Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

defualt-search.net keeps coming back to firefox [Solved]


  • This topic is locked This topic is locked

#16
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,957 posts
Let's see if this sticks.

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

If it doesn't work, can you check in Folderlock if you have inadvertently locked these settings yourself?

Attached Files


  • 0

Advertisements


#17
MalwareDetective

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-02-2015
Ran by Izi at 2015-02-24 22:27:53 Run:1
Running from G:\fix
Loaded Profiles: Izi (Available profiles: Izi)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
ProxyEnable: [S-1-5-21-4153785029-2044526644-2206695350-1001] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-4153785029-2044526644-2206695350-1001] => https=127.0.0.1:54952
FF Homepage: hxxp://www.default-search.net?sid=503&aid=100&itype=n&ver=15440&tm=611&src=hmp
FF Keyword.URL: hxxp://www.default-search.net/search?sid=503&aid=100&itype=n&ver=15440&tm=611&src=ds&p=
end
*****************
 
HKU\S-1-5-21-4153785029-2044526644-2206695350-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKU\S-1-5-21-4153785029-2044526644-2206695350-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
Firefox homepage deleted successfully.
Firefox Keyword.URL deleted successfully.
 
==== End of Fixlog 22:27:53 ====
 
 
Thanks

  • 0

#18
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,957 posts
Looks good, but did it work?
  • 0

#19
MalwareDetective

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

It look like it did work.

Thank you very much for your time  :yes:


  • 0

#20
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,957 posts
Glad we could help. :)

Be careful what you download and click on while installing it.
  • 0

#21
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,957 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#22
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,957 posts
Thread re-opened by user request.
Can you let me know when the symptoms returned and post fresh FRST logs please.
  • 0

#23
MalwareDetective

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Hey,

Thanks for re-opening the thread.

Both logs are attached.

 

The symptoms returned today. I haven't changed the settings\installed new programs etc.. Malwarebytes had his routine scan and he found traces in:  C:\Users\Izi\AppData\Roaming\Mozilla\Firefox\Profiles\0hryk0zj.default-1424707096181 as you can also see in the log

Attached Files


  • 0

#24
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,957 posts
Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


Can you then please do a fresh install of Malwarebytes Anti-Malware?
After the re-install under Settings > Detection and Protection put a checkmark before "Scan for rootkits"
Run a Threat Scan after that.
If it finds anything post the Scan log as well please.

Attached Files


  • 0

#25
MalwareDetective

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
Ran by Izi at 2015-02-27 20:18:29 Run:3
Running from G:\fix
Loaded Profiles: Izi (Available profiles: Izi)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
FF Homepage: http://www.default-s...&tm=611&src=hmp
FF Keyword.URL: http://www.default-s...tm=611&src=ds=
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Linkey" /f
EmptyTemp:
end
*****************

Firefox homepage deleted successfully.
Firefox Keyword.URL deleted successfully.

========= reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Linkey" /f =========

The operation completed successfully.

 

========= End of Reg: =========

EmptyTemp: => Removed 621.9 MB temporary data.

The system needed a reboot.

==== End of Fixlog 20:18:43 ====

 

 

 

I removed and installed malwarebytes as requested and checked "Scan for rootkits" but nothing was found in the threat scan.

 

 

 


  • 0

Advertisements


#26
MalwareDetective

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Update: It only found this item:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 27/02/2015
Scan Time: 20:30:21
Logfile: MBAMlog.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.27.06
Rootkit Database: v2015.02.25.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Izi

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 347557
Time Elapsed: 7 min, 18 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.DefaultSearch.A, C:\Users\Izi\AppData\Roaming\Mozilla\Firefox\Profiles\0hryk0zj.default-1424707096181\prefs.js, Good: (), Bad: (user_pref("browser.startup.homepage", "http://www.default-s...&tm=611&src=hmp");), ,[3376ae74f199ab8b7d88917ffd097e82]

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

Should I quarantine it?


  • 0

#27
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,957 posts
Yes Quaraintine that please. Then reboot and let me know if Firefox is behaving.
  • 0

#28
MalwareDetective

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Hi,

Unfortunately defualt-search is still here  :no:

Thank you for your affords 


  • 0

#29
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,957 posts

Can you find C:\Users\Izi\AppData\Roaming\Mozilla\Firefox\Profiles\0hryk0zj.default-1424707096181\prefs.js for me and zip it up.
The ApppData folder is hidden. You can read here
http://www.howtogeek...-windows-vista/

how to show hidden files and folders.
Attach the zipped file to your next post please.


  • 0

#30
MalwareDetective

MalwareDetective

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

There we go:

 

 

Attached Files


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP