
search.coolsearches.com



This week I keep getting a browser hijack: coolsearches > IP 3.95.119.220

Which is not detected by ADWCleaner or Malwarebytes. There is no program (app) by that name, nor any mention in my browser Chrome in the add-ons or extensions. Search for those strings in the registry did not find anything.

Any help or hint much appreciated!

 

coolsearches_Malware.png


@Parfumeur

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps FIRST so that files and folders are set to SHOW, plus also, Turn OFF Windows Fast Start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and then do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

    Then be patient for the next expert to take your case.

Thank you


Hi Porthos.... Thank you for looking into this. I did restore from a backup dated 2/27/2024. AND removed a lot of obsolete files/apps.

Rebooted, then ran Chrome, at first it was fine then on the 3rd-4th try, the 'coolsearches' popped up, duly blocked by Malwarebytes.

Got a feeling it's activated either by what was searched, time on line, or some other delaying factor. AND this was from the backup (using Acronis).

Maybe I should restore from an earlier date and see what happens.

 

 

 


Just now, Parfumeur said:

I did follow instructions and mailed it. Maybe I skipped a step in sending it?

Supposed to be attached to your topic here in the forum.

On 3/12/2024 at 6:21 PM, Porthos said:

A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

 


On 3/12/2024 at 6:21 PM, Porthos said:

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

 


Hi Porthos, Here is the file.

After I created the [mbst-grab-results.zip], my mouse started stuttering with long delays to my motions/entries, while trying to attach it here. Had to reboot, then got in a loop with the BSOD: CRITICAL_PROCESS_DIED. Now in a loop, cannot boot.

I had to extract the file in safe mode to a USB, and I'm now on another system to send it.

mbst-grab-results.zip


  • Root Admin

Hello @Parfumeur

Please run the following on the affected computer.

 

 

Please download https://www.safezone.cc/resources/av-block-remover-avbr.224/download AV block remover, unzip it and run.


If you possibly can't run it, just rename AVbr.exe -> AV-b-r.exe for instance and run. Or you can use this link to download a random named file to run: https://avbr.safezone.cc/rnd/


If this method doesn't work, run this tool NOT from your Desktop or Downloads folder (use any other folder).

If the malware still blocks the utility, then try to run it in Safe Mode with Networking. Follow the instructions. After reboot you'll receive AV_block_remove_date-time.log. Please attach it to your next post.
 


All right! Thanks .... Once again I had to restore from my Acronis back-up, and now seems to be running OK. The browser hijack is still there with the Malwarebytes pop-up warning when I open Chrome and access some sites... it's random.

A tidbit of info. Usually, 2-3 minutes after I log into Windows, I get a warning that the Firewall is turned off. BUT when I immediately check [Settings] it says it's turned on. ?!

The last time it froze (and this happens often), the graphics card fan turns on, the laptop gets hot, mouse slows to a crawl or freezes as if some I/O is taking a looooong time. I then am forced to reboot. This damn Lenovo W540 has an awful track pad, and no I/O disk light, so I never know if the disk is being accessed. Impossible these days to find a laptop with a drive access light!

 

 

AV_block_remove_2024.03.16-00.57.log


  • 5 weeks later...
  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
