Nanopicoen hijacker removal

matadorj69

New Member
Thread author
Jan 1, 2025
8
Hello,
I noticed some weird redirect behavior in Edge with search results, and then tried the same search in Chrome with identical behavior. After some research, it looks like a known hijacker has gotten into my system, but unlike most of the descriptions for removing it, mine is pretty securely embedded. I can't even do registry edits to remove the keys for it (access denied) despite using an administrator account. I've seen a similar case brought up in these forums with the advisor (nasdaq) requesting the user to run Farbar and post the results. I have done so, and am attaching the Addition.txt file to this message.

Thanks for any help,
-JW
 

Attachments

  • Addition.txt
    79.5 KB · Views: 8

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
614
Hello and Happy New Year..! 🎄

The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.


For the analysis of your system I also need the FRST.txt file..Please attach it in your next post..!
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
614
Thank you..! :)

Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.

  • Copy/paste the following in the Search: box
Code:
Searchall: lfallkjeibheabomekahpopfkkidnjfj , maiaommlekkjigddbmngdjppffmbpmol

  • Click Search Files button
  • When completed click OK and a Search.txt document will open on your desktop
  • Attach the report in your reply. If the file is too large, zip it and upload it here.

In your next reply, please include:
  • Fixlog.txt
  • Search report
 

Attachments

  • fixlist.txt
    8.5 KB · Views: 3

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
614
Greetings.. :)

Once again please:

  • Right click on FRST and select Run as administrator
  • Copy/paste the following in the Search: box

Code:
Searchall: lfallkjeibheabomekahpopfkkidnjfj;maiaommlekkjigddbmngdjppffmbpmol

  • Click Search Files button
  • When completed click OK and a Search.txt document will open on your desktop
  • Attach the report in your reply. If the file is too large, zip it and upload it here.

In your next reply, please include:
  • Search report
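
A read-only way to look for the two IDs from the Searchall line outside FRST, as an added example that is not part of the original posts. It assumes the strings are Chromium extension IDs (32 characters, letters a-p) and checks the standard Chrome/Edge `ExtensionInstallForcelist` policy key and the default per-profile `Extensions` folders; the thread itself does not say where the hijacker was stored.

```powershell
# Added example: read-only, nothing is modified or deleted.
# IDs taken from the Searchall line in this thread.
$ids = 'lfallkjeibheabomekahpopfkkidnjfj', 'maiaommlekkjigddbmngdjppffmbpmol'

# Assumption: standard Chromium policy roots for Chrome and Edge.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)
# Assumption: default per-user browser profile roots.
$profileRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data"
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)

function Get-OwnerOrNull([string]$Path) {
    # The owner helps explain "access denied" on keys an administrator cannot edit.
    (Get-Acl -Path $Path -ErrorAction SilentlyContinue).Owner
}

# 1) Force-install policy entries; values look like "<extension id>;<update URL>".
$hits = @(foreach ($root in $policyRoots) {
    $key = Join-Path $root 'ExtensionInstallForcelist'
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($ids | Where-Object { $value -like "$_*" }) {
            [pscustomobject]@{ Kind = 'Policy'; Location = $key
                               Entry = $value; Owner = (Get-OwnerOrNull $key) }
        }
    }
})

# 2) Extension folders left in any browser profile of the current user.
$hits += @(foreach ($root in $profileRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($prof in Get-ChildItem -Path $root -Directory) {
        foreach ($id in $ids) {
            $dir = Join-Path $prof.FullName "Extensions\$id"
            if (Test-Path $dir) {
                [pscustomobject]@{ Kind = 'Profile'; Location = $dir
                                   Entry = $id; Owner = (Get-OwnerOrNull $dir) }
            }
        }
    }
})
if ($hits.Count) { $hits | Format-List } else { 'No reference to either ID found.' }
```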
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
614
Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.


Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.

In your next reply, please include:
  • Fixlog.txt
  • Feedback: let me know how the computer is running. Please include any issues and concerns you have right now.
 

Attachments

  • fixlist.txt
    1.2 KB · Views: 1

matadorj69

New Member
Thread author
Jan 1, 2025
8
I ran FRST with administrator privileges. Log file attached.
Remaining weird behavior is that I cannot uninstall Chrome. When running Chrome, the menu bar indicates an update is available, but then when I click on "Restart to update" nothing happens and shortly afterwards the update notification appears again. I thought maybe uninstalling and reinstalling could fix that, but as the attached screencap shows, I cannot uninstall.
1735944485390.png
 

Attachments

  • Fixlog.txt
    4.1 KB · Views: 3

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
614
I think there is no need to reinstall Chrome ..at least at this stage..! Check if sync is turned on.
What happens to the redirects..? The hijacker has already been removed..!
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
614
+

Malwarebytes AdwCleaner
  • Please download AdwCleaner and save it to your Desktop
  • Close all open programs and browsers
  • Right click on the icon and select Run as administrator
  • Click Scan now
  • Uncheck any detected items you would like to keep, then click Next
  • If a "Preinstalled software was found!" screen appears, review it if you'd like, then click OK
The section at the bottom under Pre-Installed Software is software that was apparently installed when the device was new by your PC manufacturer. Personally, I don't keep anything from this software that I don't use/need. But it's your computer, so the decision is yours.
  • Review the list of Preinstalled software and place a check mark in those you do not wish to keep
  • Click Quarantine, then Continue
  • When completed click View Log File
  • Copy and paste the contents in your reply
  • Close the AdwCleaner window

Fresh FRST logs

Please run FRST tool once more, and attach for me fresh logs:
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach these two logs in your next reply.
In your next reply, please post:
  • AdwCleaner report
  • Fresh FRST logs
 

matadorj69

New Member
Thread author
Jan 1, 2025
8
Sync is on - there appear to be no redirects happening at the moment. I'm having problems uninstalling/reinstalling Zoom but I don't know if that is new behavior. It's been several years since I used it and my Norton 360 package identified an old Zoom version as a possible security risk. I will download and run AdwCleaner as requested.
-JW
 

matadorj69

New Member
Thread author
Jan 1, 2025
8
Logs attached. I got an error message saying the FRST program was blocked by the system from writing to a file (dberr.txt). I included that as well in case it's of interest.
 

Attachments

  • Addition.txt
    73.2 KB · Views: 3
  • FRST.txt
    52 KB · Views: 2
  • dberr.txt
    7 KB · Views: 3
  • AdwCleaner[S03].txt
    1.8 KB · Views: 3

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
614
Great..! The system looks clean..!

I would like you to run a tool named SecurityCheck to inquire about the current-security-update status of some applications:

Scan with SecurityCheck by glax24
  • Temporarily disable Microsoft SmartScreen only if it blocks the download of the software. The program is safe
  • Download SecurityCheck by glax24 from here
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • This tool is safe. Smartscreen is overly sensitive. You can check the VirusTotal scan of the tool from here
  • Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
Next ....:


As a check to make sure we haven't overlooked anything, I'd like you to run an ESET online scan for me:

ESET Online Scan - ESET Online Scanner will take some time, so be prepared.

ESET Online Scanner
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply



I'm having problems uninstall/reinstalling Zoom

 

matadorj69

New Member
Thread author
Jan 1, 2025
8
eset found and quarantined 2 potentially unwanted/unsafe programs - screenshot below. I closed the eset results before I saved them, and am re-running. The securitycheck.txt is attached, though
1736314263335.png
 

Attachments

  • SecurityCheck.txt
    11.1 KB · Views: 3

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
614
Thank you..! I recommend updating the software in the box below:

The elevation prompt for administrators disabled
The elevation prompt for users disabled
^It is recommended to enable (default): Win+R typing UserAccountControlSettings and Enter^
Malwarebytes version 5.2.3.156 v.5.2.3.156 Warning! Download Update
CrystalDiskInfo 8.16.4 v.8.16.4 Warning! Download Update
Microsoft 365 - en-us v.16.0.18129.20200 Warning! Download Update
How Install Office updates?
NVIDIA app 11.0.1.184 v.11.0.1.184 Warning! Download Update
GIMP 2.10.38-1 v.2.10.38 Warning! Download Update
Inkscape v.1.0.2.2 Warning! Download Update
Zoom Workplace (32-bit) v.6.1.43767 Warning! Download Update
Adobe Acrobat Reader v.24.003.20112 Warning! Download Update
^Please run Acrobat Reader DC and go Help - Check for updates...^
Google Chrome v.131.0.6778.109 Warning! Download Update
Norton Private Browser v.131.0.27760.140 Warning! Browser installed as part of other software. Uninstall it if you do not use.
 