Can't get rid of Search Browsing (www.searchbrowsing.com) from Internet Explorer 9


  • This topic is locked
29 replies to this topic

#1 royost

royost

    Member

  • Members
  • PipPip
  • 17 posts
  • OS:Windows 7 x64
  • AV:Microsoft Security Essentials, Avast!, StopZilla, Emsisoft Anti-Malware
  • HIPS:Windows Firewall

Posted 13 April 2012 - 10:54 AM

I have somehow got a hijacker on my system, and I've tried different things, including your malware scanner, but to no avail.

I think I've got rid of it from Firefox, but in Internet Explorer, as soon as I change the start page, it's changed back to searchbrowser again.

I enclose the reports you've asked for.

Roy

#2 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 12970 posts
  • LocationDepauville, NY, USA
  • OS:Windows Vista
  • AV:Emsisoft Anti-Malware
  • HIPS:Windows Firewall
  • Other:WinPatrol Plus

Posted 13 April 2012 - 02:29 PM

Oracle Java 6u31 is not compatible with Mozilla Firefox version >=5. Update to Oracle JRE7u3.

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    PRC - C:\Program Files (x86)\Search Core Systems\Windows Core Toolbar\wcthelper.exe (Search Core Systems)
    PRC - C:\Program Files (x86)\Search Core Systems\Windows Core Toolbar\wcupdt.exe (Search Core System)
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchbrowsing.com
    IE - HKLM\..\SearchScopes,DefaultScope = {0DF56869-BA25-4E8E-82F9-AF48EA6BCC7E}
    IE - HKLM\..\SearchScopes\{0DF56869-BA25-4E8E-82F9-AF48EA6BCC7E}: "URL" = http://www.searchbrowsing.com/web.php?src=hmp&hl=en&camefrom=defaultsearch&q={searchTerms}
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchbrowsing.com
    IE - HKCU\..\SearchScopes,DefaultScope = {0DF56869-BA25-4E8E-82F9-AF48EA6BCC7E}
    FF - prefs.js..browser.search.selectedEngine: "SearchBrowsing"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.searchbrowsing.com"
    FF - prefs.js..keyword.URL: "http://www.searchbrowsing.com/web.php?src=hmp&hl=en&camefrom=defaultsearch&q="
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{425F6CC1-69CA-4604-BDC6-7EE7A066A843}: C:\Program Files (x86)\Search Core Systems\Windows Core Toolbar\ [2012.04.12 07:50:56 | 000,000,000 | ---D | M]
    O2:[b]64bit:[/b] - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - No CLSID value found.
    O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (&Windows Core Toolbar) - {3A6BE320-DC9B-4D24-A6E8-621B81544F4B} - C:\Program Files (x86)\Search Core Systems\Windows Core Toolbar\wcoretb.dll (Search Core Systems)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\skype4com - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
    O18 - Protocol\Handler\ms-help - No CLSID value found
    O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
    [2012.04.12 07:54:09 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{432CD71F-B42D-4872-8E18-8B4C70AACE97}
    [2012.04.12 07:53:58 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{1E9D334D-7A65-4444-8C92-70369CFCA9B4}
    [2012.04.12 07:40:01 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{41FD4468-70B2-4A2A-AFF3-B9E8B4DD3B7B}
    [2012.04.12 07:29:47 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{CCABCFBC-392D-40DA-8442-D7FA99300679}
    [2012.04.12 07:21:24 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{60F7C204-0D05-444D-BAFB-28D1C3A796F6}
    [2012.04.11 07:38:32 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{392BBFD0-1938-4B80-B78B-49A12A7D2C35}
    [2012.04.11 07:38:19 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{D1438900-9EE5-4F70-9AD0-38411B4D7A89}
    [2012.04.10 07:28:08 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{FEFDA19F-29B5-43AD-89FA-1720D29F2F71}
    [2012.04.10 07:27:55 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{6E393D20-E99F-4C03-BDA4-D9EEE9E07C09}
    [2012.04.09 17:02:12 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{AA4F6EEA-E052-4609-949B-3415E19FC875}
    [2012.04.09 17:01:59 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{B46384DD-EC56-4F26-8F1A-967A51ED1D86}
    [2012.04.08 17:37:28 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{BD3A176A-6973-4616-9C8C-861DA422036D}
    [2012.04.08 17:37:17 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{6B2501CE-7AB6-446C-8C6D-7092FC531B0F}
    [2012.04.04 22:08:20 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{0D6FC1E0-259B-4D49-B38D-6F762BF94779}
    [2012.04.04 22:08:05 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{ED84C78F-B62F-40BC-9DDB-3270627C909C}
    [2012.04.04 09:53:54 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{A1B7E00A-DCCE-4B86-8313-9F4B503CE945}
    [2012.04.04 09:53:42 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{4F85AA4B-1949-467C-857A-669638368F85}
    [2012.04.03 21:53:30 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{CB1E8868-67B1-49A8-816D-621A1B1D6AF9}
    [2012.04.03 21:53:18 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{DB68FFD5-16AC-4C85-900E-8F1E18BE5DE1}
    [2012.04.03 09:52:49 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{F3A772FB-E763-49F1-8973-9F837E50FC30}
    [2012.04.03 09:52:38 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{13BED207-86FA-4C63-BDC6-2425BFBE2271}
    [2012.04.02 21:52:14 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{A954F8E4-FE7E-42FC-AE99-BD2AA5D12DE2}
    [2012.04.02 09:51:50 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{139D4CDB-210B-48B0-B54D-B8F0A7A13D34}
    [2012.04.02 09:51:49 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{C8A87F2E-9F5A-401C-B0A9-2D4AD705A30F}
    [2012.04.01 21:51:25 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{D12F495D-5838-4B77-87F1-71FD955EE230}
    [2012.04.01 19:18:07 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{E3979175-E95F-4825-8578-0FDE82F0F253}
    [2012.04.01 09:51:01 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{C598CE33-DE40-487D-B936-500E65A942F4}
    [2012.03.31 21:50:36 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{A6E9C821-0988-45A6-B77C-ABDBB18C89DA}
    [2012.03.30 21:50:00 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{42B42B14-BB7A-44A9-814A-F29BC010C46C}
    [2012.04.04 21:12:41 | 000,005,046 | ---- | M] () -- C:\ProgramData\oafcpcef.qqj
    [2012.03.31 13:52:21 | 000,000,312 | -H-- | C] () -- C:\Windows\tasks\Windows Core Helper.job
    [2012.03.31 13:52:21 | 000,000,306 | -H-- | C] () -- C:\Windows\tasks\Windows Core Toolbar Updater.job
    @Alternate Data Stream - 60 bytes -> C:\Users\Roy\Praktiskpedagogisk utdannelse:AFP_AfpInfo
    @Alternate Data Stream - 60 bytes -> C:\Users\Roy\Documents\.DS_Store:AFP_AfpInfo
    @Alternate Data Stream - 60 bytes -> C:\Users\Roy\.DS_Store:AFP_AfpInfo
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Kevin Zoll [Malware Removal Support]
Emsisoft Team - www.emsisoft.com

I am online Monday - Friday each week from 1900-2100 Central European Time/1300-1500 Eastern Time (US).
 
If you are seeking Malware Removal support keep it in the forums.  It is not permissible to contact support staff by Private Message (PM), IM (Skype, MSN, AOL, Yahoo, etc.) or Email.

Purchase Emsisoft Anti-Malware and Online Armor Firewall

#3 royost

Posted 15 April 2012 - 07:33 AM

Thanks for your help. You forgot to mention where I could download JRE-7, but I found it by searching on Oracle Runtime or something. I have reinstalled it now, though, and then run OTL.

But the problem persists, and while I thought I had got rid of it in Firefox, it remains both in Internet Explorer 9 and Firefox 11.

It seems, though, that it appears after Windows 7 is started, as the popup warning appears that "home page has been changed." I forgot to take a screen dump of it, as I don't know what anti-virus program has given that warning. I think it could be Avast! but the warning looks very grey, and not like the normal Avast! dialog box.

#4 royost

Posted 15 April 2012 - 09:51 PM

I've restarted Windows 7, and enclose a screen dump of the warning that the settings for the browser (both IE9 and Firefox 11) have changed.

As long as I don't restart Windows, Search Browsing stays away, but as soon as I restart Windows, it pops up again, so there must be something in connection with the startup of Windows that does this. I hope you may have some idea what it can be.

#5 Kevin Zoll

Posted 16 April 2012 - 02:35 AM

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.

Link 1
Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#6 royost

Posted 16 April 2012 - 08:24 AM

Sorry, but after a restart searchbrowsing is still in place.

By the way, it's the Advanced System Protector which warns about the change of the browser.

#7 Kevin Zoll

Posted 18 April 2012 - 02:15 AM

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.

    Posted Image
  • Click Change parameters

    Posted Image
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK

    Posted Image
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
    Posted Image
  • When it finishes, you will either see a report that no threats were found like below:
    Posted Image

    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    Posted Image
    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
      Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:
    Posted Image
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Attach this log to your next reply.


#8 royost

Posted 18 April 2012 - 01:50 PM

Thanks a lot. I hope the attached log will help. I also enclose a screen dump with the unsigned files the scan found.

Firefox now seems to work fine, but Internet Explorer is still a problem.
Roy

#9 Kevin Zoll

Posted 20 April 2012 - 01:38 AM

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Attach the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#10 royost

Posted 20 April 2012 - 03:39 PM

It seems to be gone from Firefox, at least, but it just doesn't want to disappear from Internet Explorer. I've tried to change the home page(s) in Internet Explorer, but as soon as I close the settings, SearchBrowsing still is back.

I can only thank you for your time, although I think you will also profit by finding out how to get rid of this obnoxious hijacker.

Roy

#11 royost

Posted 20 April 2012 - 06:13 PM

Update: I've just installed Nero 11 Trial, and now SearchBrowsing is back in Firefox too!

#12 Kevin Zoll

Posted 21 April 2012 - 12:36 AM

Run ComboFix again and attach the resulting log.

#13 royost

Posted 22 April 2012 - 12:52 PM

Somehow I got a new error message I've not seen before from something calling itself Windows Core Toolbar Helper: Access violation .... See attached screen dump.

I feel somewhat disappointed your Anti-Malware utility didn't get rid of the hijacker for me, as I found your utility by searching for "getting rid of Search Browsing" or something, and it came up as a result, but I can see it is difficult to get rid of it.

By the way, the combofix now runs in reduced mode.

#14 Kevin Zoll

Posted 24 April 2012 - 05:27 PM

Download a fresh copy of ComboFix and run it. Attach the new log when done.

#15 royost

Posted 25 April 2012 - 12:47 PM

I downloaded a new copy of combofix as suggested.
Before I ran it, I closed down all guards so there wouldn't be any conflict with combofix.
When the windows restarted, I was not allowed to start any programs, and I got the error message enclosed (screendump), or open combofix.txt, so I restarted Windows again to get services activated again.

When Windows restarted, I got the same warning back: a possible malicious change of start page for my browser (which includes both Firefox and Internet Explorer).

Roy

#16 Kevin Zoll

Posted 26 April 2012 - 03:07 AM

OK, do a fresh scan with OTL and attach the new OTL log.

#17 royost

Posted 26 April 2012 - 04:12 PM

Thanks. Please find the OTL log attached.
Roy

#18 Kevin Zoll

Posted 27 April 2012 - 12:56 AM

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    PRC - C:\Program Files (x86)\Search Core Systems\Windows Core Toolbar\wcthelper.exe (Search Core Systems)
    PRC - C:\Program Files (x86)\Search Core Systems\Windows Core Toolbar\wcupdt.exe (Search Core System)
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchbrowsing.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchbrowsing.com
    FF - prefs.js..browser.search.selectedEngine: "SearchBrowsing"
    FF - prefs.js..browser.startup.homepage: "http://www.searchbrowsing.com"
    FF - prefs.js..keyword.URL: "http://www.searchbrowsing.com/web.php?src=hmp&hl=en&camefrom=defaultsearch&q="
    [2012.04.25 13:42:29 | 000,000,648 | ---- | M] () -- C:\Users\Roy\AppData\Roaming\Mozilla\Firefox\Profiles\93t9chma.default\searchplugins\searchbrowsing.xml
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
    O2 - BHO: (&Windows Core Toolbar BHO) - {ACC01A56-70E3-472E-9C4F-83B1DA817DD8} - C:\Program Files (x86)\Search Core Systems\Windows Core Toolbar\browserhelper.dll (Search Core Systems)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Java Plug-in 1.5.0_10)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\skype4com - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
    O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    [2012.04.16 07:37:21 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{26B02714-C3C8-457D-8C7B-C3AF792E9365}
    [2012.04.16 07:37:09 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{29D15E94-5D6F-4DC4-AB21-9EE54C6996BF}
    [2012.04.16 07:26:59 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{09E47FF4-0078-4361-8762-F19B61CD7BD6}
    [2012.04.16 07:26:47 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{69ECEF50-B17F-464B-9A8F-8E6111917444}
    [2012.04.15 18:38:48 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{54D58D8F-6099-4838-A5AB-40F379A00B3A}
    [2012.04.15 18:38:37 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{DCFBD996-46A0-4EEF-A217-770548DB4FB1}
    [2012.04.12 19:54:46 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{5AA83604-7FCD-4903-BD50-48AA1E30CB2F}
    [2012.04.12 19:54:34 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{E4798FD9-96DF-4454-8EE0-64035430AECA}
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#19 royost

Posted 27 April 2012 - 09:22 PM

Thanks for your help. So far it seems I've got rid of the hijacker.

When Windows restarted, it seems searchbrowsing was killed, at least in IE, but there were still traces in Firefox. I, therefore, changed the start page, the search engines and removed the traces I could find in about:config.
I also killed the anti malware and anti virus programs to ensure nothing would prevent OTL working as intended.

When I restarted, it seemed everything was fine. To be safe I rechecked around a little, and gave Windows a new restart to check a new time.

When Windows started, Systweak Advanced system care again warned that the start page was changed by a possible bad program or something. I'm not sure if that's the culprit, but I decided to uninstall it, again remove searchbrowsing traces from Firefox (again IE didn't seem to be affected - phew!) by the help of about:config, and then restarted Windows.

My impression so far is that it at last worked, although I have to see if it somehow by some unfathomable way does pop up again. At least I hope all your untiring work to help me has borne good fruits.

Roy
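
Post #19 describes clearing browser settings by hand and then rechecking after each restart. The sketch below is an added example, not part of any post in this thread and not OTL's own code: it sorts lines from the fix scripts above into components that are code (process, scheduled task, BHO) and the browser settings that were being reset. The sample lines are copied from the thread; the prefix-to-category mapping and all function names are assumptions of the example.

```python
import re

# Strings that identify the hijacker in the fix scripts posted in this thread.
INDICATORS = ("searchbrowsing", "search core systems",
              "windows core toolbar", "windows core helper")

# File/folder entries: [date time | size | attributes | C or M] (company) -- path
# The "(company)" part is absent on the folder lines quoted in the thread.
FILE_LINE = re.compile(
    r"^\[[\d.]+ [\d:]+ \| [\d,]+ \| [-A-Z]+ \| [CM]\](?: \(.*?\))? -- (?P<path>.+)$"
)

# Kinds that are code which runs, as opposed to settings a browser reads.
ACTIVE_KINDS = {"running process", "scheduled task", "browser helper object"}

# Lines copied from the fix scripts in this thread, plus one command line.
SAMPLE_LINES = r"""
PRC - C:\Program Files (x86)\Search Core Systems\Windows Core Toolbar\wcthelper.exe (Search Core Systems)
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchbrowsing.com
FF - prefs.js..browser.startup.homepage: "http://www.searchbrowsing.com"
O2 - BHO: (&Windows Core Toolbar BHO) - {ACC01A56-70E3-472E-9C4F-83B1DA817DD8} - C:\Program Files (x86)\Search Core Systems\Windows Core Toolbar\browserhelper.dll (Search Core Systems)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
[2012.04.25 13:42:29 | 000,000,648 | ---- | M] () -- C:\Users\Roy\AppData\Roaming\Mozilla\Firefox\Profiles\93t9chma.default\searchplugins\searchbrowsing.xml
[2012.03.31 13:52:21 | 000,000,312 | -H-- | C] () -- C:\Windows\tasks\Windows Core Helper.job
[2012.04.16 07:37:21 | 000,000,000 | ---D | C] -- C:\Users\Roy\AppData\Local\{26B02714-C3C8-457D-8C7B-C3AF792E9365}
[Reboot]
""".strip().splitlines()


def classify(line):
    """Return the artifact kind for one line, or None if it is not recognised.

    The mapping is this example's reading of the lines quoted in the thread,
    not an official description of the OTL format.
    """
    line = line.strip()
    if line.startswith("PRC - "):
        return "running process"
    if line.startswith("IE - "):
        return "Internet Explorer setting"
    if line.startswith("FF - "):
        return "Firefox preference"
    if line.startswith("O2 - BHO:"):
        return "browser helper object"
    match = FILE_LINE.match(line)
    if match:
        path = match.group("path").lower()
        if "\\windows\\tasks\\" in path and path.endswith(".job"):
            return "scheduled task"
        if "\\searchplugins\\" in path:
            return "Firefox search plugin"
        return "file or folder"
    return None


def triage(lines):
    """Keep recognised lines that mention an indicator, active components first."""
    findings = []
    for raw in lines:
        kind = classify(raw)
        if kind is None:
            continue
        if any(indicator in raw.lower() for indicator in INDICATORS):
            findings.append({"kind": kind,
                             "active": kind in ACTIVE_KINDS,
                             "line": raw.strip()})
    # Stable sort: entries with active=True come before the passive settings.
    findings.sort(key=lambda finding: not finding["active"])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        label = "ACTIVE " if finding["active"] else "setting"
        print(f"{label} | {finding['kind']:<26} | {finding['line'][:70]}")
```
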

#20 Kevin Zoll

Posted 29 April 2012 - 12:48 AM

OK, that is good news.

How are things working now?

#21 royost

Posted 29 April 2012 - 06:44 AM

Today searchbrowsing is back in IE again! After having been away for a couple of days. I just can't understand what's going on and where it's hiding on the PC.

#22 royost

Posted 30 April 2012 - 05:58 AM

And today it's taken over Firefox too.

#23 royost

Posted 30 April 2012 - 07:34 AM

I suddenly saw a warning that somehow Skype led to a possibly dangerous change of the browser start page. Does that make sense? I've not seen this before.

#24 royost

Posted 01 May 2012 - 05:34 PM

Today search browsing has stayed away from both IE and Firefox. Curiouser and curiouser.

#25 Kevin Zoll

Posted 01 May 2012 - 06:17 PM

OK, do fresh scans with EEK and OTL. Attach the resulting logs when ready.

#26 royost

Posted 02 May 2012 - 12:35 PM

I ran a deep scan with EEK, and it found a "trojan_Downloader.Win32.Small!IK" among my installation files, so I doubt that is the problem. It's apparently part of the installation back for a utility that's removing Trados passwords, and I've had that on a network disc for some time, long before this problem appeared.

Here are the two reports. At least searchbrowsing isn't there all the time, so it looks like you are on the right track at least.

#27 Kevin Zoll

Posted 02 May 2012 - 10:25 PM

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
Delete the following from your Desktop (If they exist)
CFscript.txt
TDSSKiller.exe
Anything else I had you use

Delete the following files: (If they exist)
C:\ComboFix.txt

Delete the following folders: (If they exist)
C:\ComboFix
C:\Qoobox

Empty the Recycle Bin

Download to your Desktop:
- CCleaner Portable
  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner
Run CCleaner
  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • The following should be selected by default, if not, please select:
    Posted Image
  • Click Posted Image and choose Posted Image
  • Uncheck Posted Image
  • Then go back to Posted Image and click Posted Image to run it.
  • Exit CCleaner.

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-dated.

Articles to read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

#28 royost

Posted 03 May 2012 - 11:38 AM

Thanks. A scanning with Secunia Online Software Inspector seemed to indicate that the Java JRE was outdated, but I am somehow not able to update it. It doesn't seem to want to be installed after it has been downloaded. Guess it may be one of the security programs that is blocking it.

But other than that everything seems to be as it should.

Roy

#29 Kevin Zoll

Posted 03 May 2012 - 08:37 PM

What error messages, if any, are you getting during the Java install?

#30 Kevin Zoll

Posted 07 May 2012 - 05:20 PM

Thread Closed

Reason:
Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.



