Browser Hijacked


12 replies to this topic

#1 hunnybunny

hunnybunny

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:55 PM

Posted 13 December 2014 - 05:55 PM

Windows XP
AVG Free

Firefox redirecting to the Yahoo homepage even after resetting Firefox.

 

No detection with MBAM and ADWcleaner.


#2 buddy215

buddy215

  • Moderator
  • 13,261 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:55 PM

Posted 13 December 2014 - 07:10 PM

Look in the Add/ Remove listing of programs and uninstall anything that mentions Yahoo.

 

Install CCleaner. Pay attention while installing and UNcheck any offers of toolbars...especially Google.

After installing and running the cleaner by clicking on the button in the bottom right corner, click on Tools.

Choose startups. On that page you will see Windows Startups listed. At the bottom right is a button

when clicked will allow you to copy and paste that list in your next reply.

Now click on the buttons at the top of that page for Firefox and Tasks and post those lists of startups.

CCleaner - PC Optimization and Cleaning - Free Download

 

It may be a fake Yahoo, too.

 

Run a scan using Eset online scanner and JRT.

 

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

 

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

Edited by buddy215, 13 December 2014 - 07:21 PM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 hunnybunny

hunnybunny
  • Topic Starter

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:55 PM

Posted 13 December 2014 - 07:40 PM

No        CTFMON.EXE        
No        HotKeysCmds        
No        IgfxTray        
No        Persistence        
No        QuickTime Task        
No        TkBellExe        
Yes    HKCU:Run    AVG-Secure-Search-Update_0214c        C:\Documents and Settings\Sharon\Application Data\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=f05f92eab78847d28be3d1574d46c84a-52a8bc5ba6ac66ded886c10caff6fd6aa840208d /CMPID=0214c
Yes    HKCU:Run    AVG-Secure-Search-Update_0814av        C:\Documents and Settings\Sharon\Application Data\Avg_Update_0814av\AVG-Secure-Search-Update_0814av.exe /PROMPT /mid=f05f92eab78847d28be3d1574d46c84a-52a8bc5ba6ac66ded886c10caff6fd6aa840208d /CMPID=0814av
Yes    HKCU:Run    AVG-Secure-Search-Update_1214av    AVG Technologies    C:\Documents and Settings\Sharon\Application Data\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe /PROMPT /mid=f05f92eab78847d28be3d1574d46c84a-52a8bc5ba6ac66ded886c10caff6fd6aa840208d /CMPID=1214av
Yes    HKCU:Run    CCleaner Monitoring    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
Yes    HKCU:Run    ctfmon.exe    Microsoft Corporation    C:\WINDOWS\system32\ctfmon.exe
Yes    HKLM:Run    APSDaemon        "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
Yes    HKLM:Run    AVG_UI    AVG Technologies CZ, s.r.o.    "C:\Program Files\AVG\AVG2014\avgui.exe" /TRAYONLY
Yes    HKLM:Run    LWS    Logitech Inc.    C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
Yes    HKLM:Run    QuickTime Task    Apple Inc.    "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Yes    HKLM:Run    SoundMAXPnP    Analog Devices, Inc.    C:\Program Files\Analog Devices\Core\smax4pnp.exe
Yes    HKLM:Run    WorldClock        C:\Program Files\TELUS\TELUS Wireless Connection Manager\McciTrayApp.exe
Yes    Startup User    Adobe Gamma.lnk    Adobe Systems, Inc.    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
 



#4 hunnybunny

hunnybunny
  • Topic Starter

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:55 PM

Posted 13 December 2014 - 07:49 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Microsoft Windows XP x86
Ran by Sharon on 13/12/2014 at 16:45:19.67
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 13/12/2014 at 16:47:18.09
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#5 buddy215

buddy215

  • Moderator
  • 13,261 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:55 PM

Posted 13 December 2014 - 08:07 PM

What about the startups for Firefox? Have you checked the Extensions installed in Firefox for any you did not install or don't know what they are?

Did you check in the Add/ Remove lists for Yahoo? Though I suspect it isn't really a Yahoo listing causing this. But need to make sure.

You may see AVG Secure Search listed in the Extensions for Firefox. If it is there disable or uninstall if offered. Those Secure Search extensions are adware.

 

disable these:

 

Yes    HKCU:Run    AVG-Secure-Search-Update_0214c        C:\Documents and Settings\Sharon\Application Data\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=f05f92eab78847d28be3d1574d46c84a-52a8bc5ba6ac66ded886c10caff6fd6aa840208d /CMPID=0214c
Yes    HKCU:Run    AVG-Secure-Search-Update_0814av        C:\Documents and Settings\Sharon\Application Data\Avg_Update_0814av\AVG-Secure-Search-Update_0814av.exe /PROMPT /mid=f05f92eab78847d28be3d1574d46c84a-52a8bc5ba6ac66ded886c10caff6fd6aa840208d /CMPID=0814av
Yes    HKCU:Run    AVG-Secure-Search-Update_1214av    AVG Technologies    C:\Documents and Settings\Sharon\Application Data\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe /PROMPT /mid=f05f92eab78847d28be3d1574d46c84a-52a8bc5ba6ac66ded886c10caff6fd6aa840208d /CMPID=1214av
Yes    HKCU:Run    CCleaner Monitoring    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR

Yes    Startup User    Adobe Gamma.lnk    Adobe Systems, Inc.    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
 


Edited by buddy215, 13 December 2014 - 08:09 PM.

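The startup entries buddy215 asks to disable share two traits that a defender can check for automatically: the executable lives under the user's profile (Application Data) rather than Program Files, and the name matches a search/toolbar "update" campaign. The script below is an added example, not code from the thread or from CCleaner: it reads the same HKCU/HKLM Run keys that CCleaner's Startup tab lists and reports each entry with the reasons it deserves review. The adware name pattern is a constructed heuristic built from the names in this thread, not a vendor signature list.

```powershell
# Added example (not from the thread): audit autostart Run values and flag the traits
# seen in the AVG-Secure-Search-Update entries above.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Constructed pattern from the names in this thread; extend as needed.
$knownAdwarePattern = 'Secure-Search|SecureSearch|Search-Update|Campaign|Toolbar'

function Get-CommandExePath {
    # Pull the executable path out of a Run value such as  "C:\Program Files\x\y.exe" /FLAG
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-RunEntryReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/PSChildName/PSDrive/PSProvider note properties
            if ($prop.Name -like 'PS*') { continue }
            $command = [string]$prop.Value
            $exe     = Get-CommandExePath $command
            $reasons = @()

            if (($prop.Name + ' ' + $command) -match $knownAdwarePattern) {
                $reasons += 'matches adware name pattern'
            }
            # Vendor software normally installs under Program Files, not the user profile
            if ($exe -match '\\(Application Data|AppData|Local Settings|Temp)\\') {
                $reasons += 'runs from the user profile'
            }
            if (-not (Test-Path -LiteralPath $exe)) {
                $reasons += 'executable missing (orphaned entry)'
            } elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
                $reasons += 'no valid Authenticode signature'
            }

            $verdict = 'ok'
            if ($reasons.Count -gt 0) { $verdict = 'REVIEW: ' + ($reasons -join '; ') }

            New-Object PSObject -Property @{
                Hive    = $key.Substring(0, 4)
                Name    = $prop.Name
                Verdict = $verdict
                Command = $command
            }
        }
    }
}

Get-RunEntryReport |
    Sort-Object Verdict -Descending |
    Format-Table Hive, Name, Verdict, Command -AutoSize -Wrap

# Removing a confirmed entry by hand (after exporting the key as a backup), e.g. for the
# first AVG-Secure-Search-Update value listed in this thread:
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
#                       -Name 'AVG-Secure-Search-Update_0214c'
```

Run it from an elevated PowerShell prompt so HKLM is readable in full. The report only flags; the `Remove-ItemProperty` line is left as a comment so that nothing is removed until the entry has been reviewed, which is the same order buddy215 follows in the thread (disable, then uninstall if offered).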

#6 hunnybunny

hunnybunny
  • Topic Starter

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:55 PM

Posted 13 December 2014 - 08:29 PM

ESET log:

 

C:\Documents and Settings\Sharon\My Documents\Downloads\ccsetup500.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
 



#7 hunnybunny

hunnybunny
  • Topic Starter

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:55 PM

Posted 13 December 2014 - 08:32 PM

What about the startups for Firefox? Have you checked the Extensions installed in Firefox for any you did not install or don't know what they are?

Did you check in the Add/ Remove lists for Yahoo? Though I suspect it isn't really a Yahoo listing causing this. But need to make sure.

You may see AVG Secure Search listed in the Extensions for Firefox. If it is there disable or uninstall if offered. Those Secure Search extensions are adware.

 

disable these:

 

Yes    HKCU:Run    AVG-Secure-Search-Update_0214c        C:\Documents and Settings\Sharon\Application Data\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=f05f92eab78847d28be3d1574d46c84a-52a8bc5ba6ac66ded886c10caff6fd6aa840208d /CMPID=0214c
Yes    HKCU:Run    AVG-Secure-Search-Update_0814av        C:\Documents and Settings\Sharon\Application Data\Avg_Update_0814av\AVG-Secure-Search-Update_0814av.exe /PROMPT /mid=f05f92eab78847d28be3d1574d46c84a-52a8bc5ba6ac66ded886c10caff6fd6aa840208d /CMPID=0814av
Yes    HKCU:Run    AVG-Secure-Search-Update_1214av    AVG Technologies    C:\Documents and Settings\Sharon\Application Data\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe /PROMPT /mid=f05f92eab78847d28be3d1574d46c84a-52a8bc5ba6ac66ded886c10caff6fd6aa840208d /CMPID=1214av
Yes    HKCU:Run    CCleaner Monitoring    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR

Yes    Startup User    Adobe Gamma.lnk    Adobe Systems, Inc.    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

 

Juggling too many things at once tonight -- must have missed that portion of instructions. Have to log off now, will continue tomorrow.
 



#8 buddy215

buddy215

  • Moderator
  • 13,261 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:55 PM

Posted 13 December 2014 - 10:02 PM

Your browser shortcuts/ desktop browser icons could have been hijacked. Do this, close browsers and right click on

the Firefox desktop icon(s) and delete. There could be one in the start menu, too. After deleting all of the Firefox icons/ shortcuts

create a new one. If that works for removing the Yahoo search then do the same for any other browser including IE.

 

Another way to clear the shortcut:

 

right-click on the browser shortcut from the Taskbar, desktop and start menu, then right-click again on the browser icon as seen in the below image.
[image: taskbar-shortcuts-hijack.jpg]

  1. In the Shortcut tab, in the Target field, remove the http:xxxxxxxx.com. Basically, there should be only the path to the browser executable file. Nothing more.
    These are the default shortcut paths that should be in your Target box; if the xxxxxxxx.com argument is there, then you should remove it.
  2. The xxxxxxxx represents whatever is added. There are several addresses for this type of hijack.

 

In the IE properties you should only see this C:\Program Files\Internet Explorer\iexplore.exe. Remove whatever else is on that line by highlighting and delete.

In Firefox you should only see this: C:\Program Files\Mozilla Firefox\firefox.exe for Windows 32-bit OR C:\Program Files (x86)\Mozilla Firefox\firefox.exe for Windows 64-bit

 

Example: if the Target box has an added URL for Key-Find.....it could be one of several others.

 

[image: key-find-com-hijack.jpg]


Edited by buddy215, 13 December 2014 - 10:03 PM.

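The shortcut hijack buddy215 describes works by appending a URL to the Arguments of an otherwise genuine browser shortcut, so the Target still points at firefox.exe or iexplore.exe and looks normal at a glance. The script below is an added example, not from the thread: it walks the Desktop, Start Menu and Quick Launch folders, reads each .lnk through the WScript.Shell COM object, and reports browser shortcuts whose Arguments contain anything that looks like a URL. It also records what was appended before it is cleared, which answers the question buddy215 asks later in the thread. The folder list and the browser executable pattern are assumptions chosen for this example.

```powershell
# Added example (not from the thread): find browser shortcuts with a URL appended to
# their arguments, log them, and optionally clear the arguments.
$shell = New-Object -ComObject WScript.Shell

# Assumed search roots; Test-Path drops any that do not exist on this Windows version.
$searchRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('StartMenu'),
    (Join-Path $env:ALLUSERSPROFILE 'Desktop'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Browsers covered by this example; extend the alternation for others.
$browserExePattern = 'firefox\.exe|iexplore\.exe|chrome\.exe|opera\.exe'

# A normal browser shortcut has empty Arguments; a scheme, www. or bare domain is the hijack sign.
$urlPattern = '(https?://|www\.|[a-z0-9-]+\.(com|net|org|info|biz)\b)'

function Test-HijackedShortcut {
    param([string]$Path)
    $lnk = $shell.CreateShortcut($Path)
    if ($lnk.TargetPath -notmatch $browserExePattern) { return $null }
    if ($lnk.Arguments -match $urlPattern) {
        New-Object PSObject -Property @{
            Shortcut  = $Path
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
        }
    }
}

function Clear-ShortcutArguments {
    # Remediation: keep the Target, drop everything after it, exactly as the post advises.
    param([string]$Path)
    $lnk = $shell.CreateShortcut($Path)
    $lnk.Arguments = ''
    $lnk.Save()
}

$findings = Get-ChildItem -Path $searchRoots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-HijackedShortcut -Path $_.FullName }

if ($findings) {
    # Save the evidence first so the appended URL is not lost when the shortcut is cleaned.
    $logPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'shortcut-audit.txt'
    $findings | Format-List Shortcut, Target, Arguments | Out-File -FilePath $logPath
    $findings | Format-List Shortcut, Target, Arguments
    "Details written to $logPath"
    # Uncomment to clean every flagged shortcut in place:
    # $findings | ForEach-Object { Clear-ShortcutArguments -Path $_.Shortcut }
} else {
    'No browser shortcuts with URL arguments found.'
}
```

Pinned taskbar items on Windows 7 and later live under `%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar`, which the recursive search of the Quick Launch root already covers. The cleaning step is deliberately opt-in: deleting and recreating the shortcut, as the post suggests, is equivalent, but clearing Arguments keeps the shortcut's icon and working directory intact.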

#9 hunnybunny

hunnybunny
  • Topic Starter

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:55 PM

Posted 14 December 2014 - 11:34 AM

Couldn't find Yahoo listed anywhere. I will have to come back to this later today and will have to work on FF shortcuts. The AVG secure search issue has been another issue testing my sanity.

 

Later....



#10 buddy215

buddy215

  • Moderator
  • 13,261 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:55 PM

Posted 14 December 2014 - 12:03 PM

We'll keep a light on for ya... :wink:



#11 hunnybunny

hunnybunny
  • Topic Starter

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:55 PM

Posted 14 December 2014 - 04:42 PM

Cleaned up the targets for FF & IE and they seem to direct correctly and appear clean. I did find a number of things in Firefox/searchplugins: Amazondotcom.xml, eBay.xml, google.xml, twitter.xml and yahoo.xml. I deleted "yahoo.xml". Would it be safe to delete these others?

I won't be able to address the AVG search update files at the moment; is there a simple way to find them and remove them? Obviously my search skills aren't what they should be :-(

 

TTYL Buddy
 



#12 buddy215

buddy215

  • Moderator
  • 13,261 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:55 PM

Posted 14 December 2014 - 04:57 PM

So, the shortcuts/ icons were the problem and you fixed them....great!

 

Just open CCleaner up and disable the AVG items I listed or uninstall if that option is offered. You've checked

Firefox's list of Extensions and there is no Extension there for AVG adware/ Secure Search....right?

 

Yes, it is safe to remove all the search plugins. You may want to keep Google or whatever your default preference is.

 

I think you have done all that is needed to rid the comp of adware.

 

I am curious to know what URL was added to the browsers' shortcuts.



#13 hunnybunny

hunnybunny
  • Topic Starter

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:55 PM

Posted 15 December 2014 - 11:13 AM

To be honest, I deleted & deleted the shortcut path without noting the URL - one of those knee jerk moments.

 

I'll use CCleaner to disable the AVG items.

 

Thanks for your patient assistance, Buddy! :flowers:
