foufoul

Members
  • Posts

    14
  • Joined

  • Last visited

Everything posted by foufoul

  1. I don't, I reinstalled Windows through a bootable key. But since the virus crashed my previous Windows I'm just worried that it could be a deeper issue, but I might be paranoid.
  2. Thanks, I'll read it! Keep in mind that I don't have those symptoms anymore, I'm just worried it might have infected my OS or USB boot key.
  3. Adding that the virus was not detected by Malwarebytes at all, I tried multiple complete scans.
  4. Hi, A member of my family got a virus somehow from downloading something (I guess), because there were popup ads at the bottom right with fake malware detection inviting to "solve the issue". But step by step, it started to make Windows unable to sign in to the account. I couldn't reset Windows 10 from the computer, nor go back to a previous restoration point (all deleted). I had to reinstall from a USB boot key. I just wanted to check that everything is clean, including my USB key. Check the screenshots below. Thanks!! Note: I didn't put my USB key in during those analyses, please tell me if it's needed. analyse malwarebyte.txt FRST.txt Addition.txt
  5. Oh I see what you mean. However with Chrome, I can connect from any new computer and my extensions will be available (Adblock for example). A prompt message asking before if I want to sync or not. It's convenient but I know how problematic it can be. But based on what you say, I think the browser just installs it automatically when I sync it. So my concern was about whether or not it would install the malicious ones. Correct me if I'm wrong. I misunderstood, sorry. Yes "doduy" is an admin account that I've created. And I installed the tools on this account (the one that got hijacked named "Kevin Travail") which is a guest account. I didn't want the tools to only scan the "doduy" account which was safe, but I guess they would scan the entire disk. Plus, all temp files are in the admin account (e.g. C:\Users\doduy\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\ehpgcagmhpndkmglombjndkdmggkgnge). I was carefully following what you recommended to me, and cleaned my extensions as you said that Brave and Chrome were full of them. But Brave turns out to be empty, however the folder is not. See my screenshots. Might be the "invisible" extensions issue I've got? Thanks Maurice
  6. Hello, Indeed, I'm using another Windows account, and the hijack happened on this account. But the tools you made me use are (somehow) located in the "doduy" account. I will check all the steps you've described, your answer is well detailed. Thanks a lot for your support and your patience Maurice. It was great to have your expertise. Regards,
  7. Hello, To avoid misunderstanding. I use Chrome, and the problem happened on Chrome only. I was only using Brave temporarily during the process of cleaning my computer. Just letting you know that I have multiple Windows accounts and "doduy/" isn't the account I was on when the issue happened. And it seems like many files from the software you told me to use are being saved in this user folder. I recently activated automatically WebGPL on Chrome to use some software. Hope it wasn't the cause. Thanks for your detailed answers. I read the articles you've sent me and it's interesting! 3. Is there any problem with Brave then? Because I don't use it, so I would be surprised. 4. Question: how can I diagnose it myself? Malwarebytes didn't detect anything at the time, neither Adware Malwarebytes. So what should I do if I'm suspecting something that runs in the background? (except deleting extensions ofc). I'm asking that because my Chrome accounts are always synced (extensions, history, literally everything) so if a malicious extension is up, it would be on other computers. Here is the report, Thanks! rogue_report.txt
  8. Hello Maurice, I was using Brave only during the clean process. Chrome seems now back to normal. However, I have multiple questions, hope you can help me on that before you go, so I can prevent this from happening again! I know your time is precious, don't hesitate to link some resources if you want to, I can do some research. How did that happen? I checked, and I swear I've seen no extensions that I didn't know. Plus, I installed nothing (I never do) when navigating on this streaming website. Does the problem only come from my browser or was it installed on my computer? Can I prevent it by blocking some automatic actions made without my consent? For the record, as I said I have two Chrome accounts synced, and only one was affected. How does it work, since I saw nothing malicious. Is it an adware, malware, hidden extension...? Did it affect my data (stolen?) since I was connected with my Google accounts? (passwords, Google Photos, files, etc...) I was connected, and used this Google account on another computer which was automatically synced with Chrome. Did it spread by any chance? I've had a virus once, so I'm usually really cautious (hope so). You're a savior, thanks again for your time
  9. Hi, I've been using Brave as a browser since then. Here is the file. Everything is doing good for now. Thanks for your help! Fixlog.txt
  10. And to add some context. Now on one Google account, I clearly have a redirection to charmsearching, but when I switch to my second Chrome account, the Google results page is weirdly resized.
  11. Hello, I know you will not like it but I have to copy paste the report, I literally can't upload a file. I just have a text box. See my screenshot: https://ibb.co/42v7Bz1 And here is the report:

      # -------------------------------
      # Malwarebytes AdwCleaner 8.0.9.1
      # -------------------------------
      # Build: 01-20-2021
      # Database: 2021-01-26.1 (Cloud)
      # Support: https://www.malwarebytes.com/support
      #
      # -------------------------------
      # Mode: Clean
      # -------------------------------
      # Start: 02-01-2021
      # Duration: 00:00:07
      # OS: Windows 10 Home
      # Cleaned: 0
      # Failed: 0

      ***** [ Services ] *****
      No malicious services cleaned.
      ***** [ Folders ] *****
      No malicious folders cleaned.
      ***** [ Files ] *****
      No malicious files cleaned.
      ***** [ DLL ] *****
      No malicious DLLs cleaned.
      ***** [ WMI ] *****
      No malicious WMI cleaned.
      ***** [ Shortcuts ] *****
      No malicious shortcuts cleaned.
      ***** [ Tasks ] *****
      No malicious tasks cleaned.
      ***** [ Registry ] *****
      No malicious registry entries cleaned.
      ***** [ Chromium (and derivatives) ] *****
      No malicious Chromium entries cleaned.
      ***** [ Chromium URLs ] *****
      No malicious Chromium URLs cleaned.
      ***** [ Firefox (and derivatives) ] *****
      No malicious Firefox entries cleaned.
      ***** [ Firefox URLs ] *****
      No malicious Firefox URLs cleaned.
      ***** [ Hosts File Entries ] *****
      No malicious hosts file entries cleaned.
      ***** [ Preinstalled Software ] *****
      No Preinstalled Software cleaned.

      *************************
      [+] Delete Tracing Keys
      [+] Reset Winsock
      *************************

      AdwCleaner[S00].txt - [1406 octets] - [01/02/2021 18:32:11]
      AdwCleaner[S01].txt - [1467 octets] - [01/02/2021 18:35:42]

      ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########
  12. Thanks a lot Maurice for your help. You're a savior. Here we go, here is the file (I cannot attach it directly on the forum, so I used WeTransfer): https://we.tl/t-7ArYwy4oOh I recently disconnected all of my Google accounts from syncing with Chrome to be safe. Regards,
  13. Hello, I'm glad this forum exists. I've already had virus problems in the past, so I'm really cautious now. But recently I've been on websites for streaming (www12.9anime.to). And suddenly my search queries are redirected to Bing through Charmsearching.com. I don't have any extensions in my browser that are abnormal. I don't have any clue why it has been installed since I didn't download anything. How did it happen? I've read that this malware sells your data for identity theft, and I'm really worried since my browser is Chrome and multiple Google accounts are connected to it. What are the risks? Malwarebytes doesn't detect anything with a scan! Thank you for your help.