[Chrissy26]

When searching in Chrome (or Firefox) it reverts to myhoroscope.com and then reverts to the Yahoo search engine.

 

I have tried resetting the search engine and default browser defaults in settings multiple times.

 

I have run a full Kaspersky scan and it comes back clean, but the problem is still happening.  

[Advertisements]

Hello, Chrissy26.
 
Welcome to GTG Forums.

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.

If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

• Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
• Press Scan button and wait for a while.
• The scanner will produced two logs on your Desktop: FRST.txt and Addition.txt.
• Please attach the content of these two logs in your next reply.

(To attach the files, click on the More Reply Options at the bottom right of the reply area, and then choose Attach File)

[DR M]

Hello, Chrissy26.
 
Welcome to GTG Forums.

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.

If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

• Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
• Press Scan button and wait for a while.
• The scanner will produced two logs on your Desktop: FRST.txt and Addition.txt.
• Please attach the content of these two logs in your next reply.

(To attach the files, click on the More Reply Options at the bottom right of the reply area, and then choose Attach File)

[Chrissy26]

Hi Dr M

 

Thank you. I have run the scan. Attached are the files.

 

Chrissy

Attached Files

•  FRST.txt   52.26KB   36 downloads
•  Addition.txt   34.48KB   31 downloads

[DR M]

Hello, Chrissy.

Please, adhere to the guidelines below, and then carefully follow, with the same order, all the instructions after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed, is the easiest way to get infected. Thus, no need to clean the computer, since, soon or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.
 
 
======================
 
1. Move FRST
 
Please move the tool from your Downloads folder directly on to your Desktop.
 
 
2. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
FirewallRules: [{188E301C-5BF3-4DCA-9C30-EF4BD2746B7F}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe => No File
FirewallRules: [{86307F49-A1B2-465D-BEA9-516DC7DD73AB}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe => No File
HKLM\...\Run: [] => [X]
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
FF Homepage: Mozilla\Firefox\Profiles\hatm12ic.default-release -> hxxps://mobilisearch.com/?path=firefox/newtab&u=1de1d269f6ed8122&subid=11119&channel=default
S3 cpuz153; \??\C:\WINDOWS\temp\cpuz153\cpuz153_x64.sys [X] <==== ATTENTION
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
EmptyTemp:
End::

• Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Post the log in your next reply.

 

3. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.

• Double click AdwCleaner.exe to run it.
• Click Scan Now.
  • When the scan has finished, a Scan Results window will open.
  • Click Cancel (at this point do not attempt to Quarantine anything that is found)
• Now click the Log Files tab.
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
  • A Notepad file will open containing the results of the scan.
  • Please post the contents of the file in your next reply.

 

 

4. Run Malwarebytes (scan only)

• Download Malwarebytes and save it to your Desktop.
• Once downloaded, close all programs and Windows on your computer.
• Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
• Follow the instructions to install the program.
• When finished, double click the program's icon created on your Desktop.
• Click the little gear on the top right (Settings) and when it opens, click the General tab. Under the title Windows Security Center, make sure the option is disabled. 
• Click the Protection tab and enable the 4 options under Real-time protection. 
• Return to the Dashboard and choose Scan. 
• When finished, you will see the Threat Scan Summary window open.
• If threats are not found, click View Report and proceed to the two last steps below.
  
  If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

In your next reply, please post:

• The fixlog.txt
• The AdwCleaner[S0*].txt
• The Malwarebytes report

[Chrissy26]

Hi Dr M

 

Thank you. I have run the scans. Please see attached.

 

Chrissy

Attached Files

•  Fixlog.txt   18.34KB   27 downloads
•  AdwCleanerS00.txt   1.56KB   25 downloads
•  Malwarebytes Scan Report 2024-04-06 161906.txt   4.78KB   32 downloads

[DR M]

Hello, Chrissy.
 
Some system corruptions were fixed and some items were detected by the tools we used.
 
What I noticed, is that due to Google Sync option, you have some bad items which will remain in the system even if we clean them now. To avoid that:
 
Turn Google Sync option OFF in this computer and in all the devices you are using. DO NOT turn it on, until I ask you to. 
 
This link can help you work around with Google Sync: Delete synced information from your account
 
After the above:

 
1. AdwCleaner (Clean mode)
 
This tool detected the following:
 
PUP.Optional.DriverUpdatePlus   C:\Users\user\Downloads\DRIVERUPDATE.EXE
PUP.Optional.FreeMakeConverter  HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Run|ProductUpdater
PUP.Optional.Legacy             HKCU\Software\Classes\.bgl

The second detection has to do with FreeMaker Converter you have already installed, and specifically with the product's updater. Not sure if it is a false-positive or not, but if you downloaded the product from its official site, then you can leave it there.
 
However, I recommend you to remove the other two findings.

To proceed, please do the following:

• Double click AdwCleaner.exe on your Desktop, to run it as you did before.
• Click Scan Now.
• Once the scan completes, AdwCleaner shows you what it found on your computer. Check the boxes next to any items you want to quarantine and disable, then click Next.
• Now, AdwCleaner will show you any preinstalled software it found on your device. Again, check the boxes next to any items you want to quarantine and disable. If nothing found, you won't see this message. If you don't want to remove any preinstalled software, click Cancel and continue.
• Click Continue, then click Restart now, and you’re done.
• Once your computer has restarted:
  • Click the Log Files tab.
  • Click Skip Basic Repair to finish the cleaning process
  • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
  • A Notepad file will open containing the results of the removal.
  • Please post the contents of the file in your next reply.

 

 

2. Malwarebytes (Clean mode)
 
Run Malwarebytes as you did before, but this time, when the threats are found:

• Make sure that all threats are selected, and click on Quarantine/Remove selected.
• You may need to restart the computer.
• Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
• Find the report with the most recent date and double click on it.
• Click on Export and then Copy to Clipboard.
• Paste its content here, in your next reply.

 

 

In your next reply please post:

• If you successfully tuned off Google Sync for ALL your devices
• The AdwCleaner[C0*].txt
• The Malwarebytes report
• Feedback: How is the computer running now? Any improvement with the initial issue? 

[Chrissy26]

Hi Dr M

 

I have excellent news. I have followed your instructions and the issue now appears to be resolved and chrome is back to normal now. Thank you so much for your advice. 

 

I have turned off Google Sync and the reports are attached.

 

Thanks

Chrissy

Attached Files

•  AdwCleanerC01.txt   1.66KB   22 downloads
•  Malwarebytes Scan Report 2024-04-06 151918.txt   4.67KB   22 downloads

[DR M]

Hello, Chrissy!

 

 

I have excellent news. I have followed your instructions and the issue now appears to be resolved and chrome is back to normal now. Thank you so much for your advice. 

 

Yes, this is excellent news indeed! I'm glad the problem is now resolved. 

 

Let's check fresh FRST logs now, just to ensure that everything is clean.

[DR M]

Hi, Chrissy.

 

Are you still with me? 

[Chrissy26]

Hi Dr M

 

I have run a fresh FRST, attached are the reports.

 

Thanks again

Chrissy

Attached Files

•  FRST.txt   41.2KB   22 downloads
•  Addition.txt   36.98KB   21 downloads

[DR M]

The logs are clean.

 

Let's see another scan from Malwarebytes, before doing anything else. Run the tool as you did before, and attach the report, please. 

[Chrissy26]

Hi Dr M

 

Please see attached new scan from Malwarebytes...

[Chrissy26]

Hi Dr M

 

It wouldn't attach the report, so I have pasted here... 

 

Malwarebytes

www.malwarebytes.com

 

-Log Details-

Scan Date: 4/12/2024

Scan Time: 9:18 AM

Log File: da114f6e-f859-11ee-8e57-64006a52b935.json

 

-Software Information-

Version: 5.1.2.109

Components Version: 1.0.1207

Update Package Version: 1.0.83331

License: Trial

 

-System Information-

OS: Windows 10 (Build 19045.4170)

CPU: x64

File System: NTFS

User: WINDOWS-QSS2PM6\user

 

-Scan Summary-

Scan Type: Threat Scan

Scan Initiated By: Manual

Result: Completed

Objects Scanned: 238548

Threats Detected: 0

Threats Quarantined: 0

Time Elapsed: 2 min, 30 sec

 

-Scan Options-

Memory: Enabled

Startup: Enabled

File system: Enabled

Archives: Enabled

Rootkits: Disabled

Heuristics: Enabled

PUP: Detect

PUM: Detect

 

-Scan Details-

Process: 0

(No malicious items detected)

 

Module: 0

(No malicious items detected)

 

Registry Key: 0

(No malicious items detected)

 

Registry Value: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Data Stream: 0

(No malicious items detected)

 

Folder: 0

(No malicious items detected)

 

File: 0

(No malicious items detected)

 

Physical Sector: 0

(No malicious items detected)

 

WMI: 0

(No malicious items detected)

 

 

(end)

Edited by Chrissy26, 11 April 2024 - 05:32 PM.

[DR M]

Perfect!

 

Your computer is clean. Now, you can turn ON the Google sync, if you like, starting first from this computer we cleaned. This is very important, and if you don't do it, the computer will get infected again. So be careful with this.

 

As to your question here, please let me know if you are using the computer at that specific time. This is the way to track your Data usage:

Settings > Network and Internet > Data usage

[Chrissy26]

I have turned on Google sync.

 

No, the computer isn't being used at the time of the data usage. It seems to be something running in the background overnight.