MajorGeeks Support Forums

#1
03-16-13, 20:49
trisha (Senior Member)
All Browsers Hijacked to Yahoo.Search

All browsers, FF, Chrome and IE were all hijacked. I first ran the suggestions in the sticky for Hijacked Browsers and some things were found in some of the logs. I have attached those logs. I also ran the Read and Run Me First programs and have attached those logs as well. Help is much appreciated.
Attached Files
File Type: txt MBRCheck_03.16.13_17.45.25.txt (9.2 KB, 1 views)
File Type: zip MGlogs.zip (255.6 KB, 3 views)
File Type: txt RKreport[1]_S_03162013_02d1726.txt (2.5 KB, 1 views)
File Type: txt GooredFix.txt (1.8 KB, 1 views)
File Type: log HitmanPro_20130316_1838.log (1.3 KB, 1 views)

#2
03-16-13, 20:54
trisha (Senior Member)
Re: All Browsers Hijacked to Yahoo.Search

Additional log file
Attached Files
File Type: txt mbam-log-2013-03-16 (16-50-37).txt (1.8 KB, 2 views)

#3
03-17-13, 15:24
trisha (Senior Member)
Re: All Browsers Hijacked to Yahoo.Search

Quote:
Originally Posted by trisha View Post
All browsers, FF, Chrome and IE were all hijacked. I first ran the suggestions in the sticky for Hijacked Browsers and some things were found in some of the logs. I have attached those logs. I also ran the Read and Run Me First programs and have attached those logs as well. Help is much appreciated.
I wanted to elaborate more on this. All browser home pages were hijacked to Yahoo.Search. Hope this makes it clearer. I have read some of the other posts regarding the hijacking and it appears just the search engines were hijacked. I believe a hijacked home page might mean a different thing.

#4
03-18-13, 22:12
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: All Browsers Hijacked to Yahoo.Search

Quote:
Originally Posted by trisha View Post
All browser home pages were hijacked to Yahoo.Search. Hope this makes it clearer.
You used the word "were" as in past tense. Do you mean this is no longer the case?
Also, did you simply try setting your homepages back to what you want? Doesn't that work?

There does not seem to be any malware in your logs. It just looks like you somehow have managed to change your home page and also your default search engine to Yahoo. Probably you installed some software with a toolbar that caused this. I see the below in your logs that is typical of installing a toolbar, meaning you may not have read some license agreement or some other popup that asked about installing the tool.
Quote:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D8A3A727-24FB-4B36-9973-DC58515F46F8}]
"DisplayName"="Yahoo! Search"
"URL"="http://search.yahoo.com/search?fr=ch...p={searchTerms}"
"ShowSearchSuggestions"=dword:00000001
"SuggestionsURL"="http://ie.search.yahoo.com/os?comman...s}&appid=chrie"
"OSDFileURL"="file:///C:/Program%20Files/Common%20...s/yahoo_ie.xml"
The below registry patch should set the default for IE back to Google if that is what you want.

Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D8A3A727-24FB-4B36-9973-DC58515F46F8}]
Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

You will have to change the others yourself manually. The below may or may not help adjust some items back to defaults.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Attach JRT.txt to your next message.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Last edited by chaslang; 03-18-13 at 22:21..
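Added example, not part of the thread: a PowerShell check (PowerShell 3.0 or later assumed) that lists the current user's Internet Explorer search providers from the SearchScopes key discussed in post #4, marks the one DefaultScope points to, and saves a backup of the key before a patch such as fixme.reg is merged. The function name Get-IESearchScope and the backup file name are hypothetical.

```powershell
# Added example: audit IE search providers for the current user.
$scopesKey = 'HKCU\Software\Microsoft\Internet Explorer\SearchScopes'
$scopesPath = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"

function Get-IESearchScope {
    param([string]$Path = $scopesPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No SearchScopes key at $Path"
        return
    }

    # DefaultScope holds the GUID of the provider IE uses for searches.
    $default = (Get-ItemProperty -LiteralPath $Path -Name DefaultScope `
                -ErrorAction SilentlyContinue).DefaultScope

    Get-ChildItem -LiteralPath $Path | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        $uri = $null
        # Reduce the search URL to its host so an unexpected provider stands out.
        $hostName = if ([Uri]::TryCreate([string]$props.URL, [UriKind]::Absolute, [ref]$uri)) {
            $uri.Host
        } else { '' }
        [pscustomobject]@{
            Guid        = $_.PSChildName
            DisplayName = $props.DisplayName
            Host        = $hostName
            OSDFileURL  = $props.OSDFileURL
            IsDefault   = ($_.PSChildName -eq $default)
        }
    }
}

# Keep a restorable copy of the key before merging any .reg patch.
$backup = Join-Path $env:USERPROFILE ('SearchScopes-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export $scopesKey $backup /y | Out-Null

$scopes = @(Get-IESearchScope)
$scopes | Format-Table -Property Guid, DisplayName, Host, IsDefault -AutoSize

# A patch that sets DefaultScope to a GUID with no subkey leaves the default dangling.
if ($scopes.Count -gt 0 -and -not ($scopes | Where-Object { $_.IsDefault })) {
    Write-Warning 'DefaultScope does not match any provider subkey.'
}
```

Running it once before and once after merging the patch shows whether the deleted provider is gone and whether the new DefaultScope GUID actually exists as a subkey.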
#5
03-18-13, 22:18
trisha (Senior Member)
Re: All Browsers Hijacked to Yahoo.Search

No, they are changed to Yahoo.Search. The homepage used to be MSN.com.

Hitman Pro showed some stuff as well as the MBR program. FF and Chrome are never used, only IE. I checked to see if those browsers had any changes and that is when I discovered their Homepages are the same as the changed IE.

I did not think to change the homepages back because I thought there might be a virus or malware that made the changes.

#6
03-21-13, 00:14
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: All Browsers Hijacked to Yahoo.Search

Quote:
Originally Posted by trisha View Post
I did not think to change the homepages back because I thought there might be a virus or malware that made the changes.
So try it. Also please finish the rest of my last instructions.

#7
03-21-13, 01:37
trisha (Senior Member)
Re: All Browsers Hijacked to Yahoo.Search

Thanks for the help. As soon as I access my friend's computer I will do what you have recommended.

#8
03-24-13, 15:35
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: All Browsers Hijacked to Yahoo.Search

You're welcome. Okay we will be here. You also have to perform final instructions before we are finished with our work. We will post those once everything is cleaned up.

#9
03-24-13, 17:30
trisha (Senior Member)
Re: All Browsers Hijacked to Yahoo.Search

Hi chas...

I ran the fixme.reg file you posted and it said it was successful.

I ran the junkfix program and the file is attached.

I manually changed the homepage in IE back to MSN because after running the two above the homepage was still Yahoo.search.

I also noticed something when the junkfix was running. It said it deleted a file called spigot.

While changing the homepage back to MSN.com I noticed the Yahoo link had an ending of spigot.

Here is the link it defaults to and still defaults to in Chrome and I will take a guess it is still the same in FF.

http://search.yahoo.com/?type=668083&fr=spigot-yhp-ch

Additionally, how many svchost.exe are supposed to be running in the processes list? There are about 10. Also, what is RichVideo.exe? I don't recall seeing this process running on this computer before.
Attached Files
File Type: txt JRT.txt (1.3 KB, 2 views)

Last edited by trisha; 03-24-13 at 17:32.. Reason: updating information

#10
03-25-13, 19:37
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: All Browsers Hijacked to Yahoo.Search

Quote:
Originally Posted by trisha View Post
Here is the link it defaults to and still defaults to in Chrome and I will take a guess it is still the same in FF.
As stated earlier, you need to just change your home page to whatever you want them to be in each browser.

Quote:
Originally Posted by trisha View Post
Additionally, how many svchost.exe are supposed to be running in the processes list? There are about 10.
The amount seen will be based on your system and exactly what you are running, but 10 is quite typical.

Quote:
Originally Posted by trisha View Post
Also, what is RichVideo.exe? I don't recall seeing this process running on this computer before.
Part of your Cyberlink PowerDVD software.
Last edited by chaslang; 03-26-13 at 14:29.. Reason: Fix broken quote

#11
03-25-13, 23:57
trisha (Senior Member)
Re: All Browsers Hijacked to Yahoo.Search

OK, so are we done?

#12
03-31-13, 03:04
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: All Browsers Hijacked to Yahoo.Search

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
  2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
  4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
  7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  8. .
  9. After doing the above, you should work thru the below link: