browser hijacked with tab "searchnu.com/406"

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: browser hijacked with tab "searchnu.com/406"

by dermot » June 10th, 2013, 5:32 pm

Hi Cypher
Sorry but I let the scan run for about an hour and fifteen minutes before I stopped it! Although the 'files scanned' counter occasionally had a burst of activity, most of the time it was either hanging or increasing painfully slowly by one file at a time! As your instruction mentioned that
•The virus signature database... will begin to download. Be patient this may take some time depending on the speed of your Internet Connection
and yet this only took a few moments, I feel sure that if this scan was normally this slow you would also have mentioned that too! Also I didn't want to leave my antivirus disabled for such a long time! I did check for the log of the partial scan but none appeared in
C:\Program Files\ESET\EsetOnlineScanner\log.txt.
so I have no logs to post for you. Any suggestions? Sorry.... :?
Thanks
Dermot
dermot
Active Member
 
Posts: 14
Joined: June 7th, 2013, 12:01 pm

Re: browser hijacked with tab "searchnu.com/406"

by Cypher » June 11th, 2013, 4:29 am

Hi dermot,
No problem, that scan can take quite some time to run.
How is your computer running now, are you experiencing any problems?
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: browser hijacked with tab "searchnu.com/406"

by dermot » June 11th, 2013, 3:09 pm

Hi Cypher
The computer is running fine thanks - the only odd thing is that the last couple of times I've started up I get an error message window from 'Microsoft Visual C++ Runtime Library'. The error message reads as follows:
Runtime Error!
Program: C...
This application has requested the Runtime to terminate in an unusual way.
Please contact the application's support team for more information.

I'm not sure which application it is referring to but suspect it is the Bing Desktop as that seems to refresh when I click 'OK' on the error message.

Regarding the ESET online scan, as you've confirmed it takes a long time to run, I will try again now and post back to you later.
dermot
Active Member
 
Posts: 14
Joined: June 7th, 2013, 12:01 pm

Re: browser hijacked with tab "searchnu.com/406"

by dermot » June 11th, 2013, 8:01 pm

Hi Cypher
Wow, the scan took four and a half hours!!! :!:
However, it did find 7 infected files! :o
Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=8
# IEXPLORE.EXE=10.00.9200.16521 (win8_gdr_soc_ie.130216-2100)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=03729ee99f21d84d9e1fa1e11a90dfae
# engine=14051
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-06-11 11:49:28
# local_time=2013-06-12 12:49:28 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1045 16777213 100 88 17975 58124952 0 0
# compatibility_mode=5893 16776574 100 94 19729203 123459618 0 0
# scanned=218883
# found=7
# cleaned=0
# scan_time=16106
sh=AFC3D0AB361FAB732F186E63EEC1AE0B7CD530ED ft=1 fh=7a250df4591d3406 vn="Win32/Adware.1ClickDownload.AI application" ac=I fn="C:\Documents and Settings\Dermot\Downloads\FirstRowSportApp_Setup1i.exe"
sh=C88E848F793EC433287746E65679B4C003616CC4 ft=1 fh=cd5864f93f5ebdb4 vn="multiple threats" ac=I fn="C:\Documents and Settings\Dermot\Downloads\FlashPlayer_transaction_id=10217e0ef759a198e35e8aeb2ff44d.exe"
sh=43FBD6EC37A2922490875E8D715AA31AEA3DBEB7 ft=1 fh=ad44b8cbad9d39e9 vn="Win32/Adware.1ClickDownload.G application" ac=I fn="C:\Documents and Settings\Dermot\Downloads\VipBoxSportsApp_setup(36).exe"
sh=AFC3D0AB361FAB732F186E63EEC1AE0B7CD530ED ft=1 fh=7a250df4591d3406 vn="Win32/Adware.1ClickDownload.AI application" ac=I fn="C:\Users\Dermot\Downloads\FirstRowSportApp_Setup1i.exe"
sh=C88E848F793EC433287746E65679B4C003616CC4 ft=1 fh=cd5864f93f5ebdb4 vn="multiple threats" ac=I fn="C:\Users\Dermot\Downloads\FlashPlayer_transaction_id=10217e0ef759a198e35e8aeb2ff44d.exe"
sh=43FBD6EC37A2922490875E8D715AA31AEA3DBEB7 ft=1 fh=ad44b8cbad9d39e9 vn="Win32/Adware.1ClickDownload.G application" ac=I fn="C:\Users\Dermot\Downloads\VipBoxSportsApp_setup(36).exe"
sh=A3E1C3254E599505A71C7842AF34C87496B94827 ft=1 fh=beba3bd1b6161ebb vn="Win32/Toolbar.SearchSuite application" ac=I fn="C:\_OTL\MovedFiles\06092013_200437\C_Documents and Settings\Dermot\Downloads\iLividSetup-r284-n-bc.exe"
dermot
Active Member
 
Posts: 14
Joined: June 7th, 2013, 12:01 pm
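
The ESET log in the post above records each detection as one line of key=value fields. As an added example (not part of the thread, and not ESET's or OTL's own code), this Python parser reads such lines and groups them by the sh= hash. It assumes sh= is the file's SHA-1 and that the machine runs Vista or later, where C:\Documents and Settings is a junction to C:\Users; the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the ESET Online Scanner detection lines.
# Hashes, user name and file names are made up; detection names are from the log.
SAMPLE_LOG = r'''
# found=5
sh=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ft=1 fh=1111111111111111 vn="Win32/Adware.1ClickDownload.AI application" ac=I fn="C:\Documents and Settings\User\Downloads\Setup_A.exe"
sh=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB ft=1 fh=2222222222222222 vn="multiple threats" ac=I fn="C:\Documents and Settings\User\Downloads\Player_id=12ab.exe"
sh=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ft=1 fh=1111111111111111 vn="Win32/Adware.1ClickDownload.AI application" ac=I fn="C:\Users\User\Downloads\Setup_A.exe"
sh=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB ft=1 fh=2222222222222222 vn="multiple threats" ac=I fn="C:\Users\User\Downloads\Player_id=12ab.exe"
sh=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC ft=1 fh=3333333333333333 vn="Win32/Toolbar.SearchSuite application" ac=I fn="C:\_OTL\MovedFiles\Setup_C.exe"
'''

# key=value pairs; a value is either quoted (may contain spaces and '=') or a bare token
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_detection(line):
    """Return the fields of one detection line, or None for header lines."""
    if not line.startswith("sh="):
        return None
    return {m.group(1): m.group(3) if m.group(2) is None else m.group(2)
            for m in FIELD.finditer(line)}

def canonical_path(path):
    """Assumption: Vista or later, where C:\\Documents and Settings is a
    junction to C:\\Users, so both spellings name the same file."""
    legacy = "c:\\documents and settings\\"
    if path.lower().startswith(legacy):
        return "C:\\Users\\" + path[len(legacy):]
    return path

def unique_detections(log_text):
    """Group detection lines by hash and collapse junction aliases."""
    groups = defaultdict(lambda: {"names": set(), "paths": set()})
    raw = 0
    for line in log_text.splitlines():
        rec = parse_detection(line.strip())
        if rec is None:
            continue
        raw += 1
        groups[rec["sh"]]["names"].add(rec["vn"])
        groups[rec["sh"]]["paths"].add(canonical_path(rec["fn"]))
    return raw, dict(groups)

if __name__ == "__main__":
    raw, groups = unique_detections(SAMPLE_LOG)
    print(f"{raw} log lines -> {len(groups)} distinct files")
    for sha1, g in groups.items():
        print(sha1[:8], sorted(g["names"]), sorted(g["paths"]))
```

Applied to the seven detection lines in the log above, the same grouping yields four distinct hashes: three installers in the Downloads folder, each listed under both path spellings, plus one file already moved to C:\_OTL\MovedFiles.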

Re: browser hijacked with tab "searchnu.com/406"

by Cypher » June 12th, 2013, 5:48 am

Hi dermot,
We need to run one more fix.
Please do the following, then give me another update on how your computer is running.

  • Right-click OTL.exe and select "Run as administrator" to run it.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
  • (Click the select all button next to the codebox to select the entire script).
    Code: Select all
        
    :files
    C:\Documents and Settings\Dermot\Downloads\FirstRowSportApp_Setup1i.exe
    C:\Documents and Settings\Dermot\Downloads\FlashPlayer_transaction_id=10217e0ef759a198e35e8aeb2ff44d.exe
    C:\Documents and Settings\Dermot\Downloads\VipBoxSportsApp_setup(36).exe
    C:\Users\Dermot\Downloads\FirstRowSportApp_Setup1i.exe
    C:\Users\Dermot\Downloads\FlashPlayer_transaction_id=10217e0ef759a198e35e8aeb2ff44d.exe
    C:\Users\Dermot\Downloads\VipBoxSportsApp_setup(36).exe
    ipconfig /flushdns /c
    
    :commands
    [emptytemp]
     
        

  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: browser hijacked with tab "searchnu.com/406"

by dermot » June 12th, 2013, 1:54 pm

Hi Cypher
Computer is running well and no symptoms since the first fix! That's why I was surprised by last night's scan finding 7 infected files - the little feckers must hide themselves very well haha. I ran the fix and here is the log:

All processes killed
Error: Unable to interpret < > in the current context!
========== FILES ==========
C:\Documents and Settings\Dermot\Downloads\FirstRowSportApp_Setup1i.exe moved successfully.
C:\Documents and Settings\Dermot\Downloads\FlashPlayer_transaction_id=10217e0ef759a198e35e8aeb2ff44d.exe moved successfully.
C:\Documents and Settings\Dermot\Downloads\VipBoxSportsApp_setup(36).exe moved successfully.
File\Folder C:\Users\Dermot\Downloads\FirstRowSportApp_Setup1i.exe not found.
File\Folder C:\Users\Dermot\Downloads\FlashPlayer_transaction_id=10217e0ef759a198e35e8aeb2ff44d.exe not found.
File\Folder C:\Users\Dermot\Downloads\VipBoxSportsApp_setup(36).exe not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Dermot\Desktop\cmd.bat deleted successfully.
C:\Users\Dermot\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Dermot
->Temp folder emptied: 1658207917 bytes
->Temporary Internet Files folder emptied: 126079914 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1196 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 92040 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,702.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 06122013_184115

Files\Folders moved on Reboot...
C:\Users\Dermot\AppData\Local\Temp\HP Support Framework\HPSF_Config1.dll moved successfully.
C:\Users\Dermot\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Dermot\AppData\Local\Temp\HPV56D8.tmp.vdf moved successfully.
C:\Users\Dermot\AppData\Local\Temp\HPV56D9.tmp.vdf moved successfully.
C:\Users\Dermot\AppData\Local\Temp\HPV5785.tmp.vdf moved successfully.
C:\Users\Dermot\AppData\Local\Temp\HPV5BEE.tmp.vdf moved successfully.
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DF02C6E33B7C35284F.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DF157216B01F154EEE.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DF262519DA2564C509.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DF291B5B98FD113A6F.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DF2981C1788CD1B881.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DF29E906E0CA82D472.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DF2A3D4685DD648BA7.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DF655BE938FD79A723.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DF71D6E1A7C64640AA.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DFA9AEC53861E69C5E.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DFC79A05ABAB3E255E.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DFCB37E4335BEEB92E.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DFE0803F3A3427979C.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DFF520E7EA2179572F.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DFF9DA176336139CFA.TMP not found!
File\Folder C:\Users\Dermot\AppData\Local\Temp\~DFFE7499DE5B094D39.TMP not found!
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PWP07VRA\sck[2].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OT8F0SGG\Passport[1].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OT8F0SGG\sck[4].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5ZKBXI8S\DroidSans[1].woff moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5ZKBXI8S\like[5].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5ZKBXI8S\script[1].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5ZKBXI8S\viewtopic[3].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5POSVNA3\follow_button.1370380126[1].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5POSVNA3\hp-notebook_us_msn_com[1].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5POSVNA3\hub[1].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5POSVNA3\hub[3].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5POSVNA3\xd_arbiter[2].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5POSVNA3\xd_arbiter[3].htm moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\7A7E08C8-3FF5-45F2-873D-A84D669DC82F.dat moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
C:\Users\Dermot\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
dermot
Active Member
 
Posts: 14
Joined: June 7th, 2013, 12:01 pm

Re: browser hijacked with tab "searchnu.com/406"

by Cypher » June 12th, 2013, 2:11 pm

Hi dermot,
"Computer is running well and no symptoms since the first fix!"

Excellent, in that case you are good to go, your latest logs appear to be clean :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Clean up with OTL

  • Right click on OTL.exe and select Run as administrator to run it.
  • This will remove some of the tools we used to clean your pc.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Next.

  • Right click on adwcleaner.exe and select "Run as administrator" to run it.
  • Click on Uninstall.
  • Confirm with yes.

You can now delete any tools/logs we used if they remain on your Desktop.

Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Safe surfing!
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: browser hijacked with tab "searchnu.com/406"

by dermot » June 12th, 2013, 2:50 pm

That's great news! :D

Thank you so much Cypher for giving up your valuable time to help me with this. You are a star!

Best wishes
Dermot :)
dermot
Active Member
 
Posts: 14
Joined: June 7th, 2013, 12:01 pm

Re: browser hijacked with tab "searchnu.com/406"

by Cypher » June 12th, 2013, 2:59 pm

Hi dermot,
"Thank you so much Cypher for giving up your valuable time to help me with this."

You're most welcome, glad we could help :)
As you don't appear to have any questions I will close this topic, good luck and stay safe.

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns