
Infected with Spigot, auto opens yahoo search...help!


8 replies to this topic

#1 haekwan

haekwan

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:10 AM

Posted 13 December 2013 - 02:38 PM

I got this Malware, or whatever it is, by installing utorrent and was inattentive during the installation process where Spigot was bundled.

 

So like I said every time I open chrome, yahoo search appears with a web address of: 

 

http://search.yahoo.com/?type=293224&fr=spigot-yhp-ch

 

I should also mention that I attempted to get rid of this by deleting anything malicious in my processes under windows task manager, and found something called search protection. I then uninstalled it via control panel, which didn't help at all because my chrome still opens the "Spigot" yahoo search site. Even if I change my default search engine to Google, Yahoo still appears.

 

Any help would be much appreciated in getting rid of this annoying Spigot!




 


#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,039 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:02:10 PM

Posted 13 December 2013 - 03:10 PM

Hi haekwan,
 
Run these for me:
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

----------
 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

----------
 
Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 haekwan


Posted 13 December 2013 - 03:43 PM

Log for adware cleaner:

 

# AdwCleaner v3.015 - Report created 14/12/2013 at 12:18:38
# Updated 10/12/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Haekwan - HAEKWAN-PC
# Running from : C:\Users\Haekwan\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16750
 
 
-\\ Google Chrome v31.0.1650.63
 
[ File : C:\Users\Haekwan\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [764 octets] - [14/12/2013 12:15:09]
AdwCleaner[S0].txt - [686 octets] - [14/12/2013 12:18:38]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [745 octets] ##########
 
Log for JRT
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Ultimate x64
Ran by Haekwan on Sat 12/14/2013 at 12:21:48.93
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 12/14/2013 at 12:25:27.74
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Log for mbam:
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.12.13.07
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16750
Haekwan :: HAEKWAN-PC [administrator]
 
12/14/2013 12:38:12 PM
mbam-log-2013-12-14 (12-38-12).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205431
Time elapsed: 1 minute(s), 10 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 5
C:\Users\Haekwan\AppData\Local\Temp\bitool.dll (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
C:\Users\Haekwan\AppData\Local\Temp\GreatArcadeHits.exe (PUP.Optional.GreatArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Haekwan\AppData\Local\Temp\newsetup.exe (PUP.Optional.GreatArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Haekwan\Downloads\DTLite4481-0347.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Haekwan\Local Settings\Temporary Internet Files\Content.IE5\ZSU2OZ38\BiTool[1].dll (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
 
(end)
 
My Chrome still opens up the yahoo search. :(
 

Edited by haekwan, 13 December 2013 - 03:45 PM.


#4 xXToffeeXx


Posted 13 December 2013 - 03:54 PM

Hi haekwan,

 

We need to fix some settings in Google Chrome:

  • Open Google Chrome
  • Click on the three lines in the top-right for the Chrome Menu
  • Click Settings
  • Under the On Startup section, a radio button Open a specific page or set of pages should be set
    (if your version of Google Chrome does not have this option please let me know)
  • Click on the Set Pages link
  • Enter the home page you want to use, delete any others by clicking the X to the right of the page
  • Click Ok to save the change
  • Under the Search section, click on the Manage Search Engines... button
  • Verify that Google is set as your default by hovering over it, a button will appear
  • Delete any other search engines you do not recognize or use
  • Click Ok to save the change

Close and then open Chrome, and tell me if you still get those pages.

 

xXToffeeXx~


 ~Twitter~ | ~Malware Analyst at Emsisoft~
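
The scanner logs earlier in the thread list only Chrome's profile preferences file, and the fix above resets Chrome's startup pages and search engines by hand. As an added example (not part of the original thread and not any tool's own code), this Python sketch walks a parsed copy of that preferences JSON and reports every stored URL whose host or query values carry the `spigot` marker seen in the poster's `fr=` parameter; the sample data and its key names are constructed assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Assumption: markers to look for; "spigot" is taken from the fr= value in the thread.
MARKERS = ("spigot",)

def iter_strings(node, path=""):
    """Yield (json_path, string) for every string value in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_hijack_urls(prefs, markers=MARKERS):
    """Return sorted (json_path, url) pairs whose host or query values carry a marker."""
    hits = []
    for path, value in iter_strings(prefs):
        try:
            parts = urlsplit(value)
            fields = [parts.hostname or ""]
        except ValueError:  # malformed URL-like string, nothing to inspect
            continue
        if parts.scheme not in ("http", "https"):
            continue
        fields += [v for vals in parse_qs(parts.query).values() for v in vals]
        if any(m in f.lower() for m in markers for f in fields):
            hits.append((path, value))
    return sorted(hits)

# Constructed sample, not the poster's real file; key names are assumptions.
SAMPLE_PREFS = json.loads("""
{
  "homepage": "https://www.google.com/",
  "session": {
    "restore_on_startup": 4,
    "startup_urls": ["http://search.yahoo.com/?type=293224&fr=spigot-yhp-ch"]
  },
  "default_search_provider": {
    "name": "Google",
    "search_url": "https://www.google.com/search?q={searchTerms}"
  }
}
""")

if __name__ == "__main__":
    for path, url in find_hijack_urls(SAMPLE_PREFS):
        print(f"{path}: {url}")
```

Because the walk does not depend on particular key names, it also reports a marker URL stored under a homepage or search-engine entry; run it against a copy of the file with Chrome closed.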


#5 haekwan


Posted 13 December 2013 - 04:12 PM

Yes that fixed it! Thank you!

 

So am I "in the green?" in terms of malware?



#6 xXToffeeXx


Posted 14 December 2013 - 03:25 PM

Hi haekwan,
 
Glad to hear that, we can do some more scans if you want? I'd say that you are pretty clean, most of this stuff was PUPs (potentially unwanted programs) and adware. Otherwise, this will be the last one to see if you are updated:
 
Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

xXToffeeXx~


Edited by xXToffeeXx, 14 December 2013 - 03:28 PM.



#7 haekwan


Posted 14 December 2013 - 04:23 PM

No problem~ Here is the log:

 

 Results of screen317's Security Check version 0.99.77  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 45  
 Adobe Reader XI  
 Google Chrome 31.0.1650.63  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 3% 
````````````````````End of Log`````````````````````` 
 
Any problems?


#8 xXToffeeXx


Posted 14 December 2013 - 04:28 PM

Hi,

No, all looks good there. I assume all is well?

xXToffeeXx~



#9 haekwan


Posted 14 December 2013 - 04:51 PM

Yes very much so. :)

 

Thank you for the help.





