
Browser Hijacker- request guidance to fix



Hello,

I've got my mother's laptop.  She has some kind of a browser hijacker. 

Attached are reports from:

Malwarebytes scan

Adwcleaner scan

Farbar scan

I'd appreciate guidance at this point, as I'm not in IT.  THANK YOU!

Malwarebytes 210316.txt AdwCleaner[S01] 210316.txt Addition 210316.txt FRST 210316.txt

Edited by jammin67
revise info, attach scan results

  • Root Admin

Hello @jammin67

 

Please follow the directions from the following topic and let us know if that corrects the issue for you.

 

Once that is done, let's go ahead and run another scan

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

 

Thanks

 


Hello,

#1  The browser was not signed in, and upon trying to sign them in we discovered nobody knows the password and the security email/phone number are obsolete.  When going to their Outlook mail, that also would not let us sign on with the password.  My mom doesn't remember changing the Outlook password at all.  She probably doesn't even understand about the Google sign in, so she was unaware of the password for that.  The phone associated with the security on both is a landline, and unable to receive a text.  Have no idea what to do about that, but proceeded to the scan.

#2 The ESET scan is still in process.  It has been going on for almost four hours now.  It was up to 306,000 files scanned, but appears to be going slowly.  At this point, there is "1" detection.  I will check it in the morning, but going to bed for the evening now.

Let me know if I should do something, in case the scan is still in progress in the morning.  Or any other direction.  THANK YOU!


  • Root Admin

Thanks @jammin67

If your mom was not really using the Sync feature then it's okay. Simply do the manual clean-up of Google Chrome that you can, such as cookies, cache, etc.

As for the ESET scan yes, let that finish. Hopefully by morning.

Once it's done post the log

Then restart the computer and run FRST again, make sure you place a check mark on Addition.txt, and attach both new logs from a SCAN.

I'll check back on you again sometime tomorrow

Cheers

 


  • Root Admin

Thank you @jammin67

Please double-check the following items that start with the Browser just to make sure only the ones she wants are loading

Edge StartupUrls:

CHR StartupUrls:

 

Please go to Control Panel, Programs, Programs and Features and uninstall the following

Bonjour

 

What exactly is mDNSResponder.exe? (Bonjour)

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL.  On a Mac or iOS device, this program is used for networking nearly everything.  On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows.  Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration, this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

 

 

Please consider changing the default DNS provider to Google Public DNS or another one.

Google Public DNS: 8.8.8.8 and 8.8.4.4

Cloudflare 1.1.1.1: 1.1.1.1 and 1.0.0.1

Cisco OpenDNS: 208.67.222.222 and 208.67.220.220

 

Are you blocking Zoom on purpose?

FirewallRules: [TCP Query User{2C017DAE-DAD3-4B0B-8E85-7D360810DD73}C:\users\rogerandcarolyn\appdata\roaming\zoom\bin\zoom.exe] => (Block) C:\users\rogerandcarolyn\appdata\roaming\zoom\bin\zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [UDP Query User{2F9D2643-7F71-464C-A58E-6923497BA1E7}C:\users\rogerandcarolyn\appdata\roaming\zoom\bin\zoom.exe] => (Block) C:\users\rogerandcarolyn\appdata\roaming\zoom\bin\zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)

 

 

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

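The three checks the Root Admin asks for above (which URLs the browsers open at startup, which DNS resolvers are configured, and which firewall rules block a program under a user profile, like the two Zoom rules quoted) can be pulled from the machine directly rather than read out of an FRST log. The script below is an added example written for this thread, not the poster's or FRST's code. It is read-only, assumes Windows PowerShell 5.1 or later with the built-in DnsClient and NetSecurity modules, and assumes the default Chromium profile locations for Chrome and Edge.

```powershell
# Added example, not from the thread: read-only audit of startup URLs, DNS
# resolvers and Block firewall rules on per-user programs.
# Assumes Windows PowerShell 5.1+ with the DnsClient and NetSecurity modules.

function Get-BrowserStartupUrls {
    # FRST's "CHR StartupUrls:" / "Edge StartupUrls:" lines come from the
    # session.startup_urls array in each browser's Preferences JSON file.
    $prefsFiles = @{
        Chrome = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
        Edge   = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Default\Preferences'
    }
    foreach ($browser in $prefsFiles.Keys) {
        $file = $prefsFiles[$browser]
        if (-not (Test-Path $file)) { continue }
        $prefs = Get-Content -Raw -Path $file | ConvertFrom-Json
        $urls  = $prefs.session.startup_urls
        if (-not $urls) { continue }
        # restore_on_startup 4 = "open a specific page or set of pages"
        foreach ($url in @($urls)) {
            [pscustomobject]@{
                Browser    = $browser
                Mode       = $prefs.session.restore_on_startup
                StartupUrl = $url
            }
        }
    }
}

function Get-DnsResolverReport {
    # Compare the configured IPv4 resolvers with the public ones listed in the post.
    $publicResolvers = @('8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1',
                         '208.67.222.222', '208.67.220.220')
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $unknown = @($_.ServerAddresses | Where-Object { $_ -notin $publicResolvers })
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Servers   = ($_.ServerAddresses -join ', ')
                # A private address here is normally the home router; anything
                # else that is unfamiliar deserves a second look.
                Note      = $(if ($unknown.Count -eq 0) { 'public resolver' }
                              else { 'review: ' + ($unknown -join ', ') })
            }
        }
}

function Get-UserProfileBlockRules {
    # Rules named "TCP/UDP Query User{GUID}<path>" are created by the Windows
    # Firewall pop-up; Action = Block on a program under C:\Users is exactly
    # what the two Zoom lines in the FRST log show.
    Get-NetFirewallRule -Action Block -Enabled True |
        ForEach-Object {
            $program = ($_ | Get-NetFirewallApplicationFilter).Program
            if ($program -and $program -like '*\Users\*') {
                [pscustomobject]@{
                    Rule      = $_.DisplayName
                    Direction = $_.Direction
                    Program   = $program
                }
            }
        }
}

Get-BrowserStartupUrls    | Format-Table -AutoSize
Get-DnsResolverReport     | Format-Table -AutoSize
Get-UserProfileBlockRules | Format-Table -AutoSize
```

Run it from a normal PowerShell window on the affected machine; nothing is changed, so it is safe to run before and after the fixlist. An unexpected entry in the StartupUrl column is the thing to compare against what the owner actually wants loading; a Block rule on a program she uses (as with Zoom here) can be removed with Remove-NetFirewallRule by its rule name once confirmed.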

I haven't had time to check the Edge and CHR Startup Urls.

Bonjour is now uninstalled.

I have not had time to change the DNS provider(s).

Zoom was not blocked on purpose; the app is now allowed through the Firewall.

Attached is the fixlog.

I'll try to get to the other things after work tomorrow. I work two jobs, and work all weekend at both.

Thank you,

Fixlog 210319.txt


  • Root Admin

That is an alert from Windows Defender, probably from CCleaner.

Most experts no longer recommend the use of CCleaner; it's probably best to consider uninstalling it.

The actual fix log did not complete due to a time out.

Let me give you an updated script to run.

 

I hear you about the job concerns, no pressure, I've worked two jobs most of my career as well

 

Please save the attached FIXLIST.TXT file to the same folder as FRST64 again and then click the FIX button.

fixlist.txt

Once it's done it will make a new FIXLOG.txt file, please attach that on your next reply.

 

Then also run the following

 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log

The log will be at %SYSTEMROOT%\debug\msert.log which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

Thank you

 


  • Root Admin

Okay, sorry to do this to you but based on the findings from Microsoft it's probably best we use another scanner. I don't think there are any ongoing current threats, but it will help to possibly find any more leftover straggler files that may have been missed, so that your parents don't accidentally move and trigger one of these dormant files.

 

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not


Scan results: "No threats found"

When looking for the "report", there was a window that showed individual "objects", all with "okay" on the left side.  That page would not let me copy/paste or save.  I still have it open, and could send about 15 screenshots if it would help.

I am going to include a couple of screenshots below, which show the popups and new tabs that are still autogenerating in Chrome (these are what caused me to initially contact malwarebytes).  There doesn't seem to be the same issues in Edge.  I know my mom uses Chrome exclusively.

[screenshot]

[screenshot]

Thank you

 


  • Root Admin

Yeah, ad and junk sites cannot be removed by Malwarebytes. We can add content blocking to help, but Google Chrome needs a good clean-up to stop that ill-behaved behavior.

If you've already followed the guide on cleaning Chrome then maybe it's best to export and save all her bookmarks to a location outside of the Google Chrome folder structure then I can work with you on doing a full removal of Chrome.

Then reinstall it and import the bookmarks back. You'd need the passwords for any sites though as those will be gone.

Let me know if you'd like to go that route.

 

You could also try this FORCED clean up which is about as much clean up as one can do without fully removing Google Chrome. You cannot just uninstall it as Chrome will leave behind a lot of items so that on reinstall it will be junk again. I can help do a full removal if wanted.

 

 


  • Root Admin

This will do a massive clean up but is still not as good as a full removal of Chrome

 

 

Force Reset Google Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

  • Open Chrome and at the top right, click the menu button (⋮), then More tools, then Extensions
  • Write down the list of Extensions installed.
  • Next, go to >> Google Sync << and sign in to your account. Make sure you know your password as this will clear it from the browser.
  • Scroll down until you see the   "reset sync" button to clear your data from the server and remove your passphrase.
  • Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
  • Press the Windows key + R at the same time, to bring up the Run dialog box.

[screenshot: Run dialog]

  • Type in (or copy/paste) the following and press Enter:     %localappdata%\Google\Chrome\User Data\Default\
  1. Press Ctrl + A to select all the files and folders.
  2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
  3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.

  Example of all files and folders selected, except Bookmarks:

  WARNING: If the folders do not look similar do not continue deleting. You may not be in the correct folder.

[screenshot: Chrome profile files and folders, all selected except Bookmarks]

 

Restart your computer now and make sure there are no longer any redirects or other browser issues 

 

 

 

 

 

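The "Force Reset Google Chrome" steps above can be scripted so that the two safety points in the post (Chrome must be closed, and you must be in the right folder) are checked by the script instead of by eye, and the bookmark files are copied out of the Chrome tree before anything is deleted. This is an added example for this thread, not the Root Admin's or Google's tooling. It assumes a standard per-user Chrome install under %LOCALAPPDATA% and the Default profile.

```powershell
# Added example, not from the thread: scripted version of the Force Reset steps.
# Assumes Chrome's Default profile lives at the standard %LOCALAPPDATA% path.

$profileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$backupDir  = Join-Path $env:USERPROFILE ('ChromeBookmarkBackup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
$keep       = @('Bookmarks', 'Bookmarks.bak')

# Chrome must not be running: it rewrites profile files when it exits, which
# would undo part of the reset and can lock files mid-delete.
if (Get-Process -Name chrome -ErrorAction SilentlyContinue) {
    throw 'Chrome is still running. Close every Chrome window and run this again.'
}

# The WARNING from the steps, as a check: a real profile folder contains a
# Preferences file. If it is missing, stop rather than delete the wrong tree.
if (-not (Test-Path (Join-Path $profileDir 'Preferences'))) {
    throw "$profileDir does not look like a Chrome profile folder; nothing was deleted."
}

# Copy the bookmark files OUTSIDE the Chrome folder structure first, as the
# post recommends, so they survive even if the delete step goes wrong.
New-Item -ItemType Directory -Path $backupDir | Out-Null
foreach ($name in $keep) {
    $src = Join-Path $profileDir $name
    if (Test-Path $src) { Copy-Item -Path $src -Destination $backupDir }
}
Write-Host "Bookmark files backed up to $backupDir"

# Delete everything in Default except the bookmark files (hidden items included).
Get-ChildItem -Path $profileDir -Force |
    Where-Object { $_.Name -notin $keep } |
    ForEach-Object {
        Remove-Item -Path $_.FullName -Recurse -Force -ErrorAction Continue
    }

Write-Host 'Profile reset. Restart the computer, then open Chrome and confirm the redirects are gone.'
```

To preview what would be removed without deleting anything, add -WhatIf to the Remove-Item line and run it once; the two throw checks and the backup still run. Extensions and saved passwords are gone after this, which is why the post has you write down the extension list and know the Google password first.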

Okay, Google is reset.  In the process, I found some extensions on the browser that were probably from an old Avast account.  Also, deleted some search engines again.  Haven't had any popups with new tabs, etc.  YAY!

Question:  What is Any Player?  See snip.  It is on her taskbar.  

[screenshot]

 

Any other scans or settings I need to review?

Thank you!


  • Root Admin

Hello @jammin67

That is what appears to be a forked project of VLC Player

https://en.wikipedia.org/wiki/VLC_media_player

https://www.videolan.org/vlc/index.html

( In software engineering, a project fork happens when developers take a copy of source code from one software package and start independent development on it, creating a distinct and separate piece of software. The term often implies not merely a development branch, but also a split in the developer community )

I tried to track down the actual vendor or author that built it, but I was not able to find them in a quick search.

The program is downloaded from the Microsoft Store: 

https://www.microsoft.com/en-us/p/any-player-video-dvd/9n1znfmt0zf5

It is installed as an Application (so it doesn't show up in your Add/Remove programs).
You need to uninstall it from Settings, Apps & Features.

[screenshot]

 

It actually installs as Package 15191PeakPlayer on my system.

[screenshot]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\15191PeakPlayer.50533F9B98293_3.1.9.0_x64__y5c4dfz5b21fm\15191PeakPlayer.50533F9B98293_y5c4dfz5b21fm!App\windows.fileTypeAssociation\.3g2]
"ACID"="Player\Any Player.exe"

 

I downloaded the software to test, review what it was and try to track down the vendor. The very first time the application opened I was presented with the following SPAM

[screenshot]

I simply closed the windows and the App opened. Your parents may not have done so and may have installed FilmForth

The website for FilmForth goes to this website

https://www.ioforth.com/

The site was created on: 2019-12-18

[screenshot]

Based on the poor grammar of the site I would believe it is probably not from a native English-speaking country.

[screenshot]

 

 

The company also appears to make a product named "Neat Office" but that too seems to be hiding the real authors. Not sure why, but it too appears to be a fork of the LibreOffice project, and again, whoever is working on the project sure seems to be hiding.

Neat Office is a 3rd party app and is not associated with, affiliated with or endorsed by Microsoft.

[screenshot]

 

The fact that both of these software applications are using forked open-source software to build these apps but don't appear to be up-front about who or where it was written makes it a bit sketchy in my opinion.
I'm not saying either one is bad software, but I'd use the original well-known programs myself instead of these packages.

 

So, long story short. If it were my computer I would uninstall it and stay clear from it.

 

We've run many of the major antivirus scans and they don't find any real infections at this point. However, we need to check and verify that the current software is up to date. Please run the following for me.

 

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current-security-update status of some applications.

  • Download SecurityCheck by glax24 from here: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
  • If Windows SmartScreen blocks it with a message window, click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

 

 

 

I would recommend that you bookmark the following site and review it as you have time. It provides information to help you better protect your computer and privacy. It's not a cookie-cutter "do this, do that" list, but something to review for what makes sense for you or your parents to take a look at.

 

Thanks

 

 

Edited by AdvancedSetup
updated information

The AnyPlayer is uninstalled.   I did not see New Office listed.

Question on the attached log.  It lists Avast, which my parents don't currently use, or didn't know they were still using.  Prefer to just use Windows Defender.  They previously did have an Avast subscription a few years ago.

--------------------------- [ AntiSpyware_WMI ] ---------------------------
Windows Defender (disabled and up to date)
Avast Antivirus (enabled and up to date)

 

SecurityCheck 210322.txt

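The "[ AntiSpyware_WMI ]" section of the SecurityCheck log above is just a dump of what Windows Security Center has registered, which is why a product that was uninstalled years ago (the Avast entry here) can still show up as "enabled" next to a Defender that reports "disabled". The script below is an added example for this thread, not SecurityCheck's or Microsoft's code: it queries the same root/SecurityCenter2 namespace directly and flags the stale-registration situation. The productState field is not documented by Microsoft; the byte decoding used here is the one admin scripts commonly rely on and is an assumption. It needs a client edition of Windows (the SecurityCenter2 namespace does not exist on Server editions).

```powershell
# Added example, not from the thread: list what Security Center thinks the
# antivirus / antispyware products are, decoded the way SecurityCheck's
# "[ AntiSpyware_WMI ]" section shows them. productState decoding is an
# assumption based on common admin practice, not Microsoft documentation.

function Get-SecurityCenterProducts {
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct') {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                # productState packs three bytes; render as 6 hex digits "AABBCC".
                $hex = '{0:x6}' -f [int]$_.productState
                [pscustomobject]@{
                    Class    = $class
                    Name     = $_.displayName
                    # BB = 10 or 11 means real-time protection on; 00/01 means off
                    Enabled  = ($hex.Substring(2, 2) -in @('10', '11'))
                    # CC = 00 means signatures current; 10 means out of date
                    UpToDate = ($hex.Substring(4, 2) -eq '00')
                    Exe      = $_.pathToSignedProductExe
                }
            }
    }
}

function Find-StaleSecurityRegistrations {
    param([object[]]$Products = (Get-SecurityCenterProducts))
    # A registered product whose signed executable no longer exists on disk
    # is a leftover registration, not a working scanner. That is the pattern
    # behind an "Avast Antivirus (enabled and up to date)" line after Avast
    # was removed.
    $Products | Where-Object {
        $_.Exe -and -not (Test-Path -LiteralPath $_.Exe)
    }
}

$products = Get-SecurityCenterProducts
$products | Format-Table Class, Name, Enabled, UpToDate, Exe -AutoSize

$stale = @(Find-StaleSecurityRegistrations -Products $products)
if ($stale.Count -gt 0) {
    Write-Host 'Registered products whose executable is missing (candidates for cleanup):'
    $stale | ForEach-Object { Write-Host ("  {0} -> {1}" -f $_.Name, $_.Exe) }
}
```

When a third-party product is registered as enabled, Windows Defender steps aside and reports itself disabled, which is the exact state in the log above. Removing the stale registration (via the vendor's own removal tool, or the FRST script the Root Admin offered) lets Defender switch back on; rerun this afterwards and expect a single enabled, up-to-date entry.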

  • Root Admin

I'll write you a script to remove the Avast entry. Please address the following.

-------------------------- [ IMAndCollaborate ] ---------------------------
Zoom v.5.4.9 (59931.0110) Warning! Download Update

--------------------------- [ AdobeProduction ] ---------------------------
Adobe Shockwave Player 12.2 v.12.2.8.198 Warning! This software is no longer supported. Please uninstall it.

 

Then download the following program to have it check for other software update issues and if found update those programs.

Patch My PC Home Updater
https://patchmypc.com/home-updater

 

Once all those updates are completed please restart the computer one more time. Then run the FRST program again and click the SCAN button and get me the two updated logs again and we'll finish up any left over removal items such as Avast.

Thanks @jammin67


Okay, the iCloud is no longer opening on startup.  All looks good, except there is a yellow exclamation mark in Windows Security.  Seems to be under "App & Browser Control > Reputation-based protection > Review".  See the two snips below.  Note, I had uninstalled the piriform bundle on Saturday.  

[screenshot]

[screenshot]


This topic is now closed to further replies.