Google Chrome and IE8 Hijacked

Discussion in 'Windows - Virus and spyware problems' started by triviaace, Jul 5, 2014.

  1. triviaace

    triviaace Regular member

    Joined:
    Aug 1, 2005
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    26
    I downloaded CCleaner from After Dawn and was attacked by three hijackers (that I know of): Trovi, Searchnu and Rocket-find. They do not appear on my program list nor on my program removal list and are not present when I do a search, but they keep coming up. How do I get rid of them? I tried uninstalling Google Chrome and reinstalling the latest version, all to no avail. Please help.
     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    If you will allow me. I can help you clean your computer. If so I can issue instructions.

    what say?
     
  3. 2oldGeek

    2oldGeek Active member

    We can start with this please:

    Please download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
    Only one of them will run on your system, that will be the correct version.

    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
    • Please attach all reports using the button below. Doing this, you make it easier for me to analyze and fix your problem.
     
  4. triviaace

    triviaace Regular member

    Attached are first text and addl. text. Hope this helps.
     

    Attached Files:

  5. 2oldGeek

    2oldGeek Active member

    Hi triviaace,
    You do have the hijackers Trovi, Searchnu and Rocket-find. You also have a lot of malware and some PUPs.

    I see Norton AV running but can't determine if it's up to date or not. Please let me know.

    The biggest problem is that XP is no longer supported and you won't be getting updates and patches to protect you but we'll see what we can do about that after you are clean.

    It's going to take me some time to go over your logs and build a fix. Don't lose your patience. In the meantime, please do not install any programs or run any cleaners that I do not ask you to. That makes it harder for me to help you.

    I'll be back as soon as possible.
    Any questions???

    2oG
     
  6. 2oldGeek

    2oldGeek Active member

    Hi triviaace,

    Please download the attached fixlist.txt file and save it to the Desktop.

    NOTE:
    It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.




    ***** NEXT *****




    Please download AdwCleaner by Xplode and save to your Desktop.

    Double click on AdwCleaner.exe to run the tool.
    • Click on the Scan button.
    • After the scan has finished click on the Clean button.

    Press OK when asked to close all programs and follow the onscreen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
    • Post logfile will also be saved in the C:\AdwCleaner folder.
    • Please attach the log in your reply.


    Run the Fix, check it out and let me know how it's doing now.

    2oG
     

    Attached Files:

  7. triviaace

    triviaace Regular member

    My computer is a 32-bit machine therefore FRST/FRST64 would not run. I ran FRST in a 32-bit format which is attached. I am also attaching the ADW Cleaner log below.

    # AdwCleaner v3.214 - Report created 06/07/2014 at 12:09:04
    # Updated 29/06/2014 by Xplode
    # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
    # Username : Leon - MAGILL-1FRN6M5P
    # Running from : C:\Documents and Settings\Leon\Desktop\AdwCleaner.exe
    # Option : Clean
    ***** [ Services ] *****

    ***** [ Files / Folders ] *****
    Folder Deleted : C:\Documents and Settings\Leon\Application Data\Advanced System Protector
    Folder Deleted : C:\Documents and Settings\Leon\Application Data\Systweak
    File Deleted : C:\WINDOWS\system32\roboot.exe
    ***** [ Shortcuts ] *****

    ***** [ Registry ] *****
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
    Key Deleted : HKCU\Software\InstallCore
    Key Deleted : HKCU\Software\systweak
    Key Deleted : HKLM\Software\systweak
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{DD85D6BF-4787-4A93-99A5-3F0CF0AE8834}
    ***** [ Browsers ] *****
    -\\ Internet Explorer v8.0.6001.18702

    -\\ Google Chrome v35.0.1916.153
    [ File : C:\Documents and Settings\Leon\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
    Deleted [Search Provider] : hxxp://isearch.fantastigames.com/web?src=ieb&gct=ds&appid=100&systemid=439&q={searchTerms}
    Deleted [Search Provider] : hxxp://www.amazon.com/websearch/ref=bit_bds-p18_serp_ie_us_display?ie=UTF8&tag=bds-p18-serp-us-ie-20&tagbase=bds-p18&tbrId=v1_abb-channel-18_069d38dd58d441bfa2ecdc5d36ec726d_18_38_20130202_US_ie_ds_OC1&query={searchTerms}
    Deleted [Search Provider] : hxxp://dts.search-results.com/sr?src=crb&gct=ds&appid=394&systemid=406&apn_uid=4538510442404356&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
    Deleted [Search Provider] : hxxp://search.babylon.com/?q={searchTerms}&affID=119969&tt=gc_&babsrc=SP_ss_din2g&mntrId=74BE00111102A3C5
    Deleted [Search Provider] : hxxp://www.delta-search.com/?q={searchTerms}&affID=119969&tt=gc_&babsrc=SP_ss&mntrId=74BE00111102A3C5
    Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
    Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3324850&octid=EB_ORIGINAL_CTID&ISID=25faf152-5803-4400-abb8-8032893ecb8d&SearchSource=58&CUI=&UM=6&UP=SP6579FFA9-6CD2-48A7-96F2-D1B148CA5DCA&q={searchTerms}&SSPV=
    Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=ORJ&o=&locale=&apn_uid=9B4E1154-7C4E-4941-808B-C76771C6F81B&apn_ptnrs=TV&apn_sauid=F737E786-4CD5-4EC0-8B41-A77C0D8BB0F3&apn_dtid=OSJ000YYUS&q={searchTerms}
    Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
    Deleted [Search Provider] : hxxp://start.sweetpacks.com?src=6&q={searchTerms}&barid={B7425721-CA0D-11E2-9C65-00111102A3C5}&crg=3.5000006.10042&st=23
    Deleted [Search Provider] : hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^0D^xdm146^YY^us&ptb=33716463-4540-4491-83E3-62C83B1E3C55&ind=2013012717&n=77fc22ed&psa=&st=sb&searchfor={searchTerms}
    Deleted [Search Provider] : hxxp://search.fbdownloader.com/search.php?channel=sfus205&q={searchTerms}
    Deleted [Search Provider] : hxxp://rocket-find.com/results.php?f=4&q={searchTerms}&a=rckt_coinis_14_27_ie&cd=2XzuyEtN2Y1L1QzutDtDtCtCtCtCtDtB0AtA0CyD0DyDyCtBtN0D0Tzu0SzytCyBtN1L2XzutBtFtBtCtFtCtCtFtCtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyD0D0FyB0EtC0FyDtG0DyEtC0CtGyCzyzytDtGyBtB0FzytGtBtB0A0Bzy0FtC0CtCtDzytC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyByB0FtBtDyDyEyEtG0FtCtA0AtGyD0B0CzytG0F0AzyyDtGyB0CyD0BtDtB0F0Azy0EyDzz2Q&cr=1492929178&ir=
    Deleted [Startup_urls] : hxxp://www.trovi.com/?gd=&ctid=CT3324850&octid=EB_ORIGINAL_CTID&ISID=25faf152-5803-4400-abb8-8032893ecb8d&SearchSource=55&CUI=&UM=6&UP=SP6579FFA9-6CD2-48A7-96F2-D1B148CA5DCA&SSPV=
    Deleted [Startup_urls] : hxxp://www.searchnu.com/406?appid=394
    Deleted [Startup_urls] : hxxp://rocket-find.com/?f=7&a=rckt_coinis_14_27_ie&cd=2XzuyEtN2Y1L1QzutDtDtCtCtCtCtDtB0AtA0CyD0DyDyCtBtN0D0Tzu0SzytCyBtN1L2XzutBtFtBtCtFtCtCtFtCtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyD0D0FyB0EtC0FyDtG0DyEtC0CtGyCzyzytDtGyBtB0FzytGtBtB0A0Bzy0FtC0CtCtDzytC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyByB0FtBtDyDyEyEtG0FtCtA0AtGyD0B0CzytG0F0AzyyDtGyB0CyD0BtDtB0F0Azy0EyDzz2Q&cr=1492929178&ir=
    Deleted [Homepage] : hxxp://www.trovi.com/?gd=&ctid=CT3324850&octid=EB_ORIGINAL_CTID&ISID=25faf152-5803-4400-abb8-8032893ecb8d&SearchSource=55&CUI=&UM=6&UP=SP6579FFA9-6CD2-48A7-96F2-D1B148CA5DCA&SSPV=
    Deleted [Extension] : gjkpcnacdgdlpfejlgflolpaigoicibh
    *************************
    AdwCleaner[R0].txt - [25259 octets] - [29/10/2013 12:16:12]
    AdwCleaner[R1].txt - [12299 octets] - [22/04/2014 11:54:57]
    AdwCleaner[R2].txt - [6048 octets] - [02/06/2014 19:11:46]
    AdwCleaner[R3].txt - [2965 octets] - [04/07/2014 21:56:36]
    AdwCleaner[R4].txt - [5196 octets] - [06/07/2014 12:07:15]
    AdwCleaner[S0].txt - [25414 octets] - [29/10/2013 12:17:17]
    AdwCleaner[S1].txt - [11488 octets] - [22/04/2014 11:58:58]
    AdwCleaner[S2].txt - [6107 octets] - [02/06/2014 19:12:58]
    AdwCleaner[S3].txt - [4783 octets] - [04/07/2014 21:57:48]
    AdwCleaner[S4].txt - [5171 octets] - [06/07/2014 12:09:04]
    ########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [5231 octets] ##########
     

    Attached Files:
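
Added example, not part of the original thread: a small Python parser for the AdwCleaner report format posted above, which counts deleted entries per section and pulls the hosts out of the defanged `hxxp` browser entries. The sample input is constructed from lines of that report with query strings shortened, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: lines taken from the report above, query strings shortened.
SAMPLE = r"""# AdwCleaner v3.214 - Report created 06/07/2014 at 12:09:04
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted : C:\Documents and Settings\Leon\Application Data\Systweak
File Deleted : C:\WINDOWS\system32\roboot.exe
***** [ Registry ] *****
Key Deleted : HKCU\Software\InstallCore
***** [ Browsers ] *****
-\\ Google Chrome v35.0.1916.153
Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Startup_urls] : hxxp://www.trovi.com/?gd=&ctid=CT3324850
Deleted [Startup_urls] : hxxp://www.searchnu.com/406?appid=394
Deleted [Homepage] : hxxp://www.trovi.com/?gd=&ctid=CT3324850
Deleted [Extension] : gjkpcnacdgdlpfejlgflolpaigoicibh
"""

SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ENTRY = re.compile(r"^(?:(\w+) )?Deleted(?: \[(\w[\w ]*)\])? : (.+)$")

def parse_report(text):
    """Return (deleted-entry count per section, hosts per browser setting)."""
    section, counts, hosts = None, defaultdict(int), defaultdict(set)
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY.match(line)
        if not m or section is None:
            continue  # header comments, browser banners, blank lines
        counts[section] += 1
        kind, value = m.group(2), m.group(3)
        if kind and value.startswith("hxxp"):
            # Restore the defanged scheme only so urlsplit can parse it; nothing is fetched.
            hosts[kind].add(urlsplit("http" + value[4:]).hostname)
    return dict(counts), {k: sorted(v) for k, v in hosts.items()}

def persistence_hosts(hosts):
    """Hosts that were set as homepage or startup page, i.e. what loads on launch."""
    return sorted(set(hosts.get("Homepage", [])) | set(hosts.get("Startup_urls", [])))
```

Running `parse_report` over successive reports (the `[S0]` to `[S4]` files listed at the end of the log) and comparing `persistence_hosts` between them shows which homepage or startup entries keep being re-added after a clean.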

  8. 2oldGeek

    2oldGeek Active member

    You attached the fixlist.txt that I sent you. After you have run it there will be a fixlog.txt that I need to see. Please attach it and tell me how the PC is doing now.
     
  9. triviaace

    triviaace Regular member

    Sorry about that.
     

    Attached Files:

  10. triviaace

    triviaace Regular member

    Trovi et al appear in new tabs at opening.
     
  11. 2oldGeek

    2oldGeek Active member

    I still haven't seen the fixlog.txt... were you able to run the fixlist.txt??
    You need to use FRST.exe; it's for 32-bit.
    Try it again:
    It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

    Run FRST and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

    2oG
     
  12. triviaace

    triviaace Regular member

    I hope that this is it.
     

    Attached Files:

  13. 2oldGeek

    2oldGeek Active member

    No, It's FIXLOG.TXT... log
     
  14. 2oldGeek

    2oldGeek Active member

    No, It's FIXLOG.TXT... log not list..
     
  15. triviaace

    triviaace Regular member

    I finally got it. I have to learn how to read instructions carefully. Sorry.
     

    Attached Files:

  16. 2oldGeek

    2oldGeek Active member

    Know what you mean. I have to avoid electric fences. :confused:

    Tell me what it's doing so I'll know what to look for and what to do about it......

    2oG
     
  17. triviaace

    triviaace Regular member

    It seems as though everything is ok and I don't see any of the spyware programs popping up. Thanks for your assistance.
     
  18. 2oldGeek

    2oldGeek Active member

    You're welcome and happy to be able to help.
    Surf safely.

    2oG
     
  19. triviaace

    triviaace Regular member

    I thought that Trovi was gone but it popped up again. I did not download any new software and I cannot find Trovi anywhere on my computer. Is there any way I can get rid of it once and for all?
     
  20. 2oldGeek

    2oldGeek Active member

    Well fudge.. I thought we got it.. It is in your Chrome browser and sometimes Chrome doesn't want to give up things very easily. lol

    Let's run a fresh scan with FRST and this time I'll see if I can get it from a different direction...

    Step 1

    Please download -> Farbar Recovery Scan Tool and save it to your desktop.
    Note: You need to run the version compatible with your system (32 or 64bit). If you are not sure which version applies to your system download both of them and try to run them.
    Only one of them will run on your system, that will be the correct version.

    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

    Step 2

    After you generate both reports, please attach them. There is a button below. Use it to attach all reports.

    Location of the reports:

    FRST.txt and Addition.txt --> are on the desktop or in the same folder where you downloaded FRST

    If you have difficulties attaching the reports, just open them and copy/paste their content into the topic.


    2oG
     
