"Searchgoose" closed my Edge/Brave sessions, could only restore parts - please help!!

Status
Not open for further replies.

SearchgooseNukedSession

New Member
Thread author
Feb 3, 2023
13
For a while, I've been working with 5 active browser sessions - each with many windows open, and each window with many tabs:
Edge (30 windows),
Brave (32),
Chrome (5),
Opera (12),
Avast (7).

Been meaning to save these sessions, but hadn't gotten around to it yet (I am quite chaotic at times) - when:



Here's what just happened within the last hour:

-Command Prompt flashes spontaneously and then disappears.
-All the browsers (except Opera, which I was currently working with) have been closed
-some of them incl. Edge are reopening again.
-Edge reopens with just 1 window 1 tab, with "Searchgoose" in the URL box.
-Reopening Brave manually - offers to "restore session", but only restores 30 instead of 32 tabs.


So normally upon restart or etc., the browser sessions either get restored via "Restore Session", or by manually restoring each window from the "Recently Closed" History list.


-However Edge only has 23 out of 30 "recently closed" windows + 1 tab! Which I may have closed weeks ago? Not sure though.



So then I shut down the Laptop and start it again:
-Now Edge opens with the "Searchgoose" again, has another "Searchgoose" in the "Recently Closed" list (presumably the one from before the restart), and still those 23 windows but now without that tab!!

And then I manually click through them all, and now the list is empty.

-open Brave - just the "Searchgoose" 1-tab window;
the "Recently Closed" list is now only 26 long!!! Had 30 out of 32 windows before restart, now just 26!!!!!



The Opera/Avast/Chrome sessions appear safe/restorable for now - but I just apparently lost:
-6 Brave windows
-7 Edge windows.


Did this Searchgoose malware nuke them?
Or did it just shut the browsers, replace its previous sessions with itself, and then the numbers of windows closed in that process exceeded these browsers' "Recently Closed" list memory?



Either way I really, really need to now:
1) Get rid of this Searchgoose malware.
2) Restore all those lost windows / all the tabs in them!!!

Was working on organizing them and saving them elsewhere etc., they kept reliably reopening upon each crash or restart (as even most recently with the System Update), there's no way they're just gone now and can't be saved??

Please help and tell me what to do if you can, I'm just in shock and despair right now.
 

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

In order to give you sound advice I need more information.

Please download Malwarebytes Anti-Malware from Malwarebytes or
from BleepingComputer


Right-click on the MBAM icon and select Run as administrator to run the tool.
Click Yes to accept any security warnings that may appear.
Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
On the left menu pane click the Settings tab, and then select the Protection tab on the top.
Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
Note: The scan may take some time to finish, so please be patient.
If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
The log can also be viewed by clicking the log to select it, then clicking the View Report button.

Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Malwarebytes to your Desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the LogFile button and the report will open in Notepad.

IMPORTANT

If you click the Clean button all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Check off the element(s) you wish to keep.
Click on the Clean button and follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleanerCx.txt (x is a number).

===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account.
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:
[Screenshot: L7kNU5y.jpg]

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and Attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Please attach the logs for my review.
How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "Upload file" button.
Do this for both files. Then press the "Post reply" button.
<<<>>>

Wait for further instructions

p.s.

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
<<<>>>
 

SearchgooseNukedSession

New Member
Thread author
Feb 3, 2023
13
Ok small update:

a) The "Searchgoose" malware had changed both my Edge's and Brave's settings from "restore previous session" to "open page: Searchgoose" - I changed both back and deleted "Searchgoose" from that Edge menu (disappeared on its own on Brave).

Ran full scan with Windows Security but it found nothing, no threats etc. - did it miss it? Or is it gone?



b) Pretty sure now that the loss of my windows was due to both Edge and Brave storing less than 30 items in the "Recently Closed" lists - however can't be entirely sure if Searchgoose didn't nuke (some of) them?


I've found the "Sessions" and "Session Storage" folders for both Edge and Brave, and copied them;
however only the current and previous sessions seem to be there.

Is there any way to find the pre-previous ones - i.e. the ones from a day ago?
Since I did 2 consecutive restarts (first just the browser, then the PC), the full sessions are the pre-previous ones - the previous ones are already incomplete.

Or, is there a way to find further "Recently Closed" windows not visible on that History menu? Some backup somewhere?

Or, roll back the entire system to 1 day ago, including all the browser sessions?




I realize that most of b) is no longer directly tied to "Malware removal", however there still may be a connection there; not sure right now.

Thanks in advance!
 

SearchgooseNukedSession

New Member
Thread author
Feb 3, 2023
13
Oh, just saw the reply - will follow as soon as I've got time again.

Not sure if this updated info in my 2nd post changes anything?

EDIT:
Also what do I need to save before doing all of this - like closing the browsers, restarting the computer etc.?
The session files (plus more?) from the other browsers as well (Opera, Chrome, Avast; Firefox) maybe?
 

SearchgooseNukedSession

New Member
Thread author
Feb 3, 2023
13
"Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database."

Hm, couldn't find "Scan Status" anywhere.

"On the left menu pane click the Settings tab, and then select the Protection tab on the top."

Can't see any Protection tab in the Settings - also the Settings are on the top right.
Do I have a different version of Malwarebytes? I just downloaded it from the 1st link.


"Under the Scan Options, turn on the button Scan for rootkits and Scan within archives."

Found the Scan Options, they're in the "Security" tab though.

In addition to those 2, it also offers "Use artificial intelligence to detect threats" and "Use expert system algorithms to identify malicious files", should those be on or off?

"Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button"

Found no options to select Threat Scan, however upon starting the scan, it automatically says "Threat Scan in progress..." - currently have it on pause.



Additional questions:
-Are the AdwCleaner and Farbar the next consecutive steps after Malwarebytes, or alternative methods?
-How urgent is this situation in terms of 1) chances to recover the lost windows, and 2) prevent further damage? I can refrain from using Edge and Brave for a while.

And, just to reiterate, the uncertainties mentioned above;
-whether the updated info changes anything about those instructions I need to follow, and
-if I need to save anything further before proceeding with the paused scan (in case it wants a restart, or possibly for other reasons).
 

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

Forget about the MBAM or AdwCleaner tools for now.

Try to run the Farbar program and attach the logs for my review.
 

SearchgooseNukedSession

New Member
Thread author
Feb 3, 2023
13
Ah, I'll go do that then.


Meanwhile another, more specific question about System Restore - it shows 2 restore points:
02/02/2023 Windows Modules Installer Type: Install
29/01/2023 Automatic Restore Point Type: System

Is there any possibility for a system rollback there? Incl. restoring those sessions?
 

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

Not unless you do a System Restore yourself.
 

SearchgooseNukedSession

New Member
Thread author
Feb 3, 2023
13
Hm, what does that mean precisely, "do it myself"? Something in addition to the standard version of this process?

And would that lead to getting the sessions back (i.e. the way they were on 02/02/2023)?
 

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

"Meanwhile another, more specific question about System Restore - it shows 2 restore points:
02/02/2023 Windows Modules Installer Type: Install
29/01/2023 Automatic Restore Point Type: System"

When was the last time your computer was working correctly?

It may well be on the 29/01/23, then you installed the Windows Module installer on the 02/02/23 a few days later. You decide if you want to restore one of them.

My suggestion, as you now have issues with this computer, is to execute the Farbar program and attach the logs.
Will take it from there.
 

SearchgooseNukedSession

New Member
Thread author
Feb 3, 2023
13
Hi,

"Meanwhile another, more specific question about System Restore - it shows 2 restore points:
02/02/2023 Windows Modules Installer Type: Install
29/01/2023 Automatic Restore Point Type: System"


"When was the last time your computer was working correctly?

It may well be on the 29/01/23, then you installed the Windows Module installer on the 02/02/23 a few days later. You decide if you want to restore one of them."

I'd say the computer was working correctly as late as 03/02/2023 - right up until that Command Prompt incident + browser crashes etc. which happened early on 04/02/2023.

Certainly all the browser sessions were in their proper form until that incident.


What exactly is the "Windows Modules Installer", and what would happen if I did a Restore on 02/02/2023?

"My suggestion, as you now have issues with this computer, is to execute the Farbar program and attach the logs.
Will take it from there."

Attached them below.

For paranoia privacy reasons, I made copies of both files and edited out a few bits in those copies - all the edits are marked with a {{}}.
Replaced every mention of my PC username with {{Username}}, as well as a few webpage downloads and apps from certain forums etc.

Everything without an "{{}}" is in its original, unedited form.
 

Attachments

  • FRST - Copy.txt
    45.1 KB · Views: 7
  • Addition - Copy.txt
    49 KB · Views: 7

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

Run this fix. If any of the entries (names) listed in the fix were modified, I suggest you change them to the proper names listed before the changes.
Save the fixlist.txt before executing the fix.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
 

Attachments

  • Fixlist.txt
    4.5 KB · Views: 7

SearchgooseNukedSession

New Member
Thread author
Feb 3, 2023
13
Ah, thanks!

What's the intended effect of this fix?
The opening mentions something about system restore and creating a new restore point, what is that referring to? Is there any connection to the 29/01 / 02/02 system restores discussed above?
 

SearchgooseNukedSession

New Member
Thread author
Feb 3, 2023
13
An update:

Today, early in the night - precisely 1 week after the initial incident - a similar thing happened again, except with a few differences:

-The blue "update your drivers" pop-up window appeared (it had started appearing at some point not too long before the initial incident 1 week ago - thought nothing of it initially), however unlike usually, the X button to close it wasn't working, and it stuck around on the screen.

-I opened Task Manager but couldn't find it there.

-Then, either on its own, or as a reaction to some kinda keystroke (I was trying to click on the "up" arrow to move up the Task Manager, I think), the Command Prompt flashed again before disappearing - and now, unlike the previous time, a bunch of "do you want to close this window with x tabs" (not sure whether it belonged to a particular browser or not - if yes, probably Brave) started rapidly appearing on the left top corner of the screen, on top of each other.

-I closed my Laptop, thus putting it into Sleep mode, and then opened it again - the "Driver Update" pop-up was now closeable so I closed it;

-and then I started to go through those "do you want to close this window" things and clicking "Cancel" each time.

However to no avail: Brave, Edge, Chrome, Avast, and now Firefox as well, closed - the only one unaffected was Opera.
And the ones that re-opened automatically were on "Searchgoose" again - the "start" settings had been changed back by the Malware. I quickly changed it back to "open previous session" again.



So now what's new about this is:
-While this may be something the analysts/experts here had already caught on to, now it's pretty much obvious that this "Update your Driver" pop-up thing is part of the same Searchgoose malware.
-Apparently, judging by this pattern, it pulls this browser reboot thing once per week - on the night from Friday to Saturday.
-Firefox (which I hadn't been using before the first incident), is now affected too.




Questions:
-Do you need a new Farbar log now? / Is that Fixlist still applicable?
-Does anyone know any answers to the questions I asked earlier, about the System Restore or methods of recovering those Brave/Edge sessions?
-As well as what this Fix is exactly expected to do?
And if I need to save something before running it?

The data recovery aspect is the most important to me at this moment - and I'd been holding off running this Fix because there were still remaining unclarities about what it would do, whether it would somehow result in a loss of a currently available opportunity to restore that data, etc.
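
Editor's added example (not part of any post in this thread, and not output of any tool mentioned here): a read-only check for the startup-setting change described in the two posts above, where Edge and Brave were switched from "restore previous session" to opening a fixed page. It assumes the Chromium convention that this choice is stored as `session.restore_on_startup` and `session.startup_urls` in the profile's `Preferences` or `Secure Preferences` JSON file; the sample profile and the `searchgoose.example` URL are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Chromium values for session.restore_on_startup (the "On startup" setting).
MODES = {1: "restore previous session", 4: "open specific pages", 5: "open new tab page"}
# Assumption: on Windows the startup prefs may live in either file.
PREF_FILES = ("Preferences", "Secure Preferences")

def audit_profile(profile_dir, expected_mode=1):
    """Return (file, mode label, startup URLs) for each prefs file whose
    startup mode is set to something other than expected_mode."""
    findings = []
    for name in PREF_FILES:
        path = Path(profile_dir) / name
        if not path.is_file():
            continue
        try:
            prefs = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append((name, "unreadable", []))
            continue
        session = prefs.get("session")
        if not isinstance(session, dict):
            continue
        mode = session.get("restore_on_startup")
        if mode is not None and mode != expected_mode:
            urls = list(session.get("startup_urls") or [])
            findings.append((name, MODES.get(mode, f"unknown ({mode})"), urls))
    return findings

def build_sample_profile(root):
    """Constructed sample: one file still says 'restore', the other was switched."""
    profile = Path(root) / "Default"
    profile.mkdir(parents=True)
    (profile / "Preferences").write_text(
        json.dumps({"session": {"restore_on_startup": 1}}), encoding="utf-8")
    (profile / "Secure Preferences").write_text(json.dumps({"session": {
        "restore_on_startup": 4,
        "startup_urls": ["https://searchgoose.example/"]}}), encoding="utf-8")
    return profile

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, label, urls in audit_profile(build_sample_profile(tmp)):
            print(f"{name}: startup = {label}; pages = {urls}")
```

Point `audit_profile` at a copy of a real profile folder (for example the `Default` folder under the browser's `User Data` directory) while the browser is closed; the function only reads the files and changes nothing.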
 

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,
To be sure that the fix will be the same now I would like to see fresh Farbar logs before giving you an answer.
Please post them.
 