
Charmsearching browser hijack

1K views 28 replies 3 participants last post by  DR.M 
#1 ·
I'm surprised I didn't find anything about this one on the forum here. I've searched it online and get a bunch of vague directions, none of which seem to work.

Wondering if anyone has run across the Charmsearching browser hijack? Any search to Google (whether from google.com itself or from the Chrome address bar) jumps to charmsearching.com and then on to bing.com

I did a Chrome browser reset, as one site suggested, and that got rid of it... temporarily. I suspect it's an installed extension, but Chrome's own internal malware scan doesn't pick anything up.

Malwarebytes consistently finds and quarantines 16-18 threats that seem to keep appearing. Windows Defender (Win10) doesn't find anything.

Spybot found a couple of potential threats (specifically a possibly harmful Amazon extension) but crashed out trying to clean the system. I manually removed the Amazon extension but to no avail.

I added '127.0.0.1 charmsearching.com' to the hosts file, so at least it's not going anywhere, but it would be nice to get my regular function back.

Any thoughts?
 
#4 ·
There was nothing there that shouldn't be, nothing that I hadn't added long ago. Chrome has actually thrown a couple of notifications in the past (like, weeks ago) that one of my extensions (The Great Suspenser) had malware and would be disabled. I let it do that, and then removed the extension entirely. This problem just cropped up in the last couple of days.

Please read the log posting instructions here and post the requested logs.
Will do, thanks.
 
#7 ·
Hi, Soundy.

Welcome to TSG Forums.


I will be assisting you regarding your computer's issues. Here, we will check your computer for malware.

Please, adhere to the guidelines below, and then carefully follow, with the same order, all the instructions after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

4. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.

=============================

In addition to the above logs, can you please post the Malwarebytes report too?
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.
 
#8 · (Edited)
Hi, Soundy.

1. Uninstall Spybot - Search & Destroy
  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following program on the list:
Code:
Spybot - Search & Destroy
  • Select the above program and click Uninstall.
  • Restart the computer.

2. Stop Google Drive Sync at start-up

If Google Drive is set up to sync at startup, specific files in the TEMP folder are created every time you start your computer. We are going to delete them now, but they will continue to be created at every startup. Stopping Google Drive from syncing at startup will prevent this.
  • Click Backup & Sync in your Taskbar/Notification area using Cloud icon.
  • Click the 3 dots to open Settings.
  • Click the Preferences option - usually the 5th one down from the top.
  • Select the Settings section located on the right side of the popup.
  • Clear that checkbox for Open Backup & Sync on system startup, save the changes and reboot.
You can also check if Google Drive sync is enabled at startup by doing the following:
  • Right click anywhere on your Taskbar and choose Task Manager.
  • If you don't see the tab Start-up, click More Details.
  • Choose the Start-up tab.
  • Check in the list if Google Drive Sync is enabled. If yes, click on it and choose Disable.

3. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
BootExecute: autocheck autochk * sdnclean64.exe
CHR DefaultSearchURL: Default -> hxxps://ssl.gstatic.com/images/branding/product/1x/messages_96dp.png
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FirewallRules: [{03DC3A62-E486-40D8-A465-9F32D7DF88CF}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [{F40B9929-EE65-4E36-9E5B-934DA59FC339}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [{50A8C14B-1214-45E5-A428-7EB371908639}] => (Allow) C:\Users\sound\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{9319F345-4C3E-42B4-846F-EE96EFB31BF0}] => (Allow) C:\Users\sound\AppData\Roaming\Zoom\bin\airhost.exe => No File
hosts:
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

4. Run AdwCleaner

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

5. Run Malwarebytes
  • Open Malwarebytes.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.
In your next reply, please post:
  1. The fixlog.txt
  2. The AdwCleaner[S0*].txt
  3. The Malwarebytes report
 
#9 ·
Okay, requested reports pasted/attached.

Malwarebytes result:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/13/21
Scan Time: 8:19 AM
Log File: 3a11ea70-6e17-11eb-95fd-1cbfc027e026.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37073
License: Trial

-System Information-
OS: Windows 10 (Build 18363.1379)
CPU: x64
File System: NTFS
User: SoundyPavilion\sound

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 285384
Threats Detected: 18
Threats Quarantined: 0
Time Elapsed: 2 min, 11 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 5
PUP.Optional.Trovi, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 1226, 454808, , , , , ,
PUP.Optional.PushNotifications.Generic, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 15848, 838845, , , , , ,
PUP.Optional.PushNotifications.Generic, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 15848, 838845, , , , , ,
PUP.Optional.Conduit, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 139, 454835, , , , , ,
PUP.Optional.Trovi, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 1226, 454808, , , , , ,

File: 13
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 1226, 454808, , , , , 4605DEE75795FAA6444C7BD6516526D4, E950D5B3DD7F153B5F65C462B5A9B4EFCCD434175C0716E4273089AC8BEF7318
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000963.log, No Action By User, 1226, 454808, , , , , D28F23EFD958C905CAA0A972F0EF3A05, 283D956FB23B2B0EC011FF31A80ABACEA6E21E4D86927639AEE0A6EB40916CAF
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000965.ldb, No Action By User, 1226, 454808, , , , , DA3087DAAC3F14601BBA2B2C4FB3AFC5, CC330A15ED2BCB3F38A80D8BC385EEF306B20B32F41A03A531B155CB7116F8DB
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, No Action By User, 1226, 454808, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, No Action By User, 1226, 454808, , , , , ,
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, No Action By User, 1226, 454808, , , , , 6F78C880F0DD167BA10AA8678122DF6B, 9DFC768F2A613608CCA5376FF369C7BD3E575B4E76A62FB24EACD41A4CAC0EF9
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, No Action By User, 1226, 454808, , , , , B8A311E9F940E6FACBCE2D63552DFEDF, 6A049D1FDCB3FE74BB685F42BEAD8410888F9C6EC5B09949E50E78144021A360
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, No Action By User, 1226, 454808, , , , , F5B39D560E9E63B873E61D2DA150BA9A, C233DEBC5C375DCF094B07B679069A616D6C33BF74978D62B56B8937AA8FD728
PUP.Optional.Trovi, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 1226, 454808, 1.0.37073, , ame, , 6DFD7AF8195F8361387A4AF9F4018E6D, E864B1D4DB0D4B84CC689F4DFBBC2719C8621870130382CF58E7334FB7DEF1CA
PUP.Optional.PushNotifications.Generic, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 15848, 838845, 1.0.37073, , ame, , 6DFD7AF8195F8361387A4AF9F4018E6D, E864B1D4DB0D4B84CC689F4DFBBC2719C8621870130382CF58E7334FB7DEF1CA
PUP.Optional.PushNotifications.Generic, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 15848, 838845, 1.0.37073, , ame, , 6DFD7AF8195F8361387A4AF9F4018E6D, E864B1D4DB0D4B84CC689F4DFBBC2719C8621870130382CF58E7334FB7DEF1CA
PUP.Optional.Conduit, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 139, 454835, 1.0.37073, , ame, , 6DFD7AF8195F8361387A4AF9F4018E6D, E864B1D4DB0D4B84CC689F4DFBBC2719C8621870130382CF58E7334FB7DEF1CA
PUP.Optional.Trovi, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 1226, 454808, 1.0.37073, , ame, , 6DFD7AF8195F8361387A4AF9F4018E6D, E864B1D4DB0D4B84CC689F4DFBBC2719C8621870130382CF58E7334FB7DEF1CA

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)
 

#10 ·
Hi.

Thank you for the logs.

Many things have been found. Let's clean.

1. AdwCleaner (Clean mode)

Let me explain to you the log created by AdwCleaner:

The findings in the Registry and Chromium parts of the log are adware and PUPs, which stands for Potentially Unwanted Programs. In the instructions below, I will list them all to be removed.

The section at the bottom under Preinstalled Software is software that was apparently installed when the device was new, which you may or may not use. It's your computer so your choice, but I would remove everything I don't use/need.

To proceed, please do the following:
  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all the boxes and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
    • Check any pre-installed software items you want to remove.
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start AdwCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

2. Run Malwarebytes (Clean mode)
  • Double click the program's icon on your Desktop, as you did before.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is unchecked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are selected, and click on Quarantine/Remove selected.
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

3. Fresh FRST logs
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please copy and paste the content of these two logs in your next reply.

In your next reply, please post:
  1. The AdwCleaner[C0*].txt
  2. The Malwarebytes report
  3. Fresh FRST logs, FRST.txt and Addition.txt
 
#13 · (Edited)
Hi, Soundy.

You can ignore my previous post. Not necessary now, let's keep it for the last step below.

Actually, you have the Trovi browser hijacker.

Chrome sync is causing problems for your system. Malwarebytes removes bad entries from Chrome, sync puts them back.

In addition to stopping Google Drive from syncing at start up, make a fresh clean install of Chrome. Also make sure that you don't have Drive/Chrome sync setting on in other devices.

1. Backup your Bookmarks

If your Chrome Bookmarks are important do this first:
Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome and save them to your Desktop. Note the instructions can also be used to Import the bookmarks.

2. Get ready - Download Chrome installer

Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html

3. Reset Sync
  • Open Chrome and sign into your account.
  • Open a new tab and type or copy paste chrome://settings/syncSetup
  • Press Enter.
  • In the new window that opens, "Sync everything" will probably be selected. Scroll down and select "Manage synced data on Google Dashboard".
  • A new window will open. Scroll down and select "Reset Sync" that will clear synced data from Google Server.

4. Completely uninstall Chrome

5. Install Google Chrome
  • Install Google Chrome using the installer you have already downloaded.
  • Import your Bookmarks.

6. Malwarebytes scan

Do a Malwarebytes scan. If those items appear, delete them and then do another scan in Scan mode (without deleting anything) as instructed here. Post the result in your next reply.

Please let me know what happens.
 
#14 ·
Yep, Malwarebytes shows the same crap.

Will proceed with the above instructions later this evening. Thanks for the assistance so far!

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/14/21
Scan Time: 4:22 PM
Log File: d31cba44-6f23-11eb-9218-1cbfc027e026.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37139
License: Trial

-System Information-
OS: Windows 10 (Build 18363.1379)
CPU: x64
File System: NTFS
User: SoundyPavilion\sound

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 297064
Threats Detected: 19
Threats Quarantined: 0
Time Elapsed: 2 min, 44 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 5
PUP.Optional.Trovi, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 1226, 454808, , , , , ,
PUP.Optional.PushNotifications.Generic, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 15848, 838845, , , , , ,
PUP.Optional.PushNotifications.Generic, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 15848, 838845, , , , , ,
PUP.Optional.Conduit, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 139, 454835, , , , , ,
PUP.Optional.Trovi, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 1226, 454808, , , , , ,

File: 14
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 1226, 454808, , , , , 19E95EE55E11CC35DC61D3A6452633A7, 69B4E0417849A877818E286F89AAD00E380002A0006D35104403005E10573D01
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000133.ldb, No Action By User, 1226, 454808, , , , , 89CA6B28F750C7303C742C4FBA4EB2B8, 12F33E87774C7DE80D83D815DDF0A9C1518086309D89E83175D8895AF107CE08
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000135.ldb, No Action By User, 1226, 454808, , , , , A65281A96389702706DCB07D39950A02, 52E7C1C8A8DC01E268A0E9FA1A7A0F2F3BD8D1EC378772C8BF29040EE1C21A8B
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000136.log, No Action By User, 1226, 454808, , , , , 0C1CFF85AF98A73264507E5FA80FAE63, 063CE9F2AD887EDBBD598F202B388F9E449FA40C489A18973CD8305C523E1C80
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000137.ldb, No Action By User, 1226, 454808, , , , , 45652E9362622958382B7CA15E3CBDF8, 021281F52864F1DF5518D180D4D91898BCF86D61FB1E4D0BA2FDA481161A5452
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, No Action By User, 1226, 454808, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, No Action By User, 1226, 454808, , , , , ,
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, No Action By User, 1226, 454808, , , , , 5A1F2B7119933EE9C324ABFCB76FDB17, DA5D76A8C5A7B52C8E48580B9FFC788B4C887D7DF0FF0856A20BD4EB0D7145CA
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, No Action By User, 1226, 454808, , , , , 46E0514206041B61E41C1A9136BE6C18, 63C16AA9BFFC3185E00F152D771CF2C918DB3DCCBF3AE5447056FE7F11097E00
PUP.Optional.Trovi, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 1226, 454808, 1.0.37139, , ame, , 4BC07E8D79B954265D68AD244097E258, E1CBD7A905E8C3E6822C70B8D664E30B058EC486BAAC478660E2E61A561E6DE2
PUP.Optional.PushNotifications.Generic, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 15848, 838845, 1.0.37139, , ame, , 4BC07E8D79B954265D68AD244097E258, E1CBD7A905E8C3E6822C70B8D664E30B058EC486BAAC478660E2E61A561E6DE2
PUP.Optional.PushNotifications.Generic, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 15848, 838845, 1.0.37139, , ame, , 4BC07E8D79B954265D68AD244097E258, E1CBD7A905E8C3E6822C70B8D664E30B058EC486BAAC478660E2E61A561E6DE2
PUP.Optional.Conduit, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 139, 454835, 1.0.37139, , ame, , 4BC07E8D79B954265D68AD244097E258, E1CBD7A905E8C3E6822C70B8D664E30B058EC486BAAC478660E2E61A561E6DE2
PUP.Optional.Trovi, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 1226, 454808, 1.0.37139, , ame, , 4BC07E8D79B954265D68AD244097E258, E1CBD7A905E8C3E6822C70B8D664E30B058EC486BAAC478660E2E61A561E6DE2

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)
 
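As an added illustration, not part of the thread or of Malwarebytes' own tooling: a small Python parser for the Malwarebytes 4 report format pasted in posts #9 and #14. It reads the -Scan Details- section, checks whether every detection lives under the Chrome profile's Sync Data store or Web Data database, and compares two reports to show the pattern the helper diagnosed in #13: the same PUP names recur while the underlying LevelDB files (and their hashes) are new, i.e. they are being regenerated by sync rather than surviving as leftovers. The two embedded reports are constructed, abbreviated samples with placeholder hashes; the field layout (name, path, action, ids, version, flags, MD5, SHA-256) is assumed from the lines pasted above, and paths are assumed to contain no commas.

```python
"""Parse and compare Malwarebytes 4.x text reports (constructed samples, not real logs)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set


class Detection(NamedTuple):
    category: str  # section header in -Scan Details-, e.g. "Folder" or "File"
    name: str      # detection name, e.g. PUP.Optional.Trovi
    path: str
    action: str
    md5: str       # empty for folders and lock files
    sha256: str


# Section headers inside -Scan Details- look like "File: 13" or "Registry Key: 0".
SECTION_RE = re.compile(
    r"^(Process|Module|Registry Key|Registry Value|Registry Data|Data Stream|"
    r"Folder|File|Physical Sector|WMI): (\d+)$"
)

# Markers for Chrome's sync-backed storage (assumed: these substrings identify
# the Sync Data LevelDB store and the Web Data SQLite database in a profile).
CHROME_SYNC_MARKERS = ("\\sync data\\", "\\web data")


def parse_report(text: str) -> List[Detection]:
    """Return one Detection per item line found after the -Scan Details- header."""
    detections: List[Detection] = []
    category = None
    in_details = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-Scan Details-":
            in_details = True
            continue
        if not in_details or not line or line == "(end)":
            continue
        header = SECTION_RE.match(line)
        if header:
            category = header.group(1)
            continue
        if line.startswith("(No malicious") or category is None:
            continue
        # Observed layout: name, path, action, id, id, version, , flags, , md5, sha256
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue
        md5 = fields[9] if len(fields) > 9 else ""
        sha256 = fields[10] if len(fields) > 10 else ""
        detections.append(Detection(category, fields[0], fields[1], fields[2], md5, sha256))
    return detections


def summarize(detections: List[Detection]) -> Dict[str, int]:
    """Count detections per name."""
    return dict(Counter(d.name for d in detections))


def chrome_profile_only(detections: List[Detection]) -> bool:
    """True if every detection path sits in Chrome's Sync Data or Web Data storage."""
    return all(any(m in d.path.lower() for m in CHROME_SYNC_MARKERS) for d in detections)


def persisted(first: List[Detection], second: List[Detection]) -> List[str]:
    """Detection names present in both reports."""
    return sorted({d.name for d in first} & {d.name for d in second})


def _hashes(detections: List[Detection], name: str) -> Set[str]:
    return {d.sha256 for d in detections if d.name == name and d.sha256}


def regenerated(first: List[Detection], second: List[Detection]) -> List[str]:
    """Names that recur in both reports but whose hashed files share no SHA-256: the
    on-disk files were rewritten between scans, so something is recreating them."""
    return sorted(
        n for n in persisted(first, second)
        if _hashes(first, n) and _hashes(second, n)
        and _hashes(first, n).isdisjoint(_hashes(second, n))
    )


# Constructed, abbreviated samples modelled on the thread's two reports; hashes are placeholders.
SAMPLE_REPORT_1 = r"""-Scan Summary-
Threats Detected: 4

-Scan Details-
Process: 0
(No malicious items detected)

Folder: 2
PUP.Optional.Trovi, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 1226, 454808, , , , , ,
PUP.Optional.Conduit, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 139, 454835, , , , , ,

File: 2
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 1226, 454808, , , , , 00000000000000000000000000000001, 0000000000000000000000000000000000000000000000000000000000000001
PUP.Optional.PushNotifications.Generic, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 15848, 838845, 1.0.37073, , ame, , 00000000000000000000000000000002, 0000000000000000000000000000000000000000000000000000000000000002

(end)
"""

SAMPLE_REPORT_2 = r"""-Scan Details-
Folder: 2
PUP.Optional.Trovi, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 1226, 454808, , , , , ,
PUP.Optional.Conduit, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 139, 454835, , , , , ,

File: 2
PUP.Optional.Trovi, C:\Users\sound\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000133.ldb, No Action By User, 1226, 454808, , , , , 00000000000000000000000000000003, 0000000000000000000000000000000000000000000000000000000000000003
PUP.Optional.PushNotifications.Generic, C:\USERS\SOUND\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 15848, 838845, 1.0.37139, , ame, , 00000000000000000000000000000004, 0000000000000000000000000000000000000000000000000000000000000004

(end)
"""

if __name__ == "__main__":
    first, second = parse_report(SAMPLE_REPORT_1), parse_report(SAMPLE_REPORT_2)
    print("counts:", summarize(first))
    print("all under Chrome sync storage:", chrome_profile_only(first))
    print("recurring with rewritten files:", regenerated(first, second))
```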
#21 ·
Yippee!!!!


Now, please let me see fresh FRST logs, so we can deal with anything left behind.
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please copy and paste the content of these two logs in your next reply.
 
#23 ·
Hi, Soundy.

Thanks for the logs.

1. Stop Google Drive Sync at start-up

This option returned. As a result, specific files in the TEMP folder are created every time you start your computer, taking unnecessary space. Stopping Google Drive from syncing at startup will prevent this.
  • Click Backup & Sync in your Taskbar/Notification area using Cloud icon.
  • Click the 3 dots to open Settings.
  • Click the Preferences option - usually the 5th one down from the top.
  • Select the Settings section located on the right side of the popup.
  • Clear that checkbox for Open Backup & Sync on system startup, save the changes and reboot.
You can also check if Google Drive sync is enabled at startup by doing the following:
  • Right click anywhere on your Taskbar and choose Task Manager.
  • If you don't see the tab Start-up, click More Details.
  • Choose the Start-up tab.
  • Check in the list if Google Drive Sync is enabled. If yes, click on it and choose Disable.

2. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {429ECCAA-CB86-43DF-8891-B64F13BF59F0} URL = hxxp://www.amazon.ca/s/ref=azs_osd_ieaca?ie=UTF-8&tag=hp-ca2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2598599195-3313540102-1335525054-1001 -> {429ECCAA-CB86-43DF-8891-B64F13BF59F0} URL = hxxp://www.amazon.ca/s/ref=azs_osd_ieaca?ie=UTF-8&tag=hp-ca2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
FirewallRules: [{C74B5399-089E-4855-9468-4969CD0F7B2E}] => (Allow) LPort=3445
S2 WildTangentHelper; "C:\Program Files (x86)\WildTangent Games\Integration\WildTangentHelperService.exe" [X]
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

3. AdwCleaner (Scan mode)

Let's check if Trovi has been completely removed.
  • Double click AdwCleaner.exe to run it, as you did before.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

4. Check Windows Defender
  • Go to Settings (Windows icon on the keyboard + i)
  • Select Privacy & Security
  • From the left pane, Windows Security
  • Open Windows Security
  • Please take a screenshot of what you see at the Security at a glance screen (Microsoft's instructions of how to take screenshots using snipping tool are here)

In your next reply, please post:
  1. The screenshot with Windows Defender status
  2. The fixlog.txt
  3. The AdwCleaner[S0*].txt
  4. Report any remaining issues regarding this computer
 
#25 ·
Okay, latest logs attached.

# -------------------------------
# Malwarebytes AdwCleaner 8.0.9.1
# -------------------------------
# Build: 01-20-2021
# Database: 2021-01-26.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 02-22-2021
# Duration: 00:00:34
# OS: Windows 10 Home
# Scanned: 31956
# Detected: 21

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

PUP.Optional.Legacy Bitly | Powerful Short Links - iabeihobmhlgpkcgjiloemdbofjbdcic

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.HPAudioSwitch Folder C:\Program Files (x86)\HP\HPAUDIOSWITCH
Preinstalled.HPAudioSwitch Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1E4C2240-51B2-455C-A1E1-A7C07A4AD5C2}
Preinstalled.HPAudioSwitch Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPAudioSwitch
Preinstalled.HPAudioSwitch Task C:\Windows\System32\Tasks\HPAUDIOSWITCH
Preinstalled.HPCleanFLC Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run|HPSEU_Host_Launcher
Preinstalled.HPRegistrationService Folder C:\ProgramData\HP\HP REGISTRATION SERVICE
Preinstalled.HPSupportAssistant Folder C:\HP\SUPPORT
Preinstalled.HPSupportAssistant Folder C:\Program Files (x86)\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant Folder C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant Folder C:\Users\sound\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Wow6432Node\\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSureConnect Folder C:\Program Files\HPCOMMRECOVERY
Preinstalled.HPSureConnect Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{6468C4A5-E47E-405F-B675-A70A70983EA6}
Preinstalled.HPTouchpointAnalyticsClient Folder C:\ProgramData\HP\HP TOUCHPOINT ANALYTICS CLIENT
Preinstalled.HPTouchpointAnalyticsClient Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E5FB98E0-0784-44F0-8CEC-95CD4690C43F}

AdwCleaner[S00].txt - [5772 octets] - [13/02/2021 08:16:52]
AdwCleaner[S01].txt - [5833 octets] - [14/02/2021 07:44:35]
AdwCleaner[C01].txt - [3502 octets] - [14/02/2021 07:46:27]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S02].txt ##########
 

#27 ·
Hi, Soundy.

1. Stop Google Drive Sync at start-up

This only prevents Google Drive Sync at startup. It doesn't cancel syncing, since if you open Drive, syncing is on. Of course the decision about this is yours and you are the one who knows better your needs.

2. FRST fix

I would like the fixlog after performing the Step 2 here. You ran another FRST scan instead and that was not necessary.

3. PUPs in AdwCleaner > Bitly

PUP is for potentially unwanted programs. Such software may use an implementation that can compromise privacy or weaken the computer's security. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, and in some cases without providing a clear opt-out method. If you think that it is fine to keep using Bitly, you can keep it. I wanted to see AdwCleaner's scan to check if Trovi is removed. It is removed, so no need to take any other action here.

4. Windows Defender / Antivirus

Windows Defender and Windows Firewall are shown with a red mark, meaning that they don't run properly and therefore your computer is not protected. You had Spybot & Destroy as an antivirus solution before. We uninstalled it because you said it was not working properly. I recommend you to stay with the built-in Windows 10 antivirus, running under the whole security package called Windows Security, but again, it's your computer so your decision. In any case, the antivirus has to work properly.

If you want to reinstall Spybot & Destroy, do it now and check if it is functional.

If you want to stay with Defender, then open Windows Security and fix all the issues regarding Windows Defender. Do the same about Windows Firewall. After you fix the issues, please take another screenshot and post it here.

5. Upgrade your operating system

Considering that you took care of all the above, you may consider upgrading your operating system. You have version 1909, two critical upgrades behind the latest one, which is 20H2. It is important always to keep current with the latest security fixes from Microsoft. This can patch many of the security holes through which attackers can infect your computer.

To upgrade:
  • Go to this Microsoft page and under the title Create Windows 10 installation media press on Download tool now.
  • Save the tool on your Desktop and double click to run it.
  • On the License terms page, if you accept the license terms, select Accept.
  • On the What do you want to do page, select Upgrade this PC now, and then select Next.
  • Follow the instructions and select Keep personal files and apps, when you are asked to.
  • It might take a couple of hours, depending on your Wi-Fi connection speed, to install Windows 10. Your PC will restart a few times. Make sure you don't turn off your PC.
  • After downloading and installing, the tool will walk you through how to set up Windows 10 on your PC.

In your next reply please post:

1. The fixlog
2. The Windows Security screenshot if you decide to stay with Defender
3. Any question/concern about the computer
 
#29 ·
I'm leaving this thread due to lack of feedback. If you still need assistance, you can post here again, or, if the thread is closed, send me a personal message (hover the mouse on my profile avatar and press Start a conversation) with a link to the topic.
 