Browser/Window Hijacker (Spigot?)

Well, this is weird. I wonder if I'm dealing with a super high-end malware virus. I just registered an account an hour ago and when I tried to make a new post, it got eaten and then it said that I have no registered account, when I have the original activation registration email, which I tried to re-click and it said I've no account… disheartening. Anyway, teaches me to not copy save my posts.

Hello, I've got a nasty browser/window hijacker. The borders of the window of whatever program (Firefox, MS Word, VLC, hell, even the restart/shutdown window, etc.) I have open flash every few seconds from blue to white and back to blue. Whatever input I'm making gets ignored when it does the flash shift.

After closing and reopening my browser I go to a search Yahoo page, instead of my homepage, and I noticed the word spigot in the URL bar.

I did research on it and figured I got hit with the Spigot hijacker. I updated my Malwarebytes and Avast, ran scans with both and got nada. I went digging into my computer looking for the spigot folder/files and the searchsettings64.exe process, which people say are where the offending malware resides, but I can't find either of them.

Also downloaded and ran RogueKiller and AdwCleaner and neither one found anything either.

I'm at my wits' end and am about to reformat, but I really don't want to do that if I don't have to (I've got an SSD).

The revelation I got where my Avast account got suddenly canceled has me very, very worried I'm dealing with something quite extreme in protecting itself.

Run OTL and attach diagnostic log… not copy and paste. http://forum.avast.com/index.php?topic=53253.0

And done.

Interesting program.

Malware removers are notified… should be here soon.

Re-run OTL.exe.

- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com?type=714647&fr=spigot-yhp-ie
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3101810&SearchSource=3&q={searchTerms}&CUI=UN99901993429234251"
CHR - homepage: http://search.yahoo.com?type=714647&fr=spigot-yhp-ch

:FILES
C:\Users\William\AppData\Roaming\Mozilla\Firefox\Profiles\jd3szh4x.default\extensions\{285ACFBB-8E53-4feb-90E6-F02A128927F3}.xpi
C:\Users\William\AppData\Roaming\Mozilla\Firefox\Profiles\jd3szh4x.default\searchplugins\conduit.xml

:COMMANDS
[emptytemp]

- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


====== next =======

Please download zoek.exe and save it to your desktop.

- Close any open browsers.

- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

- Double click on zoek.exe to run the tool.
Please wait until the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

createsrpoint;
StandardSearch;
installer-list;
installedprogs;
uninstall-list;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b

- Click on the Run Script button.
Please wait until a log report opens (this can be after reboot).

- Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named “zoek-results.log”
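
The OTL fix above targets home-page and search settings that carry the spigot and conduit markers. As an added example (not part of the thread and not any poster's code), this Python script audits Firefox prefs.js text for the same markers; the sample preference lines are constructed, and the watched preference names other than browser.search.defaulturl are assumptions.

```python
import re
from urllib.parse import urlsplit

# Markers seen in the OTL fix lines of this thread.
MARKERS = ("spigot", "conduit")
# Preferences to inspect. Only browser.search.defaulturl appears in the thread;
# the other two names are assumptions added for this example.
WATCHED = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);$')

# Constructed sample prefs.js content (not taken from the poster's logs).
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "http://search.yahoo.com?type=000000&fr=spigot-yhp-ff");
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT0000000&q={searchTerms}");
user_pref("browser.search.selectedEngine", "Google");
user_pref("keyword.URL", "https://www.google.com/search?q=");
'''

def audit_prefs(text):
    """Return (line number, pref name, host, markers) for each flagged pref."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PREF_RE.match(line.strip())
        if not m or m.group(1) not in WATCHED:
            continue
        name, url = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # A hijack may show in the host (search.conduit.com) or only in a
        # query tag on a legitimate host (fr=spigot-... on search.yahoo.com).
        hits = [k for k in MARKERS if k in host or k in parts.query.lower()]
        if hits:
            findings.append((lineno, name, host, hits))
    return findings

if __name__ == "__main__":
    for lineno, name, host, hits in audit_prefs(SAMPLE_PREFS):
        print(f"line {lineno}: {name} -> {host} (markers: {', '.join(hits)})")
```
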

Sadly didn't seem to have done the trick :cry:

Reports attached

Hi,

First, from Control Panel > Programs and Features, you need to find and remove/uninstall Search Protection. I also recommend removing “AVG SafeGuard toolbar” from your system. This isn’t AVG AntiVirus but its component, software. I honestly do not see the point of it being loaded with your system, but of course it’s your will.

To open Control Panel from the Windows 8 user interface (Metro), type control panel in search and press Enter.


Re-run zoek.exe as you did before with this script:

emptyclsid;
Search Protection;u
jhbicckmeogemnamjhgbfbhelblnkjlp;CHR
jhbicckmeogemnamjhgbfbhelblnkjlp;CHR
CHRdefaults;
C:\Users\William\AppData\Local\CRE\jhbicckmeogemnamjhgbfbhelblnkjlp.crx;f
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection];r
ipconfig /flushdns >> %temp%\log.txt;b
emptyalltemp;
autoclean;

Wait a while for zoek to finish its work; it will reboot your system. Then attach the freshly created zoek log here.

Uh oh, this thing is starting to get crazier and more aggressive. I’m getting heavy slowdowns and lag just from opening Firefox and making these posts now. It's like it knows I’m trying to kill it and it's going into overdrive. The flashes are becoming more frequent now.

Odd, I didn't notice the Search Protection spigot file on my first run through trying to clean my system.

Ok, create fresh Zoek log. You will run zoek with this script:

filesrcm;
startupall;
firefoxlook;
chromelook;

We will continue tomorrow. :wink:

People who make malware/viruses like this all need to be strung up by their balls and killed in the most excruciating painful fashion. Ehhmm, yes, anyhoo, at this point I'm kinda curious why this bastard is so resilient. I wonder if there are any other threads from people who have suffered similar issues to mine, since this isn't as simple as getting rid of the spigot files.

Hi,

What makes you think you have spigot files? What current problems do you experience?

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

When I first encountered the problem, when I opened up a new Firefox browser, the new homepage URL was search Yahoo and had the word spigot in there.

Also, when you had me uninstall Search Protection a few posts up, the program said Spigot Inc.

So that's how I figured it was spigot… although you seem to have given me the kill code for it… so it's really weird, instead now the intensity of the redirects went from like every 8 secs to 3 secs now, with more lag.

Scans attached.

Maybe I should download the spigot stuff from their website and then try to uninstall… hmm

Still I can’t understand what you see. Yahoo is a legit webpage. In the posted logs I don’t see malware activities or spigot-related files. Your PC is clean.

I can’t fix something I don’t see. Attach a screenshot here of what you see, then it might be a little clearer.

Are you familiar with “C:\Program Files (x86)\WinToFlash Suggestor”?

Also, run this zoek script and attach the created zoek log here. Perhaps this will show what you see.

spigot;z
spigot;a
spigot inc;z
spigot inc;a
shortcutfix;

Magna86, thank you so much for your patience and help. Sadly this malware/trojan/virus (I'm gonna upgrade the threat level now) has done something that has totally freaked me out. It’s now attempting to turn off my Avast antivirus program; once something has gone THERE, there’s no going back imho. I’ve decided to use the Win8 refresh feature, and it seems to have cleared up the problem. Sadly, I think it's wiped my IP and I can't connect to the internet despite the refresh not uninstalling my wifi drivers. Well, that’s another problem for another forum. It pisses me off how this goddamn bug has wasted several days of my time and hours of yours.

Again, thank you for your help.