Searchcore.net

dond

New Member
Thread author
Apr 3, 2012
4
Hello All,
Obviously, I am new to this forum. I am a help desk analyst with plans to go out on my own in a couple of years (retired). I have run into a redirect "Searchcore.net" that I have been trying to find valid info on how to remove. I also wish to learn how and what needs to be collected to have these problems researched and cleaned. Thanks for your help.
 

malwarekiller

New Member
Mar 30, 2012
688
Welcome to the forums! :) Let's have a look at your PC with OTL. Please be sure to follow only one set of instructions from a single qualified person. My fixes are unique, and using them on other computers will cause damage... This will ensure you don't end up running different scans and bricking your PC.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    consrv.dll
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    C:\Windows\assembly\tmp\U\*.* /s
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c

    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs
 

dond

New Member
Thread author
Apr 3, 2012
4
malwarekiller said:
Welcome to the forums! :) Let's have a look at your PC with OTL. Please be sure to follow only one set of instructions from a single qualified person. My fixes are unique, and using them on other computers will cause damage... This will ensure you don't end up running different scans and bricking your PC.

Download http://oldtimer.geekstogo.com/OTL.exe

This infection is on a W7 machine in which I tried to remove it first running SAS then Malwarebytes. I came across documentation that said to delete it via A/R programs which I did as well as finding the folder "searchcore" and deleting that. I also cleared a couple of entries via regedit modify but when I hit a couple of keys for "searchcore" that was when I stopped. Your help is greatly appreciated.
 

Attachments

  • Extras.Txt
    65.8 KB · Views: 142
  • OTL.Txt
    98.5 KB · Views: 165

malwarekiller

New Member
Mar 30, 2012
688
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons. They will return on reboot.

If you have Malwarebytes 1.5 or better installed please disable it for the duration of this run

Run OTL
  1. Under the Custom Scans/Fixes box at the bottom, paste in the following
    Code:
    :OTL
    IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2426}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=141112&systemid=426&sr=0&q={searchTerms}
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2426}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=141112&systemid=426&sr=0&q={searchTerms}
    IE - HKU\S-1-5-21-3186800326-3317911409-3190794081-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
    IE - HKU\S-1-5-21-3186800326-3317911409-3190794081-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://dogpile.com/
    FF - prefs.js..browser.startup.homepage: "http://www.dogpile.com/"
    FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=141112&systemid=426&sr=0&q="
    O4 - HKLM..\Run: []  File not found
    O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NOBuActivation.exe (Symantec Corporation)
    O15 - HKU\S-1-5-21-3186800326-3317911409-3190794081-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    
    
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
  2. Then click the Run Fix button at the top
  3. Let the program run unhindered, reboot the PC when it is done
  4. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
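
Added example, not part of the original posts and not OTL's own code: a small Python triage pass over OTL scan-log entries of the kind targeted in the fix above. It reports browser search and homepage settings whose host is not on an allowlist, plus Run entries whose target file is missing; the `EXPECTED_HOSTS` allowlist and the `triage` function name are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the machine's owner actually expects in browser settings.
EXPECTED_HOSTS = {"www.google.com", "www.bing.com"}

URL_RE = re.compile(r'https?://[^\s"]+')
SETTING_RE = re.compile(r"SearchScopes|Start Page|homepage|keyword\.URL")

def triage(lines, expected_hosts=EXPECTED_HOSTS):
    """Return (section, setting, detail) tuples for entries worth a second look."""
    findings = []
    for line in lines:
        section, sep, rest = line.strip().partition(" - ")
        if not sep:
            continue  # not an OTL "<section> - <entry>" line
        section = section.rstrip(":")
        if section.startswith(("IE", "FF")):
            setting, url = SETTING_RE.search(rest), URL_RE.search(rest)
            if setting and url:  # binary values carry no URL and are skipped
                host = urlsplit(url.group()).hostname
                if host not in expected_hosts:
                    findings.append((section, setting.group(), host))
        elif section == "O4" and rest.endswith("File not found"):
            findings.append((section, "Run", "autorun target missing"))
    return findings

# Entries as they appear in the fix script in this thread.
SAMPLE = r'''
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2426}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=141112&systemid=426&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3186800326-3317911409-3190794081-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-3186800326-3317911409-3190794081-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://dogpile.com/
FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=141112&systemid=426&sr=0&q="
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NOBuActivation.exe (Symantec Corporation)
'''.splitlines()

if __name__ == "__main__":
    for section, setting, detail in triage(SAMPLE):
        print(f"{section:9} {setting:13} {detail}")
```

A host that is off the allowlist is a prompt to ask the machine's owner whether they chose it, not a verdict on the site.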
 

dond

New Member
Thread author
Apr 3, 2012
4
malwarekiller,

Here is the output from the fix run and the quick scan is attached.

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2426}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2426}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2426}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2426}\ not found.
HKU\S-1-5-21-3186800326-3317911409-3190794081-1003\SOFTWARE\Microsoft\Internet Explorer\Main\\Secondary Start Pages| /E : value set successfully!
HKU\S-1-5-21-3186800326-3317911409-3190794081-1003\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Prefs.js: "http://www.dogpile.com/" removed from browser.startup.homepage
Prefs.js: "http://dts.search-results.com/sr?src=ffb&appid=141112&systemid=426&sr=0&q=" removed from keyword.URL
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NortonOnlineBackupReminder deleted successfully.
C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe moved successfully.
Registry key HKEY_USERS\S-1-5-21-3186800326-3317911409-3190794081-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Don
->Temp folder emptied: 11887805 bytes
->Temporary Internet Files folder emptied: 15885947 bytes
->Java cache emptied: 15780 bytes
->FireFox cache emptied: 49320517 bytes
->Flash cache emptied: 29018 bytes

User: Lynne
->Temp folder emptied: 1026584 bytes
->Temporary Internet Files folder emptied: 38278561 bytes
->Java cache emptied: 2563680 bytes
->FireFox cache emptied: 176379343 bytes
->Flash cache emptied: 8388 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1120918 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67563 bytes
RecycleBin emptied: 1672944 bytes

Total Files Cleaned = 284.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Don
->Flash cache emptied: 0 bytes

User: Lynne
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.39.2 log created on 04072012_171557

Files\Folders moved on Reboot...
File move failed. C:\Users\Don\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Thanks
 

Attachments

  • OTL.Txt
    74.1 KB · Views: 164

dond

New Member
Thread author
Apr 3, 2012
4
malwarekiller said:
That looks nice! How is the computer running?

Appears to be running well, however you know how some of us are always reluctant to say it is clean after these things happen. Maybe as I learn more about malware I'll be more comfortable with it. As it is at work we run SAS or Malwarebytes and if that doesn't get it the machine gets re-imaged. Thanks again.
 
