Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

defualt-search.net keeps coming back to firefox [Solved]

Started by MalwareDetective , Feb 22 2015 05:42 AM

  • This topic is locked This topic is locked

#16
Metallica
Posted 24 February 2015 - 12:00 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Let's see if this sticks.

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

If it doesn't work, can you check in Folderlock if you have inadvertently locked these settings yourself?

Attached Files


  • 0

Advertisements

#17
MalwareDetective
Posted 24 February 2015 - 02:29 PM

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-02-2015
Ran by Izi at 2015-02-24 22:27:53 Run:1
Running from G:\fix
Loaded Profiles: Izi (Available profiles: Izi)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
ProxyEnable: [S-1-5-21-4153785029-2044526644-2206695350-1001] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-4153785029-2044526644-2206695350-1001] => https=127.0.0.1:54952
FF Homepage: hxxp://www.default-search.net?sid=503&aid=100&itype=n&ver=15440&tm=611&src=hmp
FF Keyword.URL: hxxp://www.default-search.net/search?sid=503&aid=100&itype=n&ver=15440&tm=611&src=ds&p=
end
*****************
 
HKU\S-1-5-21-4153785029-2044526644-2206695350-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKU\S-1-5-21-4153785029-2044526644-2206695350-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
Firefox homepage deleted successfully.
Firefox Keyword.URL deleted successfully.
 
==== End of Fixlog 22:27:53 ====
 
 
Thanks

  • 0

#18
Metallica
Posted 24 February 2015 - 02:38 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Looks good, but did it work?
  • 0

#19
MalwareDetective
Posted 26 February 2015 - 03:45 AM

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

It look like it did work.

Thank you very much for your time  :yes:


  • 0

#20
Metallica
Posted 26 February 2015 - 04:55 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Glad we could help. :)

Be careful what you download and click on while installing it.
  • 0

#21
Metallica
Posted 26 February 2015 - 04:56 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#22
Metallica
Posted 27 February 2015 - 09:55 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Thread re-opened by user request.
Can you let me know when the symptoms returned and post fresh FRST logs please.
  • 0

#23
MalwareDetective
Posted 27 February 2015 - 10:56 AM

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Hey,

Thanks for re-opening the thread.

Both logs are attached.

 

The symptoms returned today. I haven't changed the settings\installed new programs etc.. Malwarebytes had his routine scan and he found traces in:  C:\Users\Izi\AppData\Roaming\Mozilla\Firefox\Profiles\0hryk0zj.default-1424707096181 as you can also see in the log

Attached Files


  • 0

#24
Metallica
Posted 27 February 2015 - 12:04 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


Can you then please do a fresh install of Malwarebytes Anti-Malware?
After the re-install under Settings > Detection and Protection put a checkmark before "Scan for rootkits"
Run a Threat Scan after that.
If it finds anything post the Scan log as well please.

Attached Files


  • 0

#25
MalwareDetective
Posted 27 February 2015 - 12:29 PM

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
Ran by Izi at 2015-02-27 20:18:29 Run:3
Running from G:\fix
Loaded Profiles: Izi (Available profiles: Izi)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
FF Homepage: http://www.default-s...&tm=611&src=hmp
FF Keyword.URL: http://www.default-s...tm=611&src=ds=
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Linkey" /f
EmptyTemp:
end
*****************

Firefox homepage deleted successfully.
Firefox Keyword.URL deleted successfully.

========= reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Linkey" /f =========

The operation completed successfully.

 

========= End of Reg: =========

EmptyTemp: => Removed 621.9 MB temporary data.

The system needed a reboot.

==== End of Fixlog 20:18:43 ====

 

 

 

I removed and installed malwarebytes as requested and checked "Scan for rootkits" but nothing was found in the threat scan.

 

 

 


  • 0

Advertisements

#26
MalwareDetective
Posted 27 February 2015 - 12:39 PM

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Update: It only found this item:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 27/02/2015
Scan Time: 20:30:21
Logfile: MBAMlog.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.27.06
Rootkit Database: v2015.02.25.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Izi

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 347557
Time Elapsed: 7 min, 18 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.DefaultSearch.A, C:\Users\Izi\AppData\Roaming\Mozilla\Firefox\Profiles\0hryk0zj.default-1424707096181\prefs.js, Good: (), Bad: (user_pref("browser.startup.homepage", "http://www.default-s...&tm=611&src=hmp");), ,[3376ae74f199ab8b7d88917ffd097e82]

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

Should I quarantine it?


  • 0

#27
Metallica
Posted 27 February 2015 - 01:21 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Yes Quaraintine that please. Then reboot and let me know if Firefox is behaving.
  • 0

#28
MalwareDetective
Posted 27 February 2015 - 01:56 PM

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Hi,

Unfortunately defualt-search is still here  :no:

Thank you for your affords 


  • 0

#29
Metallica
Posted 27 February 2015 - 03:10 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts

Can you find C:\Users\Izi\AppData\Roaming\Mozilla\Firefox\Profiles\0hryk0zj.default-1424707096181\prefs.js for me and zip it up.
The ApppData folder is hidden. You can read here
http://www.howtogeek...-windows-vista/

how to show hidden files and folders.
Attach the zipped file to your next post please.


  • 0

#30
MalwareDetective
Posted 28 February 2015 - 02:53 AM

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

There we go:

 

 

Attached Files


  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP