searchnu/searchqu 406

[xpert]

Hello,

I just sold my laptop and until I buy a new one I am using my wife's. I just discovered that it's been infected with this searchn(q)u 406 thing. I noticed it because I tried to set my homepage, but it would always revert to 406. I realized something was wrong, I googled it and here I am.

I am using Microsoft Security Essentials as an antivirus, but I don't have another anti-malware on this computer (it's a windows 7 64).

I tried some youtube registry editing methods, but it didn't work. I am not a computer expert, but I can handle any clear instruction. Everytime I tried to change the home page in any browser (I have IE (default with Windows), Firefox (my favourite) and Chrome (my wife got used to it)). I receive a popup bottom right that says that searchnu detected and prevented the attempt to change the home page (cool!). I am waiting for your instructions. I hope it can be solved without re-installing windows as i am little bit short of time.

Meanwhile, is it safe for me to use my Internet Banking, email, etc.? Is ther any advice that applies for our situation.

Thanks for being here for us.

As seen on the forum, I downloaded OTL and the scan logs are attached.

Extras.Txt

OTL.Txt

[Maniac]

Hello xpert and ! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  

Step 1

Please uninstall the following applications:

BearShare

MediaBar

Conduit Engine

iLivid

Mp3Tube Toolbar

µTorrent

uTorrentBar_NL Toolbar

Windows iLivid Toolbar

Step 2

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTL
  IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://search.bearshare.com//web?src=ieb&appid=119&systemid=2&sr=0&q={searchTerms}
  IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=164&systemid=406&sr=0&q={searchTerms}
  IE - HKLM\..\URLSearchHook: {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files (x86)\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
  IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://search.bearshare.com//web?src=ieb&appid=119&systemid=2&sr=0&q={searchTerms}
  IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=164&systemid=406&sr=0&q={searchTerms}
  IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2865317
  IE - HKU\.DEFAULT\..\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}: "URL" = http://www.basicscan.com/?prt=BASICSCAN115&keywords={searchTerms}
  IE - HKU\S-1-5-18\..\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}: "URL" = http://www.basicscan.com/?prt=BASICSCAN115&keywords={searchTerms}
  IE - HKU\S-1-5-21-3577840564-2367242795-1344259241-1000\..\URLSearchHook: {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files (x86)\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
  IE - HKU\S-1-5-21-3577840564-2367242795-1344259241-1000\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=GOM2&o=16141&src=crm&q={searchTerms}&locale=en_EU&apn_ptnrs=QO&apn_dtid=YYYYYYYYBE&apn_uid=4EE5024A-6902-476D-9495-E701D8220B75&apn_sauid=077C1E1C-6A97-436E-92B3-7E3E1150CB38
  IE - HKU\S-1-5-21-3577840564-2367242795-1344259241-1000\..\SearchScopes\{2E664FEA-7278-4621-B2AE-CDC772D21CBA}: "URL" = http://mp3tubetoolbar.com/?tmp=toolbar_sb_results&prt=pinballtbfour01ie&Keywords={searchTerms}&clid=78d3c515cb5843c6b3fd30ad840de445
  IE - HKU\S-1-5-21-3577840564-2367242795-1344259241-1000\..\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}: "URL" = http://www.basicscan.com/?prt=BscscnPB&keywords={searchTerms}
  IE - HKU\S-1-5-21-3577840564-2367242795-1344259241-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://search.bearshare.com//web?src=ieb&appid=119&systemid=2&sr=0&q={searchTerms}
  IE - HKU\S-1-5-21-3577840564-2367242795-1344259241-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=164&systemid=406&sr=0&q={searchTerms}
  IE - HKU\S-1-5-21-3577840564-2367242795-1344259241-1000\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}: "URL" = http://www.daemon-search.com/search?q={searchTerms}
  IE - HKU\S-1-5-21-3577840564-2367242795-1344259241-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2865317
  FF - prefs.js..browser.search..defaultengine: "Yahoo-Mp3Tube"
  FF - prefs.js..browser.search..defaultenginename: "Yahoo-Mp3Tube"
  FF - prefs.js..browser.search..order.1: "Yahoo-Mp3Tube"
  FF - prefs.js..browser.search..selectedEngine: "Yahoo-Mp3Tube"
  FF - prefs.js..browser.search..selectedEngineURL: "http://mp3tubetoolbar.com/?&prt=pinballtbfour01ff&clid=78d3c515cb5843c6b3fd30ad840de445&subid=&keywords={searchTerms}"
  FF - prefs.js..browser.search.defaultengine: "Ask.com"
  FF - prefs.js..browser.search.defaultenginename: "Ask.com"
  FF - prefs.js..browser.search.order.1: "Ask.com"
  FF - prefs.js..browser.startup.homepage: "http://www.searchqu.com/406"
  [2012/05/31 22:19:20 | 000,002,401 | ---- | M] () -- C:\Users\Henriette\AppData\Roaming\Mozilla\Firefox\Profiles\229i7na2.default\searchplugins\askcom.xml
  [2011/08/02 11:29:35 | 000,002,055 | ---- | M] () -- C:\Users\Henriette\AppData\Roaming\Mozilla\Firefox\Profiles\229i7na2.default\searchplugins\daemon-search.xml
  [2012/06/01 07:13:56 | 000,001,211 | ---- | M] () -- C:\Users\Henriette\AppData\Roaming\Mozilla\Firefox\Profiles\229i7na2.default\searchplugins\Mp3Tube.xml
  [2011/08/12 20:08:59 | 000,002,507 | ---- | M] () -- C:\Users\Henriette\AppData\Roaming\Mozilla\Firefox\Profiles\229i7na2.default\searchplugins\SearchResults.xml
  [2012/02/25 23:19:58 | 000,002,519 | ---- | M] () -- C:\Users\Henriette\AppData\Roaming\Mozilla\Firefox\Profiles\229i7na2.default\searchplugins\Search_Results.xml
  [2012/02/22 12:23:35 | 000,000,000 | ---D | M] (BasicScan) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{6AA54174-C9E8-4B07-95A0-0FBC19CBE64C}
  [2012/02/22 12:20:39 | 000,000,000 | ---D | M] (MP3Tube Toolbar) -- C:\Program Files (x86)\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com
  [2012/06/01 07:13:56 | 000,001,211 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\Mp3Tube.xml
  [2011/08/12 20:08:59 | 000,002,507 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\SearchResults.xml
  [2012/02/25 23:19:58 | 000,002,519 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\Search_Results.xml
  CHR - default_search_provider: Search Results (Enabled)
  CHR - default_search_provider: search_url = http://dts.search-results.com/sr?src=crb&appid=164&systemid=406&sr=0&q={searchTerms}
  CHR - default_search_provider: suggest_url = 
  O2:64bit: - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\x64\BrowserConnection.dll (Bandoo Media, inc)
  O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
  O2 - BHO: (uTorrentBar_NL Toolbar) - {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files (x86)\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
  O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
  O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
  O2 - BHO: (MediaBar) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\ToolBar\bsdtxmltbpi.dll ()
  O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
  O3 - HKLM\..\Toolbar: (Mp3Tube Toolbar) - {46897C77-E7A6-4c33-BFFB-E9C2E2718942} - C:\Program Files (x86)\Mp3Tube Toolbar\mp3tubetb.DLL (Mp3Tube Toolbar)
  O3 - HKLM\..\Toolbar: (uTorrentBar_NL Toolbar) - {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files (x86)\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
  O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
  O3 - HKLM\..\Toolbar: (MediaBar) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\ToolBar\bsdtxmltbpi.dll ()
  O3 - HKU\S-1-5-21-3577840564-2367242795-1344259241-1000\..\Toolbar\WebBrowser: (Mp3Tube Toolbar) - {46897C77-E7A6-4C33-BFFB-E9C2E2718942} - C:\Program Files (x86)\Mp3Tube Toolbar\mp3tubetb.DLL (Mp3Tube Toolbar)
  O3 - HKU\S-1-5-21-3577840564-2367242795-1344259241-1000\..\Toolbar\WebBrowser: (uTorrentBar_NL Toolbar) - {87775FDB-6972-41F9-AE51-8326E38CB206} - C:\Program Files (x86)\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
  O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll) - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\datamngr.dll (Bandoo Media, inc)
  O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\x64\IEBHO.dll) - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
  O20 - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll) - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
  O20 - AppInit_DLLs: (C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\IEBHO.dll) - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\IEBHO.dll (Bandoo Media, inc)
  [2012/02/22 12:21:19 | 000,000,000 | ---- | C] () -- C:\ProgramData\8e850328e42f6b87d28f8bfdc7000224_c
  
  :files
  C:\Program Files (x86)\Windows iLivid Toolbar
  C:\Program Files (x86)\BearShare Applications
  C:\Program Files (x86)\Mp3Tube Toolbar
  C:\Program Files (x86)\uTorrentBar_NL
  C:\Program Files (x86)\BearShare Applications
  C:\Program Files (x86)\ConduitEngine
  
  :Commands
  [emptytemp]
  [clearallrestorepoints]

  
  

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
  
• Please post the OTL fix log in your next reply.
  

Note: A copy of an OTL fix log is saved in a text file at C:\_OTL\MovedFiles

Step 3

• Launch Malwarebytes' Anti-Malware
  
• Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  
• Go to Scanner tab and select Perform Quick Scan, then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

In your next reply, post the following log files:

• OTL Fix log
  
• Malwarebytes' Anti-Malware log

[xpert]

Thanks for the quick answer.

I am now just before step 3.

Here is the OTL Fix Log.

06012012_143019.log

[xpert]

Step 3 completed.

Here is the log

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.01.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Henriette :: HENRIETTE-PC [administrator]

Protection: Enabled

1/06/2012 14:41:28

mbam-log-2012-06-01 (14-41-28).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 203483

Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 14

HKCR\AppID\{D2083641-E57F-4eab-BB85-0582424F4A29} (Adware.HotBar.CP) -> Quarantined and deleted successfully.

HKCR\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKCR\Typelib\{814BAA91-DC22-4350-87D6-0C86E93F7F08} (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKCR\Interface\{419EDA30-6DFF-432C-B534-E15D899ABEE4} (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKCR\MenuButtonIE.ButtonIE (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKCR\MenuButtonIE.ButtonIE.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKCR\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKCU\Software\ClickPotatoLiteSA (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Mp3Tube (Adware.Mp3Tube) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IspAssistant-Mp3Tube (Adware.Adware.MP3TubeToolBar) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 1

C:\Users\Henriette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClickPotato (Adware.ClickPotato) -> Quarantined and deleted successfully.

Files Detected: 3

C:\Users\Henriette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClickPotato\About Us.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.

C:\Users\Henriette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Customer Support.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.

C:\Users\Henriette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Uninstall Instructions.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.

(end)

[Maniac]

Very good!

How are things running now?

[xpert]

everything seems to be ok.

Lots of thanks!

[Maniac]

Glad I could help!

Please re-run OTL and click on CleanUp button.

Some malware prevention tips:

http://forums.malwarebytes.org/index.php?showtopic=104379&pid=515983&st=0entry515983

Safe surfing!

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!