Fighting off Search.US.com browser hijacker

ATP_1

Distinguished
Jul 20, 2009
39
0
18,580
Have been hit by search.us.com browser hijacker malware.

Have performed
removal of search.US.com via the control panel, & Malwarebytes quick & full scans. Unfortunately the malware still runs.

Based on previous advice here

http://tinyurl.com/lfb78xe

I think that I need to make some adjustments to my Firefox browser shortcut. It has been suggested that I right click my shortcut, & delete the target--in this case, what is the target?? Where specifically do I find it?

If this doesn't work, then I think I should try Adwcleaner.

Again, if this doesn't work, I think that as last resort I should try via the FF search reset--is this the same as affecting the firefox.js file?

Some I have read have described the .js file alteration as the 'nuclear option'. How extensive is the loss of data when utilising this option?

Thanks



 

ATP_1

Distinguished
Jul 20, 2009
39
0
18,580
Have proceeded on first step, yet need to clarify, just to be on the safe side.

In the case of a stand-alone box, is there any difference between booting in 'Safe Mode', vs. 'Safe Mode with Networking'?
 

ATP_1

Distinguished
Jul 20, 2009
39
0
18,580
Have performed a full scan with an update version of Malwarebytes-12 items retrieved, but report states 'no action taken'. Previous scans had indicated 'action required' & those files deleted.

Have performed a full scan with Combofix. This was a little difficult for me to understand, so you may have to fill me in. It had listed Malwarebytes in 3 entries, but unsure of what to look for.It had also initially requested that MS Security Essentials antivirus & intrusion prevention files be disabled before I activated Combofix--I was prepared to cease & ask here what to do, but somehow the software went into auto mode, & the report indicated that, from my understanding, had both updated & 'gone around' the indicated Essential files.

It completed 50 stages, & removed some 'orphans' (some residual files from previously deleted software it looks like), & Combofix's supplementary scan had performed on the Firefox application & identified the FF prefs. js keyword URL search.us.com. It had gone on to quarantine some files, but it is not clear to me exactly what those are.

I am now ready to download & install CCleaner, but given the sensitivity of the registry (as I have read), I think that I ought to be particularly careful, & back it up. I have never done this, & would seek some guidance on how to do this. This I will proceed to download, install & scan.



 

aford10

Distinguished
Good, it sounds like it's found and removed some infections. If malwarebytes has found some threats, you can choose to delete them. Click the 'show results' button, and you can delete them there.

Combofix is an automated scan, and will remove anything it deems as a threat. And yes, it's normal for combofix to want you to close your antivirus active shield.

You can backup your registry if you feel it necessary. Go to the start menu-->in the search box type regedit and press enter-->click on computer-->file menu-->export. I can understand being cautious with the registry. However, I assure you, ccleaner is safe.
 

ATP_1

Distinguished
Jul 20, 2009
39
0
18,580
A question about Combofix supplementary scan & the Firefox data (which had prompted my OP).

By identifying the FF prefs. js keyword URL search.us.com, (along with some other Firefox items) does this mean that it has been quarantined? If so, how to identify it & ensure that the trouble has been rooted out?
 

ATP_1

Distinguished
Jul 20, 2009
39
0
18,580
Have just finished running CCleaner. Unfortunately, after clicking on the shortcut, I was again taken to search.us.com. I then turned the computer off, then turned it back on. Checked the shortcut, & search.us.com is still there. I went to the C drive, & found the FF exe & attempted to open from there. Not sure if this was right or wrong, but the result was the same. I then chose to permanently delete the FF shortcut. The target indicated was C drive Firefox.exe.

Was particularly careful with the CCleaner Windows selection, & chose to keep the history for both Windows & in the Applications section, Firefox web history. My main concern though, was Firefox history. Given my extensive research, I every so often forget some links or despite careful indexing for material placed in my HDD, sometimes I am unable to find a file or link, so I will check in FF browser history as an 'aide de memoire', as they say in French.Nine times out of ten this has been useful. This may have contributed to its retention, I don't know.

Where do we go from here? Should I retain my registry data backup or not?
 

ATP_1

Distinguished
Jul 20, 2009
39
0
18,580
@aford 10 The difficulty lies in the fact that I am unable to get to FF--& most certainly not via my shortcut--given the problems caused by search.us.com. Unless there is someway I can undertake what you've suggested while bypassing the shortcut, & doing this directly on the application in C drive. But I suspect that this is not possible. Is it? I do not know.

Otherwise, I am coming to the view that the easiest & most direct solution is to simply uninstall/remove FF & then re-install it.
 

ATP_1

Distinguished
Jul 20, 2009
39
0
18,580
While attempting to resolve an issue that has arisen & appears to be linked to this present one, I came across a possible solution to the one raised in my OP.

When I go to the control panel>internet options, it takes me to the internet properties window, & on the 'General' tab, the first line shown is 'Home Page' & under the printed instructions- 'To create home page tabs, type each address on its own line'--I find the following--http://start.search.us.com/?guid={51EA9B3F-9829-4455-B401-D3............}.

Is this anything significant? Will removing this & replacing it manually with the relevant FF information have the desired effect?Can I manually replace this start.search.us.com data?
 

ATP_1

Distinguished
Jul 20, 2009
39
0
18,580
After further research, I have found that the sudden disappearance of the 2 anti-malware software shortcuts (placed in my folder & in turn placed on my desktop) appears very likely related to the attempt to fix the search.us.com malware issue & very probably via the regedit.

 

aford10

Distinguished


Yes, you can replace that with the home page you want it to start up with.

Other than that, does it seem to be back to normal?

 

ATP_1

Distinguished
Jul 20, 2009
39
0
18,580


I will try replacing the search.us.com information with FF as homepage. Is it at all possible to remove the search.us.com data & leave this 'Home Page' line blank? Even if so, I wonder if it will actually get rid of search.us.com? I don't wish for any subsequent issues to arise--will my proposed move have any problems created in its wake?

Unfortunately, things are not back to normal as yet. See my earlier post ("Additional research...") for an insight into the matter that has arisen following the creation of shortcuts for malwarebytes & CCleaner...This is not a 'new' issue, but as I have found, it is certainly particularly common for Windows 7 OS.
 

aford10

Distinguished
Any physical files, such as adware, or tracking cookies, etc.. would have been removed by the malware scans done earlier. The current home page of search.us.com is just that, an address that your browser opens up to. You can edit that address to whatever you prefer to be your homepage. You can always run a few more scans if you are worried something is still hanging around, as well as manually search windows and the registry for search.us.com.

I see you mentioned that two shortcuts are missing. Can you describe the issue in more detail? Are other things missing? Are they in the recycle bin? Are the programs still installed? etc....
 

ATP_1

Distinguished
Jul 20, 2009
39
0
18,580
Editing/changing the address in the home page didn't work. Unfortunately, complete removal of the search.us.com url was met with the details in the brackets as I have shown above now appearing in the URL in the hijacked FF browser (search.us.com browser).
 

ATP_1

Distinguished
Jul 20, 2009
39
0
18,580
I have solved the problem mentioned in my OP!! What a relief. I will now observe this for the next week, & if the solution has been entirely effective, I will return & report it here.

Thank you very much aford10 for sticking with me throughout what has been for me a 4.5 day ordeal. And of course, as always, thank you Tomshardware for providing the basis for this to happen.

Now to see about resolving the second & supplementary problem connected with Windows 7.