Charmsearching.com malware without doing anything


Go to solution Solved by Maurice Naggar,


Hello,

I'm glad this forum exists. I've already had virus problems in the past, so I'm really cautious now. But recently I've been on websites for streaming (www12.9anime.to).

And suddenly my search queries are redirected to Bing through Charmsearching.com. I don't have any extensions in my browser that are abnormal. I don't have any clue why it has been installed since I didn't download anything.

How did it happen?
I've read that this malware sells your data for identity theft, and I'm really worried since my browser is Chrome and multiple Google accounts are connected to it.

What are the risks? Malwarebytes doesn't detect anything with a scan!

Thank you for your help.


Hello    :welcome:

My name is Maurice.  I will be helping you.  I can help you to get rid of the search-redirect pest & to beef up your browser.

I would appreciate getting additional / fuller important details from this machine in order to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.8.3.885.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer.  and that I am not on 24 x 7.
Help on this forum is one to one. 

Sincerely,

Maurice


Thanks a lot Maurice for your help.
You're a savior.

Here we go, here is the file (I cannot attach it directly on the forum, so I used WeTransfer):
https://we.tl/t-7ArYwy4oOh

I recently disconnected all of my Google accounts from syncing with chrome to be safe.




Regards,


Thanks for the ZIP-file report.  As we go forward, please, as much as possible, attach the report along with your reply.

I suggest a  check with a tool, an anti-adware tool from Malwarebytes.

Be sure you close all web browsers before you click on the "Scan" button on this next procedure.

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows so you can see Adwcleaner.)

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

  • To upload  attachments please click the link as shown below. Then browse to where your file is located and select it and click the Open button.


 

We will be doing more after this round.

Sincerely.


Hello,

I know you will not like it but I have to copy paste the report, I literally can't upload file. I just have a text box. See my screenshot : https://ibb.co/42v7Bz1

And here is the report :

# -------------------------------
# Malwarebytes AdwCleaner 8.0.9.1
# -------------------------------
# Build: 01-20-2021
# Database: 2021-01-26.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 02-01-2021
# Duration: 00:00:07
# OS: Windows 10 Home
# Cleaned: 0
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1406 octets] - [01/02/2021 18:32:11]
AdwCleaner[S01].txt - [1467 octets] - [01/02/2021 18:35:42]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########


Just by the way, when you went to 'paste' your last reply , if you looked just to the Top of the "Submit Reply" button  and to the left side ...

just 2 lines above that you would have seen the link to begin an Attachment upload

like this image



  • Solution

The script on this post is ONLY for this machine and NO other.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

The system will be rebooted after the script has run.

.

This custom script is for  FOUFOUL  only / for this machine only.

The  custom Fix script is going to be used by the FRST  tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder.  

The tool named FRSTENGLISH .exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.


RIGHT click on  FRSTENGLISH.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line "More info" on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this

Fixlist.txt


Hello.  I will review this log  and get back with you.   I am glad to hear the Brave browser is good now.

If there is a new occurrence of a browser hijack, if possible get a screen-image capture.  Always be very cautious what you elect to optionally install on any browser.

One possibility of the browser redirect hijack would have been thru a browser Extension.

Bravo   😎👍


Hello Maurice,

I was using Brave only during the clean process

Chrome seems now back to normal. However, I have multiple questions; hope you can help me on that before you go, so I can prevent this from happening again!
I know your time is precious; don't hesitate to link some resources if you want to, I can do some research.

  1. How did that happen? I checked, and I swear I've seen no extensions that I didn't know. Plus, I installed nothing (I never do) when navigating on this streaming website. Does the problem only come from my browser, or was it installed on my computer? Can I prevent it by blocking some automatic actions made without my consent?
    For the record, as I said, I have two Chrome accounts synced, and only one was affected.
  2. How does it work, since I saw nothing malicious? Is it an adware, malware, hidden extension..?
  3. Did it affect my data (stolen?) since I was connected with my Google accounts? (passwords, Google Photos, files, etc...)
  4. I was connected, and used this Google account on another computer which was automatically synced with Chrome. Did it spread by any chance?

I've had a virus once, so I'm usually really cautious (hope so).
You're a savior, thanks again for your time



You mention Chrome.  Is that the one that had had the redirects ?

To answer as far as I can guess from my experience in helping lots & lots of people over many years on browser hijacks:

1.  I cannot know for certain how the redirect-hijacks happened.  I can only guess it was a browser extension.   Possibly one called "New Tab"

This is all high tech geek speak.  But the Brave browser had these entries

Quote

"chrome-extension://ehpgcagmhpndkmglombjndkdmggkgnge/index.vulcanized.html", Not-active:"chrome-extension://lllnjdmfnfjifcfpppjmcnanpokikcpl/index.html?action=newtab", Not-active:"chrome-extension://meffljleomgifbbcffejnmhjagncfpbd/newtab.html"

That was removed as part of the custom script that we did.

I do have a bit of residual concern that brave has this other extension

http://Nouvel onglet G Suite - Nouvel onglet personnel puissant) - C:\Users\doduy\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\ehpgcagmhpndkmglombjndkdmggkgnge

I mean to say, I suspect as possibilities, NewTab  and this G Suite

.

Cannot say how they were placed on the system other than by some bundle possibly that you accepted.

.

2.  While not malicious malware, the redirect is technically a search hijack.  "They" re-routed any search you tried to route it to "charmsearching", so they, as an end result, get the ad revenue.

By the way, I somewhat think that that specific site has now gone away.  I am unable to bring it up manually on my machine.

 

3. No, I do not think it "harmed" your personal information.  However, you may go ahead and change all your passwords if you feel the need.

Just be sure any you change are very secure passwords.  The LastPass website has an online way to generate strong passwords.  Password Generator | LastPass

Best to keep all passwords in a modern password manager.   See the section on passwords (as well as other tips for security):  Tips to help protect from infection - Windows Malware Removal Help & Support - Malwarebytes Forums

 

4.  If your other computers'   browsers did not get redirected  then they are in good shape.

5.  I would just remark that it is always good to know, for each web browser you use, how to look at and change the Search engine choice.

Each one of the browser makers has a support site, and each has a section on how to do that.

.

Let me suggest that we run one different sort of diagnostic report tool.

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

  • Save the file first,
  • Close any running programs that you started on your own ( if any).
  • Please disconnect any USB or external drives from the computer before you run this scan!

 

Double-click  RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

 

In the HOME tab, click Scan button

Next, on the Quick scan pane, click on the Start button to proceed.

.

Upon completion, a browser window may open. Close this window.

 Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.

Cordialement.

 

 


Please forgive me for adding more.  In addition to the last reply;   I would suggest that you read this article on the Malwarebytes Blog  for information.

Adware and PUPs families add push notifications as an attack vector - Malwarebytes Labs | Malwarebytes Labs

and the following for action on each of your web browsers.

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.   For Brave browser, it should be quite similar to the way done for Chrome.

Scroll down to the tips section "How do I disable them".


Hello,

To avoid misunderstanding. I use Chrome, and the problem happened on chrome only. I was only using Brave temporarily during the process of cleaning my computer.

  1. Just letting you know that I have multiple Windows accounts, and "doduy/" isn't the account I was on when the issue happened. And it seems like many files from the software you told me to use are being saved in this user folder.
  2. I recently activated automatically WebGPL on Chrome to use some software. Hope it wasn't the cause.

Thanks for your detailed answers. I read the articles you've sent me and it's interesting!

Quote

I do have a bit of residual concern that brave has this other extension

3. Is there any problem with Brave then ? Because I don't use it, so I would be surprised.

 4. Question: how can I diagnose myself? Malwarebytes didn't detect anything at the time, neither did Malwarebytes AdwCleaner. So what should I do if I'm suspecting something that runs in the background? (except deleting extensions, of course). I'm asking that because my Chrome accounts are always synced (extensions, history, literally everything), so if a malicious extension is up, it would be on other computers.

 

Here is the report,

Thanks !

rogue_report.txt


I will guide you to removing ( cleaning up ) on all the tools I had you use.  Please do not be worried on that count.

You mentioned 

Quote
  1. I recently activated automatically WebGPL on Chrome to use some software. Hope it wasn't the cause.

If that was one of the very most recent additions to Chrome,  I would then suggest to uninstall the WebGPL.   It is best to be safe.

To your other point, my concern was that 'doduy' is mentioned in the earlier reports, BUT  it is not a user-account that is reported by the Windows operating system.

It is almost a mystery how that happened.

No, I do not see a known specific malady on Brave.  But I will remark that both Brave browser and the Chrome browser seem to have a LOT of browser extensions.

If it were my system, I would drill down and look at each of the extensions and uninstall the ones I really do not need.

.

The search hijacker that you had encountered appears to be a quick gone away  ( as it were) because it seems that site URL is now gone away.

Lots of search hijackers are like that.

.

If in future you encounter a search hijacker, start the browser in "Incognito" mode if it is Brave or Google Chrome.

To launch Brave browser in Incognito mode
Press & hold the Windows-key on keyboard & tap the R key
Then copy and paste the whole line below ( as is )

"C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe" --incognito

For Chrome incognito  see   Browse in private - Computer - Google Chrome Help

if Chrome is "having an issue" in standard mode:
You can force Chrome to start in reduced mode, called Incognito mode, by putting a parameter at startup.
First, close any prior instances of Chrome via Task Manager.
Then press Windows-key+R for the RUN option and then put a command line similar to this {do use COPY & PASTE}

chrome.exe -incognito


Starting Chrome in Incognito mode may work for you, and allow you to make "changes" or tweaks in it.
Note also, Incognito mode is also an option in the Chrome menu {as long as it can start}.


Other suggestions,     

Still in Chrome, press ALT+F then Settings
Click Extensions on the left.
Closely review the browser extensions that are listed. Disable any that you are not familiar with or that you do not trust.

Also see these Google - Chrome articles and take appropriate measures !!
Reset browser settings
https://support.google.com/chrome/answer/3296214

.

The report from RogueKiller indicates no suspicious settings.  That is excellent.  I think we can wrap up this case.  Your system is good to go.

To remove the FRST  tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

 

Delete   RogueKillerx64.exe 

Any other download file I had you download, you may delete.

I wish you all the best.  Stay safe.

Sincerely,

Maurice


Hello,

Indeed, I'm using another Windows account, and the hijack happened on this account. But the tools you made me use are (somehow) located in the "doduy" account.

 

I will check all the steps you've described; your answer is well detailed.

Thanks a lot for your support and your patience Maurice.
It was great to have your expertise.

Regards,
 


First, you are welcome.

One minor point to make about one of the last things you mentioned before.  Browser Extensions are installed only on one single system at any occasion.  That is to say, installed on a local single machine.  Extensions cannot and are not available to have anything to do with the "Sync" feature.

.

The tools you downloaded would be placed on the system under whichever account you were logged into on this Windows system.  That is to say, you are in control of how you log in.  I was inquiring with you as to what you know about "doduy".  Is that an account you created?  Or an old account that you changed names on?


Oh I see what you mean. However with Chrome, I can connect from any new computer and my extension will be available (Adblock for example). A prompt message asking before if I want to sync or not. It's convenient but I know how problematic it can be.

But based on what you say, I think the browser just installs it automatically when I sync it. So my concern was about whether or not it would install the malicious ones. Correct me if I'm wrong.

 

I misunderstood, sorry. Yes "doduy" is an admin account that I've created. And I installed the tools on this account (the one that got hijacked named "Kevin Travail") which is a guest account. I didn't want the tools to only scan the "doduy" account which was safe, but I guess they would scan the entire disk. Plus, all temp files are in the admin account (e.g. C:\Users\doduy\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\ehpgcagmhpndkmglombjndkdmggkgnge)


I was following carefully what you recommended to me, and cleaned my extensions as you said that Brave and Chrome were full of them. But Brave turns out to be empty; however, the folder is not. See my screenshots. Might it be the "invisible" extensions issue I've got?

 

Thanks Maurice


1 minute ago, foufoul said:

I misunderstood, sorry. Yes "doduy" is an admin account that I've created. And I installed the tools on the "Kevin Travail" account (the one that got hijacked named "Kevin Travail") which is a guest account. I didn't want the tools to only scan the "doduy" account which was safe, but I guess they would scan the entire disk. Plus, some temp files from softwares installed on "Kevin Travail" are in the admin account for some reason (e.g. C:\Users\doduy\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\ehpgcagmhpndkmglombjndkdmggkgnge

Sorry, bad english, I'm correcting.


The browser extensions like in the image you provided ....the names are a big string of letters.  So it is hard to know which is what.  My only point was to double check any latest ones you added in January 2021.   That is it.

As to login accounts, the thing is that while a malware-hunting & fixing case is ongoing, the home end-user needs to ensure that when they log into Windows, they only log in with an account that has ADMINISTRATOR level rights.

If there are tools still left from what I had you download, you may delete them.

Stay safe.  I wish you all the best.

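The thread twice runs into the problem that extension folders show only an opaque ID (for example the long string under the Brave profile above), and that a search/new-tab hijacker normally lives in an extension's manifest rather than in anything a file scanner flags. The PowerShell script below is an added example, not from the thread or from Malwarebytes: it walks the Default profile's Extensions folder of Chrome and Brave for the currently signed-in Windows account, resolves each ID to the name in its manifest.json (including localized __MSG_ names), and flags the manifest keys a redirect extension relies on (a New Tab override, a settings override for search engine/homepage, or the webRequest permission). The profile paths are assumptions; run it while signed in as the affected Windows account, since it only reads that account's profile.

```powershell
# Added example (not the thread's or Malwarebytes' code). Lists every extension in the
# Default profile of Chrome and Brave for the current user, with a readable name and
# flags for the manifest features a search/new-tab hijacker needs. Paths are assumptions.
$roots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
    "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data\Default\Extensions"
)

function Resolve-ExtensionName {
    param([string]$VersionDir, [object]$Manifest)
    $name = [string]$Manifest.name
    # Localized names look like __MSG_appName__; the text lives in _locales/<lang>/messages.json
    if ($name -match '^__MSG_(.+)__$') {
        $key    = $Matches[1]
        $locale = if ($Manifest.default_locale) { $Manifest.default_locale } else { 'en' }
        $msgFile = Join-Path $VersionDir "_locales\$locale\messages.json"
        if (Test-Path $msgFile) {
            $msgs = Get-Content -Raw -Path $msgFile | ConvertFrom-Json
            if ($msgs.$key) { $name = $msgs.$key.message }
        }
    }
    return $name
}

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Write-Host "== $root"
    foreach ($extDir in Get-ChildItem -Path $root -Directory) {
        # Each ID folder holds one or more version folders, each with its own manifest.json
        foreach ($verDir in Get-ChildItem -Path $extDir.FullName -Directory) {
            $manifestPath = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path $manifestPath)) { continue }
            $m = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json
            $flags = @()
            # chrome_url_overrides.newtab replaces the New Tab page (the "newtab.html" pattern quoted above)
            if ($m.chrome_url_overrides -and $m.chrome_url_overrides.newtab) { $flags += 'NEWTAB' }
            # chrome_settings_overrides can change the default search engine, homepage or startup pages
            if ($m.chrome_settings_overrides) { $flags += 'SEARCH/HOMEPAGE' }
            # webRequest lets an extension observe or redirect every request, searches included
            if (@($m.permissions) -contains 'webRequest') { $flags += 'WEBREQUEST' }
            [pscustomobject]@{
                Id      = $extDir.Name
                Version = $verDir.Name
                Name    = Resolve-ExtensionName -VersionDir $verDir.FullName -Manifest $m
                Flags   = ($flags -join ',')
            }
        }
    }
}
```

A flag is not proof of wrongdoing (legitimate new-tab and search extensions use the same keys); it tells you which of the opaque IDs deserve a look in the browser's extensions page, where the author's advice to disable anything unfamiliar applies.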

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
