All Browsers Hijacked to Yahoo.Search

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by trisha, Mar 16, 2013.

  1. trisha

    trisha Corporal

    All browsers, FF, Chrome and IE were all hijacked. I first ran the suggestions in the sticky for Hijacked Browsers and some things were found in some of the logs. I have attached those logs. I also ran the Read and Run Me First programs and have attached those logs as well. Help is much appreciated.
     


  2. trisha

    trisha Corporal

    Additional log file
     


  3. trisha

    trisha Corporal

    I wanted to elaborate more on this. All browser home pages were hijacked to Yahoo.Search. Hope this makes it clearer. I have read some of the other posts regarding the hijacking and it appears just the search engines were hijacked. I believe a hijacked home page might mean a different thing. :confused
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You used the word "were" as in past tense. Do you mean this is no longer the case?
    Also, did you simply try setting your homepages back to what you want? Doesn't that work?

    There does not seem to be any malware in your logs. It just looks like you somehow have managed to change your home page and also your default search engine to Yahoo. Probably you installed some software with a toolbar that caused this. I see the below in your logs that is typical of installing a toolbar meaning you may not have read some license agreement or some other popup that asked about installing the tool
    The below registry patch should set the default for IE back to Google if that is what you want.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    You will have to change the others yourself manually. The below may or may not help adjust some items back to defaults.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
    Last edited: Mar 18, 2013
  5. trisha

    trisha Corporal

    No, they are changed to Yahoo.Search. The homepage used to be MSN.com.

    Hitman Pro showed some stuff as well as the MBR program. FF and Chrome are never used, only IE. I checked to see if those browsers had any changes and that is when I discovered their Homepages are the same as the changed IE.

    I did not think to change the homepages back because I thought there might be a virus or malware that made the changes.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So try it. Also please finish the rest of my last instructions.
     
  7. trisha

    trisha Corporal

    Thanks for the help. As soon as I access my friend's computer I will do what you have recommended.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Okay we will be here. You also have to perform final instructions before we are finished with our work. We will post those once everything is cleaned up.
     
  9. trisha

    trisha Corporal

    Hi chas...

    I ran the fixme.reg file you posted and it said it was successful.

    I ran the junkfix program and the file is attached.

    I manually changed the homepage in IE back to MSN because after running the two above the homepage was still Yahoo.search.

    I also noticed something when the junkfix was running. It said it deleted a file called spigot.

    While changing the homepage back to MSN.com I noticed the yahoo link had an ending of spigot.

    Here is the link it defaults to and still defaults to in Chrome and I will take a guess it is still the same in FF.

    http://search.yahoo.com/?type=668083&fr=spigot-yhp-ch

    Additionally, how many svchost.exe are supposed to be running in the processes list? There are about 10. Also, what is RichVideo.exe? I don't recall seeing this process running on this computer before.
     

    Attached Files: JRT.txt (1.3 KB)
    Last edited: Mar 24, 2013
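The check made by eye in the post above (spotting the `fr=spigot-yhp-ch` tag on the homepage URL) can be automated; this is an added example, not part of the thread or of any MajorGeeks tool. It scans Firefox `prefs.js` text for URL-valued prefs and reports any whose query string carries a partner tag; the sample prefs file and the one-entry watch-list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a Firefox prefs.js. The homepage value is the URL
# quoted in the thread; the other two lines are filler.
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "http://search.yahoo.com/?type=668083&fr=spigot-yhp-ch");
user_pref("browser.search.defaultenginename", "Yahoo");
user_pref("app.update.enabled", true);
'''

# Matches string-valued prefs only; boolean and integer prefs are skipped.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')

# Hypothetical watch-list: substrings of partner tags left by bundled toolbars.
PARTNER_MARKERS = ("spigot",)


def url_prefs(prefs_text):
    """Yield (pref_name, url) for every string pref holding an http(s) URL."""
    for name, value in PREF_RE.findall(prefs_text):
        for part in value.split("|"):  # Firefox separates multiple homepages with "|"
            if part.lower().startswith(("http://", "https://")):
                yield name, part


def partner_tags(url):
    """Return 'key=value' query pairs whose value contains a watch-listed marker."""
    query = parse_qs(urlsplit(url).query)
    return sorted(
        f"{key}={val}"
        for key, vals in query.items()
        for val in vals
        if any(marker in val.lower() for marker in PARTNER_MARKERS)
    )


def audit(prefs_text):
    """List every URL pref that points at a partner-tagged address."""
    findings = []
    for name, url in url_prefs(prefs_text):
        tags = partner_tags(url)
        if tags:
            findings.append({"pref": name, "host": urlsplit(url).hostname, "tags": tags})
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_PREFS_JS))
```

A finding on a reputable host such as `search.yahoo.com` points to a bundled toolbar having rewritten the setting rather than to a malicious site, which matches the diagnosis given earlier in the thread.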
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As stated earlier, you need to just change your home page to whatever you want them to be in each browser.

    The amount seen will be based on your system and exactly what you are running, but 10 is quite typical.

    Part of your Cyberlink PowerDVD software.
     
    Last edited: Mar 26, 2013
  11. trisha

    trisha Corporal

    OK, so are we done?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. .
    9. After doing the above, you should work thru the below link:
     
