Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Yahoo Spigot - Am I still infected?


  • Please log in to reply
6 replies to this topic

#1 kidkillspiano

kidkillspiano

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:11 AM

Posted 12 April 2014 - 02:05 PM

Hi all, thanks in advance.
 
I downloaded bittorrent and it added this yahoo spigot page onto my computer taking  over my browsers
 
hxxp://uk.search.yahoo.com/?type=586383&fr=spigot-yhp-ch
 
I have since uninstalled bit torrent.  The yahoo page extension has stopped, but do I still have a virus?
 
Any ideas?

Edited by Orange Blossom, 12 April 2014 - 02:12 PM.
Moved to AII from Windows 7, Deactivated link. ~ OB


BC AdBot (Login to Remove)

 


#2 kidkillspiano

kidkillspiano
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:11 AM

Posted 12 April 2014 - 02:22 PM

Just restarted computer - it is still there :(



#3 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:11 PM

Posted 13 April 2014 - 01:17 AM

Hello -

Please start by looking at Add-Ons or Extensions to remove -

Based on what you describe, the next thing I would have you do is to check and remove / disable browser extensions.

If you are still having issues after that, the next step is to try resetting browser settings to default.
How to reset your browser settings to default in Internet Explorer, Firefox, Google Chrome, Opera, Safari

 

 

Next -

Download Screen317 Security Check and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Please post the contents of that document.
Note:: If any security program requests permission to access the Internet, allow it to do so.

 

 

Now -

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

NOTE - If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Post it in your next reply.
NOTE. rKill.txt log will also be present on your desktop.

 

Note :Do not reboot your computer yet .................

 

Next -

Download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
Vista / Windows 7 / 8 users right-click and select Run As Administrator
• Click on the Scan button (only once)
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• When it's done you'll see: Pending: Uncheck any elements you don't want removed.
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• Look over the log especially under Files/Folders for any program you want to save.
• If there's a program you want to save, just uncheck it from AdwCleaner.
• If you're not sure, post the log for review.
•If you're ready to clean it all up.....click the Clean button (only once)

- Click OK to agree and OK to Reboot the system.
• After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
• To restore an item that has been deleted (if necessary):
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.



#4 kidkillspiano

kidkillspiano
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:11 AM

Posted 13 April 2014 - 04:58 AM

Hi noknojon,

 

Thanks a lot for your help.  I've posted the logs below (I couldn't work out how to attach to the post).  When I opened chrome after the reboot the yahoo spiogt page still opened.  I've changed my home page now too.

 

Hope all good now...

 

----

 

Results of screen317's Security Check version 0.99.81  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Java™ 6 Update 14  
 Java 7 Update 51  
  Adobe Flash Player 11.6.602.180 Flash Player out of Date!  
 Adobe Reader 9 Adobe Reader out of Date! 
 Google Chrome 33.0.1750.154  
 Google Chrome 34.0.1847.116  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials msseces.exe 
 Windows Defender MSMpEng.exe 
 Toshiba Toshiba Online Product Information TOPI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log`````````````````````` 
 
----------------------------
 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 04/13/2014 10:33:14 AM in x86 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 04/13/2014 10:35:48 AM
Execution time: 0 hours(s), 2 minute(s), and 33 seconds(s)
 
----------------------------------------
 

# AdwCleaner v3.023 - Report created 13/04/2014 at 10:45:40
# Updated 01/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : Richard - RICHARD-TOSH
# Running from : C:\Users\Richard\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\ProgramData\uniblue
Folder Deleted : C:\Program Files\Notation
Folder Deleted : C:\Program Files\vShare
Folder Deleted : C:\Users\Richard\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\Richard\AppData\LocalLow\vShare
Folder Deleted : C:\Users\Richard\AppData\Roaming\OpenCandy
Folder Deleted : C:\Users\Richard\AppData\Roaming\Search Protection
File Deleted : C:\Users\Richard\AppData\Roaming\Mozilla\Firefox\Profiles\n6qe2c46.default\searchplugins\Askcom.xml
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\driverscanner
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\vsharechrome
Key Deleted : HKLM\SOFTWARE\Classes\vShare.IMedixProtocol
Key Deleted : HKLM\SOFTWARE\Classes\vShare.IMedixProtocol.1
Key Deleted : HKLM\SOFTWARE\Classes\vShare.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\vShare.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers
Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{20ED5AF7-D9C4-409E-9EB3-D2A44A77FB6D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3E315C81-442B-431C-AEC8-ED189699EC24}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{043C5167-00BB-4324-AF7E-62013FAEDACF}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{043C5167-00BB-4324-AF7E-62013FAEDACF}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\vShare
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Uniblue
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vShare
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16521
 
 
-\\ Mozilla Firefox v
 
[ File : C:\Users\Richard\AppData\Roaming\Mozilla\Firefox\Profiles\n6qe2c46.default\prefs.js ]
 
Line Deleted : user_pref("browser.search.order.1", "Ask.com");
Line Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Line Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");
 
-\\ Google Chrome v
 
[ File : C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [6091 octets] - [13/04/2014 10:40:53]
AdwCleaner[S0].txt - [6058 octets] - [13/04/2014 10:45:40]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6118 octets] ##########
 
 
 


#5 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:11 PM

Posted 13 April 2014 - 07:11 AM

(I couldn't work out how to attach to the post).

Thanks -

I did not say Copy and Paste logs, but that is what I meant - Copy and Paste Tutorial

 

 Java™ 6 Update 14 <= Delete old versions of Java, as they will attract infections.

 Java 7 Update 51  <= This is current.

 

 

 

AdwCleaner pulled a lot of minor infections, and helped a bit

 

 

Clear Cache / Temp Files
Download TFC by OldTimer to your desktop
• Please double-click TFC.exe to run it.
• For Vista, Win 7 / 8 right-click on the file and choose Run As Administrator).
• It will close all programs when run, so make sure you have saved all your work before you begin.
• Click the Start button to begin the process.
• Once it's finished it may reboot your machine.
• If it does not, please manually reboot the machine yourself to ensure a complete clean.

- No log is produced or expected -

 

 

Please always update us on the computer problems.



#6 kidkillspiano

kidkillspiano
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:11 AM

Posted 13 April 2014 - 07:37 AM

Thanks again,

 

I've done the following, but the Yahoo page is still coming up every time I open chrome.

 

Am I still infected?

 

Do I need to uninstall and reinstall my internet browsers?



#7 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:11 PM

Posted 13 April 2014 - 05:29 PM

If you are still having issues after that, the next step is to try resetting browser settings to default.
How to reset your browser settings to default in Internet Explorer, Firefox, Google Chrome, Opera, Safari

 

Try the above settings for a Home Page reset.

 

Remember that you are not "infected", just being annoyed by this pest of a program.

 

 

Please Reset Hosts file as per below =>

To reset the Hosts file back to the default automatically, click the link.

Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.  http://go.microsoft.com/?linkid=9668866

 

 

Scan with ESET Online Scan
1. Please go to Here to run the online scannner from ESET.
2. Temporarily Disable Your Anti-virus while performing the online scan
3. Tick the box next to YES, I accept the Terms of Use.
4. Click Start
5. When asked, allow the "ActiveX" control to install
6. Click Start
7. Make sure that the option Remove found threats is ticked
8. Click on Advanced Settings and ensure these options are ticked:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

9, Click Scan
10. Wait for the scan to finish. This can take quite a while to download the program and then updates for a first scan. (2 hours or more is not unusual)
11. If any threats were found, click the 'List of found threats' , then click Export to text file....
12. Save it to your desktop, then please copy and paste that log as a reply to this topic.

 

If no problems are found, please just tell me -






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users