Cannot Find Yahoo Install

[FeeDee]

Hi to all.I have recently had my "New Tab" google page hijacked by yahoo.what i mean is i have my "on start up" page set to open chrome which is fine but any other page i open conducts a yahoo search.it has also changed my bookmarks icons to what i presume is their own choice icons eg:youtube,booking.com,amazon,gearbest,ebay etc which cannot be removed,as in there is no "X" to clear them.my internet security also showed up a program called w32 Fakedoc with some letters/numbers which i cannot find right now,and i apologise for that.i have scoured my win 7 computer trying to find where those items are hiding and if they are connected.can you please shed some light on this for me.may i add i did download 1/2 files which scanned safe.your help would be most appreciated,and thank you in advance for any help offered.EDIT:I would like to add that i have removed this yahoo from my browser settings page on three seperate occasions but it keeps re-installing.

Edited November 11, 2017 by FeeDee

[Aura]

Hi FeeDee 

Do you still need assistance with this issue? Since your thread is old, it'll be closed if I don't hear back from you within 3 days.

Thank you!

[FeeDee]

Thank you so very much Aura for your contact it is very much appreciated.Yes i very much want your help as i am still in the same predicament,All scans still showing up clear so still dont know where this all came from.Looking forward to your help and your reply.Thank you again.

[Aura]

Good. Let's start by getting some logs.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.

• Download the right version of FRST for your system:
  
  • FRST 32-bit
  • FRST 64-bit
    Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
    
• Move the executable (FRST.exe or FRST64.exe) on your Desktop
• Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
• Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
• Make sure the Addition.txt box is checked
• Click on the Scan button
  
• On completion, two message box will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files
• Copy and paste the content of both FRST.txt and Addition.txt in your next reply
  

[FeeDee]

Hi Aura i really have to apologise to you right now because i have to leave my computer in order to complete another task.i will do all you asked as soon as possible and post on results to you.please bear with me as it will probably be 12/15hrs before i can return.I am really very sorry for this.Hope you find this acceptable somehow.

[Aura]

All good FeeDee, no worries I'll be waiting for your reply.

[FeeDee]

Hi Aura sorry for the rather abrupt departure and for your understanding.As requested i have completed the scan and I have included both the FRST +Addition files below.I really hope you find the necessary info for a result.Good luck and look forward to hearing from you as soon as possible.

 

Addition.txt      FRST.txt       

[Aura]

Did you obfuscate your Windows username in the logs by any chances? If so, I'll need the logs without your username being replaced, otherwise the fix I'll make won't work.

[FeeDee]

Hi Aura thank you for your reply.My apologies for that....just me thinking security.Please find the original files attached.I will leave this with you and get back when you have sufficient time to do your work on them.

Addition.txt

FRST.txt

[Aura]

Sorry for the delay! Follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

• Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
• Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
• Click on the Fix button
  
• On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
• Copy and paste its content in your next reply
  

fixlist.txt

[FeeDee]

Hi Aura dont worry about the delay.Thank you for your contact.Please find attached the requested file lets hope it helps.

Fixlog.txt

[Aura]

Now, follow the instructions below.

AdwCleaner - Fix Mode

• Download AdwCleaner and move it to your Desktop
• Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
• Accept the EULA (I accept), then click on Scan
• Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  
• Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
• After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
  

RogueKiller

• Download the right version of RogueKiller for your Windows version (32 or 64-bit)
• Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
• Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
• Wait for the scan to complete
• On completion, the results will be displayed
• Check every single entry (threat found), and click on the Remove Selected button
• On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
• This will open the report in Notepad. Copy/paste its content in your next reply
  

Your next reply(ies) should therefore contain:

• Copy/pasted AdwCleaner clean log
• Copy/pasted RogueKiller clean log
  

 

[Aura]

Hi FeeDee,

Are you still with me?

[FeeDee]

Hi Aura thank you for your contact,and,yes i am still with you.Sorry for lack of contact,long story.I have completed the ADW scan but have yet to complete the Roguekiller scan tasks and i would like to send both together.I hope you can bear with me for a few more hours while i complete the scan(s).Thank you.

[FeeDee]

Hi Aura thanks again for your patience.Please find requested logs attached.

ADWCleaner clean log.txt

Roguekiller Clean log.txt

[Aura]

All good, no worries

Now, is the Yahoo! hijack still there, or not?

[FeeDee]

Hi Aura sadly nothing has changed.whatever the problem is seems more problematic now than before.when i open new tab mbam now blocks whatever it is i am searching for.it gets curiouser and curiouser.sorry man gonna have to let you work your magic again.Thanks again for all your help.

[Aura]

If you run a scan with Malwarebytes, does it detect anything?

Also, can you follow the instructions in the thread below? Mostly the ones in the second post (manually cleaning Google Chrome settings).

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

 

[FeeDee]

Hi Aura and thank you for the link.Firstly to answer your question NO; mbam comes up clean everytime.I say everytime because it is set to a schedule daily.The first post does not really apply because i do not have any pages synced.I did notice it stated to make sure mbam is up to date(currently 3.3)I mention this because I am running 3.2.2.The first thing it does is search for updates so i am just curious.As regards your post, my Google settings are pretty much as advised in your post.The one thing I noticed was,under Search Engine/Search Engine used in address bar,the "down" arrow is greyed out???One more thing I want to mention is in control panel under programs & features i see two Google installs.One is from 2011 and I am unable to uninstall, while the other is just quite recent.Just wondering if you have any ideas on that.I mention this because I was thinking of uninstalling and reinstalling Google to see if it would make a difference.I look forward to your reply,and,as always my thanks for all your much appreciated help.

[Aura]

What happens when you try to uninstall the Google Chrome for 2011?

Also, if you click on "Manage search engines"', do you see any search URLs from Yahoo? Can you give me a screenshot of what you see?

[FeeDee]

Hi Aura regardless of how many times I click uninstall on the "old" Google there is a less than brief attempt to remove it.As for "Manage search engines" as mentioned in my very first post I found Yahoo there as well as some other gunk.I removed them on three different occasions and after the third time it has not returned.This was all prior to your first post to me.and as I take the screenshot it remains the same.What is confusing me now is when i use Google on some sites which i use all the time for football results etc mbam starts flashing what i presume are warning messages which are gone before i can get a screenshot.Please find the other requested screenshot(s) attached.

[Aura]

I see what the issue is for the search engine. Click on the little three dots on the right of "Google", and select "Make default". Once done, delete the "Web" one (chromesearch.today).

This should stop the hijacks. Afterwards, we'll work on uninstalling the old Google Chrome version.

[FeeDee]

Thanks for the advice Aura but i have a problem executing it because when i click on the three dots i get the options either edit or remove from list there is no option to "make default".Having said that farther down on the settings page it tells me Google is my default search engine.As for the top setting (chromesearch.today)clicking on that gives no responce(just like the Google 2011).I really hope you can make sence of all that.Screenshots added.

[Aura]

Then we really need to uninstall it manually.

Registry - Export Uninstall Keys

• On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Run as Administrator
• On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
• On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
• Enter the following commands, one after the other. You'll know when you're ready to input the next command when a new line with a blinking cursor will appear under the precedent one:
  Note: You can copy and paste these commands instead of typing them. To copy a command inside the command prompt, move your mouse over the blinking cursor, right-click and select Paste. You must have copied the command prior to that (via Ctrl + C or left-click and Copy).
  

  reg query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s > "%userprofile%\Desktop\hkcu_uninstall.txt"
  

• Once you're done running the commands, a file will have appeared on your desktop:
  
  • hkcu_uninstall.txt
    
• Create a new folder on your Desktop and the hkcu_uninstall.txt file inside it. Once done, archive (.zip) the folder (right-click on it, select Send to... and select Compressed archive (.zip));
• Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;
  

[FeeDee]

Sorry for delay Aura but things getting slightly confused for me here.Firstly i have not entered the right syntax according to cmd and yet there is a file on my desktop called HKCU_uninstall.txt which i dont want to send in case i'm wasting your time.Just to be sure can you tell where the first command ends please purely  to be clear.sorry to be so negative.