Jump to content

Getting rid of Search Protection


Recommended Posts

I need help, I do not know where this thing came from but it is getting the best of me. When ever I log on I get my home page(yahoo.com) then this SEARCH PROTECTION THING POPS asking me if I want to block the changes. It is either "msn" or "yahoo". I click no "to keep yahoo" it goes away but then if I open another page it asks me the same stupid question. I copied the source from the pop up and I'll paste it here. By looking at that can someone tell me how to get rid of this thing.

 

I am running xp home, sp3, Pentium 4 3.06 ghz, 1.0 gb of ram, IE 8. Not the best system but it gets thing done. Here it comes.............Thanks, John

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "">

<head>

<title>Search Protection</title>

<link rel="stylesheet" type="text/css" href="window.css"/>

 

<!--[if !IE]>-->

<link rel="stylesheet" type="text/css" href="NotIE6.css" />

<!--<![endif]-->

<!--[if !(IE 6)]>

<link rel="stylesheet" type="text/css" href="NotIE6.css" />

<![endif]-->

<!--[if IE 6]>

<link rel="stylesheet" type="text/css" href="OnlyIE6.css" />

<![endif]-->

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"></script>

<script type="text/javascript" src="wnd.js"></script>

 

<meta http-equiv="MSThemeCompatible" content="Yes"/>

 

</head>

<body>

 

<div id="allText">

<div id="disclosureText" class="textInside bold" style="margin-top: 14px;margin-bottom: 14px;">An application has changed your search settings.<br/><br/>Do you want to block the following change(s)?</div>

<div id="lineHomePage" class="textInside" style="display:none"> 

- Homepage change from " <span id="lineHomePageFrom" class="bold"></span>" to "<span id="lineHomePageTo" class="bold"></span>"

</div>

<div id="lineDefaultSearch" class="textInside" style="display:none"> 

- Default Search Provider change from "<span id="lineDefaultSearchFrom" class="bold"></span>" to "<span id="lineDefaultSearchTo" class="bold"></span>"

</div>

</div>

 

<div id="allButtons">

<button id="decline" class="button" type="button" onclick="bl.trackDecision('declined', 'block', 'left');">No</button>

<button id="accept" class="button" type="button" onclick="bl.trackDecision('accepted', 'block', 'left');">Yes</button>

</div>

 

<div id="searchIcon"/>

 

</body>

</html>

Edited by john9611
Link to post
Share on other sites

First of all, STOP clicking it. ;) You're not helping your situation...

Download http://majorgeeks.co...ware_d5756.html and save to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform quick scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location and copy/paste the results in your next post.

 

p.s. moving to virus/spyware...

 

 

:xmas_laugh:

Link to post
Share on other sites

Thanks caintry_boy, I think this was my problem. I did not try it yet but the way it looks I sure had a dooozy. Thanks John

 

 

 

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8367

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/16/2011 8:29:54 PM

mbam-log-2011-12-16 (20-29-54).txt

Scan type: Full scan (C:\|)

Objects scanned: 231878

Time elapsed: 51 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 13

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 6

Files Infected: 46

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\program files\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\funwebproducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\funwebproducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\funwebproducts\Installr\1.bin\chrome (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\funwebproducts\Installr\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\program files\funwebproducts\Installr\2.bin\chrome (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137327.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137328.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137330.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137331.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137332.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137359.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137362.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137380.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137363.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137364.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137365.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137366.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137367.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137368.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137369.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137370.SCR (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137371.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137372.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137373.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137374.EXE (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137375.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137376.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137377.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137378.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137379.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137381.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137382.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137383.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137384.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137385.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137386.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137387.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137388.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137390.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137391.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137392.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137393.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137394.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137406.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137407.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137408.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137409.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137410.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137411.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\system volume information\_restore{8f7a5040-9305-4bda-a5ee-e7ee68e6a93b}\RP782\A0137412.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

c:\documents and settings\HP_Owner\my documents\my pictures\my pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Rebooted as requested, Still pops up, got rid of the crap aleast.

 

Here is what it says:

 

SEARCH PROTECTION

 

An application has changed your search settings

Do you want to block the following change(s)

 

Homepage changed from

www.msn.com to www.yahoo.com

 

Is this a yahoo thing??

From what I have read it is found in IE 6 AND 7

 

I am using 8......Any more help would greatly be appreciated.(sp?)

 

Thanks John

Link to post
Share on other sites

Now you need to download this > http://www.trendmicr.../HijackThis.exe and save it to your desktop in it's own folder called HJT. Open the program and select to "Do a system scan and save a log". Do Not Have HJT Fix Anything!! When the scan finishes the log will open in Notepad. Copy/paste the contents of the log into a new thread that you start here beginning with the Malwarebytes log > http://forums.pcpits...ijackthis-logs/

 

Please wait for help there from one of our Trusted Advisors, they are quite busy. ;)

 

 

 

 

:xmas_laugh:

Link to post
Share on other sites

It looks like a Zugo search bar is installed. Open Add/Remove Programs and uninstall all products whose publisher is Zugo Ltd.

 

EDIT: If Zugo isn't in Add/Remove Programs, open Tools, Manage Add-ons, and Enable or Disable Add-ons. Check each category for Zugo and disable all instances.

 

Again EDIT: Also check the Program FilesSearchToolbar folder for an uninstaller.

Edited by TomGL2
Link to post
Share on other sites

I could not find anything on Zugo

In Add-ons, what's listed that does not show Microsoft as publisher? Disable everything non-Microsoft and see if "search protextion" still pops up. If not, reenable a few or even one at a time until you find the culprit.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
×
×
  • Create New...