Posted

DOSEARCHES has invaded my computer!!

Please help!

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 6:17:37 PM, on 10/9/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16686)

Boot mode: Normal

Running processes:
C:\Users\Chuck Bonetti\AppData\Roaming\Search Protection\SearchProtection.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
C:\Program Files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
C:\Program Files\Webroot\WRSA.exe
C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\APSDaemon.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Chuck Bonetti\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: IBM Forms Viewer Helper - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files (x86)\IBM\Forms Viewer\4.0\PEhelper.dll
O2 - BHO: QuickShare WidgetEngine - {31ad400d-1b06-4e33-a59a-90c2c140cba0} - mscoree.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: (no name) - {8232785C-5C98-4A6E-B7B4-911FFBED7582} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Webroot Vault - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\pkg\LPBar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar.dll
O3 - Toolbar: QuickShare Widget - {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [WD Quick View] C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
O4 - HKLM\..\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Chuck Bonetti\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [searchProtection] "C:\Users\Chuck Bonetti\AppData\Roaming\Search Protection\SearchProtection.EXE" /autostart
O4 - HKCU\..\Run: [uTorrent] "C:\Users\Chuck Bonetti\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED
O4 - HKCU\..\Run: [Plex Media Server] "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe"
O4 - HKCU\..\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [sDP] C:\Users\Chuck Bonetti\AppData\Local\FilesFrog Update Checker\update_checker.exe /auto
O4 - HKCU\..\Run: [browser Infrastructure Helper] C:\Users\Chuck Bonetti\AppData\Local\Smartbar\Application\QuickShare.exe startup
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_8_800_175_ActiveX.exe -update activex
O4 - HKUS\S-1-5-18\..\RunOnce: [sPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [sPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 (User 'Default user')
O4 - Startup: Facebook Messenger.lnk = Chuck Bonetti\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe
O4 - Startup: ZooskMessenger.lnk = C:\Program Files (x86)\Zoosk\Messenger\ZooskMessenger.exe
O4 - Global Startup: Install Webroot FF RunOnce.lnk = C:\Program Files (x86)\Common Files\wruninstall.exe
O4 - Global Startup: Install Webroot IE RunOnce.lnk = C:\Program Files (x86)\Common Files\wruninstall.exe
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Webroot - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\ProgramData\WRData\pkg\LPBar.dll
O9 - Extra 'Tools' menuitem: Webroot - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\ProgramData\WRData\pkg\LPBar.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: FastFreeConverterUpdt - Unknown owner - C:\Program Files (x86)\Fast Free Converter\FastFreeConverterUpdt.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Media Center Support Service (Jasmio.MediaCenter.Service) - Unknown owner - C:\Program Files\Jasmio\Media Center Support Service\Jasmio.MediaCenter.Service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files (x86)\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: WD Backup (WDBackup) - Western Digital Technologies, Inc. - C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
O23 - Service: WD Drive Manager (WDDriveService) - Western Digital Technologies, Inc. - C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: WRSVC - Webroot - C:\Program Files\Webroot\WRSA.exe

--
End of file - 14253 bytes
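A quick way to triage the O4 (autorun) section of a HijackThis log like the one above is to pull out the executable each entry launches and flag those living under a user profile (\Users\<name>\AppData\...), which is where bundled search-redirecting software usually installs. This is an added example, not part of the thread or of HijackThis; the sample lines are copied from the posted log, and a flag means "look at this", not "malware" (uTorrent, for instance, legitimately runs from AppData).

```powershell
# Added example: parse HijackThis O4 lines and flag autoruns started from a
# user profile directory. Sample lines are taken from the log posted above.
$sampleLog = @'
O4 - HKLM\..\Run: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
O4 - HKLM\..\Run: [WD Quick View] C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
O4 - HKCU\..\Run: [searchProtection] "C:\Users\Chuck Bonetti\AppData\Roaming\Search Protection\SearchProtection.EXE" /autostart
O4 - HKCU\..\Run: [uTorrent] "C:\Users\Chuck Bonetti\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED
O4 - HKCU\..\Run: [sDP] C:\Users\Chuck Bonetti\AppData\Local\FilesFrog Update Checker\update_checker.exe /auto
O4 - HKCU\..\Run: [browser Infrastructure Helper] C:\Users\Chuck Bonetti\AppData\Local\Smartbar\Application\QuickShare.exe startup
O4 - HKUS\S-1-5-18\..\RunOnce: [sPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 (User 'SYSTEM')
'@

function Get-HjtAutorun {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Shape: O4 - <hive>\..\<Run key>: [<value name>] <command line>
        # The backslashes are optional so copies that lost them still parse.
        if ($line -notmatch '^O4 - (?<hive>\S+?)\\?\.\.\\?(?<key>Run\w*): \[(?<name>[^\]]*)\] (?<cmd>.+)$') { continue }
        $hive = $Matches.hive
        $key  = $Matches.key
        $name = $Matches.name
        $cmd  = $Matches.cmd.Trim()

        # Executable: the quoted string if present, otherwise everything up to
        # and including the first ".exe" (handles unquoted paths with spaces).
        if ($cmd -match '^"(?<p>[^"]+)"' -or $cmd -match '^(?<p>.+?\.exe)') {
            $exe = $Matches.p
        } else {
            $exe = $cmd
        }

        [pscustomobject]@{
            Hive        = $hive
            Key         = $key
            Name        = $name
            Exe         = $exe
            ProfilePath = ($exe -match '\\Users\\[^\\]+\\AppData\\')
        }
    }
}

# On the sample, ProfilePath is True for searchProtection, uTorrent, sDP and
# "browser Infrastructure Helper"; the HKLM entries and SPReview are False.
Get-HjtAutorun -Lines ($sampleLog -split "`r?`n") |
    Sort-Object ProfilePath -Descending |
    Format-Table Hive, Name, Exe, ProfilePath -AutoSize
```

To run it over a real log, replace the sample with `Get-HjtAutorun -Lines (Get-Content .\hijackthis.txt)`. The parser only covers O4 lines; O2/O3 BHO and toolbar entries that point at mscoree.dll or a missing file, like the QuickShare ones in the log above, are worth reading by hand.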

  • Administrator
Posted

Welcome to the forums Chuck. Have you run Malwarebytes and SuperAntiSpyware? If yes, did they find and remove any malware? If they did, please copy/paste the logs.

Posted (edited)

Unfortunately I hadn't seen this prior to running those programs. I downloaded the kit on your website, which was helpful, thanks, but dang, DOSEARCHES is still haunting me. I have gone through IE and Chrome thoroughly, and still, when they open, they go straight to DOSEARCHES like the link below. The only thing I've read is a redirect registry change, but I was unable to find the key in my registry to delete. :( Webroot is redirecting it on IE, at least it won't let it open, but it's still trying, and Chrome is just hopeless. It always opens to dosearches.

 

DO NOT CLICK DO NOT CLICK DO NOT CLICK

www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=ST9500424AS_S2V0NBZ1XXXXS2V0NBZ1&ts=1381271071
Edited by Tarun
Made link unclickable.
Posted

Both Malwarebytes and SuperAntiSpyware create scan logs by default - unless you've either deleted the logs or uninstalled the programs, the logs should be there.

 

Also, it may have hijacked the shortcuts that open the browsers. I skimmed through a thread on the Malwarebytes forum where they assisted a user in removing DOSEARCHES, and after everything should have been cleaned out there was still a problem - turned out that the browser shortcuts were opening DOSEARCHES. Right-click on the browser shortcuts, select "Properties", and check the Target - it should contain nothing but the path to the browser program, for example:

"C:\Program Files\Internet Explorer\iexplore.exe".

 

Edit out anything else.
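The check described in the post above, done for every browser shortcut at once rather than one Properties dialog at a time. This is an added example and not part of the thread: it walks the usual shortcut folders (Desktop, Start Menu, Quick Launch including the pinned-taskbar folder; these locations are assumptions), reads each .lnk through the WScript.Shell COM object, and reports browser shortcuts whose Target carries any arguments. With -Fix it blanks the arguments, which is the "edit out anything else" step.

```powershell
# Added example: audit browser shortcuts for injected arguments (a URL
# appended to the Target, as described in the post above). Browsers are
# recognised by executable name; the folder list is an assumption.
param(
    [switch]$Fix   # rewrite flagged shortcuts with empty Arguments
)

$browserExes = @('iexplore.exe', 'chrome.exe', 'firefox.exe', 'opera.exe', 'safari.exe')

$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')   # also holds User Pinned\TaskBar
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell    = New-Object -ComObject WScript.Shell
$findings = @()

foreach ($lnk in Get-ChildItem -LiteralPath $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc  = $shell.CreateShortcut($lnk.FullName)
    $exe = [IO.Path]::GetFileName([string]$sc.TargetPath).ToLower()
    if ($browserExes -notcontains $exe) { continue }

    # A clean browser shortcut launches the .exe with no arguments at all.
    $arguments = ([string]$sc.Arguments).Trim()
    if ($arguments.Length -eq 0) { continue }

    $findings += [pscustomobject]@{
        Shortcut  = $lnk.FullName
        Target    = $sc.TargetPath
        Arguments = $arguments
        HasUrl    = ($arguments -match 'https?://|www\.')   # the dosearches pattern
    }
    if ($Fix) {
        $sc.Arguments = ''
        $sc.Save()   # needs write access; run elevated for the all-users folders
    }
}

if ($findings.Count -eq 0) { 'No browser shortcuts carry extra arguments.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it once without -Fix and read the list first: Chrome "app" shortcuts and some vendor shortcuts legitimately carry arguments such as a profile directory, so only blank the ones whose Arguments is a URL. Shortcuts whose Target has been changed to something other than the browser executable are not caught by the name filter; for those, the manual Properties check in the post above is still the way to go.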

Posted

Sir, I am going to need you to raise one hand, flat palm, and proceed to use the other hand, flat palm, to strike it. *high five yourself for being AWESOME*

 

 

That totally worked.  I can't believe I forgot to check there.  Nasty little bug that dosearches crap was.  Now I'm going through and checking EVERYTHING

Posted

Glad to hear it. Don't get down on yourself, I wouldn't have thought of that either - neither did the helper on that Malwarebytes thread. The guy being helped came up with that on his own, after he'd run everything including the kitchen sink and still had a problem. The malware scanners should have fixed that, but for some reason didn't.

 

It still would be a good idea to post those scan logs.

Posted

+1 Not sure I would have thought of that either.

 

I can see why it got past the scanners, though: scanners usually look for a hijacked Home Page, without checking shortcuts sitting on the Desktop. Since the shortcut itself has been changed, there is no Home Page hijack. It will also (obviously, when you think about it) survive the scanner resetting the Home Page. Unless scanners are updated to spot this one, they will just regard the shortcut as yet one more user-created custom shortcut.


Posted

Should have been more clear - I was referring to the scanners that were run on that Malwarebytes thread. They used some more comprehensive scans that generate a log to be analyzed by an expert, who creates a fixlist from it. One scan had found that, and it had been included in the fixlist, but it didn't work for some reason. MBAM and SAS I wouldn't expect to fix that.

  • 5 months later...
  • Administrator
Posted

The issue this thread has been opened for has been resolved.

If you need continued support, please start a new thread and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here: PC Cleanup

It is recommended that you review our PC Security wiki page to help secure your computer and protect it.
