Help with HijackThis Log?

overst33r

Diamond Member
Oct 3, 2004
Hi all,

I need some HJT help. Whenever I use the address bar in Chrome to search, it first redirects to u-search.net, then goes to google.com. I've run MS Essentials, Malwarebytes, Spybot, etc.

I've marked two R0 entries with -----> that I think should be removed. Anything else?


Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:29:40 AM, on 9/12/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
C:\Users\overst33r\AppData\Roaming\Spotify\spotify.exe
C:\Users\overst33r\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
------->R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://u-search.net/?a=1&e=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
-------->R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://u-search.net/?a=1&e=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\overst33r\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Spotify] "C:\Users\overst33r\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\overst33r\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - file://C:\Program Files (x86)\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files (x86)\LastPass\context.html?cmd=fillforms
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar.dll
O9 - Extra 'Tools' menuitem: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8125 bytes
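As an added example (not part of the thread), here is a small Python triage helper for the R0/R1 lines of a HijackThis log: it pulls the URL out of each Start Page / Search Page entry and flags any whose host is not on an allowlist of expected hosts. The sample input is the set of R0/R1 lines from the log above, kept with the poster's ------> markers and the forum's [url]...[/url] wrapping; the allowlist itself is an assumption for this example.

```python
import re
from urllib.parse import urlparse

# Hosts expected in Start Page / Search Page entries on this machine. The
# allowlist is an assumption for this example; extend it for your environment.
KNOWN_GOOD_HOSTS = {"go.microsoft.com", "www.google.com", "google.com"}

# R0/R1 lines have the shape: "R0 - <hive\key>,<value name> = <data>"
HJT_R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")

# Sample input: the R0/R1 lines posted above, plus one O2 line to show that
# non-R lines are ignored.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
------->R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://u-search.net/?a=1&e=1[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
-------->R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://u-search.net/?a=1&e=1[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
"""

def parse_r_entry(line):
    """Return (registry key, value name, data) for an R0/R1 line, else None."""
    line = re.sub(r"^-+>\s*", "", line.strip())   # drop the poster's ------> markers
    m = HJT_R_LINE.match(line)
    if not m:
        return None
    data = m.group("data").strip()
    # The forum's BBCode wrapped URLs in [url]...[/url]; strip that if present.
    data = re.sub(r"^\[url\](.*)\[/url\]$", r"\1", data)
    return m.group("key"), m.group("name").strip(), data

def flag_hijacked_entries(log_text, allowed_hosts=KNOWN_GOOD_HOSTS):
    """Return (entry, host) for each R0/R1 entry whose URL host is not allowlisted.
    Empty values, local file paths (blank.htm) and non-URL data are not flagged."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_r_entry(line)
        if entry is None:
            continue
        key, name, data = entry
        if not data.lower().startswith(("http://", "https://")):
            continue
        host = urlparse(data).hostname or ""
        if host not in allowed_hosts:
            flagged.append((key + "," + name, host))
    return flagged

if __name__ == "__main__":
    for entry, host in flag_hijacked_entries(SAMPLE_LOG):
        print(f"suspicious: {entry} -> {host}")
```

Against the sample it reports exactly the two Start Page entries the poster marked, both pointing at u-search.net.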

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
As a first step, you could try System Restore and see if that undoes the problem.

I agree about the two R0 entries, plus this one seems suspicious:

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL

And unless you have a definite need for Java, uninstall Java completely. It's heavily exploited, and its potential for damage is high.

Superantispyware is another good tool to try, and they have a free version.
 

overst33r

Diamond Member
Oct 3, 2004
I pasted it in here, and nothing came back obviously dirty. I just glanced over it, so you should look too...

http://hijackthis.de/#anl

Didn't know such a site existed. Thank you.

Thanks for the suggestions. Tried system restore with no luck. Ran superantispyware also and no major hits besides tracking cookies.

I'm curious why it redirects there and then goes back to google...
 

lxskllr

No Lifer
Nov 30, 2004
Poke around in Chrome's settings. There might be something going on there. I don't use Chrome, so I'm not familiar with its advanced settings or program variables.
 

Slugbait

Elite Member
Oct 9, 1999
Looks like u-search is brand new, created just three weeks ago. So anti-malware progs probably haven't updated their definitions for it yet. They apparently install as a plug-in with Next->Next->Next installs of GrooveDown.

My guess is that the redirect to google is a referral tactic. They make a few pennies on every 100 referral links or whatever. Could be a way for the dev of GrooveShark to make a few bucks. Doesn't seem as bad as what Patchou did, but it's still early and I can't find any other info on it.

Try disabling the plug-in from Chrome's management. If that's not successful, switch to IE until anti-malware progs catch up.
 

davidzou2131

Junior Member
Sep 13, 2012
The latest version of Groovedown (as of 13th Sept 2012) has included some malware which changes your internet browser's default search engine to 'u-search.net'.

Most people are not aware of this change as 'u-search' simply redirects to the corresponding google page.

This redirection still allows the creators of 'u-search' to know and log what you search for, which is an invasion of privacy.

As far as I'm aware, it doesn't install any services or create any startup items. It does, however, create/modify a few configuration files for browsers.


Fix for Google Chrome:

  1. Go to Chrome Settings (Wrench Icon) > Settings
  2. Under the heading "Search", click "Manage Search Engines"
  3. If you mouse over the current default search engine (u-search), you will get a cross on the right hand side which will allow you to remove the search engine.
  4. Set another engine as default.
  5. You may also want to check your homepage if you have one.

Fix for Mozilla Firefox:
This fix is a bit trickier as it requires you to remove the 'user.js' file and change a few Firefox about:config settings.

The user.js file is a file with settings that are loaded every time firefox is started, which is what causes u-search to replace itself every time you start firefox.
It is located at:
Code:
C:\Users\[Your username]\AppData\Roaming\Mozilla\Firefox\Profiles\[random letters and numbers].default\user.js
The about:config contains many advanced settings which you should not touch if you don't know what you're doing.
  1. Navigate to the following directory/folder by one of the following:
    - Pasting into 'Run' (open by pressing Win+R)
    - Pasting into the Start Menu Search then press Enter
    - Pasting into an Explorer Address Bar then press Enter
    Code:
    %APPDATA%\Mozilla\Firefox\Profiles\


  2. There should only be one folder (xxxxxxxxxxx.default). Open that folder.
  3. Look for a file called 'user.js'.
  4. Most people will be safe to just delete the file. If you have persistent settings, you can open it with a text editor and remove the lines related to u-search only.
  5. Open firefox and enter the following into the address bar and press enter:
    Code:
    about:config
  6. You should be greeted with a warning. Click on the button in the middle of the page.
  7. In the page that loads, enter 'u-search' in the search box at the top of the page (without quotes)
    Refer to this image: http://cl.ly/image/2H242z2i3c0s
  8. For each of the results that show up, Right click on it and select 'Reset'.

    For people that use Google's I'm Feeling Lucky search, Set keyword.url to the following:
    Code:
    http://www.google.com/search?ie=UTF-8&oe=UTF-8&rls=org.mozilla:en-US:official&client=firefox-a&sourceid=navclient&gfns=1&q=
  9. You may want to also check your search bar (next to address bar).
  10. Restart firefox and you're done. :)


Fix for IE (Not that you should be using IE):

  1. Click on the Settings icon (top right, under the close button)
  2. Then select 'Manage add-ons'
  3. On the left select 'Search Providers' under 'Addon types'
  4. Select your normal search provider on the right and click 'Set as Default' (bottom right)
  5. Then select 'u-Search' and click remove.
  6. You would also want to change your homepage back.


Hope this helps.
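As an added example (not part of davidzou2131's post), here is a Python helper for the selective variant of Firefox step 4 above: it parses user.js lines of the form user_pref("name", value); and drops only the prefs whose name or value mentions u-search, keeping comments and unrelated prefs untouched, so a profile with other persistent settings does not have to lose them. The sample user.js is constructed for this example, and it uses keyword.URL as the name of the pref the post calls keyword.url.

```python
import re
from pathlib import Path

# A user.js line has the shape: user_pref("pref.name", <value>);
USER_PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>(?:[^"\\]|\\.)*)"\s*,\s*(?P<value>.*?)\s*\);\s*$'
)

def clean_user_js(text, marker="u-search"):
    """Return (cleaned_text, removed). removed lists (name, value) for every
    user_pref whose name or value contains the marker (case-insensitive); all
    other lines, including comments and unrelated prefs, are kept as they are."""
    kept, removed = [], []
    for line in text.splitlines():
        m = USER_PREF_LINE.match(line)
        if m and marker.lower() in (m.group("name") + m.group("value")).lower():
            removed.append((m.group("name"), m.group("value")))
            continue
        kept.append(line)
    cleaned = "\n".join(kept) + ("\n" if text.endswith("\n") else "")
    return cleaned, removed

def clean_user_js_file(path, marker="u-search"):
    """Rewrite a user.js in place, keeping a .bak copy of the original next to it.
    Returns the removed prefs; nothing is written when there is nothing to remove."""
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    cleaned, removed = clean_user_js(original, marker)
    if removed:
        path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
        path.write_text(cleaned, encoding="utf-8")
    return removed

# Constructed sample user.js (not copied from a real profile): three prefs
# pointing at u-search.net plus one unrelated pref that must survive cleaning.
SAMPLE_USER_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://u-search.net/?a=1&e=1");
user_pref("browser.search.defaultenginename", "u-search");
user_pref("keyword.URL", "http://u-search.net/?a=1&e=1&q=");
user_pref("browser.tabs.warnOnClose", false);
"""

if __name__ == "__main__":
    cleaned, removed = clean_user_js(SAMPLE_USER_JS)
    for name, value in removed:
        print(f"removed {name} = {value}")
    print("remaining user.js:\n" + cleaned)
```

After cleaning, only the comment line and browser.tabs.warnOnClose remain; the three u-search prefs are reported and dropped.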
 

overst33r

Diamond Member
Oct 3, 2004
You are a king among men. :thumbsup: