Malware searchnu 102 and goon search.com

I have been infected with this virus/malware and it has entered 3 different computers i use over the course of the last few hours. Avast never alerted and all systems were up to date. the initial infection occured early this morning after downloading a jzip software that showed to be good on a laptop running Windows 7. I have run Avast boot scan, Malwarebytes and removed as much as i could from task manager and the startup menu. Please help as it seems to be eating away. i am in safe mode now and using an Ipad on 3G for most communication other than this. Btw, the other computers are : Windows 7 and Vista. thanks

It seems bandoo is some browser/toolbar crap

so try this, run AdwCleaner search, when the log pops up, close it and click delete
you find it here http://forum.avast.com/index.php?topic=53253.0

post the log here

if that does not solve your problem, see in same guide how to get a OTL log
attach the OTL log and a removal specialist will help you

http://forum.avast.com/index.php?topic=53253.0

It seems bandoo is some browser/toolbar crap

so try this, run AdwCleaner search, when the log pops up, close it and click delete
you find it here http://forum.avast.com/index.php?topic=53253.0

AdwCleaner v2.003 - Logfile created 10/07/2012 at 01:28:23

Updated 23/09/2012 by Xplode

Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

User : Betsey walker - BETSEYWALKER-PC

Boot Mode : Safe mode with networking

Running from : C:\Users\Betsey walker\Downloads\adwcleaner.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\Coupons.com
Folder Deleted : C:\Program Files (x86)\splashtop
Folder Deleted : C:\ProgramData\splashtop
Folder Deleted : C:\Users\Betsey walker\AppData\Local\Conduit
Folder Deleted : C:\Users\Betsey walker\AppData\Local\OpenCandy
Folder Deleted : C:\Users\Betsey walker\AppData\Local\splashtop
Folder Deleted : C:\Users\Betsey walker\AppData\LocalLow\boost_interprocess
Folder Deleted : C:\Users\Betsey walker\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Betsey walker\AppData\LocalLow\Coupons.com
Folder Deleted : C:\Users\Betsey walker\AppData\Roaming\OpenCandy
Folder Deleted : C:\Users\BETSEY~1\AppData\Local\Temp\TempDir

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\Coupons.com
Key Deleted : HKCU\Software\AppDataLow\Software\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{1B5D4053-1DC0-4C49-B5FD-9E6153E8185F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{37153479-1976-43C3-A1EE-557513977B64}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{190AB5CB-249C-4F9C-B8B0-F273C3EE7A5D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{37153479-1976-43C3-A1EE-557513977B64}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2559647
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Coupons.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{190AB5CB-249C-4F9C-B8B0-F273C3EE7A5D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{190AB5CB-249C-4F9C-B8B0-F273C3EE7A5D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{1B5D4053-1DC0-4C49-B5FD-9E6153E8185F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{37153479-1976-43C3-A1EE-557513977B64}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{97720195-206A-42AE-8E65-260B9BA5589F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{B18788A4-92BD-440E-A4D1-380C36531119}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{5C1F20D7-0913-4158-869F-185D6385D2D2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{DFFADD57-493F-4423-8D95-034258F81450}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{37153479-1976-43C3-A1EE-557513977B64}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Coupons.com Toolbar
Key Deleted : HKLM\SOFTWARE\Software
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{37153479-1976-43C3-A1EE-557513977B64}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{37153479-1976-43C3-A1EE-557513977B64}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{37153479-1976-43C3-A1EE-557513977B64}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{37153479-1976-43C3-A1EE-557513977B64}]

***** [Internet Browsers] *****

-\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\ Google Chrome v22.0.1229.79

File : C:\Users\Betsey walker\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.21] : urls_to_restore_on_startup = [ “hxxp://www.google.com/ig?hl=en&t=0”, “hxxp://www.google.com/ig?hl=en&source=iglk”, “hxxp://www.searchnu.com/102”, “hxxp://www.goonsearch.com/?source=IBR-IB-PDP-INS-HP” ]
Deleted [l.2567] : urls_to_restore_on_startup = [ “hxxp://www.google.com/ig?hl=en&t=0”, “hxxp://www.google.com/ig?hl=en&source=iglk”, “hxxp://www.searchnu.com/102”, “hxxp://www.goonsearch.com/?source=IBR-IB-PDP-INS-HP” ]


AdwCleaner[R1].txt - [5167 octets] - [07/10/2012 01:27:09]
AdwCleaner[S1].txt - [5659 octets] - [07/10/2012 01:28:23]

########## EOF - C:\AdwCleaner[S1].txt - [5719 octets] ##########

if that does not solve your problem, see in same guide how to get a OTL log
attach the OTL log and a removal specialist will help you

This seems to have helped this computer but not the originally infected one (laptop). I am still running OLT on it. BTW, i actually saw the info on Essexboy post and ran before i saw your reply. However, the aswMBR.exe scan kept stopping at the latter part of the scan when it was scanning the OTL.exe file.

I will send the other computer files after we resolve this one. Thanks much

hi wtwalker,

If you need help with the other computer, just ask to do so in this thread. No need to create a second thread for that one. Whoever comes in to help you will likely have a workaround for you to get aswMBR.exe to run to completion on the first one. We have several malware experts on hand, so no worries there.

Forthcoming fix for this system you are now working on most likely will not work as well, if at all, on the other computer. Each requires a different analysis/cure to get them healthy again. So, just be patient. You have done your part. Help is coming soon.

Thanks. I am anticipating their response. i have finished the scans on the 2nd computer also but will wait to post until after someone gets back on the first. The aswMBR.exe scan also stopped toward the end of the process on the 2nd computer also.

You may try to run aswMBR from safe mode

The first OTL log looks OK, do you want to do then one at a time ?

So on the info submitted on the first one, you believe everything is removed and it is virus / malware free now? It seems to be running fine and Malwarebytes doesn’t find anything. I can send the 2nd computer files on this thread if you are ready.

2nd computer (laptop and originally infected computer) OTL logs are attached. i am still showing the malware search engines show up when opening google - searchnu and goonsearch.

Could you let me know if this stops it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
FF:64bit: - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
O20:64bit: - AppInit_DLLs: (c:\progra~2\search~2\datamngr\x64\iebho.dll) - File not found
O20:64bit: - AppInit_DLLs: (protector.dll) - File not found
O20 - AppInit_DLLs: (protector.dll) - C:\windows\SysWow64\protector.dll ()

:Files
C:\ProgramData\Best Buy pc app
C:\progra~2\search~2
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Ran OTL with the script. After reboot, ran the QUICK SCAN 2 times - the first without checking the all users box so i thought i should run another with “all users” box checked. They are named accordingly.
Unfortunately, the two programs still load as separate tabs when i launch google chrome browser - searchnu and goonsearch. In Internet Explorer they don’t seem to be active. Overall responsiveness of the computer does seem (subjectively) to be better now. I use Google chrome 70% of the time and was using Chrome when the infection/attack occured. Thanks for your help and i look forward to your next recommendation.

Unfortunately due to the way Chrome is constructed my tools do not see all areas

I do not use Chrome, but what you need to do is reset your home page to just one tab and delete all search engines that you do not want

This is how they are added so I would imagine you reverse it to stop them

1. Click the Tools button.
  1. Select “Options”.

  2. When the “Google Chrome Options” dialog box appears, click the “Basics” tab.

  3. In the “On startup” section, click the “Open the following pages” radio button.

  4. To startup Google Chrome with a webpage or multiple pages:

Click the “Add” button, then when the “Add page” dialog appears, enter the URL to add to your startup pages or select a recently-viewed page. Click “Add” in the “Add page” dialog box. Repeat as desired to open multiple pages when starting Google Chrome.

Since my computers (3) were infected with this malware, i have not signed on to Google chrome as i think that may be how all computers on my home wireless network were infected. From a user perspective, this was the advantage as all of your settings are synced for Chrome whenever you sign in. I can change some settings on Chrome without signing in and have done so since last night. I only have one home page tab set - although 4 pop up on this computer (2 of which are the searchnu.com/102 and goonsearch) i am only using Google as a search engine and have checked all the extensions for validity. Early on in the process, i saw that searchnu and goonsearch came up as additional search engines in the “Manage Search Engine” area and i removed them.

Obviously, i have to get this reolved and am willing to do what i need to do. QUESTIONS: 1) If i sign into my Google account, do Ii run the risk of retransmitting the malware to the other computers once i boot them up and sign on? 2) You have helped me fix one of other 2 computers (and i ran the adwCleaner and Malwarebytes on the second which seems to be doing much better. Should i sign in to Google Chrome on the computer that appears to be fixed and make the more detailed setting changes, then shut it down and sign in to this computer’s Chrome? 3) or should i just forget about the syncing feature? I also sync google calendar with Outlook and Apple iPad Calendar.

I don’t know if it helps, but i am attaching the log file for the aswMBR scan i did on this computer. It also generated a DAT file. Let me know if you want to see that. Thanks again for your help.

Also, should i go ahead and run OTL and send the logs to you on my 3rd computer? it seems to be doing better since the adwCleaner scan and Malwarebytes but want to make sure. BTW, the Malwarebytes does not seem to be doing much good as it has caught 1 problem on the 3 computers in the last 30 hours.

As an update. I worked through all of the browser settings and appear to have removed the tool bars for searchnu and goonsearch. the system seems to be running better now although i am not 100% sure all of the redirect virus entries are off.
In the meantime, i am sending the OTL file for my 3rd computer. It seems to be running in a stable manner after the adwCleaner, Malwarebytes and OTL scan ran. Please review this and let me know if any next steps. I am still holding off of signing into my Google account on Chrome until I have more confidence in the integrity of all computers.

Thanks very much for your help!

The computers are now OK, it is the synch data that is suspect… When you log on it will synch and download the bad stuff again… I am not sure if you can use IE to delete the current synch data and start afresh

It looks as though the MBAM and AdwCleaner combo did the job

Essexboy, thanks so much for your help. It has been outstanding and much appreciated!
I think the Google sync stuff is still a concern and i am trying to figure out, with Google, of how to eradicate it and still be able to use the sync functions.
Thanks again!

If you do find out how to delete the old synch could you let me know, as this is becoming a recurring problem

I will definitely let you know.

Thank you ;D