SkipperGas Posted October 13, 2018 ID:1275280 Share Posted October 13, 2018 I first reported this problem to Malwarebytes in about May, 2018 through the regular channels. Today, they directed me to this "I'm infected - what do I do now". My problem has remained about the same over this time, getting a little worse. I have 3 attachments from this morning's results. 1. My Malwarebytes Premium ran automatically this morning, and did not find any threats. (attachment #1) 2. After surfing with Google Chrome for a while, I ran AdwCleaner, as I also did yesterday, and many other days, with the same results - 9 threats. (attachment #2) 3. After restarting, but before I started any other programs, I ran AdwCleaner again, and got the same results - 9 threats. (attachment #3) 4. I ran the FRST program, and log is attached 5. Addition log is attached Note: one thing that I have always noticed is a folder called "search" appears in my downloads folder after every restart. I have not been able to get rid of it. If I double click on it, I get to a "data" folder. If I double click on that, I get to a "temp" folder. If I double click on that, I get to a "usgthrsvc" folder. If I double click on that, I get a "folder is empty"; however I think there may be hidden data in there; because deleting it may result in more folders being deleted than are evident. Sometimes, I am initially denied access to this lowest folder until I say "continue" 2 - AdwCleaner[C64] 9 found.txt 3 - AdwCleaner[S65].txt 4 -FRST.txt 5 - Addition.txt Link to post Share on other sites More sharing options...
nasdaq Posted October 14, 2018 ID:1275423 Share Posted October 14, 2018 Hello, Welcome to Malwarebytes. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed. === Remove this program in bold via the Control Panel > Programs > Programs and Features.CCleaner (HKLM\...\CCleaner) (Version: 5.45 - Piriform) Version 5.45 is compromised. Delete it and get the the latest version.https://www.ccleaner.com/ Information.https://www.bleepingcomputer.com/news/software/ccleaner-v545-pulled-due-to-anger-over-usage-data-collection/ === Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the FRST.txt log you have submitted. Run FRST and click Fix only once and wait. The tool will create a log (Fixlog.txt) please post it to your reply. === Reset Chrome... Open Google Chrome, click on menu icon or the 3 vertical dots located right side top of the google chrome. Click "Settings" then "Show advanced settings" at the bottom of the screen. Click "Reset and clean up" > "Restore settings to their original defaults" Restart Chrome. <<<>>> Quote Note: one thing that I have always noticed is a folder called "search" appears in my downloads folder after every restart. I have not been able to get rid of it. If I double click on it, I get to a "data" folder. If I double click on that, I get to a "temp" folder. If I double click on that, I get to a "usgthrsvc" folder. If I double click on that, I get a "folder is empty"; however I think there may be hidden data in there; because deleting it may result in more folders being deleted than are evident. Sometimes, I am initially denied access to this lowest folder until I say "continue" This is part of the Windows Search service.https://superuser.com/questions/964861/upgraded-windows-7-to-windows-10-window-search-service-no-longer-starts/1105784 If you have any problems check the status. === If your problem persists check this out. If you are Syncing Chrome with other devices? To remove it you will have to reset the Sync in Chrome. Read this article and proceed. Chrome Secure Preferences detection always comes backhttps://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/ <<<>>> Let me know what problem persists with this computer. Link to post Share on other sites More sharing options...
SkipperGas Posted October 14, 2018 Author ID:1275462 Share Posted October 14, 2018 Hello nasdaq, I did not find the Fixlist.txt file attached to your message. Please resend. Thank you Link to post Share on other sites More sharing options...
nasdaq Posted October 15, 2018 ID:1275600 Share Posted October 15, 2018 My bad, here it is. fixlist.txt Link to post Share on other sites More sharing options...
SkipperGas Posted October 15, 2018 Author ID:1275619 Share Posted October 15, 2018 OK, Nasdaq,, I upgraded CCleaner to the lastest version I ran FRST, and clicked on Fix, and am attaching logs I reset Chrome settings to default I also uninstalled Direct Folders, because Google Chrome had a problem with it I restarted, and ran Adwcleaner, and it found only 1 threat, which I think may be a false positive (Windows Search Service) I started Google Chrome, and started my yahoo, google, and facebook pages I ran AdwCleaner again, and it found adware again... I will attach all the logs Thank you Addition.txt Fixlog.txt FRST.txt AdwCleaner[S74].txt AdwCleaner[S73].txt AdwCleaner[C72].txt AdwCleaner[S72].txt AdwCleaner[S71].txt AdwCleaner[S70].txt AdwCleaner[S69].txt AdwCleaner[C68].txt AdwCleaner[S68].txt Link to post Share on other sites More sharing options...
nasdaq Posted October 16, 2018 ID:1275829 Share Posted October 16, 2018 Hi, The AdwCleaner is reporting the folder from your \Downloads folder. 2018-10-13 07:38 - 2018-10-13 07:38 - 000000000 ____D C:\Users\Skipper\Downloads\Search If the folder is empty you can deleted it. Link to post Share on other sites More sharing options...
SkipperGas Posted October 16, 2018 Author ID:1275870 Share Posted October 16, 2018 Yes, I do often delete it, but it returns every time I restart my computer. It appears to be empty, but I think that actually there are hidden files. AdwCleaner always reports it as an optional search PUP, or something like that. Link to post Share on other sites More sharing options...
bobsadino Posted October 16, 2018 ID:1275874 Share Posted October 16, 2018 hi skippergas have ever find SearchFilterHost.exe on usgthrsvc folder or tmp folder ? Link to post Share on other sites More sharing options...
SkipperGas Posted October 16, 2018 Author ID:1275876 Share Posted October 16, 2018 No, when I get down to the usgthrsvc folder and open it, there is nothing visible. Maybe hidden files? Hmmm, I just looked and don't see the Search folder. I can't remember if I deleted it today, it always reappears after restart. Maybe I will restart now to see if it comes back. Link to post Share on other sites More sharing options...
nasdaq Posted October 17, 2018 ID:1276118 Share Posted October 17, 2018 Hi. This may help you in your search. Unhide files/folders Windows. How To:http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7 <<<>>> p.s. Note to bobsadino You are not allowed to post in this topic. If you have any problems start your own topic nasdaq Link to post Share on other sites More sharing options...
SkipperGas Posted October 18, 2018 Author ID:1276363 Share Posted October 18, 2018 I had previously unhidden files/folders, and there was still nothing shown. One reason that makes me think that there is something there that I can't see is that there are 4 levels of supposedly empty folders: "search", "temp", "data", and "usgthrsvc"; however when I delete the highest level "search" folder, the system says that 6 items have been deleted, rather than 4. Link to post Share on other sites More sharing options...
nasdaq Posted October 19, 2018 ID:1276481 Share Posted October 19, 2018 Hi, Lets see what we can find in the Registry. Run the Farbar program .exe as an Administrator. In the Search text area, copy and paste the following:usgthrsvc Once done, click on the Search Registry button and wait for FRST to finish the search On completion, a log will open in Notepad. Copy and paste its content in your next reply ==== Link to post Share on other sites More sharing options...
SkipperGas Posted October 19, 2018 Author ID:1276488 Share Posted October 19, 2018 OK, here you are: Farbar Recovery Scan Tool (x64) Version: 10.10.2018 Ran by Skipper (19-10-2018 11:17:56) Running from C:\Users\Skipper\Downloads\programs\Malwarebytes FRST scan program Boot Mode: Normal ================== Search Registry: "usgthrsvc" =========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager] "TempPath"="C:\Users\Skipper\Downloads\Search\Data\Temp\usgthrsvc" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\PerformanceCounters] "USGTHRSVC"="UGTHRSVC" [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Search\Gathering Manager] "TempPath"="C:\Users\Skipper\Downloads\Search\Data\Temp\usgthrsvc" [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Search\PerformanceCounters] "USGTHRSVC"="UGTHRSVC" ====== End of Search ====== Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 14, 2018 Root Admin ID:1280919 Share Posted November 14, 2018 Hello @SkipperGas Very sorry for the delay. Looks like your post reply got lost with no notification. Did you still need help with this issue? Thank you Ron Link to post Share on other sites More sharing options...
SkipperGas Posted November 14, 2018 Author ID:1280977 Share Posted November 14, 2018 I am away from that computer for the month of November, so it will be a few days before I can check again. I will let you know when I return to it. I don't believe the issue had been resolved when I left it. Thanks. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 14, 2018 Root Admin ID:1281107 Share Posted November 14, 2018 Okay sorry to hear. I'll go ahead then and close this topic. When you are ready to look at this again please start a new topic and send me a private message with the link and I'll help you take a look at it. Cheers Ron Link to post Share on other sites More sharing options...
Recommended Posts