uk.search-results.com Virus

[Taz1]

A while ago I downloaded a piece of software to try it out and since then all my search engines for google and firefox now default to "_http://uk.search-results.com". All my attempts to get it back to google failed (except for the search box, which I don't use, but can't change it in the URL bar where I type my searches).  Avast never picked up this virus. Anybody any idea why it didn't pick it up and what to do to get rid of this virus?

[!Donovan]

Did you install Searchqu?

If so, this page will help:
http://deletemalware.blogspot.com/2011/05/how-to-remove-searchqu-uninstall-guide.html

[Taz1]

No, I never installed it but I think it might have come with some software I installed from the internet. I needed to unzip a file and downloaded various zip utils to try out. I suspect it might have come with JZipV1 but I can't be sure.

[!Donovan]

No, I never installed it but I think it might have come with some software I installed from the internet. I needed to unzip a file and downloaded various zip utils to try out. I suspect it might have come with JZipV1 but I can't be sure.

There are many alternatives including WinRAR and 7Zip.

Also, see this about JZip:
http://www.techsupportforum.com/forums/f131/help-firefox-homepage-hijacked-by-jzip-561379.html

[Taz1]

Thanks, this gave me an idea where to look.  I finally managed to fix my Firefox browser. There are a few steps I didn't see mentioned. On the config screen (about:config) there are two more entries that need to be reset apart from browser.search.defaultenginename. When making a search I found the following entries:

Code: [Select]

keyword.URL;http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=

Code: [Select]

extensions.wrc.SearchRules.rambler.ru.style;.WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url("IMAGE") right no-repeat}

resetting keyword.URL and extensions.wrc.SearchRules.rambler.ru.style fixed my problem.

Strange, though, going back into about:config after having reset those two, I can't find the second entry (extensions.wrc.SearchRules.rambler.ru.style) at all anymore, only
extensions.wrc.SearchRules.rambler.ru.URL

[!Donovan]

I can't find the second entry (extensions.wrc.SearchRules.rambler.ru.style) at all anymore

It's good that it's gone, as a search at Google reveals it to be potentially malicious.


Are you experiencing any more problems?

[Taz1]

Are you experiencing any more problems?

So far everything seems back to normal. System is still a bit sluggish, though, but might be just the internet a bit slow today. I did a full virus scan which passed fine except that it came across one password protected archive it couldn't scan, "install_flashplayer11x64_mssd_aih.exe" which surprised me a bit, but might be nothing. 

[!Donovan]

it came across one password protected archive it couldn't scan, "install_flashplayer11x64_mssd_aih.exe" which surprised me a bit, but might be nothing. 

Files that can't be scanned are just that. In this case, the file was password protected, meaning that a password is required to access the file.

Regarding the name of it, it appears to be a legit file that is password protected for commercial reasons, so nothing to worry about.