Solved Browser Hijack Virus is Stubborn...

Fuzzystrawberry

New Member
Thread author
Feb 3, 2025
5
I seem to have acquired a browser hijack virus that switches my search engine to Yahoo, unless I am searching for Yahoo removal, and then it hijacks to Bing. I have tried AVG, Malwarebytes, AdwCleaner, and ESET Smart Security. This is surprisingly frustrating. Please give me some suggestions for getting rid of this irritating thing.
 

Attachments

  • Addition.txt
    62.8 KB · Views: 5
  • FRST.txt
    52 KB · Views: 6

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Hello..! Welcome to MalwareTips..! :)

My name is icotonev and I'm here to help you remove malware ..! Before we begin, please note the following:
  • First, please keep in mind most of us at MalwareTips volunteer our assistance for your benefit in your time of need. Please try to match our commitment to you with your patience toward us. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.
  • It is important to not run any tools or take any steps other than those I will provide for you. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.
  • Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.
  • Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
  • Please attach all logs into your post unless otherwise requested.
  • When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.
  • If you do not reply to your topic after 5 days I will assume it has been abandoned and I will close it.

Please follow the following instructions to get started:



..and for chrome only:



Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.


In your next reply, please include:
  • Fixlog.txt
 

Attachments

  • fixlist.txt
    14.9 KB · Views: 5

Fuzzystrawberry

New Member
Thread author
Feb 3, 2025
5
Okie dokie... I did the steps that you recommended. Here is the fixlog. Thanks in advance for all your help.

Fuzzy
 

Attachments

  • Fixlog.txt
    37.4 KB · Views: 7

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Hello, Fuzzystrawberry..! :) Excellent work..! :) Is your problem solved..?

Next..:

Temporarily disable Smart Screen and your antivirus (if needed) to download and run the following tool. If you are afraid to turn off the antivirus, so as not to download even more viruses, then additionally temporarily disconnect from the Internet. This tool sometimes gets flagged as suspicious/malicious, but it's a false positive.

Furtivex Malware Removal Script by thisisu

Please download FMRS.exe and save it to your desktop.

Note: Please save all your existing work / windows as this tool will attempt to close all non-essential processes during the course of its scan. This includes the internet browser you're currently using to view this message.
  • Right-click FMRS.exe and then click Run as administrator.
  • Click Yes to the Disclaimer
  • The script will begin to run. Be patient.
  • When the scan is finished, a log entitled FMRS_final.txt will open.
  • Post the contents of the log into your next reply
  • A copy of this log is also saved to your desktop

Fresh FRST logs

Please run FRST tool once more, and attach for me fresh logs:
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach these two logs in your next reply.
 

Fuzzystrawberry

New Member
Thread author
Feb 3, 2025
5
Things are looking pretty good at this point. Your help has been very appreciated. What do you suggest for me to do next?

Fuzzy

# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
# Furtivex Malware Removal Script v5.4.3
# Furtivex – Furtivex Computer Solutions
# Microsoft Windows 10 Pro x64 22H2 0409 // 1252 // 437
# 2025_02_05__22_19_10 - Christopher Carr -
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #



# Processes:

# Drivers:

# Services:

# Files:

C:\Users\Christopher Carr\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data (1574)
C:\Users\Christopher Carr\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js (2311)
C:\Users\Christopher Carr\AppData\Local\Google\Chrome\User Data\Profile 2\Code Cache\js (958)
C:\Users\Christopher Carr\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data (140)
C:\Users\Christopher Carr\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js (1947)
C:\Users\Christopher Carr\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cache\Cache_Data (9)
C:\Users\Christopher Carr\AppData\Local\Microsoft\Edge\User Data\Profile 1\Code Cache\js (4)
C:\Users\Christopher Carr\AppData\Local\Microsoft\Edge\User Data\Profile 2\Cache\Cache_Data (7)
C:\Users\Christopher Carr\AppData\Local\Microsoft\Edge\User Data\Profile 2\Code Cache\js (102)
C:\Users\Christopher Carr\AppData\Local\Tempwd.tmp
C:\Users\Christopher Carr\AppData\LocalLow\Sun\Java\Deployment\cache (0)
C:\Users\Christopher Carr\AppData\Roaming\discord\Cache\Cache_Data (129)
C:\Users\Christopher Carr\AppData\Roaming\discord\Code Cache\js (145)
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CM217F8.tmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CM23A1B.tmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CM27E42.tmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CM2C2AA.tmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\tw-4d90-2b08-35d440.tmp

# Folders:

C:\Users\Christopher Carr\AppData\Local\Microsoft\BGAHelperLib
C:\Users\Christopher Carr\AppData\Local\D3DSCache (6)
C:\Users\Christopher Carr\AppData\Local\Microsoft\Windows\INetCache\IE (4)
C:\WINDOWS\System32\config\systemprofile\AppData\Local (7999)
C:\WINDOWS\System32\config\systemprofile\AppData\Local\D3DSCache (4)

# Tasks:

Agent Activation Runtime\S-1-5-21-2790683329-2192569133-1678460992-1000
EPSON WF-2850 Series Update {2119FFE7-868E-46D4-B8DB-F7C55C128C40}
GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem134.0.6985.0{6DF23144-57B5-457B-9AD4-6B1415B99CD7}
HP\HP Print Scan Doctor\Printer Health Monitor Logon
HP\HP Print Scan Doctor\Printer Health Monitor
Microsoft\Windows\AppID\EDP Policy Manager
Microsoft\Windows\Application Experience\MareBackup
Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
Microsoft\Windows\Application Experience\PcaPatchDbTask
Microsoft\Windows\Application Experience\PcaWallpaperAppDetect
Microsoft\Windows\Application Experience\ProgramDataUpdater
Microsoft\Windows\Application Experience\StartupAppTask
Microsoft\Windows\ApplicationData\appuriverifierdaily
Microsoft\Windows\ApplicationData\appuriverifierinstall
Microsoft\Windows\ApplicationData\DsSvcCleanup
Microsoft\Windows\Autochk\Proxy
Microsoft\Windows\Chkdsk\ProactiveScan
Microsoft\Windows\Clip\ClipESU
Microsoft\Windows\CloudExperienceHost\CreateObjectTask
Microsoft\Windows\ConsentUX\UnifiedConsent\UnifiedConsentSyncTask
Microsoft\Windows\Customer Experience Improvement Program\Consolidator
Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
Microsoft\Windows\Defrag\ScheduledDefrag
Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceWnsFallback
Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner
Microsoft\Windows\Diagnosis\Scheduled
Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver
Microsoft\Windows\DiskFootprint\Diagnostics
Microsoft\Windows\DiskFootprint\StorageSense
Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask
Microsoft\Windows\Feedback\Siuf\DmClient
Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload
Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures
Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing
Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting
Microsoft\Windows\Flighting\OneSettings\RefreshCache
Microsoft\Windows\HelloFace\FODCleanupTask
Microsoft\Windows\InstallService\ScanForUpdates
Microsoft\Windows\InstallService\ScanForUpdatesAsUser
Microsoft\Windows\InstallService\SmartRetry
Microsoft\Windows\InstallService\WakeUpAndContinueUpdates
Microsoft\Windows\InstallService\WakeUpAndScanForUpdates
Microsoft\Windows\Location\Notifications
Microsoft\Windows\Maintenance\WinSAT
Microsoft\Windows\Maps\MapsToastTask
Microsoft\Windows\Maps\MapsUpdateTask
Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents
Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic
Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser
Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
Microsoft\Windows\PushToInstall\LoginCheck
Microsoft\Windows\PushToInstall\Registration
Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask
Microsoft\Windows\SettingSync\BackgroundUploadTask
Microsoft\Windows\SettingSync\NetworkStateChangeTask
Microsoft\Windows\Shell\CreateObjectTask
Microsoft\Windows\Shell\FamilySafetyMonitor
Microsoft\Windows\Shell\FamilySafetyMonitorToastTask
Microsoft\Windows\Shell\FamilySafetyRefreshTask
Microsoft\Windows\Shell\IndexerAutomaticMaintenance
Microsoft\Windows\Shell\ThemesSyncedImageDownload
Microsoft\Windows\Subscription\EnableLicenseAcquisition
Microsoft\Windows\Subscription\LicenseAcquisition
Microsoft\Windows\User Profile Service\HiveUploadTask
Microsoft\Windows\Windows Media Sharing\UpdateLibrary
Microsoft\Windows\WindowsUpdate\Refresh Group Policy Cache
Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler
Microsoft\Windows\WindowsUpdate\Scheduled Start
Microsoft\Windows\WindowsUpdate\sihpostreboot
Microsoft\Windows\WlanSvc\CDSSync
Microsoft\Windows\WOF\WIM-Hash-Management
Microsoft\Windows\WOF\WIM-Hash-Validation
Microsoft\Windows\WwanSvc\NotificationTask
Microsoft\Windows\WwanSvc\OobeDiscovery
Microsoft\XblGameSave\XblGameSaveTask
MicrosoftEdgeUpdateTaskMachineUA
OneDrive Reporting Task-S-1-5-21-2790683329-2192569133-1678460992-1000
OneDrive Standalone Update Task-S-1-5-21-2790683329-2192569133-1678460992-1000
OneDrive Startup Task-S-1-5-21-2790683329-2192569133-1678460992-1000
User_Feed_Synchronization-{1B3D75BB-32D5-4E2F-AB46-F84176939B4B}
ZoomUpdateTaskUser-S-1-5-21-2790683329-2192569133-1678460992-1000

# Registry:

HKLM\Software\Policies\Mozilla\Firefox
HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\\SubscribedContent-338388Enabled
HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\\SubscribedContent-338389Enabled
HKLM\System\CurrentControlSet\Control\CrashControl\\AutoReboot [1] => [0]

# Miscellaneous:

AntiVirus Software: ESET
AntiVirus Software: Windows Defender
Restore Point: Furtivex Malware Removal Script - Created

HKLM\Software\Microsoft\Windows Defender\Exclusions\Extensions

HKLM\Software\Microsoft\Windows Defender\Exclusions\IpAddresses

HKLM\Software\Microsoft\Windows Defender\Exclusions\Paths

HKLM\Software\Microsoft\Windows Defender\Exclusions\Processes

HKLM\Software\Microsoft\Windows Defender\Exclusions\TemporaryPaths

C:\Users\Christopher Carr\AppData\Local\CrashDumps\explorer.exe.9260.dmp
C:\Users\Christopher Carr\AppData\Local\CrashDumps\SearchApp.exe.12584.dmp
C:\Users\Christopher Carr\AppData\Local\CrashDumps\SearchApp.exe.15456.dmp
C:\Users\Christopher Carr\AppData\Local\CrashDumps\SearchApp.exe.15648.dmp
C:\Users\Christopher Carr\AppData\Local\CrashDumps\SearchApp.exe.8652.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\NVDisplay.Container.exe.10536.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\NVDisplay.Container.exe.11676.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\NVDisplay.Container.exe.12952.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\NVDisplay.Container.exe.15012.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\NVDisplay.Container.exe.16804.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\NVDisplay.Container.exe.18048.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\NVDisplay.Container.exe.19452.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\NVDisplay.Container.exe.3976.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\NVDisplay.Container.exe.4756.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\NVDisplay.Container.exe.5488.dmp


# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
 

Attachments

  • FRST.txt
    41 KB · Views: 5
  • Addition.txt
    42.7 KB · Views: 3

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Things are looking pretty good at this point. Your help has been very appreciated.

Hello, Fuzzy..! :) Thank you..! (y)

  • Download the Revo Uninstaller (Free Download) and save it on your Desktop.
  • Double click on the exe file created on your Desktop to run the installer, and follow the instructions to install the program.
  • Double click the program's icon to open it.
  • Write in the search area, on the top left, the following program:
Code:
AVG Update Helper
  • Choose the Uninstall tab from the menu and let the program create a Restore point.
  • Choose Scan, and then the Advanced mode scan.
  • Select all the Online Services items found, Delete and Next.
  • Let the procedure be completed and click on Finish.
  • Restart the computer.

Next ....:

Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.


Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.

  • Copy/paste the following in the Search: box
Code:
Searchall: AVG Update Helper;feahffpjnjlbbjjocajdmbbgbmplnpji

  • Click Search Files button
  • When completed click OK and a Search.txt document will open on your desktop
  • Attach the report in your reply. If the file is too large, zip it and upload it here.

In your next reply, please include:
  • Fixlog.txt
  • Search report
 

Attachments

  • fixlist.txt
    4.5 KB · Views: 4
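The Searchall line above hunts for the "AVG Update Helper" extension by its Chrome extension ID. The search-engine switch the thread describes is usually visible in the browser profile's Preferences JSON, so here is an added example (not code from the thread or from any of the tools named in it) that audits a Chrome/Edge-style Preferences file for an unexpected default search provider and for extensions that are on a watch list or were not installed from the Web Store. The sample JSON is constructed, and the key layout (`default_search_provider_data.template_url_data`, `extensions.settings`) is assumed to match what the browser writes; on current builds the extension settings may live in "Secure Preferences" instead.

```python
import json
import sys
from urllib.parse import urlparse

# Constructed sample of the relevant keys of a Chrome "Preferences" file.
# Real profiles: %LOCALAPPDATA%\Google\Chrome\User Data\<Profile>\Preferences
SAMPLE_PREFERENCES = json.dumps({
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "yahoo.com",
            "short_name": "Yahoo",
            "url": "https://search.yahoo.com/search?p={searchTerms}&fr=constructed",
        }
    },
    "extensions": {
        "settings": {
            # ID taken from the moderator's Searchall line in this thread.
            "feahffpjnjlbbjjocajdmbbgbmplnpji": {
                "state": 1, "from_webstore": False,
                "manifest": {"name": "AVG Update Helper"}},
            # Constructed ID of a normal store-installed extension.
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "state": 1, "from_webstore": True,
                "manifest": {"name": "Constructed store extension"}},
        }
    },
})

# Extension IDs this thread names; treated as a watch list (assumption).
WATCHLIST = {"feahffpjnjlbbjjocajdmbbgbmplnpji"}
# Search hosts a user normally picks on purpose; anything else is flagged.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com"}


def audit_preferences(text: str) -> list[str]:
    """Return human-readable findings for a Preferences JSON string."""
    prefs = json.loads(text)
    findings = []
    tmpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    url = tmpl.get("url", "")
    host = urlparse(url).hostname or ""
    if url and host not in EXPECTED_SEARCH_HOSTS:
        findings.append(f"default search provider '{tmpl.get('short_name')}' points at {host}")
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        name = entry.get("manifest", {}).get("name", "?")
        if ext_id in WATCHLIST:
            findings.append(f"extension {ext_id} ({name}) is on the watch list")
        elif not entry.get("from_webstore", False):
            findings.append(f"extension {ext_id} ({name}) was not installed from the Web Store")
    return findings


if __name__ == "__main__":
    # Pass a real Preferences path as the first argument, else audit the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFERENCES
    for line in audit_preferences(text) or ["no findings"]:
        print(line)
```

Run it against each profile's Preferences file while the browser is closed; a search URL pointing at an unexpected host, or an extension that did not come from the Web Store, is the setting to investigate rather than proof of infection by itself.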

Fuzzystrawberry

New Member
Thread author
Feb 3, 2025
5
Ok, I was unable to find the avg file in the revo uninstaller. I did the next two steps though. Uploaded as requested.
 

Attachments

  • Search.txt
    15.7 KB · Views: 3
  • Fixlog.txt
    9.6 KB · Views: 3

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Hello, Fuzzy..! :) Very good..! (y)

Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.


Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.

In your next reply, please include:
  • Fixlog.txt
  • Feedback: let me know how the computer is running. Please include any issue or concern you have right now.
 

Attachments

  • fixlist.txt
    1.4 KB · Views: 3

Fuzzystrawberry

New Member
Thread author
Feb 3, 2025
5
The computer seems to be functioning great. I can tell a pretty big difference in the webpage loading without those annoying redirects. The only minor concern now is unrelated and probably not appropriate for this message board: the DRAM light on my MSI B550-A PRO is lit up white. I uploaded the attachment as requested.

Thanks for all the help. I love when the power of the internet and strangers is harnessed for good.

Fuzzy
 

Attachments

  • Fixlog.txt
    3.2 KB · Views: 3

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Hello, Fuzzy..!..! :) Thank you, it has been great working with you...! Everything looks good.. Let's just remove the tools we used...If everything is fine ..for final:

KpRm by Kernel-panik
  • Download KpRm and save it to your Desktop (see here if you must use Chrome)
  • Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
  • Right click on the icon and select Run as administrator
  • Click Yes on the Disclaimer
  • Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
  • Click Run
  • Click OK on All operations are completed
  • KpRm will delete itself from your Desktop and you can either save or remove the report that is generated
  • You are free to remove any other tools/reports still remaining
  • Please copy and paste its contents in your next reply.
 
