[Tollerowner]

My search engine changed from Google to Yahoo.

I did everything suggested on the internet and it doesn't help.

I ran 4 antivirus softwares.  One found and deleted most of "PC-App-Store" and I uninstalled the rest.  It didn't help.

I can change my default to Bing and that works, but changing back to Google gives me Yahoo.

Any advice?

Attached Files

•  FRST.txt   23.66KB   121 downloads
•  Addition.txt   33.79KB   116 downloads

Edited by Tollerowner, 24 October 2022 - 08:15 PM.

[Advertisements]

Hi, Tollerowner.


Please, adhere to the guidelines below, and then carefully follow, with the same order, all the instructions after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed, is the easiest way to get infected. Thus, no need to clean the computer, since, soon or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.
 
 
===============================
 
1. FRST fix
 
Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
AS: Bitdefender Antispyware (Enabled - Up to date) {B5763A99-8435-6D40-83EB-2CA97758A9A5}
SearchScopes: HKU\S-1-5-21-612249682-4202380856-1698065691-1001 -> DefaultScope {19DD036C-D3F6-4E92-AC6C-D795D806EB14} URL = 
SearchScopes: HKU\S-1-5-21-612249682-4202380856-1698065691-1001 -> {19DD036C-D3F6-4E92-AC6C-D795D806EB14} URL = 
FirewallRules: [{5BA8CB5E-4132-4080-B074-4B78E3C20397}] => (Allow) C:\Users\Wade\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{848401B9-05EC-4783-93AB-BA4E6A8E71F0}] => (Allow) C:\Users\Wade\AppData\Roaming\Zoom\bin\Zoom.exe => No File
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-612249682-4202380856-1698065691-1001\...\Run: [] => [X]
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
CHR DefaultSearchURL: Default -> hxxps://www.bing.com/search?q={searchTerms}&PC=U316&FORM=CHROMN
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultNewTabURL: Default -> hxxps://www.bing.com/chrome/newtab
CHR DefaultSuggestURL: Default -> hxxps://www.bing.com/osjson.aspx?query={searchTerms}&language={language}&PC=U316
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [209088 2022-09-27] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [199312 2022-09-27] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\system32\DRIVERS\avkmgr.sys [46704 2022-09-27] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG)
R1 webshieldfilter; C:\WINDOWS\System32\drivers\webshieldfilter.sys [96264 2022-09-27] (Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Win 7 DDK provider) <==== ATTENTION
2022-10-15 10:18 - 2022-09-27 05:42 - 000209088 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avgntflt.sys
2022-10-15 10:18 - 2022-09-27 05:42 - 000199312 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avipbb.sys
2022-10-15 10:18 - 2022-09-27 05:42 - 000046704 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avkmgr.sys
2022-10-14 04:52 - 2022-10-14 04:52 - 000000000 ____D C:\ProgramData\TotalAV
2022-10-14 04:52 - 2022-10-14 04:52 - 000000000 ____D C:\ProgramData\SecuritySuite
2022-10-14 04:52 - 2022-09-27 05:42 - 000096264 _____ (Windows (R) Win 7 DDK provider) C:\WINDOWS\system32\Drivers\webshieldfilter.sys
EmptyTemp:
End::

• Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Post the log in your next reply.

 

2. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.

• Double click AdwCleaner.exe to run it.
• Click Scan Now.
  • When the scan has finished, a Scan Results window will open.
  • Click Cancel (at this point do not attempt to Quarantine anything that is found)
• Now click the Log Files tab.
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
  • A Notepad file will open containing the results of the scan.
  • Please post the contents of the file in your next reply.

 

3. Run Malwarebytes (scan only)

• Open Malwarebytes you have already installed. 
• Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
  

  Under the title Scan Options, all the options are checked.
  Under the title Windows Security Center (Premium only) the option is NOT checked.
  Under the title Potentially unwanted items all options are set to Always.

• Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may be take longer.
• When finished, you will see the Threat Scan Summary window open.
• If threats are not found, click View Report and proceed to the two last steps below.
  
  If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

 

 

In your next reply, please post:

• The fixlog.txt
• The AdwCleaner[S0*].txt
• The Malwarebytes report

[DR M]

Hi, Tollerowner.


Please, adhere to the guidelines below, and then carefully follow, with the same order, all the instructions after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed, is the easiest way to get infected. Thus, no need to clean the computer, since, soon or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.
 
 
===============================
 
1. FRST fix
 
Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
AS: Bitdefender Antispyware (Enabled - Up to date) {B5763A99-8435-6D40-83EB-2CA97758A9A5}
SearchScopes: HKU\S-1-5-21-612249682-4202380856-1698065691-1001 -> DefaultScope {19DD036C-D3F6-4E92-AC6C-D795D806EB14} URL = 
SearchScopes: HKU\S-1-5-21-612249682-4202380856-1698065691-1001 -> {19DD036C-D3F6-4E92-AC6C-D795D806EB14} URL = 
FirewallRules: [{5BA8CB5E-4132-4080-B074-4B78E3C20397}] => (Allow) C:\Users\Wade\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{848401B9-05EC-4783-93AB-BA4E6A8E71F0}] => (Allow) C:\Users\Wade\AppData\Roaming\Zoom\bin\Zoom.exe => No File
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-612249682-4202380856-1698065691-1001\...\Run: [] => [X]
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
CHR DefaultSearchURL: Default -> hxxps://www.bing.com/search?q={searchTerms}&PC=U316&FORM=CHROMN
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultNewTabURL: Default -> hxxps://www.bing.com/chrome/newtab
CHR DefaultSuggestURL: Default -> hxxps://www.bing.com/osjson.aspx?query={searchTerms}&language={language}&PC=U316
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [209088 2022-09-27] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [199312 2022-09-27] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\system32\DRIVERS\avkmgr.sys [46704 2022-09-27] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG)
R1 webshieldfilter; C:\WINDOWS\System32\drivers\webshieldfilter.sys [96264 2022-09-27] (Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Win 7 DDK provider) <==== ATTENTION
2022-10-15 10:18 - 2022-09-27 05:42 - 000209088 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avgntflt.sys
2022-10-15 10:18 - 2022-09-27 05:42 - 000199312 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avipbb.sys
2022-10-15 10:18 - 2022-09-27 05:42 - 000046704 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avkmgr.sys
2022-10-14 04:52 - 2022-10-14 04:52 - 000000000 ____D C:\ProgramData\TotalAV
2022-10-14 04:52 - 2022-10-14 04:52 - 000000000 ____D C:\ProgramData\SecuritySuite
2022-10-14 04:52 - 2022-09-27 05:42 - 000096264 _____ (Windows (R) Win 7 DDK provider) C:\WINDOWS\system32\Drivers\webshieldfilter.sys
EmptyTemp:
End::

• Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Post the log in your next reply.

 

2. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.

• Double click AdwCleaner.exe to run it.
• Click Scan Now.
  • When the scan has finished, a Scan Results window will open.
  • Click Cancel (at this point do not attempt to Quarantine anything that is found)
• Now click the Log Files tab.
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
  • A Notepad file will open containing the results of the scan.
  • Please post the contents of the file in your next reply.

 

3. Run Malwarebytes (scan only)

• Open Malwarebytes you have already installed. 
• Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
  

  Under the title Scan Options, all the options are checked.
  Under the title Windows Security Center (Premium only) the option is NOT checked.
  Under the title Potentially unwanted items all options are set to Always.

• Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may be take longer.
• When finished, you will see the Threat Scan Summary window open.
• If threats are not found, click View Report and proceed to the two last steps below.
  
  If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

 

 

In your next reply, please post:

• The fixlog.txt
• The AdwCleaner[S0*].txt
• The Malwarebytes report

[Tollerowner]

Adw found a bunch of crap.  You don't know how badly i want to delete that stuff!

Attached Files

•  MWB.txt   1.2KB   118 downloads
•  FRST.txt   23.66KB   118 downloads
•  AdwCleanerS00.txt   2.24KB   114 downloads

[DR M]

Hi!
 
You missed a step, Step 1. Actually, after selecting the content of the fix and copy it, I would like you to run FRST and choose FIX, not Scan. Do that and attach the fixlog.txt which is going to be created on your Desktop.
 
After that:

• Double click AdwCleaner.exe on your Desktop, to run it as you did before.
• Click Scan Now.
• When the scan has finished a Scan Results window will open.
• Please check all the boxes and then click Quarantine.
• Click Next.
  • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
  • Check any pre-installed software items you want to remove.
  • Click Quarantine.
• A prompt to save your work will appear.
  • Click Continue when you're ready to proceed.
• A prompt to restart your computer will appear.
  • Click Restart Now.
• Once your computer has restarted:
  • If it doesn't open automatically, please start AdwCleaner.
  • Click the Log Files tab.
  • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
  • A Notepad file will open containing the results of the removal.
  • Please post the contents of the file in your next reply.

 

 

In your next reply, please post:

1. The fixlog.txt
2. The AdwCleaner[S0*].txt

[Tollerowner]

Didn't fix the problem
 

Attached Files

•  AdwCleanerC01.txt   2.26KB   116 downloads
•  AdwCleanerS02.txt   1.57KB   115 downloads

[DR M]

I still don't see your fixlog.txt.

 

Please read carefully my instructions here and do Step 1. 

[Tollerowner]

I still don't see your fixlog.txt.

 

Please read carefully my instructions here and do Step 1. 

Didn't help 

Attached Files

•  Fixlog.txt   7.2KB   116 downloads

Edited by Tollerowner, 26 October 2022 - 10:39 AM.

[DR M]

Thank you!
 
That is what I wanted to see.
 
Just letting you know that we are in the process of cleaning the computer and not just solve the initial issue. So, stay with me until the end. 
 
Just to ensure everything is clean:

Download ESET Online Scanner and save it to your desktop.

• Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
• When the tool opens, click Get Started.
• Read and accept the license agreement.
• At the Welcome to ESET Online Scanner window, click Get Started.
• Select whether you would like to send anonymous data to ESET.
• Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
• Click on the Full Scan option.
• Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
• ESET will now begin scanning your computer. This may take some time.
• When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
• ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
• On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
• Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

[Tollerowner]

ESET said it didn't find anything

[DR M]

Thanks for the info.
 
Please run FRST tool once more, and attach for me fresh logs:

• Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
• Press Scan button and wait for a while.
• The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
• Please attach these two logs in your next reply.

[Tollerowner]

OKAY

 

Attached Files

•  Addition.txt   32.14KB   187 downloads
•  FRST.txt   21.7KB   115 downloads

[DR M]

Hi. 
 
I see that the computer got updated to the latest Windows version (22H2), which was the last thing I would ask from you. However, I don't see the update files in the files part of the logs, and this is strange. 

 

 

Something else I noticed is that Malwarebytes is still registered in the Windows Security Center. Let's fix it:
 
Please open Malwarebytes, click the little gear on the top right, then click the Security tab and make sure about the following:

Under the title Scan Options, all the options are checked.
Under the title Windows Security Center (Premium only) the option is unchecked.
Under the title Potentially unwanted items all options are set to Always.

 
After that, run the following FRST fix. 
 
Your default browser is Chrome, and I didn't give the proper attention to Edge. I wonder why Malwarebytes or AdwCleaner didn't do the job for me.
 
 
FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
Task: {00B5CC17-2B3B-434F-A367-58120BE1A01F} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-612249682-4202380856-1698065691-1001 => C:\Users\Wade\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting (No File)
Task: {E86905CA-48E6-4448-9D10-0DB8BD01A780} - System32\Tasks\OneDrive Standalone Update Task v2 => C:\Users\Wade\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe (No File)
Edge DefaultSearchURL: Default -> hxxps://mobility-search.com/search?subid=11119&u=7df685ee95350dcc&channel=default&keyword={searchTerms}
Edge DefaultNewTabURL: Default -> hxxps://mobilisearch.com/?path=chrome/newtab&u=7df685ee95350dcc&subid=11119&channel=default
2022-10-14 04:54 - 2022-10-14 04:54 - 000000000 ____D C:\Users\Wade\OneDrive\Documents\TotalAV
File: C:\Users\Wade\AppData\Local\Tempwd.tmp
VirusTotal: C:\Users\Wade\AppData\Local\Tempwd.tmp
EmptyTemp:
End::

• Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Post the log in your next reply.

[Tollerowner]

I think I had malwarebytes set right; no?

Attached Thumbnails

• 

Attached Files

•  Fixlog.txt   3.95KB   116 downloads

[DR M]

OK, since you have the free Malwarebytes, the specific setting can't be enabled anyway.
 
Open Malwarebytes, go to Settings (little gear at the top right), then choose the Account tab and click on De-activate.
 
Another fix for some maintenance:
 
 
FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
C:\Users\Wade\AppData\Local\Tempwd.tmp
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
EmptyTemp:
End::

• Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Post the log in your next reply.

 

How is the computer running now? 

[DR M]

Hi.

 

Are you still with me?