Chrome opens on yahoo

Hello,

I recently installed a program and flew through the install too quickly. I think I may have installed some adware but I am not sure. My Chrome now opens on http://search.yahoo.com/?type=994519&fr=spigot-yhp-ch . I could deal with this, but I am concerned that there could be something more sinister happening in the background. Do you know how I could go about fixing this?

Thanks

AdwCleaner v3.010 - Report created 26/10/2013 at 10:54:07

Updated 20/10/2013 by Xplode

Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

Username : Paul - PAUL-PC

Running from : C:\Users\Paul\Downloads\adwcleaner.exe

Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found : C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\xv76wpvr.default\Extensions{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}
Folder Found C:\Program Files (x86)\BSP DB Toolbar
Folder Found C:\ProgramData\Uniblue\DriverScanner
Folder Found C:\Users\Paul\AppData\Local\Temp\CT3225826
Folder Found C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\xv76wpvr.default\CT3225826

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\smartbar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\CLSID{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Found : HKLM\SOFTWARE\Classes\CLSID{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Found : HKLM\SOFTWARE\Classes\CLSID{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
Key Found : HKLM\SOFTWARE\Classes\CLSID{64697678-0000-0010-8000-00AA00389B71}
Key Found : HKLM\SOFTWARE\Classes\driverscanner
Key Found : HKLM\SOFTWARE\Classes\Interface{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BSP DB Toolbar
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface{2BEF239C-752E-4001-8048-F256E0D8CD93}

***** [ Browsers ] *****

-\ Internet Explorer v10.0.9200.16720

-\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\xv76wpvr.default\prefs.js ]

Line Found : user_pref("CT3225826.FF19Solved", "true");
Line Found : user_pref("CT3225826.UserID", "UN30946557701211712");
Line Found : user_pref("CT3225826.fullUserID", "UN30946557701211712.IN.20131026102007");
Line Found : user_pref("CT3225826.installDate", "26/10/2013 10:20:12");
Line Found : user_pref("CT3225826.installSessionId", "-1");
Line Found : user_pref("CT3225826.installSp", "FALSE");
Line Found : user_pref("CT3225826.installerVersion", "1.7.0.9");
Line Found : user_pref("CT3225826.searchRevert", "FALSE");
Line Found : user_pref("CT3225826.searchUserMode", "1");
Line Found : user_pref("CT3225826.versionFromInstaller", "10.20.0.13");
Line Found : user_pref("CT3225826.xpeMode", "0");
Line Found : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url("I[…]
Line Found : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\:\/\/(.+\.)?ask\.com\/.*");
Line Found : user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url("IMAGE") right no-repeat}");
Line Found : user_pref("smartbar.machineId", "B7B6HAEXWWRUB6EYOLTQULXG6QMD05MBBONKPMEW5NUQBN5UI/YKJ3DKOO3MLKKD1U0TXTELTC6DEWFH64RUQW");

-\ Google Chrome v30.0.1599.101

[ File : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [4097 octets] - [26/10/2013 10:54:07]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4157 octets] ##########

Unfortunately I do not have time to run and post any more logs just now but I will do so later on today.

Run AdwCleaner again and this time click clean…
Also run Malwarebytes quick scan…post log here

Here is the report after cleaning and rebooting

AdwCleaner v3.010 - Report created 26/10/2013 at 11:01:22

Updated 20/10/2013 by Xplode

Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

Username : Paul - PAUL-PC

Running from : C:\Users\Paul\Downloads\adwcleaner.exe

Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Uniblue\DriverScanner
Folder Deleted : C:\Program Files (x86)\BSP DB Toolbar
Folder Deleted : C:\Users\Paul\AppData\Local\Temp\CT3225826
Folder Deleted : C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\xv76wpvr.default\CT3225826
Folder Deleted : C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\xv76wpvr.default\Extensions{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\driverscanner
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{64697678-0000-0010-8000-00AA00389B71}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\smartbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BSP DB Toolbar

***** [ Browsers ] *****

-\ Internet Explorer v10.0.9200.16720

-\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\xv76wpvr.default\prefs.js ]

Line Deleted : user_pref("CT3225826.FF19Solved", "true");
Line Deleted : user_pref("CT3225826.UserID", "UN30946557701211712");
Line Deleted : user_pref("CT3225826.fullUserID", "UN30946557701211712.IN.20131026102007");
Line Deleted : user_pref("CT3225826.installDate", "26/10/2013 10:20:12");
Line Deleted : user_pref("CT3225826.installSessionId", "-1");
Line Deleted : user_pref("CT3225826.installSp", "FALSE");
Line Deleted : user_pref("CT3225826.installerVersion", "1.7.0.9");
Line Deleted : user_pref("CT3225826.searchRevert", "FALSE");
Line Deleted : user_pref("CT3225826.searchUserMode", "1");
Line Deleted : user_pref("CT3225826.versionFromInstaller", "10.20.0.13");
Line Deleted : user_pref("CT3225826.xpeMode", "0");
Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url("I[…]
Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\:\/\/(.+\.)?ask\.com\/.*");
Line Deleted : user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url("IMAGE") right no-repeat}");
Line Deleted : user_pref("smartbar.machineId", "B7B6HAEXWWRUB6EYOLTQULXG6QMD05MBBONKPMEW5NUQBN5UI/YKJ3DKOO3MLKKD1U0TXTELTC6DEWFH64RUQW");

-\ Google Chrome v30.0.1599.101

[ File : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [4249 octets] - [26/10/2013 10:54:07]
AdwCleaner[S0].txt - [4164 octets] - [26/10/2013 11:01:22]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4224 octets] ##########

Had enough time to run the MBAM one too, here is the report:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.26.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Paul :: PAUL-PC [administrator]

26/10/2013 11:07:50
mbam-log-2013-10-26 (11-07-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 256582
Time elapsed: 11 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Guest\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) → Quarantined and deleted successfully.

Files Detected: 4
C:\Users\Paul\AppData\Local\Temp\Lk31b7b9.exe.part (PUP.Optional.Installex) → Quarantined and deleted successfully.
C:\Users\Paul\AppData\Local\Temp\PhJQQvTk.exe.part (PUP.Optional.Installex) → Quarantined and deleted successfully.
C:\Users\Paul\AppData\Local\Temp\U3zV6J5e.exe.part (PUP.Optional.Amonetize.AS) → Quarantined and deleted successfully.
C:\Users\Guest\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) → Quarantined and deleted successfully.

(end)

And now the question is… did it help? 🙂

If not, you need to attach (not copy and paste) OTL diagnostic log

I’ll be able to check tonight. Even if Chrome is back to normal, should I continue with the rest of the scans to make sure there is nothing else lurking in the background?

Thanks

Yes, you may do that…

Monitoring

The problem is still ongoing. Here is the OTL log, there is no extras log.

If Chrome shows Yahoo as Home Page, if you think logically … where could you set & adjust Chrome’s home page?
https://support.google.com/chrome/answer/95314?hl=en

Anyway, posted logs are malware free. Previous tools have just detected a bunch of junk files …

Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.

Final log posted. I’ve changed Chrome back to open with a new tab in settings, just making sure all is ok. Thanks a lot for looking into this for me.