
Infected-Spigot Yahoo redirect toolbar from Iobit



I have tried every trick I know and tried everything I read online about this nasty beast but can't get rid of it. I got it when I was downloading an update to Iobit Malware Remover. Ha. I found the Spigot folder under C/Programs/Common Files, ran AntiMalware Bytes Pro numerous times, ran Kaspersky AV 2013 numerous times, created another user on my laptop and did scans, etc. Nothing is working. I've looked for the search settings.exe file everyone talks about but can't find it. If you can help I would sure appreciate it. DDS and Attach files are attached.

Thank you!

Dawn

Attachments: Attach.txt, DDS.txt


Welcome to the forum.

Please stay with this post, don't start any others!

~~~~~~~~~~~~~~~~~

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Thank you, MrC. Done. Report is pasted here as I am not sure how to attach to my reply:

RogueKiller V8.4.3 [Jan 8 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Owner [Admin rights]

Mode : Scan -- Date : 01/08/2013 19:16:35

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤

[sTARTUP][sUSP PATH] Best Buy pc app.lnk @Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND

[sTARTUP][sUSP PATH] Best Buy pc app.lnk @Default User : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS725050A9A360 +++++

--- User ---

[MBR] 4539bd1bc235af49594e0bb67a4649b7

[bSP] 9027902206de9a46c7ad8360d6e3d50a : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 464023 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 953393152 | Size: 11416 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_01082013_02d1916.txt >>



Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for adware, toolbar and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

Please look over what was found, we're going to delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.

MrC


OK, here's the log file. Other than the Best Buy PC app, I have no idea what that other stuff is or if it's anything I need. Doubt it. If you don't mind explaining why that list of stuff shouldn't be on my computer, I would appreciate it.

# AdwCleaner v2.105 - Logfile created 01/08/2013 at 19:28:53

# Updated 08/01/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Owner - OWNER-PC

# Boot Mode : Normal

# Running from : C:\Users\Owner\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\ProgramData\Partner

Folder Found : C:\Users\Owner\AppData\LocalLow\boost_interprocess

***** [Registry] *****

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}

Key Found : HKLM\SOFTWARE\Software

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v6.0 (en-US)

File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\h64r8vk5.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1072 octets] - [08/01/2013 19:28:53]

########## EOF - C:\AdwCleaner[R1].txt - [1132 octets] ##########


Did you run this program before??

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Then..............

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

MrC


Here's the logfile from the new AdwCleaner:

# AdwCleaner v2.105 - Logfile created 01/08/2013 at 19:36:49

# Updated 08/01/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Owner - OWNER-PC

# Boot Mode : Normal

# Running from : C:\Users\Owner\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\Partner

Folder Deleted : C:\Users\Owner\AppData\LocalLow\boost_interprocess

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}

Key Deleted : HKLM\SOFTWARE\Software

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v6.0 (en-US)

File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\h64r8vk5.default\prefs.js

C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\h64r8vk5.default\user.js ... Deleted !

[OK] File is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1199 octets] - [08/01/2013 19:28:53]

AdwCleaner[R2].txt - [1259 octets] - [08/01/2013 19:36:14]

AdwCleaner[s1].txt - [1298 octets] - [08/01/2013 19:36:49]

########## EOF - C:\AdwCleaner[s1].txt - [1358 octets] ##########


When I tried to download the Junkware Removal Tool, I got a message telling me that the file appears malicious and asks me if I want to discard it. Should I ignore that message? Also, when Google Chrome opened after the AdwCleaner scan, I got a popup in the right corner telling me some Content Blocker extension has been added to Chrome. I believe that's another Spigot issue.

-- Dawn


MrC, here's the logfile from the Junkware Removal Tool scan:

Junkware Removal Tool (JRT) by Thisisu

Version: 4.4.2 (01.08.2013:1)

OS: Windows 7 Home Premium x64

Ran by Owner on Tue 01/08/2013 at 19:52:35.28

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\S-1-5-21-581623108-381344596-3336794620-1000\software\microsoft\internet explorer\main\\Start Page

~~~ Registry Keys

~~~ Files

Successfully deleted: [File] "C:\users\default user\start menu\programs\startup\best buy pc app.lnk"

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\best buy pc app"

Successfully deleted: [Folder] "C:\Users\Owner\appdata\local\best buy pc app"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Tue 01/08/2013 at 20:04:52.32

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Let's have a look............

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassoci...T-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


Here's what shows: (the one in red is what you just posted)

FF - prefs.js..browser.search.defaultenginename: "Yahoo"

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&ilc=12&type=800236"

FF - prefs.js..browser.search.selectedEngine: "Yahoo"

FF - prefs.js..browser.startup.homepage: "http://search.yahoo.com?type=800236&fr=spigot-yhp-ff"

FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=800236&p="

FF - user.js - File not found

So there are 5 with Yahoo in them; I suggested we replace them all.

OK?? MrC

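The five Firefox entries listed above are the whole hijack: the search engine, the engine's partner parameters, the start page and the address-bar search URL all point at a Spigot/greentree-tagged Yahoo URL. The following is an added example, not code from this thread or from any of the tools used in it; it parses a prefs.js (a constructed sample mirroring the reported values), flags the steering preferences that carry those partner tags, and drops them so Firefox falls back to its defaults, which is what the OTL fix later does. The marker list is an assumption taken from the values in this thread.

```python
import re

# Constructed sample prefs.js; the values mirror the entries OTL reported in this thread
SAMPLE_PREFS = '''\
user_pref("browser.search.defaultenginename", "Yahoo");
user_pref("browser.search.param.yahoo-fr", "chr-greentree_ff&ilc=12&type=800236");
user_pref("browser.search.selectedEngine", "Yahoo");
user_pref("browser.startup.homepage", "http://search.yahoo.com?type=800236&fr=spigot-yhp-ff");
user_pref("keyword.URL", "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=800236&p=");
user_pref("browser.startup.page", 1);
'''

# One user_pref("name", value); line, with the value's quotes stripped if present
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"?(.*?)"?\);\s*$', re.M)

# Preferences that decide where searches and the start page go
STEERING_PREFS = ("browser.search.defaultenginename", "browser.search.selectedEngine",
                  "browser.startup.homepage", "keyword.URL")

# Partner tags seen in the hijacked values of this thread (assumed list; extend as needed)
HIJACK_MARKERS = ("spigot", "greentree", "type=800236")


def parse_prefs(text):
    """Return {pref_name: value} from prefs.js text (values unquoted)."""
    return {name: value for name, value in PREF_RE.findall(text)}


def find_hijacked(prefs):
    """Names of preferences that point search or the homepage at a hijack partner URL."""
    flagged = set()
    for name, value in prefs.items():
        steering = name in STEERING_PREFS or name.startswith("browser.search.param.")
        if steering and any(m in value.lower() for m in HIJACK_MARKERS):
            flagged.add(name)
    # The engine-selection prefs carry no URL themselves; flag them too when the
    # selected engine's parameter pref was hijacked (the five entries the thread replaced)
    engine = prefs.get("browser.search.defaultenginename", "").lower()
    if engine and any(n.startswith(f"browser.search.param.{engine}") for n in flagged):
        flagged.update(n for n in ("browser.search.defaultenginename",
                                   "browser.search.selectedEngine") if n in prefs)
    return sorted(flagged)


def clean_prefs(text):
    """Drop the flagged user_pref lines; Firefox then falls back to its defaults."""
    bad = set(find_hijacked(parse_prefs(text)))
    kept = [line for line in text.splitlines()
            if not (m := PREF_RE.match(line)) or m.group(1) not in bad]
    return "\n".join(kept) + "\n"
```

Run it against a copy of the profile's prefs.js with Firefox closed; flagging by partner tag rather than by the word "Yahoo" keeps a legitimately chosen Yahoo engine from being removed.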

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in bold:

:OTL

FF - prefs.js..browser.search.defaultenginename: "Yahoo"

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&ilc=12&type=800236"

FF - prefs.js..browser.search.selectedEngine: "Yahoo"

FF - prefs.js..browser.startup.homepage: "http://search.yahoo.com?type=800236&fr=spigot-yhp-ff"

FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=800236&p="

FF - user.js - File not found

:Commands

[EMPTYJAVA]

[emptytemp]

[EMPTYFLASH]

  • Then click the Run Fix button at the top

  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"

  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC


Here is the new log file:

All processes killed

========== OTL ==========

Prefs.js: "Yahoo" removed from browser.search.defaultenginename

Prefs.js: "chr-greentree_ff&ilc=12&type=800236" removed from browser.search.param.yahoo-fr

Prefs.js: "Yahoo" removed from browser.search.selectedEngine

Prefs.js: "http://search.yahoo.com?type=800236&fr=spigot-yhp-ff" removed from browser.startup.homepage

Prefs.js: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=800236&p=" removed from keyword.URL

========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Deletespigot

User: Owner

->Java cache emptied: 1048243 bytes

User: Public

Total Java Files Cleaned = 1.00 mb

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Deletespigot

->Temp folder emptied: 145249 bytes

->Temporary Internet Files folder emptied: 2238666 bytes

->Flash cache emptied: 456 bytes

User: Owner

->Temp folder emptied: 634522294 bytes

->Temporary Internet Files folder emptied: 1008656 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 44382498 bytes

->Google Chrome cache emptied: 29300662 bytes

->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 2669302 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50199 bytes

RecycleBin emptied: 7050542 bytes

Total Files Cleaned = 688.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Deletespigot

->Flash cache emptied: 0 bytes

User: Owner

->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 01082013_213642

Files\Folders moved on Reboot...

C:\Users\Owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Firefox no longer goes to the Spigot Yahoo toolbar page. YESS!!!! There is no way a novice such as myself could have repaired the infection. It looks like I'm rid of the beasties. MrC, do you know what the problem was so that I can avoid making the same mistakes? I still see the Best Buy PC app on my desktop, but I don't want to click on it for fear that my computer will implode. Kidding. Whatever suggestions you have would be appreciated. Also, should I periodically run scanners like AdwCleaner and Junkware Removal or only bring out those big guns when needed?

Thank you so much for all your help. I'll be adding to the "till" for your time. It's the least I can do.

Dawn
