

[C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\iqn7ummx.default-1449965770414\prefs.js] [Preference] Found : user_pref("browser.safebrowsing.appRepURL", "hxxps://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_API_KEY%");
[C:\Users\maggi_000\AppData\Roaming\Mozilla\Firefox\Profiles\c4sleunq.default-1443162559677\prefs.js] [Preference] Found : user_pref("browser.search.hiddenOneOffs", "Yahoo.co.uk,Bing,Amazon.co.uk,Chambers (UK),DuckDuckGo,eBay.co.uk,Twitter,Wikipedia (en),YourSearchResults");
[C:\Users\cmcga_000\AppData\Roaming\Mozilla\Firefox\Profiles\xdbengq.default\prefs.js] [Preference] Found : user_pref("browser.search.hiddenOneOffs", "Yahoo,Bing,Amazon.com,DuckDuckGo,eBay,Twitter,Wikipedia (en),YourSearchResults");
[C:\Users\cmcga_000\AppData\Roaming\Mozilla\Firefox\Profiles\xdbengq.default\prefs.js] [Preference] Found : user_pref("extensions.Rh8zKb8NHQqON7Ss.scode", "(function(){try{if(window.location.href.indexOf(\"rjYFrTg6qHkHrTr5rdYGpjaGqTC\")>-1){return;}}catch(e){}try{var d=[[\"cryptogmail.com\",\"bancdebinary.c[...]
[C:\Users\cmcga_000\AppData\Roaming\Mozilla\Firefox\Profiles\xdbengq.default\prefs.js] [Preference] Found : user_pref("extensions.ZRmQXG9lKe7tmzii.scode", "(function(){try{if(window.location.href.indexOf(\"rjYFrTg6qHkHrTr5rdYGpjaGqTC\")>-1){return;}}catch(e){}try{var d=[[\"cryptogmail.com\",\"bancdebinary.c[...]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [5778 bytes] ##########
Blazinby
Regular Member
 
Posts: 18
Joined: January 11th, 2016, 7:46 pm

Re: Cannot remove "Yoursearchresults.biz" from PC

Unread postby capnkrunch » January 14th, 2016, 5:53 pm

Hello Blazinby :)

Good job so far.

For the time being I'd like you to uninstall AVG. I do not generally recommend it anymore for a number of reasons, including concerns about their privacy policy (note that AVG components were flagged by AdwCleaner). In addition, it is no longer a lightweight solution as it used to be so removing it may help with your computer running slowly.

Windows 10 has a built-in antivirus called Windows Defender. We'll use this for now and discuss some other options when we are finished.

Step one...

Uninstall Programs
  • Press the Windows Key + R.
  • Enter appwiz.cpl into the text box and click OK.
  • Locate the following programs:
    AVG
    AVG Web TuneUp
    Shockwave
  • Press the Uninstall or Uninstall/Change button and carefully follow any prompts to uninstall the program.
    • Take care to read through any prompts completely! Some uninstallers may attempt to trick you into keeping the program.
    • Do this for every program listed.
    • Don't worry if you can't find one of the programs. Just be sure to let me know in your reply.
  • Once finished reboot your computer.

Step two...

Windows Defender should activate automatically when AVG is uninstalled but I'd like you to check to make sure.

Ensure Windows Defender is Active
  • Click Start then click Settings.
  • Click Update & Security and then select Windows Defender in the left-hand pane.
  • Ensure Real-time protection is On. If not, click the slider to activate it.
  • You can now exit the settings menu.

STOP! If Windows Defender is not active and you are unable to activate it do not proceed. Instead let me know, preferably from a different machine, so we can resolve this issue first.

Step three...

Show Hidden Files and Folders
  • Click Start and then click File Explorer.
  • Click on the View tab and then click Options.
  • In the Folder Options window click on the View tab.
  • Check Show hidden files and folders and uncheck Hide extensions for known file types.
  • Click OK.

Step four...

Upload Files to VirusTotal
  • Please go to VirusTotal.
  • Click the Choose File button.
  • Navigate to the following file:
    C:\WINDOWS\SysNative\drivers\netmon_wfp.sys
  • Click the Scan it! button.
  • You might see a message saying File already analysed, if you do click Reanalyse.
  • Wait for all the scans to finish then copy and paste the web address from your browser's address bar.
    Example of web address :
    Image
  • Include the link in your next reply.
Note: it is OK if you cannot find the file. Just be sure to let me know which ones in your reply.

Step five...

AdwCleaner - Scan and Clean
  • adwcleaner.exe should still be on your Desktop. If not please download it HERE.
  • Close all open programs and windows so that you are at your Desktop.
  • Right click on adwcleaner.exe and click Run as administrator.
  • Click on the Scan button.
    When the scan finishes, you'll see a message in the AdwCleaner window: "Waiting for action. Please uncheck elements you want to keep."
  • In the Files tab uncheck the following:
    C:\WINDOWS\SysNative\drivers\netmon_wfp.sys
  • Click on Cleaning.
  • Once finished AdwCleaner will prompt you to reboot. Please allow it to do so.
  • On reboot a log will open AdwCleaner[C1].txt. Copy and paste the contents of that logfile in your reply.

Step six...

FRST Fix
  • You should still have FRST64.exe in your Downloads folder. If not please download it HERE.
  • Press the Windows Key + R.
  • Type notepad.exe into the text box and click OK.
  • A blank Notepad page should open.
    • Copy and Paste the following script into Notepad, Do not include the words Code: Select all.
    • (Click the Select all button next to Code: to select the entire script).
    Code: Select all
    CreateRestorePoint:
    HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [3874216 2015-12-16] (AVG Technologies CZ, s.r.o.)
    HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [2814864 2015-12-18] ()
    HKLM-x32\...\Run: [AdVPN] => C:\Program Files (x86)\AdVPN\AdVPN.exe [714752 2015-11-26] (Alto Cloud Media Ltd.)
    HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguix.exe [1139112 2015-12-08] (AVG Technologies CZ, s.r.o.)
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\S-1-5-21-3488279127-63086370-3813774398-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
    HKU\S-1-5-21-3488279127-63086370-3813774398-1001\...\Policies\Explorer: []
    HKU\S-1-5-21-3488279127-63086370-3813774398-1004\...\Policies\Explorer: []
    HKU\S-1-5-21-3488279127-63086370-3813774398-1005\...\Policies\Explorer: []
    BootExecute: autocheck autochk * sdnclean64.exe
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    SearchScopes: HKU\S-1-5-21-3488279127-63086370-3813774398-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid= {B5865D80-2A55-4462-A797-214820891782}&mid=ad3dc6166b4547d2a160c18a3d8e079d-c5f949612484ff03e1b1875070de097a99d7176f&lang=en&ds=AVG&coid=avgtbavg&cmpid=1215avz&pr=fr&d=2015-05-02 13:56:25&v=4.2.3.128&pid=wtu&sg=&sap=dsp&q={searchTerms}
    BHO: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files\AVG Web TuneUp\4.2.4.155\AVG Web TuneUp.dll [2015-12-18] (AVG)
    BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll [2014-04-09] (McAfee, Inc.)
    BHO-x32: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG Web TuneUp\4.2.4.155\AVG Web TuneUp.dll [2015-12-18] (AVG)
    FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.2.4\\npsitesafety.dll [No File]
    FF SearchPlugin: C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\iqn7ummx.default-1449965770414\searchplugins\YourSearchResults.xml [2016-01-11]
    FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\wtu-secure-search.xml [2015-12-18]
    FF Extension: Block site - C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\iqn7ummx.default-1449965770414\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc} [2016-01-11]
    FF Extension: AVG Web TuneUp - C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\iqn7ummx.default-1449965770414\Extensions\avg@toolbar.xpi [2015-12-16]
    FF HKU\S-1-5-21-3488279127-63086370-3813774398-1001\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
    FF Extension: McAfee Security Scan Plus - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04] [not signed]
    FF HKU\S-1-5-21-3488279127-63086370-3813774398-1004\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
    FF HKU\S-1-5-21-3488279127-63086370-3813774398-1005\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
    FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\95ECF10835EB15F3A3C6F510A9817D6295EC [2015-11-26] <==== ATTENTION
    R2 AdVPN Service; C:\Program Files (x86)\AdVPN\AdVpnService.exe [35328 2015-11-26] () [File not signed]
    S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [627544 2015-12-16] (AVG Technologies CZ, s.r.o.)
    R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagent.exe [3902984 2015-12-16] (AVG Technologies CZ, s.r.o.)
    R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1049000 2015-12-08] (AVG Technologies CZ, s.r.o.)
    R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe [583936 2015-12-16] (AVG Technologies CZ, s.r.o.)
    S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
    R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [4377000 2015-12-11] (AVG Technologies CZ, s.r.o.)
    R2 UxTuneUp; C:\Windows\System32\uxtuneup.dll [48552 2015-12-11] (AVG Technologies CZ, s.r.o.)
    R2 UxTuneUp; C:\WINDOWS\SysWOW64\uxtuneup.dll [42408 2015-12-11] (AVG Technologies CZ, s.r.o.)
    R2 vToolbarUpdater40.2.4; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe [1923984 2015-12-18] (AVG Secure Search)
    R2 WtuSystemSupport; C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe [1164688 2015-12-18] ()
    S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [23152 2015-09-09] (AVG Technologies CZ, s.r.o.)
    R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [184240 2015-11-06] (AVG Technologies CZ, s.r.o.)
    R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [315312 2015-12-04] (AVG Technologies CZ, s.r.o.)
    R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [298416 2015-08-20] (AVG Technologies CZ, s.r.o.)
    R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [284080 2015-10-21] (AVG Technologies CZ, s.r.o.)
    R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [398256 2015-08-14] (AVG Technologies CZ, s.r.o.)
    R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [258480 2015-12-04] (AVG Technologies CZ, s.r.o.)
    R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [42416 2015-12-04] (AVG Technologies CZ, s.r.o.)
    R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [315840 2015-12-16] (AVG Technologies CZ, s.r.o.)
    S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-01-11] ()
    R3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [31144 2015-11-23] (TuneUp Software)
    2016-01-11 13:53 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
    2016-01-11 13:52 - 2016-01-11 14:12 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2016-01-11 13:52 - 2016-01-11 13:55 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2016-01-11 13:52 - 2016-01-11 13:52 - 00001467 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
    2016-01-11 13:52 - 2016-01-11 13:52 - 00001455 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
    2016-01-11 13:52 - 2016-01-11 13:52 - 00000000 ____D C:\WINDOWS\System32\Tasks\Safer-Networking
    2016-01-11 13:52 - 2016-01-11 13:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
    2016-01-11 13:52 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
    2016-01-11 13:51 - 2016-01-11 13:51 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\stephen\Downloads\spybot-2.4.exe
    2016-01-11 13:25 - 2016-01-11 13:25 - 00022704 _____ C:\WINDOWS\system32\Drivers\EsgScanner.sys
    2016-01-11 13:25 - 2016-01-11 13:25 - 00000000 _____ C:\autoexec.bat
    2016-01-11 13:24 - 2016-01-11 13:25 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\stephen\Downloads\SpyHunter-Installer(1).exe
    2016-01-06 21:53 - 2016-01-06 21:53 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\stephen\Downloads\SpyHunter-Installer.exe
    2016-01-06 01:28 - 2016-01-06 01:40 - 00000000 ____D C:\Users\stephen\AppData\LocalLow\uTorrent
    2015-12-15 14:27 - 2015-12-11 15:33 - 00048552 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\uxtuneup.dll
    2015-12-15 14:27 - 2015-12-11 15:33 - 00042408 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\SysWOW64\uxtuneup.dll
    CustomCLSID: HKU\S-1-5-21-3488279127-63086370-3813774398-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-3E48168F0BF5}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
    Task: {05D59D87-96D4-4809-B3E3-97F234952844} - \One System Care Monitor -> No File <==== ATTENTION
    Task: {07A4BA73-6E2C-4CC0-9C90-4582C0784378} - \APSnotifierPP2 -> No File <==== ATTENTION
    Task: {0D0D7F5F-415F-4BA5-BDDE-E9795793B0CF} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
    Task: {0E8CBF72-BACF-456C-B418-0BC1D825D58F} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
    Task: {10B3EDC6-37ED-466C-A117-CDB1E3012531} - System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance => C:\Program Files (x86)\AVG\AVG PC TuneUp\tuscanx.exe [2015-12-11] (AVG Technologies CZ, s.r.o.)
    Task: {25A68E46-C579-4EC3-8EF5-E063E0307D1B} - \IBUpd -> No File <==== ATTENTION
    Task: {35EC7C55-529C-482B-8014-350520EF20DF} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
    Task: {46FAD34F-36A4-4CD0-8BCA-651D7306173F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
    Task: {49811A13-6A52-49A6-A86C-242A54738A18} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
    Task: {58892ADB-3640-4938-AFFD-DB5BE0C864EB} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
    Task: {5B8D9BE7-190D-4AAA-B0CE-5599D6DD766A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
    Task: {5D6C13FC-A0E0-4F32-A275-A13FD1632A7A} - \One System CarePeriod -> No File <==== ATTENTION
    Task: {6C901A03-B728-48FD-8253-09345D462AF3} - \APSnotifierPP1 -> No File <==== ATTENTION
    Task: {71FDBB6F-0FAC-4CF6-80D6-91C47D61A6F0} - \APSnotifierPP3 -> No File <==== ATTENTION
    Task: {7E05E333-440E-4A41-A615-CDD8579B0F5E} - \SmartWeb Upgrade Trigger Task -> No File <==== ATTENTION
    Task: {8AEDF436-33EE-442E-A1FD-C28DFCCEFF25} - \SwiftSearch Auto Updater 1.10.0.25 Core -> No File <==== ATTENTION
    Task: {8D435A42-F6A4-452D-B01A-E8AB4CA713C0} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
    Task: {9027744C-BC63-42FB-9581-8CE3CDCB06A5} - \One System Care Run Delay -> No File <==== ATTENTION
    B75A4-B30B-451B-914F-0F05E7C19F46} - \SwiftSearch Auto Updater 1.10.0.25 Pending Update -> No File <==== ATTENTION
    Task: {A82CF6DE-22FC-4106-B744-E1011BE2AD50} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
    Task: {D2794EA9-DE59-4E4C-A896-369704F28B51} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
    Task: {D7D1F4A3-AEC0-46E2-8941-FCCEBE89056D} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
    Task: {EB8FBA59-4982-4D21-8793-EDB8B55056E8} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
    Task: {FB5EB42F-2D5B-49C4-B8D7-829794D7B939} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
    AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
    FirewallRules: [{5ED036ED-F5AB-4048-BDFC-E8B47D75749A}] => (Allow) D:\Program Files (x86)\FrostWire 6\FrostWire.exe
    FirewallRules: [{D17527EF-2462-4A78-9F98-2A7798A0EAC5}] => (Allow) D:\Program Files (x86)\FrostWire 6\FrostWire.exe
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
    FirewallRules: [{8C209DAE-C769-4D16-A8CA-04247FDF68EE}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
    FirewallRules: [{563ACA44-5FBF-47FD-A368-945205C57BE6}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
    FirewallRules: [{06CADD38-A975-479C-801F-433E8AA7ACEF}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
    FirewallRules: [{62E09C26-A72C-4760-993C-DB48D3A0D308}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
    AVG (Version: 16.31.7356 - AVG Technologies) Hidden
    AVG 2016 (Version: 16.0.4492 - AVG Technologies) Hidden
    AVG PC TuneUp (x32 Version: 16.13.3 - AVG Technologies) Hidden
    AVG Zen (Version: 1.31.9 - AVG Technologies) Hidden
    FMW 1 (Version: 1.42.1 - AVG Technologies) Hidden
    
    C:\Program Files (x86)\AVG
    C:\Program Files (x86)\AVG Web TuneUp
    C:\Program Files (x86)\AdVPN
    C:\Program Files\Common Files\AV\Spybot - Search and Destroy
    C:\Program Files\AVG Web TuneUp
    C:\Program Files\McAfee Security Scan
    C:\Program Files (x86)\AVG Web TuneUp
    C:\Program Files (x86)\Common Files\AVG Secure Search
    C:\ProgramData\McAfee Security Scan
    C:\Windows\System32\DRIVERS\avgboota.sys
    C:\Windows\System32\DRIVERS\avgdiska.sys
    C:\Windows\System32\DRIVERS\avgidsdrivera.sys
    C:\Windows\System32\DRIVERS\avgidsha.sys
    C:\Windows\System32\DRIVERS\avgldx64.sys
    C:\Windows\System32\DRIVERS\avgloga.sys
    C:\Windows\System32\DRIVERS\avgmfx64.sys
    C:\Windows\System32\DRIVERS\avgrkx64.sys
    C:\Windows\system32\DRIVERS\avgwfpa.sys
    D:\Program Files (x86)\FrostWire 6
    
    Hosts:
    EmptyTemp:
    CMD: ipconfig /flushdns
  • Save it next to FRST64.exe as fixlist.txt.
    Important! fixlist.txt must be saved in the same directory as FRST64.exe to work.
  • Right click on FRST64.exe and select Run as administrator.
  • Press the Fix button one time only and wait.
  • When FRST finishes you will be prompted to reboot your computer. Click OK.
  • Your computer should now restart. On reboot navigate to your Downloads folder where you should find Fixlog.txt. Copy and paste the contents in your reply.

Step seven...

Revised FRST Scan
  • You should still have FRST64.exe in your Downloads folder. If not please download it HERE.
  • Close all open programs and windows.
  • Right click FRST64.exe and select Run as administrator.
  • Under Optional Scan check Addition.txt.
  • Press the Scan button and wait while the scan finishes.
  • Once finished, two files will open: FRST.txt and Addition.txt. Please copy and paste the contents of both logs in your reply.
    The logs can also be found in the same directory where FRST was run from.

Please try all your browsers (Firefox, Chrome, Internet Explorer, and Edge) to see which, if any still have problems.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

In your next reply please include:
  • Did you have any problems with the instructions?
  • The VirusTotal link
  • AdwCleaner[C1].txt
  • Fixlog.txt
  • FRST.txt
  • Addition.txt
  • Which browsers if any are still experiencing issues?
  • Are there any changes in computer behavior?
User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Cannot remove "Yoursearchresults.biz" from PC

Unread postby capnkrunch » January 16th, 2016, 6:34 pm

Hello Blazinby :)

It has been 48 hours since my last post.
  • Do you still need help?
  • Do you need more time?
  • Are you having problems following my instructions?
  • According to Malware Removal's latest policy, topics can be closed after 3 days without a response.
  • If you do not reply within the next 24 hours, this topic will be closed.
User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Cannot remove "Yoursearchresults.biz" from PC

Unread postby pgmigg » January 17th, 2016, 8:25 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
pgmigg
MRU Teacher
MRU Teacher
 
Posts: 3178
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 54 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware