
searchnu 406, Is there a removal guide?


8 replies to this topic

#1 Nawtheasta

Nawtheasta

  • Members
  • 380 posts
  • OFFLINE
  •  
  • Location:New England, USA
  • Local time:09:20 AM

Posted 25 March 2012 - 11:37 AM

My wife's laptop got hit with this over the last few days. Before I make a formal help request here I thought I would ask if there already is a removal guide? Maybe it is also known by another name?

Thanks in advance for any help.
Nawtheasta


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 60,016 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:20 AM

Posted 25 March 2012 - 12:21 PM

Hello Nawtheasta, this is a search/toolbar infection.
First see if this exists; if so, delete it.
C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, go to Start > All Programs > Malwarebytes Anti-Malware folder > Tools > click on Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

Edited by boopme, 25 March 2012 - 12:21 PM.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#3 Nawtheasta


Posted 25 March 2012 - 02:48 PM

Hi Boopme
Thanks very much for getting back to me so quickly!
I am always paranoid about doing these things in the proper way.
Yes, there is a Windows iLivid folder in Program Files. Clicking this shows a Datamngr folder and an icon (like a box with a Windows shield) that is titled uninstall.
Clicking the datamngr folder shows two folders and three Icons
Folders are:
FirefoxExtensions
Toolbar

Icons are:
datamngr.dll
datamngr.UI
IEBHO.dll
Please clarify if you are advising me to delete the Windows ilivid toolbar folder from C:\Program Files or are you advising to progress down to the Toolbar folder in datamngr and delete just that.

Ref. MBAM
Yesterday I updated and ran a complete scan. Nothing was found.
Ref. SAS
SAS was updated and ran a complete scan. Regular tracking cookies were found along with 21 items that SAS called Adware DoubleD. All removed by SAS.
I look forward to your response.
Thanks in advance
Nawtheasta

#4 boopme


Posted 25 March 2012 - 03:30 PM

Yes, delete the Windows ilivid toolbar folder from C:\Program Files. I do not know your operating system, but if you go into the remove programs application and see it (Searchqu) you may be able to uninstall it there and that should remove all associated files.

Either way you go, reboot after removal.

Have a great day, Nawtheasta.

#5 Nawtheasta


Posted 25 March 2012 - 04:06 PM

Hi Boopme
I used the uninstall feature in control panel to remove Windows iLivid and then restarted. Windows iLivid is no longer listed in the program files.
Clicking FF results in McAfee SA blocking a redirect to searchnu.com / 406. It appears that the redirect is still there. The laptop is running Vista Home premium.
Any ideas?
Many thanks and Best Regards
Nawtheasta

#6 boopme


Posted 25 March 2012 - 08:54 PM

OK, let's try another.
Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into the system disk (it is usually the disk with the installed operating system, C:\) root folder. The log has a name like: TDSSKiller.Version_Date_Time_log.txt.

>>>

In Firefox it may be the add-ons/plugins. Try disabling them one at a time and see which one was at fault.

How to disable extensions and plugins

Keeping your third-party plugins up to date

#7 Nawtheasta


Posted 26 March 2012 - 01:35 PM

Hi Boopme
PreNote: The Windows iLivid toolbar folder is no longer there but I did notice a separate folder in the program files entitled iLivid. This has mostly .dll items

What I have done:
I had TDSS Killer on a disc from a few months ago. I copied to my wife’s laptop.
It updated when I ran it. (Although I am not sure where the update is because when I reclicked to run again a short time ago it wanted to update again.)
I did as you said and checked Detect TDLFS file system.
TDSS Killer found nothing.
I disabled all but one of the FF add-ons, one at a time. This had no effect.
Clicking the FF desktop icon still tries to redirect to searchnu / 406.
The only add-on I did not disable was McAfee Site Adviser because that blocks searchnu / 406.
Updated and ran complete MBAM and SAS scans. Nothing was found except a few tracking cookies by SAS.
Not sure where to go from here.
Thanks again for your continued help.
Best Regards
Nawtheasta

#8 Nawtheasta


Posted 26 March 2012 - 06:50 PM

Hi Boopme
This might have been simpler than I originally thought. I updated to FF 11 tonight on the laptop. It still tried to go to searchnu/406 but kept getting blocked by SA. It was then I noticed that the homepage had been reset to searchnu/406.
I reset the homepage to Google and closed FF. When I reopened it went to Google. Maybe the first step of the infection was to reset the homepage? Deleting the folder you told me to do and the SAS scan cleaning out the DoubleD may have taken care of it. Possibly the reset homepage was just a remnant.
Anyway, we will see how it goes. Thanks for your patience and help.
Best Regards
Nawtheasta
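
The homepage remnant described in the post above lives in the Firefox profile's prefs.js, so it can be checked for directly. The following is an added example, not part of the original thread: it parses prefs.js text and flags watched preferences whose value mentions a name from this thread. The sample file content, the function names and the choice of which Firefox 11-era preferences to watch are assumptions.

```python
import re

# Names that appear in the thread; matched case-insensitively as substrings.
MARKERS = ("searchnu", "searchqu", "ilivid")
# Firefox prefs a search hijacker may rewrite (assumed list, FF 11-era names).
WATCHED = {"browser.startup.homepage", "keyword.URL",
           "browser.search.defaultenginename", "browser.search.selectedEngine"}
# prefs.js holds one  user_pref("name", value);  per line.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {pref name: value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment, blank or malformed line
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')  # unquote string values
        prefs[name] = raw
    return prefs

def find_hijacked(text):
    """List (pref, value) pairs whose value mentions one of MARKERS."""
    hits = []
    for name, value in sorted(parse_prefs(text).items()):
        if name not in WATCHED:
            continue
        for part in value.split("|"):  # homepage may hold several URLs
            if any(marker in part.lower() for marker in MARKERS):
                hits.append((name, part))
    return hits

# Constructed sample, not copied from the affected laptop.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/|http://www.searchnu.com/406");
user_pref("browser.startup.page", 1);
user_pref("keyword.URL", "http://example.invalid/?q=");
user_pref("browser.search.selectedEngine", "SearchQU");
'''

if __name__ == "__main__":
    for pref, value in find_hijacked(SAMPLE_PREFS):
        print(f"suspicious: {pref} = {value}")
```

Run it over both prefs.js and user.js in the profile folder with Firefox closed, since a user.js entry is re-applied at every start and would undo a manual homepage reset.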

#9 boopme


Posted 26 March 2012 - 06:58 PM

Hi, yes that was probably it. I was going to reply with reinstall FF and do the "custom", not the "recommended" install, where you get to see what is being installed, and perhaps there was an option of not installing searchqu.

Well, give it a go and see if it stays away.