Internet Explorer homepage: search.searchbulls.com unable to fix


13 replies to this topic

#1 pcpshaun

pcpshaun

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:39 AM

Posted 09 July 2015 - 04:37 PM

Hi, I've lurked for years but I work at a small MSP with a retail storefront.  I'm an on-site server/networking guy but I'm covering for the in-store service technician position while we hire a replacement.  I've got a couple PCs on the bench that I cannot stop the Internet Explorer from opening an amazonaws compute instance that redirects to http://search.searchbulls.com as the first homepage.  So far I've done the following with these systems:

 

Boot into Safe Mode with Networking

  • Run full TRON script from https://www.reddit.com/r/TronScript/comments/3coyyp/tron_v639_20150709_adobe_flash_update_subtool/
  • Run Malwarebytes Anti-Malware
  • Run ADWCleaner
  • Run ESET NOD32 Full Scan
  • Run and examine HiJackThis logs (cannot find entry that would be causing the behavior)
  • Run and examine AUTORUNS logs (cannot find entry that would be causing the behavior)
  • Check HOSTS and LMHOSTS files
  • Run Hitman Pro
  • Remove extensions from Firefox, Chrome, and Opera
  • Perform full reset on Internet Explorer 11
  • Search registry for any entries referring to amazonaws or searchbulls (none found)

After this all browsers work wonderfully except for Internet Explorer, which works fine and no longer redirects search results EXCEPT for the fact that the FIRST homepage always opens up an amazonaws which redirects to search.searchbulls.com.  Additional homepages open fine upon launching IE.  No matter what I set the first homepage to, it will always end up at search.searchbulls.com.

 

At this point I'm stumped, anyone have any insight into this particular issue?  Let me know if you need some FARBAR logs or anything else.

 

Any help is greatly appreciated!





#2 pcpshaun


Posted 09 July 2015 - 06:27 PM

I'd like to point out that I am more than happy starting from square one with whatever established troubleshooting process you already use.  I have a feeling I may just be a little extra block headed today and probably missing something obvious.



#3 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:39 AM

Posted 09 July 2015 - 07:49 PM

Is more than one computer affected on the same network with the very same issue?


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#4 pcpshaun


Posted 09 July 2015 - 07:51 PM

It's two separate PCs from two distinct customers who dropped them off for service.



#5 Broni


Posted 09 July 2015 - 07:58 PM

Reset Internet Explorer.
Download Microsoft FixIt file from here: http://go.microsoft.com/?linkid=9646978
You can use ANY browser to download "FixIt" file.
Double click on downloaded MicrosoftFixit50195.msi file to run the fix.
Make sure you follow ALL steps listed there.
Windows 8/8.1 users. Reset IE manually: https://support.microsoft.com/kb/923737?wa=wsignin1.0
 




#6 pcpshaun


Posted 09 July 2015 - 08:03 PM

Downloaded and ran the FixIt file on each computer, problem not resolved, and problem not resolved after reboot.



#7 Broni


Posted 09 July 2015 - 08:13 PM

Disconnect both computers from the net and run FixIt again.




#8 pcpshaun


Posted 09 July 2015 - 08:31 PM

Pulled the Ethernet and made sure the wireless wasn't connected on either machine.  Re-ran the FixIt and the IE homepage is still attempting to open http://ca-bb.s3-website-us-east-1.amazonaws.com/?grp=1 which if I was connected to the Internet would redirect to http://search.searchbulls.com.  As a side note, Chrome is now exhibiting the same behavior with the homepage on both machines; whilst Chrome on both machines was fine earlier.  The malware must have hooked back into Chrome after reboot.



#9 Broni


Posted 09 July 2015 - 08:37 PM

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.




#10 pcpshaun


Posted 09 July 2015 - 09:01 PM

From computer A:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.3.8 (07.09.2015:1)
OS: Windows 7 Home Premium x64
Ran by stu on Thu 07/09/2015 at 19:39:43.57
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Chrome


[C:\Users\stu\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\stu\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\stu\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\stu\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 07/09/2015 at 19:44:49.28
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From computer B:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.3.8 (07.09.2015:1)
OS: Windows 7 Home Premium x64
Ran by Ryan on 09/07/2015 at 19:46:03.63
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully deleted: [Service] ywi3m2v2n3m0bgr [Reboot required]



~~~ Tasks

Successfully deleted: [Task] C:\Windows\system32\tasks\BGDSYUHSHPKCEFHU
Successfully deleted: [Task] C:\Windows\system32\tasks\GlobalUpdate-ywy3y2vxn2s0bwr



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\otshot
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\Update eye perform
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\Util eye perform



~~~ Files

Successfully deleted: [File] C:\Users\Ryan\AppData\Roaming\appdataFr25.bin
Successfully deleted: [File] C:\Users\Ryan\appdata\local\google\chrome\user data\default\local storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage
Successfully disinfected: [Shortcut] C:\Users\Ryan\AppData\Roaming\microsoft\internet explorer\quick launch\Google Chrome.lnk
Successfully disinfected: [Shortcut] C:\Users\Ryan\AppData\Roaming\microsoft\internet explorer\quick launch\Google Chrome.lnk
Successfully disinfected: [Shortcut] C:\Users\Ryan\AppData\Roaming\microsoft\internet explorer\quick launch\User Pinned\TaskBar\Google Chrome.lnk
Successfully disinfected: [Shortcut] C:\Users\Ryan\AppData\Roaming\microsoft\internet explorer\quick launch\User Pinned\TaskBar\Google Chrome.lnk
Successfully disinfected: [Shortcut] C:\Users\Ryan\AppData\Roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\Google Chrome.lnk
Successfully disinfected: [Shortcut] C:\Users\Ryan\AppData\Roaming\microsoft\internet explorer\quick launch\User Pinned\TaskBar\Internet Explorer.lnk
Successfully disinfected: [Shortcut] C:\Users\Ryan\AppData\Roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\Internet Explorer.lnk
Successfully disinfected: [Shortcut] C:\Users\Ryan\AppData\Roaming\microsoft\internet explorer\quick launch\User Pinned\TaskBar\Internet Explorer.lnk



~~~ Folders

Successfully deleted: [Folder] C:\ProgramData\microsoft\windows\start menu\programs\knctr
Successfully deleted: [Folder] C:\Users\Ryan\appdata\local\crashrpt
Successfully deleted: [Folder] C:\Users\Ryan\appdata\local\installer
Successfully deleted: [Folder] C:\Users\Ryan\appdata\locallow\company
Successfully deleted: [Folder] C:\Users\Ryan\AppData\Roaming\itibiti
Successfully deleted: [Folder] C:\ProgramData\7c0535b143fc4671b6ebd202fbffe066
Successfully deleted: [Folder] C:\ProgramData\Service1198
Successfully deleted: [Folder] C:\Users\Ryan\appdata\local\20487



~~~ Chrome


[C:\Users\Ryan\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Ryan\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Ryan\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Ryan\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 09/07/2015 at 19:47:41.59
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After reboot computer A still experiencing problem in IE but Chrome is fine.  Performed previously posted FixIt on computer A again and rebooted.  Still experiencing problem in IE and Chrome is still fine.

 

After reboot computer B works as expected in all browsers.



#11 pcpshaun


Posted 09 July 2015 - 09:06 PM

After looking at the JRT results from computer B, I went and had a glance at the "Internet Explorer.lnk" shortcuts on computer A and they are all poisoned with the offending URL.  I launched IEXPLORE.EXE directly and it works as expected on computer A.  I feel like a bonehead.
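
The shortcut check that resolved computer A, as an added example that is not part of the original thread: a PowerShell script that lists browser shortcuts whose arguments contain a URL and, with -Repair, clears them. The folder list, the browser executable names and the assumption that the URL sits in the shortcut's Arguments field are illustrative choices, not details from the posts.

```powershell
# Added example (not from the thread): audit browser shortcuts for an injected URL.
# Assumption: the hijack appends the URL to the shortcut's Arguments field.
param([switch]$Repair)   # report-only unless -Repair is given

# Assumed browser executables and shortcut locations; extend as needed.
$browsers = 'iexplore.exe', 'chrome.exe', 'firefox.exe', 'opera.exe'
$folders = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # covers User Pinned\TaskBar
) | Where-Object { Test-Path $_ }

$shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        $lnk  = $shell.CreateShortcut($path)
        if (-not $lnk.TargetPath) { return }              # no file target, nothing to check
        $exe = [IO.Path]::GetFileName($lnk.TargetPath)
        if ($browsers -notcontains $exe) { return }       # not a browser shortcut
        if ($lnk.Arguments -notmatch 'https?://|www\.') { return }   # no URL in arguments

        $record = New-Object psobject -Property @{
            Shortcut  = $path
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Repaired  = $false
        }
        if ($Repair) {
            try {
                # Keep the target executable, drop only the injected arguments.
                $lnk.Arguments = ''
                $lnk.Save()
                $record.Repaired = $true
            } catch {
                # Shortcuts under ProgramData or Public need an elevated prompt.
                Write-Warning "Could not rewrite ${path}: $_"
            }
        }
        $record
    } | Format-List Shortcut, Target, Arguments, Repaired
```

Run it once without -Repair to review the hits, since a shortcut a user created on purpose to open a specific site will also be listed.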



#12 Broni


Posted 09 July 2015 - 09:10 PM

Nice :)




#13 pcpshaun


Posted 09 July 2015 - 09:12 PM

Thanks for the help, Broni!

 

I owe you an Internet beer sometime.



#14 Broni


Posted 09 July 2015 - 09:14 PM

Cool beans :)

