Author Topic: search bar hijack (apparently) YAHOO  (Read 3909 times)

0 Members and 1 Guest are viewing this topic.

womble

  • Guest
search bar hijack (apparently) YAHOO
« on: October 03, 2011, 06:40:43 PM »
last night i installed yahoo messenger. and during installation i told it NOT to install searh bar/toolbar.
however, this morning i have what appears to be yahoo search added to my firefox browser.
 so i loaded my revo uninstaller, and it had dificulty (unusual for revo, its been very very good so far) with the search bar uninstaler. but seemed to have removed the pathways, folders  and regisatry items associated with it.

but it was still there.
next, and i may have been wrong to to do this, i deleted the yahoo ccompanion folders, as i believe that would be wheree the broswer extension - yahoo search bar- would be located. and the updater (i may be wrong but i dont want an unwated search bar being updated!).

but it is still there and still active and has even tried to hog searches in do with my google search bar!

i looked in the firefox addons section of my browser, and looked in plugins, and there it was, and maybe i found why revo uninstaller couldnt uninstal it, the uninstal button was disabled! it is inactive. i have disable the search bar, but am worried it is not a legit yahoo search bar. and also, even if it was, i stil wouldnt want it, yahoo search is total pants!

my pc is:
windows XP professional, version 2002, SP3

browser: firefox
antivirus: avast free (up to date)
hijackthis logfile is thus:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:24:00 PM, on 10/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17099)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\T-Mobile\InternetManager_H\DataCardMonitor.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Labtec\WebCam10\WebCam10.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\DatacardService\DCService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\T-Mobile\InternetManager_H\T-Mobile Internet Manager.exe
C:\Program Files\T-Mobile\InternetManager_H\bmsdk.exe
C:\Program Files\T-Mobile\InternetManager_H\bmctl.exe
C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\T-Mobile\InternetManager_H\bmop.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IObit\Advanced SystemCare 4\AutoUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\paul.DREADS\Desktop\jackhihthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (file missing)
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [DataCardMonitor] C:\Program Files\T-Mobile\InternetManager_H\DataCardMonitor.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Labtec\WebCam10\WebCam10.exe" /hide
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [Creative Detector U] "C:\Program Files\Creative\MediaSource5\CTDetctu.exe" /R
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"  /MINIMIZED
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HW_OPENEYE_OUC_T-Mobile Internet Manager] "C:\Program Files\T-Mobile\InternetManager_H\UpdateDog\ouc.exe"
O4 - HKCU\..\Run: [Facebook Update] "C:\Documents and Settings\paul.DREADS\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [Advanced SystemCare 4] "C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - S-1-5-18 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5A753D5-5CFA-454C-BE7D-06773D9AE06E}: NameServer = 149.254.230.7 149.254.192.126
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DCService.exe - Unknown owner - C:\Documents and Settings\All Users.WINDOWS\Application Data\DatacardService\DCService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVSrvLauncher - Labtec Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

--
End of file - 7485 bytes


THANK YOU FOR YOUR TIME >:(

womble

  • Guest
Re: search bar hijack (apparently) YAHOO
« Reply #1 on: October 03, 2011, 06:43:33 PM »
further more, in my addons page, the uninstal button was inacitve BEFORE i deleted the companion and updater folders!

and though no expert, the above log appears to be fine (notice due my my deleting the said folders, that is says "files missing". to be expcted, i suppose!
again, thanx, womble

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37644
  • F-Secure user

YoKenny

  • Guest
Re: search bar hijack (apparently) YAHOO
« Reply #3 on: October 04, 2011, 03:23:15 PM »
It is also not good that you are running IObit Advanced SystemCare: 
O4 - HKCU\..\Run: [Advanced SystemCare 4] "C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe"
O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe