The Old Wolf

New Member
I think I caught this while trying to download Arcsoft's MediaImpression to retrieve photos from a Brookstone digital frame; a spurious download site must have pushed it. Have listed everything I've done in the above section. I've scanned the web for suggestions, watched every video and tried every suggestion I can find. Help would be much appreciated!
 


The Old Wolf

New Member
Here are the results:


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/28/17
Scan Time: 9:22 PM
Log File: 240ab49e-d4ac-11e7-a4bc-d4bed9966f92.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3369
License: Free

-System Information-
OS: Windows 10 (Build 15063.726)
CPU: x64
File System: NTFS
User: Chris_i7\Chris

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 491095
Threats Detected: 2
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 15 min, 42 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
PUP.Optional.SpiralsTab, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\ikaooahnheaoeceaipjcmnamnoleeblk, No Action By User, [16458], [462351],1.0.3369

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
PUP.Optional.SpiralsTab, C:\USERS\CHRIS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, No Action By User, [16458], [462351],1.0.3369

Physical Sector: 0
(No malicious items detected)


(end)
 

The Old Wolf

New Member
Sorry, did what work? I just ran Malwarebytes and posted the results as you asked. Not sure what I'm supposed to do next.
 

The Old Wolf

New Member
Ran Malwarebytes again and quarantined and deleted all threats. Restarted. This is what I get when I type a search in the URL bar. Chromesearch.win is still present.
 


TwinHeadedEagle

Removal Expert
Verified
Staff member
Can you run one more Malwarebytes scan? That must be some of your extensions hijacking your search.
 

TwinHeadedEagle

Removal Expert
Verified
Staff member
Please download Zemana AntiMalware and save it to your Desktop.
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
  • Open Zemana AntiMalware again.
  • Click on
    icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only thing left is to attach the saved report in your next message.
 

The Old Wolf

New Member
I was finally able to clear this PUP (and HandyTab as well, which recently showed up). This is what I did:
Used the Chrome Cleanup Tool, no programs found.
Reset Chrome settings.
Chromesearch.win and HandyTab do not exist in "Remove Programs" or Chrome Extensions
Uninstalled Chrome
Restarted
Ran Malwarebytes one more time - some PUPs found. Quarantined and deleted.
Cleared the registry of all references to "Chrome"
Reinstalled Chrome
Deleted all extensions and reinstalled.
Success.

I will keep a pointer to Zemana for future use. I sincerely appreciate the time you take to help people out here. Thank you!
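
As an added example (not part of the thread or of any tool mentioned in it): a read-only PowerShell audit of the registry locations from which Chrome loads extensions outside the browser UI, including the WOW6432Node key flagged in the Malwarebytes log above, as a narrower check than clearing every "Chrome" reference. The HKCU and Policies paths are Chrome's standard external-extension and force-install locations, not paths quoted in the thread.

```powershell
# Added example: read-only audit. Nothing here deletes or modifies anything.
# External-extension keys: one subkey per extension ID.
$extensionRoots = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',  # location flagged in the log
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
)
# Force-install policy: values named 1, 2, ... holding "<extension id>;<update url>".
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

$findings = @()

foreach ($root in $extensionRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $props = Get-ItemProperty -Path $key.PSPath
        $findings += [pscustomobject]@{
            Source      = 'External extension key'
            Location    = $key.Name
            ExtensionId = $key.PSChildName
            Detail      = "update_url=$($props.update_url); path=$($props.path)"
        }
    }
}

foreach ($root in $policyRoots) {
    if (-not (Test-Path $root)) { continue }
    $key = Get-Item -Path $root
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        $findings += [pscustomobject]@{
            Source      = 'Force-install policy'
            Location    = $key.Name
            ExtensionId = ($value -split ';')[0]
            Detail      = $value
        }
    }
}

if ($findings.Count -eq 0) {
    'No externally registered Chrome extensions found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any extension ID listed here that you did not deliberately install is a candidate for the kind of search hijack described in this thread; compare it against the IDs shown on chrome://extensions before removing anything.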