Chuck Bonetti Posted October 10, 2013

DOSEARCHES has invaded my computer!! Please help!

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 6:17:37 PM, on 10/9/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16686)
Boot mode: Normal

Running processes:
C:\Users\Chuck Bonetti\AppData\Roaming\Search Protection\SearchProtection.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
C:\Program Files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
C:\Program Files\Webroot\WRSA.exe
C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\APSDaemon.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Chuck Bonetti\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=hp&from=smt&uid=ST9500424AS_S2V0NBZ1XXXXS2V0NBZ1&ts=1381271071
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=hp&from=smt&uid=ST9500424AS_S2V0NBZ1XXXXS2V0NBZ1&ts=1381271071
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=hp&from=smt&uid=ST9500424AS_S2V0NBZ1XXXXS2V0NBZ1&ts=1381271071
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IBM Forms Viewer Helper - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files (x86)\IBM\Forms Viewer\4.0\PEhelper.dll
O2 - BHO: QuickShare WidgetEngine - {31ad400d-1b06-4e33-a59a-90c2c140cba0} - mscoree.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: (no name) - {8232785C-5C98-4A6E-B7B4-911FFBED7582} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Webroot Vault - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\pkg\LPBar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar.dll
O3 - Toolbar: QuickShare Widget - {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [WD Quick View] C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Chuck Bonetti\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [SearchProtection] "C:\Users\Chuck Bonetti\AppData\Roaming\Search Protection\SearchProtection.EXE" /autostart
O4 - HKCU\..\Run: [uTorrent] "C:\Users\Chuck Bonetti\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [Plex Media Server] "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe"
O4 - HKCU\..\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SDP] C:\Users\Chuck Bonetti\AppData\Local\FilesFrog Update Checker\update_checker.exe /auto
O4 - HKCU\..\Run: [Browser Infrastructure Helper] C:\Users\Chuck Bonetti\AppData\Local\Smartbar\Application\QuickShare.exe startup
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_8_800_175_ActiveX.exe -update activex
O4 - HKUS\S-1-5-18\..\RunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 (User 'Default user')
O4 - Startup: Facebook Messenger.lnk = Chuck Bonetti\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe
O4 - Startup: ZooskMessenger.lnk = C:\Program Files (x86)\ZooskMessenger\ZooskMessenger.exe
O4 - Global Startup: Install Webroot FF RunOnce.lnk = C:\Program Files (x86)\Common Files\wruninstall.exe
O4 - Global Startup: Install Webroot IE RunOnce.lnk = C:\Program Files (x86)\Common Files\wruninstall.exe
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Webroot - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\ProgramData\WRData\pkg\LPBar.dll
O9 - Extra 'Tools' menuitem: Webroot - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\ProgramData\WRData\pkg\LPBar.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: FastFreeConverterUpdt - Unknown owner - C:\Program Files (x86)\Fast Free Converter\FastFreeConverterUpdt.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Media Center Support Service (Jasmio.MediaCenter.Service) - Unknown owner - C:\Program Files\Jasmio\Media Center Support Service\Jasmio.MediaCenter.Service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files (x86)\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: WD Backup (WDBackup) - Western Digital Technologies, Inc. - C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
O23 - Service: WD Drive Manager (WDDriveService) - Western Digital Technologies, Inc. - C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: WRSVC - Webroot - C:\Program Files\Webroot\WRSA.exe

--
End of file - 14253 bytes
Tarun (Administrator) Posted October 10, 2013

Welcome to the forums Chuck. Have you run Malwarebytes and SuperAntiSpyware? If yes, did they find and remove any malware? If they did, please copy/paste the logs.
Chuck Bonetti (Author) Posted October 14, 2013 (edited)

> Welcome to the forums Chuck. Have you run Malwarebytes and SuperAntiSpyware? If yes, did they find and remove any malware? If they did, please copy/paste the logs.

Unfortunately I hadn't seen this prior to running those programs. I downloaded the kit on your website, which was helpful, thanks, but dang, DOSEARCHES is still haunting me. I have gone through IE AND CHROME thoroughly, and still, when they open, they go straight to DOSEARCHES like the link below. The only thing I've read is a redirect registry change, but I was unable to find the key in my registry to delete. :( Webroot is redirecting it on IE, at least it won't let it open, but it's still trying, and Chrome is just hopeless. Always opens to dosearches.

DO NOT CLICK DO NOT CLICK DO NOT CLICK
www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=ST9500424AS_S2V0NBZ1XXXXS2V0NBZ1&ts=1381271071

Edited October 16, 2013 by Tarun: Made link unclickable.
greenknight Posted October 15, 2013

Both Malwarebytes and SuperAntiSpyware create scan logs by default - unless you've either deleted the logs or uninstalled the programs, the logs should be there.

Also, it may have hijacked the shortcuts that open the browsers. I skimmed through a thread on the Malwarebytes forum where they assisted a user in removing DOSEARCHES, and after everything should have been cleaned out there was still a problem - turned out that the browser shortcuts were opening DOSEARCHES. Right-click on the browser shortcuts, select "Properties", and check the Target - it should contain nothing but the path to the browser program, for example: "C:\Program Files\Internet Explorer\iexplore.exe". Edit out anything else.
Chuck Bonetti (Author) Posted October 15, 2013

> Both Malwarebytes and SuperAntiSpyware create scan logs by default - unless you've either deleted the logs or uninstalled the programs, the logs should be there.
>
> Also, it may have hijacked the shortcuts that open the browsers. I skimmed through a thread on the Malwarebytes forum where they assisted a user in removing DOSEARCHES, and after everything should have been cleaned out there was still a problem - turned out that the browser shortcuts were opening DOSEARCHES. Right-click on the browser shortcuts, select "Properties", and check the Target - it should contain nothing but the path to the browser program, for example: "C:\Program Files\Internet Explorer\iexplore.exe". Edit out anything else.

Sir, I am going to need you to raise one hand, flat palm, and proceed to use the other hand, flat palm, to strike it. *high five yourself for being AWESOME*

That totally worked. I can't believe I forgot to check there. Nasty little bug that dosearches crap was. Now I'm going through and checking EVERYTHING.
greenknight Posted October 16, 2013

Glad to hear it. Don't get down on yourself, I wouldn't have thought of that either - neither did the helper on that Malwarebytes thread. The guy being helped came up with that on his own, after he'd run everything including the kitchen sink and still had a problem. The malware scanners should have fixed that, but for some reason didn't.

It still would be a good idea to post those scan logs.
James_A Posted October 16, 2013

> Glad to hear it. Don't get down on yourself, I wouldn't have thought of that either - neither did the helper on that Malwarebytes thread. The guy being helped came up with that on his own, after he'd run everything including the kitchen sink and still had a problem. The malware scanners should have fixed that, but for some reason didn't. ...

+1

Not sure I would have thought of that either.

I can see why it got past the scanners, though: scanners usually look for a hijacked Home Page, without checking shortcuts sitting on the Desktop. Since the shortcut itself has been changed, there is no Home Page hijack. It will also (obviously, when you think about it) survive the scanner resetting the Home Page. Unless scanners are updated to spot this one, they will just regard the shortcut as yet one more user-created custom shortcut.
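As an added example (my own PowerShell, not code from anyone in this thread), greenknight's manual Target check and James_A's point about why scanners miss it can be turned into one script: it reads each browser shortcut's Target and Arguments through the WScript.Shell COM object rather than looking at the registry Start Page, reports any shortcut whose arguments carry a URL, and optionally strips them. The folders searched, the browser list and the -Fix switch are my assumptions.

```powershell
# Added example, not code from the thread. Walks the places Windows launches
# browsers from, reads each .lnk with the WScript.Shell COM object, and reports
# shortcuts whose arguments smuggle in a URL the way the DOSEARCHES hijack did.
# Folder list, browser list and the -Fix switch are my assumptions.
param([switch]$Fix)
$shell = New-Object -ComObject WScript.Shell

# Per-user and all-users Desktop, Start Menu, and IE Quick Launch / taskbar pins.
$shortcutRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    "$env:PUBLIC\Desktop",
    [Environment]::GetFolderPath('StartMenu'),
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)
$browsers = 'iexplore.exe', 'chrome.exe', 'firefox.exe'

function Test-HijackedShortcut {
    param([string]$Path)
    $lnk = $shell.CreateShortcut($Path)
    $exe = [System.IO.Path]::GetFileName($lnk.TargetPath)
    if ($browsers -notcontains $exe) { return }
    # The registry Start Page can be clean while the shortcut still opens the
    # hijacker's page: a legitimate browser shortcut carries no URL argument.
    if ($lnk.Arguments -match 'https?://|\bwww\.') {
        New-Object PSObject -Property @{
            Shortcut  = $Path
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
        }
    }
}

$findings = foreach ($root in $shortcutRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-HijackedShortcut -Path $_.FullName }
}

if (-not $findings) {
    'No browser shortcuts with URL arguments found.'
    return
}
$findings | Format-List Shortcut, Target, Arguments

if ($Fix) {
    # Remediation is greenknight's manual edit applied to every hit:
    # keep the browser path, drop everything after it.
    foreach ($f in $findings) {
        $lnk = $shell.CreateShortcut($f.Shortcut)
        $lnk.Arguments = ''
        $lnk.Save()
        "Cleaned $($f.Shortcut)"
    }
}
```

Run it once without -Fix to review the list, then with -Fix from an elevated prompt so the all-users shortcuts can be rewritten.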
greenknight Posted October 17, 2013

Should have been more clear - I was referring to the scanners that were run on that MalwareBytes thread. They used some more comprehensive scans that generate a log to be analyzed by an expert, who creates a fixlist from it. One scan had found that, and it had been included in the fixlist, but it didn't work for some reason. MBAM and SAS I wouldn't expect to fix that.
Tarun (Administrator) Posted March 19, 2014

The issue this thread has been opened for has been resolved. If you need continued support, please start a new thread and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here: PC Cleanup. It is recommended that you review our PC Security wiki page to help secure your computer and protect it.