Jump to content

Bing search redirect malware

Recommended Posts

Hello all!

On this computer whenever google is used it redirects to bing.

There is this bullcrap running:

C:\Windows\System32\pwovstdsvc.exe which I can't stop to delete, access is denied. Taking ownership of the file is denied as well. This file seems to create a few randomly named folders in appdata\local that are also unable to be deleted/ownership taken due to permissions problems.

Attached is the malwarebytes scan, fst, and addition.






Link to post
Share on other sites

  • Staff

***This is an automated reply***


Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here help you!!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact an Administrator to let them know.

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:


Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.

  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.

  4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:


Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.

  3. It will make a log (FRST.txt) in the same directory the tool is run. Please attach or copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:   notify me.jpeg

Click "Reveal Hidden Contents" below for details on how to add attachments to your post.
Note: If you are unable to attach files, please copy and past the contents of the requested files in your Reply instead. 


To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

Troubleshooting Tips



Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

I have identified a bad SmartService infection.

You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...

For now I need to know  if you can enable the Recovery Environment...

Open FRST on the compromised computer:

copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes


On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
Copy and paste its content in your next reply.

Wait for further instructions.

Link to post
Share on other sites


Here is the file attached and pasted.

Fix result of Farbar Recovery Scan Tool (x64) Version: 06.06.2018 01
Ran by owner (13-06-2018 10:47:43) Run:1
Running from C:\Users\owner\Desktop
Loaded Profiles: owner (Available Profiles: owner & Administrator)
Boot Mode: Normal

fixlist content:
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========

========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========

==== End of Fixlog 10:47:43 ====



Link to post
Share on other sites

Lets proceed:

Preparing the USB Flash Drive

Using the Clean computer download the right version of Farbar program for your system to Desktop.
64-bit or 32 bit version. Select the one you need.

Move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive

How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.


Boot in the Recovery Environment WINDOWS 7 USERS

To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
Restart the computer
Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears

Look at this video if not familiar with it.

Use the arrow keys to select Repair your computer, and press on Enter
Select your keyboard layout (US, French, etc.) and click on Next

Once in the command prompt
Plug your USB Flash Drive in the infected computer

Click on Command Prompt to open the command prompt

In the command prompt, type notepad and press on Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad

In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe and press on Enter

Note: Replace the letter e with the drive letter of your USB Flash Drive

FRST will open

Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply.

Wait for further instructions.

If at any time you need additional information please ask before proceeding.

Link to post
Share on other sites

Thank you so much for your help. Do to time constraints I had to press on. But thankfully things worked out and the machine is clean now.

I made a recovery usb and boot into the recovery console.

Thanks to the frst log I wiped out every reference to the rootkit it indicated (and removed the junk it referenced in the registry as well)

then I searched through the file system by date that it started (and with the hidden flag) and removed the garbage in drivers, system32, tasks, etc. In the user dirs I removed the garbage folders in local data.

Emptied the recycle bin, remade the hibernation and page swap files, etc.

checked that safemode was ok, ran some cleaners then finally in a normal boot malwarebytes came up and ran clean.

Thank you for your help, I could not have done it without those log files.


Link to post
Share on other sites

  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.