Do-search infection?


Fix with FRST (normal mode)

  • Open Notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.)
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://do-search.com...76GHWPEAGHWPEAX
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://do-search.com...HWPEAGHWPEAX&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://do-search.com...HWPEAGHWPEAX&q={searchTerms}
    SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
    BHO-x32: WordOv - {14E5E74B-0B52-4669-8B78-6527C7A09831} - C:\Users\Chris L Hendrick\AppData\Roaming\WordOv\temp.dat ()
    C:\Users\Chris L Hendrick\AppData\Roaming\WordOv

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run frst.exe (on 64-bit, run frst64.exe), press the Fix button just once, and wait.
  • The tool will make a log (Fixlog.txt), which you will find where you saved FRST. Please post it in your reply.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-11-2013 01

Ran by Chris L Hendrick at 2013-11-25 18:20:38 Run:1

Running from C:\Users\Chris L Hendrick\Downloads

Boot Mode: Normal

==============================================

Content of fixlist:

*****************

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://do-search.com...76GHWPEAGHWPEAX

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://do-search.com...HWPEAGHWPEAX&q={searchTerms}

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://do-search.com...HWPEAGHWPEAX&q={searchTerms}

SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =

BHO-x32: WordOv - {14E5E74B-0B52-4669-8B78-6527C7A09831} - C:\Users\Chris L Hendrick\AppData\Roaming\WordOv\temp.dat ()

C:\Users\Chris L Hendrick\AppData\Roaming\WordOv

*****************

HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14E5E74B-0B52-4669-8B78-6527C7A09831} => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{14E5E74B-0B52-4669-8B78-6527C7A09831} => Key deleted successfully.

C:\Users\Chris L Hendrick\AppData\Roaming\WordOv => Moved successfully.

==== End of Fixlog ====


I'm discussing this issue with other malware removers.

Please be patient with us in the meantime as we want to provide the best support possible.

Not a problem at all Marius. I'd like to get it taken care of but it's not taking my computer out of commission so do what you need to.

Would it matter if I let you know what I was doing when it happened?


Hi there,

Sorry for the late reply - I'm ill at the moment and could not work the past days.

Fix with FRST (normal mode)

  • Open Notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.)
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    reg: reg query "HKLM\system\currentcontrolset\services\appmgmt"

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run frst.exe (on 64-bit, run frst64.exe), press the Fix button just once, and wait.
  • The tool will make a log (Fixlog.txt), which you will find where you saved FRST. Please post it in your reply.


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-12-2013 01

Ran by Chris L Hendrick at 2013-12-10 19:33:50 Run:2

Running from C:\Users\Chris L Hendrick\Downloads

Boot Mode: Normal

==============================================

Content of fixlist:

*****************

reg: reg query "HKLM\system\currentcontrolset\services\appmgmt"

*****************

========= reg query "HKLM\system\currentcontrolset\services\appmgmt" =========

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\appmgmt

ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\appmgmt\Parameters

========= End of Reg: =========

==== End of Fixlog ====


Shortcut Cleaner 1.2.6 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2013 BleepingComputer.com

More Information about Shortcut Cleaner can be found at this link:

http://www.bleepingcomputer.com/download/shortcut-cleaner/

Windows Version: Windows 8

Program started at: 12/20/2013 07:39:53 PM.

Scanning for registry hijacks:

* No issues found in the Registry.

Searching for Hijacked Shortcuts:

Searching C:\Users\Chris L Hendrick\AppData\Roaming\Microsoft\Windows\Start Menu\

  * Shortcut Cleaned: C:\Users\Chris L Hendrick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://do-search.com/?type=sc&ts=1384647336&from=mp3&uid=HitachiXHTS541010A9E680_J8100076GHWPEAGHWPEAX

Searching C:\ProgramData\Microsoft\Windows\Start Menu\

Searching C:\Users\Chris L Hendrick\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

  * Shortcut Cleaned: C:\Users\Chris L Hendrick\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://do-search.com/?type=sc&ts=1384647336&from=mp3&uid=HitachiXHTS541010A9E680_J8100076GHWPEAGHWPEAX

  * Shortcut Cleaned: C:\Users\Chris L Hendrick\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://do-search.com/?type=sc&ts=1384647336&from=mp3&uid=HitachiXHTS541010A9E680_J8100076GHWPEAGHWPEAX

Searching C:\Users\Public\Desktop\

Searching C:\Users\Chris L Hendrick\Desktop

3 bad shortcuts found.

Program finished at: 12/20/2013 07:39:56 PM

Execution time: 0 hours(s), 0 minute(s), and 2 seconds(s)


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
