X
Tap here to go to the mobile version of the site.
Your Firefox is out of date and may contain a security risk! Upgrade Firefox

Support Forum

Is search.us.com a part of FireFox?

Posted

Is search.us.com a part of FireFox? If so, please help me remove it from my computer. I have deleted it from my add-ons and I have deleted it as a program through Control Panel>Add or Remove Programs. I have repeatedly chosen different home pages, but it keeps coming back. It has taken over my computer. Thank you.

Chosen solution

  • First of all: 'Firefox isn't affiliated nor has any relationship with Search.us.com as far as I know.
  • Moreover, you have accidentally installed adware on your computer. Adware is software installed on your computer with your accidental consent (for example, during the installation of many programs, you have to uncheck a checkbox to prevent these softwares to install) for commercial purposes. These programs change your default homepage, your search engine and commonly they install a toolbar.

How to remove this adware:

  1. Go to your program Manager. In Windows XP go to Start, Control Panel, Add or remove programs. In Vista, 7 and 8 go to Start, Control Panel, Programs and Features.
  1. Find a program called Search.us.com Toolbar or similar names and uninstall it.
  1. Open a administrator command line and type the following (Enter each time):

cd %windir% & cd system32

reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar" /v "{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

reg delete "HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser" /v "{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

reg delete "HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks" /v "{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

reg delete "HKCR\CLSID\{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

  1. Close the command prompt and restart your computer.
Read this answer in context 5

Additional System Details

Installed Plug-ins

  • Shockwave Flash 11.3 r300
  • Adobe PDF Plug-In For Firefox and Netscape "9.5.2"
  • RealJukebox Netscape Plugin
  • RealNetworks(tm) RealPlayer Chrome Background Extension Plug-In
  • RealPlayer(tm) HTML5VideoShim Plug-In
  • RealPlayer(tm) LiveConnect-Enabled Plug-In
  • RealPlayer Download Plugin
  • 4.1.10329.0
  • Facebook Video Calling Plugin
  • iTunes Detector Plug-in
  • HP Product Detection Plugin
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • HP Active Check Plugin
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Office Live Update v1.5
  • NPWLPG
  • Windows Presentation Foundation (WPF) plug-in for Mozilla browsers

Application

  • User Agent: Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1

More Information

Windows XP, I hve been using FireFox for years and prefer it. I hope it is not a part of your program as this "take-over" does not seem like your way of doing things. But, if you have a solution I would like to have it.

Marc Sances 22 solutions 242 answers

Chosen Solution

  • First of all: 'Firefox isn't affiliated nor has any relationship with Search.us.com as far as I know.
  • Moreover, you have accidentally installed adware on your computer. Adware is software installed on your computer with your accidental consent (for example, during the installation of many programs, you have to uncheck a checkbox to prevent these softwares to install) for commercial purposes. These programs change your default homepage, your search engine and commonly they install a toolbar.

How to remove this adware:

  1. Go to your program Manager. In Windows XP go to Start, Control Panel, Add or remove programs. In Vista, 7 and 8 go to Start, Control Panel, Programs and Features.
  1. Find a program called Search.us.com Toolbar or similar names and uninstall it.
  1. Open a administrator command line and type the following (Enter each time):

cd %windir% & cd system32

reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar" /v "{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

reg delete "HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser" /v "{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

reg delete "HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks" /v "{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

reg delete "HKCR\CLSID\{CD3FEA81-A221-4e47-983E-F7DA6E62B59D}" /f

  1. Close the command prompt and restart your computer.
Tyler Downer
  • Administrator
  • Moderator
1165 solutions 6640 answers

Helpful Reply

You can also, after removing the program, simply use the Firefox Reset Feature to remove this from Firefox :) Reset Firefox – easily fix most problems

jscher2000
  • Top 10 Contributor
2365 solutions 20923 answers

Helpful Reply

On another forum, this was mentioned as a "freebie" that might be included in some installs of OpenOffice.org.

You also might try supplemental scanners if your security software doesn't pick it up. These two tools are highly regarded:

Malwarebytes Anti-malware : http://www.malwarebytes.org/products/malwarebytes_free

SUPERAntiSpyware : http://www.superantispyware.com/

Modified by jscher2000

JimColli 0 solutions 1 answers

(Support dot us dot com) apparently hijacked my Mozilla and IE browsers in a moment of inattention on my part. Their application is complete crap. I've avoided writing their name which would result in a hyperlink here.

I think I remedied the problem by (a) restoring Google as my home page, as it had been formerly before the crap-ware hikjacked the page, and (b) removed it from my FireFox add-on list.

Accomplished (a) by dragging a Google icon on title FireFox title bar to the Home symbol. Accomplished (b) by expanding the Firefox dropdown box on upper left corner of FF browser window and selecting Add-Ons. I was in a very foul mood when I performed these two steps and may've forgotten a detail. But I will say the presence of parties like (support dot us dot com) are why we need gun control.

Modified by JimColli

Marc Sances 22 solutions 242 answers

Yes, you forgot to uninstall the toolbar from Program Files, you should have uninstalled it because sometimes they install a tracker that checks you don't remove their bar and install it again if so.

jerry1937 0 solutions 1 answers

after removing the program and reloading firefox several times I still had to reset firefox using help tab....troubleshoot ....reset firefox.... it is finally gone ..

ylomanov 0 solutions 1 answers

Find Profile Directory (Help - Troubleshooting Information - Application Basics - Profile Directory - Show Folder). Edit user.js file by deleting all unnesessary records including start.search.us.com records. Or you can replace start.search.us.com with the file you want to be a start page no matter what. Or you can delete all the records, or delete the whole file user.js. This file updates prefs.js and causes all the start.search.us.com trouble..

rprickett 0 solutions 37 answers

All of these seem to believe you can just "uninstall", or "delete" or "remove" search.us.com. Sorry, no, not that simple. This hijacking is tied to the file, "TNT2User.exe" which is peppered throughout the reg. In normal windows more, you cannot unstall or stop this thing in add/remove or task manager. It will not let you unstall or stop the file.

In safemode, I managed to kill every reference to these files or triggers, including those noted on this site. But my FF is still hijacked by search.us.com, and new tabs are also set to TNT2User, even though I have deleted all files and reg strings.

I am really looking for help--I've run out of steps.

cor-el
  • Top 10 Contributor
  • Moderator
10756 solutions 96800 answers

You can check for problems with preferences and try to rename or delete the prefs.js file and possible numbered prefs-##.js files and a possible user.js file to reset all prefs to the default values.

Start Firefox in Safe Mode to check if one of the extensions (Firefox/Tools > Add-ons > Extensions) or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance).

  • Do not click the Reset button on the Safe mode start window or otherwise make changes.
rprickett 0 solutions 37 answers

Many thanks and i'm reading those links. One truly odd thing: I use "locate32" to find everything, and sure enough, it shows a file, "user.js" created at the precise time the problem started. Typical path: users\bob\appdata\local\mozilla\profiles\7yv8o4ot.default\user.js

Great, now I can kill it. But in Explorer, the file does not exist. HIdden files are set to view.

I have virus s/w running now so don't want to attempt a delete, this is odd.

cor-el
  • Top 10 Contributor
  • Moderator
10756 solutions 96800 answers

Your second screenshot is in the wrong location.

Your first screenshot show the main Firefox Profile Folder in AppData\Roaming.

  • C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\

Your second screenshot shows the location of the cache and other files in AppData\Local.

  • C:\Users\<user>\AppData\Local\Mozilla\Firefox\Profiles\<profile>\

You can use this button to go to the Firefox profile folder:

  • Help > Troubleshooting Information > Profile Directory: Show Folder
rprickett 0 solutions 37 answers

OMG! I can't believe I did that, but glad I added the snapshots. Many thanks.

I think you have solved the hijacking: opening that file in notepad shows the exact problem I'm having:

user_pref("keyword.URL", "http://search.us.com/serp/1/?guid={82671E9E-4FF3-4FB3-8801-89D899218B71}&action=default_search&k="); user_pref("browser.startup.homepage", "http://start.search.us.com?guid={82671E9E-4FF3-4FB3-8801-89D899218B71}&serpv=1"); user_pref("browser.startup.page", "1"); user_pref("browser.newtab.url", "file:///C:\Users\bob\AppData\Local\TNT2\2.0.0.1373\pinnedSearch.htm");

MANY thanks! Can't kill it now, running long time virus search

more: YOU DID IT...!

I closed FF, deleted the file and reopened FF and reset home pages and links. Perfect! Can I give you more than five stars?

i've spent the last two days chasing this, and have run every online and onboard virus program I could find. Zero results, and i guess hijacking a home page is not considered a viurs?

Modified by rprickett

rprickett 0 solutions 37 answers

Well this sucks. As noted above, killed that file and reset home page and blank page tab. It was directing me to a 'TNT2user.exe' file that kept installing the hijack. All was perfect, but closed FF then reopened, and the hijack is back. Worse, I used 'about:config' to change the new tab setting to 'about:blank;, closed and reopened FF.

The hijacked page is back and so is new tab setting to TNT2User.

Modified by rprickett

rprickett 0 solutions 37 answers

This won't let me add the snap of the hijacked home page--added here

jscher2000
  • Top 10 Contributor
2365 solutions 20923 answers

I assume you've scoured the Windows Control Panel to remove the software that created the path:

C:\Users\bob\AppData\Local\TNT2\

In a screen shot on one site, it showed up as a program named "Unknown".

Or perhaps you can manually delete the files in that folder. If Windows won't let you delete because something is in use, you might need to start up in Windows Safe Mode or "kill" some processes in order to clear that folder.

rprickett 0 solutions 37 answers

"I assume you've scoured the Windows Control Panel to remove the software that created the path: "

I've lost track, but probably changed it about 25 times over the past three days. i change new tab to about:blank, save it, and cycle FF close\open.

It's back, every time. I found a way to kill every ref to TNT2User, along with user.js and profs.js. The hijack returns every time

jscher2000
  • Top 10 Contributor
2365 solutions 20923 answers

Sorry I wasn't clear. By Windows Control Panel, I meant "Add/Remove Programs" (Windows XP) or "Programs and Features" (Windows 7). You need to root out the ultimate source of the problem.

Edit: Also, when I referred to manually deleting files, I meant on disk, and not in Firefox settings.

Modified by jscher2000

rprickett 0 solutions 37 answers

Sorry, my answer was also not clear. Yes, booted to safemode, which was the only way Add/Remove would allow this, and removed the programs. In fact, removed everything installed in the last week, figuring the problem was somehow attached. Yes, user 'locate32. which is very thorough, and found every reference to TNT2User and user.js and profs.js.

These were in several places and remove them all. Also deleted every string to TNT2User in the registry, along with strings to the hijacking site.

more: I don't pretend to know much about these things, but have learned some. A file like TNT2User might be vicious, but it's harmless until something triggers the file and tells it to run. This is why I did a detailed search in the reg and in the FF profiles, and found several that indeed tell TNT to run. I figured by deleting that file along with any trigger telling it to run would solve it.

I still believe that is true, but missing something.

Modified by rprickett

jscher2000
  • Top 10 Contributor
2365 solutions 20923 answers

I haven't experienced this problem, fortunately, but noticed in a HijackThis log posted on another site that at least one user had a rogue plugin. If you haven't already checked both extensions and plugins in Firefox:

orange Firefox button or classic Tools menu > Add-ons > Extensions category
orange Firefox button or classic Tools menu > Add-ons > Plugins category

I suggest disabling everything you don't know to be essential.

rprickett 0 solutions 37 answers

Good idea. I have posted this problem to several anti-virus sites, and it seems to have exploded in the past 12 days. LIke me, many users are frustrated and those sites explain how to get rid of virus's, and I've tried them all. I've run every virus prog i can find, and nothing works.

Since having this problem, i'v had probably 20 blocked sites by my norton sercurity suite, and this never happened before, so I know this thing is dangerous. But i can't kill it and tried this site, just in case.

I have been running "stopzillaAVM2013' for the past 16 hours, very indepth scan, and it's turned up four virus's, including "Hijacker.win32.SearchHijackerig'. Another virus site says this is extremely dangerous and can add a keystroke logger and redirect sites that claim to be one thing, like a bank, and ask for name/pw.

So, I am taking this very seriously. Thanks for you help.