
Problems with the not so lovely websearch.good-results.info virus


  • This topic is locked
6 replies to this topic

#1 villanelle

villanelle

  • Members
  • 30 posts

Posted 10 February 2013 - 05:48 PM

Hi everyone,

 

I am trying (but not very successfully) not to freak out about this http://websearch.good-results.info virus. I am not the most computer savvy person, but I know enough to try and run malware bytes, tdss killer and avg to detect something. Obviously it doesn't show up, so I tried to follow instructions on how remove it with the registry editor, but I couldn't find the files they mentioned.

 

I have a HP laptop (Pavilion dv6 - for better or for worse), and I am using Windows 7 Home Premium.

 

Could someone please help me?

 

Anxiously yours,

 

A freaked out philosophy phd student.


Edited by Budapest, 10 February 2013 - 06:20 PM.
Moved from Win7 ~Budapest




#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 10 February 2013 - 05:59 PM

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue
  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\) in your reply


===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.

NOTE:  aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the   button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply.   Note:  If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • TDSSKiller log
  • aswMBR log
  • ESET results

 



#3 villanelle

villanelle
  • Topic Starter

  • Members
  • 30 posts

Posted 10 February 2013 - 06:08 PM

Oops, I was so busy following Gringo's reply on another thread, that I didn't see your response.

 

Okay, here are the other steps I saw in Gringo's report, and then I will follow yours.

 

 

I also saw that Gringo had instructed another user to follow these steps and post the logs, so I just went ahead and did that.

From security check.exe:

Results of screen317's Security Check version 0.99.57
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
AVG Internet Security 2013
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Adobe Flash Player 11.5.502.110
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox 17.0.1 Firefox out of Date!
Google Chrome 24.0.1312.56
Google Chrome 24.0.1312.57
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
Panda Security Panda Cloud Antivirus PSANHost.exe
Panda Security Panda Cloud Antivirus PSUAService.exe
Panda Security Panda Cloud Antivirus PSUAMain.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````


From adwcleaner:

# AdwCleaner v2.112 - Logfile created 02/10/2013 at 23:55:49
# Updated 10/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Cyndy - CYNDY-PC
# Boot Mode : Normal
# Running from : C:\Users\Cyndy\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\ProgramData\BetterSoft
File Deleted : C:\Users\Cyndy\AppData\Roaming\Mozilla\Firefox\Profiles\8mvtfjyj.default\searchplugins\WebSearch.xml
Folder Deleted : C:\ProgramData\Browse2save
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Browse2save
Folder Deleted : C:\ProgramData\RightClick
Folder Deleted : C:\Users\Cyndy\AppData\Local\Wajam

***** [Registry] *****

Data Deleted : HKLM\..\Windows [AppInit_DLLs] = c:\progra~2\browse~1\sprote~1.dll
Data Deleted : HKLM\..\Windows [AppInit_DLLs] = c:\progra~2\websea~1\sprote~1.dll
Key Deleted : HKCU\Software\AppDataLow\SProtector
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASMANCS
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3F3165C-74D3-6FDB-3274-14FDA8698CFA}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16447

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://websearch.good-results.info/?pid=625&r=2013/02/10&hid=1472659438&lg=EN&cc=IT --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main - Start Page] = hxxp://websearch.good-results.info/?pid=625&r=2013/02/10&hid=1472659438&lg=EN&cc=IT --> hxxp://www.google.com

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Users\Cyndy\AppData\Roaming\Mozilla\Firefox\Profiles\8mvtfjyj.default\prefs.js

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("browser.search.defaultenginename", "WebSearch");
Deleted : user_pref("browser.search.defaultenginename,S", "WebSearch");
Deleted : user_pref("browser.search.defaulturl", "hxxp://websearch.good-results.info/?pid=625&r=2013/02/10&hid[...]
Deleted : user_pref("browser.search.order.1", "WebSearch");
Deleted : user_pref("browser.search.order.1,S", "WebSearch");
Deleted : user_pref("browser.search.selectedEngine", "WebSearch");
Deleted : user_pref("browser.search.selectedEngine,S", "WebSearch");
Deleted : user_pref("browser.startup.homepage", "hxxp://websearch.good-results.info/?pid=625&r=2013/02/10&hid=[...]
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("extensions.wajam.affiliate_id", "5920");
Deleted : user_pref("extensions.wajam.firstrun", "false");
Deleted : user_pref("extensions.wajam.log_send_info", "false");
Deleted : user_pref("extensions.wajam.mappingListJsonString", "{\"version\":\"0.21083\",\"supported_sites\":{\[...]
Deleted : user_pref("extensions.wajam.no_trace", "false");
Deleted : user_pref("extensions.wajam.server_current_mapping_version", "0.21083");
Deleted : user_pref("extensions.wajam.trace_log", "1355058639224 - processInstallationUpgrade - version set to[...]
Deleted : user_pref("extensions.wajam.unique_id", "637EB2B9CB18DE50BE8D22F800D1FD9E");
Deleted : user_pref("extensions.wajam.user_current_mapping_version", "0");
Deleted : user_pref("extensions.wajam.version", "1.26");
Deleted : user_pref("keyword.URL", "hxxp://websearch.good-results.info/?pid=625&r=2013/02/10&hid=1472659438&lg[...]
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

-\\ Google Chrome v24.0.1312.57

File : C:\Users\Cyndy\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [5047 octets] - [10/02/2013 23:55:49]

########## EOF - C:\AdwCleaner[S1].txt - [5107 octets] ##########




Rogue Killer:

There were two reports on my desktop.

1:

RogueKiller V8.5.0 [Feb  9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Cyndy [Admin rights]
Mode : Scan -- Date : 02/11/2013 00:02:21
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] OptimizerPro.exe -- C:\ProgramData\BetterSoft\OptimizerPro\OptimizerPro.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 3 ¤¤¤
[TASK][SUSP PATH] schedule!3036567561.job : C:\ProgramData\BetterSoft\OptimizerPro\OptimizerPro.exe /schedule /profile "c:\programdata\bettersoft\optimizerpro\3036567561.ini" -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6465GSX ATA Device +++++
--- User ---
[MBR] fd7c00624c4edd5c0b849196a680ee63
[BSP] cd3a33a8f80dd7f5b96790af772c1552 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 610378 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_02112013_02d0002.txt >>
RKreport[1]_S_02112013_02d0002.txt

2:

RogueKiller V8.5.0 [Feb  9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Cyndy [Admin rights]
Mode : Remove -- Date : 02/11/2013 00:02:49
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] OptimizerPro.exe -- C:\ProgramData\BetterSoft\OptimizerPro\OptimizerPro.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 3 ¤¤¤
[TASK][SUSP PATH] schedule!3036567561.job : C:\ProgramData\BetterSoft\OptimizerPro\OptimizerPro.exe /schedule /profile "c:\programdata\bettersoft\optimizerpro\3036567561.ini" -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6465GSX ATA Device +++++
--- User ---
[MBR] fd7c00624c4edd5c0b849196a680ee63
[BSP] cd3a33a8f80dd7f5b96790af772c1552 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 610378 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_02112013_02d0002.txt >>
RKreport[1]_S_02112013_02d0002.txt ; RKreport[2]_D_02112013_02d0002.txt
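
The AdwCleaner log above shows where this hijack lived in Firefox: user_pref lines in prefs.js that set the default engine to "WebSearch", point browser.startup.homepage and keyword.URL at websearch.good-results.info, and a cluster of extensions.wajam.* and sweetim.toolbar.* entries. The following Python is an added example, not code from the thread or from AdwCleaner: it parses a prefs.js and flags exactly those kinds of entries, with a constructed sample file modelled on the log; the engine and host allowlists are assumptions an analyst would adjust.

```python
"""Flag search/homepage hijack entries in a Firefox prefs.js. Added example, not
from the thread: pref names and the WebSearch URL come from the AdwCleaner log."""
import re
from urllib.parse import urlparse

# One prefs.js line: user_pref("name", value);  value is a JS string/number/bool
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
# Prefs that decide where searches and the start page go (names from the log;
# the ",S" variants seen there are normalised to these base names).
SEARCH_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine",
                "browser.search.order.1", "browser.search.defaulturl",
                "browser.startup.homepage", "keyword.URL"}
# Assumed allowlists of engine names and hosts the analyst trusts.
ALLOWED_ENGINES = {"Google", "Yahoo", "Bing", "Wikipedia (en)"}
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
# Extension pref namespaces AdwCleaner removed in the thread.
ADWARE_PREFIXES = ("extensions.wajam.", "extensions.BabylonToolbar.", "sweetim.toolbar.")

# Constructed sample modelled on the deleted entries in the log.
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "WebSearch");
user_pref("browser.search.order.1,S", "WebSearch");
user_pref("browser.startup.homepage", "hxxp://websearch.good-results.info/?pid=625&r=2013/02/10&hid=1472659438&lg=EN&cc=IT");
user_pref("keyword.URL", "hxxp://websearch.good-results.info/?pid=625");
user_pref("extensions.wajam.affiliate_id", "5920");
user_pref("extensions.wajam.no_trace", "false");
user_pref("browser.search.selectedEngine", "Google");
user_pref("dom.disable_open_during_load", true);
'''

def parse_prefs(text):
    """Return {pref name: value} with the JS string quotes stripped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, non-pref lines
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        prefs[name] = raw
    return prefs

def find_hijacks(text):
    """Return [(pref, value, reason)] for entries that deserve a look."""
    findings = []
    for name, value in parse_prefs(text).items():
        base = name.split(",")[0]  # "browser.search.order.1,S" -> base name
        if name.startswith(ADWARE_PREFIXES):
            findings.append((name, value, "adware extension pref"))
        elif base in SEARCH_PREFS and value:
            if "://" in value:
                host = urlparse(value).netloc.lower()
                if host not in ALLOWED_HOSTS:
                    findings.append((name, value, "search/home URL on " + host))
            elif value not in ALLOWED_ENGINES:
                findings.append((name, value, "unknown search engine name"))
    return findings
```

Running find_hijacks on the sample reports the two WebSearch engine prefs, the two good-results.info URLs and the two wajam entries, and leaves the Google engine and the unrelated dom.* pref alone.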



 



 



#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 10 February 2013 - 06:12 PM

Do not follow the instructions given to others.

 

Do you still need help?


Edited by narenxp, 10 February 2013 - 06:12 PM.


#5 villanelle

villanelle
  • Topic Starter

  • Members
  • 30 posts

Posted 10 February 2013 - 06:39 PM

Hey Narenxp, yes I still need help. I ran the programmes mentioned by Gringo just to give you as much info as possible. Did you read them?

 

I ran the TDSS Killer again; there were no viruses detected (the report was 124 pages so I won't post it), and the other. Here it is:

 

 

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-11 00:29:36
-----------------------------
00:29:36.682    OS Version: Windows x64 6.1.7601 Service Pack 1
00:29:36.682    Number of processors: 8 586 0x1E05
00:29:36.683    ComputerName: CYNDY-PC  UserName: Cyndy
00:29:38.059    Initialize success
00:29:43.894    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
00:29:43.894    Disk 0 Vendor: TOSHIBA_MK6465GSX GJ002C Size: 610480MB BusType: 11
00:29:43.909    Disk 0 MBR read successfully
00:29:43.925    Disk 0 MBR scan
00:29:43.925    Disk 0 Windows 7 default MBR code
00:29:43.940    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
00:29:43.956    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       610378 MB offset 206848
00:29:43.987    Disk 0 scanning C:\Windows\system32\drivers
00:29:50.184    Service scanning
00:30:20.085    Modules scanning
00:30:20.085    Disk 0 trace - called modules:
00:30:20.147    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
00:30:20.147    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007d4e790]
00:30:20.147    3 CLASSPNP.SYS[fffff88001bb343f] -> nt!IofCallDriver -> [0xfffffa8007c6db10]
00:30:20.147    5 hpdskflt.sys[fffff88001b5a189] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007b17680]
00:30:20.147    Scan finished successfully
00:31:41.259    Disk 0 MBR has been saved successfully to "C:\Users\Cyndy\Desktop\MBR.dat"
00:31:41.275    The log file has been saved successfully to "C:\Users\Cyndy\Desktop\aswMBR.txt"

 

I cannot run the online scan at this point as it is too late at night to run a scan for a few hours.

 

Thanks for your help.

 

C xx



#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 10 February 2013 - 06:53 PM

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck
 



#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,450 posts
  • Gender:Male
  • Location:US

Posted 10 February 2013 - 07:31 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/484964/infected-with-httpwebsearchgood-resultsinfo/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Please do not bump your topic. Do not worry about being forgotten; we have mechanisms in place to ensure that you are not overlooked.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

~Blade
Forum Administrator





