Google Chrome and IE8 Hijacked

The only Addition.txt I could find was the one downloaded on 7/5/14.

 

Looks like Trovi is sitting at the first FRST.txt entry under Chrome.

 

That's OK.. I really don't need it and it only makes it on the first run. sorry about the confusion, I didn't tell you.

I'll go over the log and get back to you a little later.. shouldn't be a problem, I just over looked that Chrome hung on to it..

2oG

 

Addition.txt is from 7/5/14 since one didn't come up on this latest scan. Looking at FRST.txt, Trovi appears on the first entry under Chrome.

 

Some of these Browser Hijackers can be really stubborn to remove. Once it is installed, it can reconfigure browser default settings. To ensure its auto-start up, it places its registry entries into the kernel part of the system and disables some service on the machine in order to protect itself from being removed.

First, I would like for you to reset Chrome using it's own reset. Then, if by chance that don't take it out, I will use a little brute force on it.

Go here and follow instructions to reset Chrome:
https://support.google.com/chrome/answer/3296214?hl=en

Let me know if it works..

2oG

 

opps, I picked up the wrong link.lol
reset here
https://support.google.com/chrome/answer/3296214?hl=en

 

Looks like Trovi is still sitting at the first FRST.txt entry under Chrome.

 

You did reset, reboot and it's still on Chrome?

 

I rebooted and Trovi is still there. I copied several lines from FRST.txt shown below:

Chrome:
=======
CHR HomePage: hxxp://www.trovi.com/?gd=&ctid=CT3324850&octid=EB_ORIGINAL_CTID&ISID=25faf152-5803-4400-abb8-8032893ecb8d&SearchSource=55&CUI=&UM=6&UP=SP6579FFA9-6CD2-48A7-96F2-D1B148CA5DCA&SSPV=
CHR StartupUrls: "hxxp://norton/"
CHR Extension: (Google Docs) - C:\Documents and Settings\Leon\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-05]
CHR Extension: (Google Drive) - C:\Documents and Settings\Leon\Local Settings

 

Yeah, I know it's there.. It's just that Chrome is extremely difficult to work with and if not very careful it can be broken. I really don't like to break things.

We can go the safe ways first and if that does not work, we'll go with the Big Guns...... Evidently this is a newer ver that I have ran across.

This is safe and should do it. I keep my fingers crossed.

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

• Click on the Scan button.
• After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

• After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
• Please attach this log in your reply..

2oG

 

Attached is the AdwCleaner[S5].txt. It looks as though Trovi has been deleted.

# AdwCleaner v3.215 - Report created 11/07/2014 at 22:12:29
# Updated 09/07/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Leon - MAGILL-1FRN6M5P
# Running from : C:\Documents and Settings\Leon\My Documents\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\ibnjmihbbanannlbobkbmnmckjnmdnom
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ibnjmihbbanannlbobkbmnmckjnmdnom
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{DD85D6BF-4787-4A93-99A5-3F0CF0AE8834}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Google Chrome v35.0.1916.153

[ File : C:\Documents and Settings\Leon\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://isearch.fantastigames.com/web?src=ieb&gct=ds&appid=100&systemid=439&q={searchTerms}
Deleted [Search Provider] : hxxp://www.amazon.com/websearch/ref=bit_bds-p18_serp_ie_us_display?ie=UTF8&tag=bds-p18-serp-us-ie-20&tagbase=bds-p18&tbrId=v1_abb-channel-18_069d38dd58d441bfa2ecdc5d36ec726d_18_38_20130202_US_ie_ds_OC1&query={searchTerms}
Deleted [Search Provider] : hxxp://dts.search-results.com/sr?src=crb&gct=ds&appid=394&systemid=406&apn_uid=4538510442404356&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
Deleted [Search Provider] : hxxp://search.babylon.com/?q={searchTerms}&affID=119969&tt=gc_&babsrc=SP_ss_din2g&mntrId=74BE00111102A3C5
Deleted [Search Provider] : hxxp://www.delta-search.com/?q={searchTerms}&affID=119969&tt=gc_&babsrc=SP_ss&mntrId=74BE00111102A3C5
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
Deleted [Search Provider] : hxxp://rocket-find.com/results.php?f=4&q={searchTerms}&a=rckt_coinis_14_27_ie&cd=2XzuyEtN2Y1L1QzutDtDtCtCtCtCtDtB0AtA0CyD0DyDyCtBtN0D0Tzu0SzytCyBtN1L2XzutBtFtBtCtFtCtCtFtCtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyD0D0FyB0EtC0FyDtG0DyEtC0CtGyCzyzytDtGyBtB0FzytGtBtB0A0Bzy0FtC0CtCtDzytC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyByB0FtBtDyDyEyEtG0FtCtA0AtGyD0B0CzytG0F0AzyyDtGyB0CyD0BtDtB0F0Azy0EyDzz2Q&cr=1492929178&ir=
Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3324850&octid=EB_ORIGINAL_CTID&ISID=25faf152-5803-4400-abb8-8032893ecb8d&SearchSource=58&CUI=&UM=6&UP=SP6579FFA9-6CD2-48A7-96F2-D1B148CA5DCA&q={searchTerms}&SSPV=
Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=ORJ&o=&locale=&apn_uid=9B4E1154-7C4E-4941-808B-C76771C6F81B&apn_ptnrs=TV&apn_sauid=F737E786-4CD5-4EC0-8B41-A77C0D8BB0F3&apn_dtid=OSJ000YYUS&q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Search Provider] : hxxp://start.sweetpacks.com?src=6&q={searchTerms}&barid={B7425721-CA0D-11E2-9C65-00111102A3C5}&crg=3.5000006.10042&st=23
Deleted [Search Provider] : hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^0D^xdm146^YY^us&ptb=33716463-4540-4491-83E3-62C83B1E3C55&ind=2013012717&n=77fc22ed&psa=&st=sb&searchfor={searchTerms}
Deleted [Search Provider] : hxxp://search.fbdownloader.com/search.php?channel=sfus205&q={searchTerms}
Deleted [Homepage] : hxxp://www.trovi.com/?gd=&ctid=CT3324850&octid=EB_ORIGINAL_CTID&ISID=25faf152-5803-4400-abb8-8032893ecb8d&SearchSource=55&CUI=&UM=6&UP=SP6579FFA9-6CD2-48A7-96F2-D1B148CA5DCA&SSPV=
Deleted [Extension] : gjkpcnacdgdlpfejlgflolpaigoicibh
Deleted [Extension] : ibnjmihbbanannlbobkbmnmckjnmdnom

*************************

AdwCleaner[R0].txt - [25259 octets] - [29/10/2013 12:16:12]
AdwCleaner[R1].txt - [12299 octets] - [22/04/2014 11:54:57]
AdwCleaner[R2].txt - [6048 octets] - [02/06/2014 19:11:46]
AdwCleaner[R3].txt - [2965 octets] - [04/07/2014 21:56:36]
AdwCleaner[R4].txt - [5196 octets] - [06/07/2014 12:07:15]
AdwCleaner[R5].txt - [8105 octets] - [11/07/2014 13:54:09]
AdwCleaner[R6].txt - [2217 octets] - [11/07/2014 22:11:16]
AdwCleaner[S0].txt - [25414 octets] - [29/10/2013 12:17:17]
AdwCleaner[S1].txt - [11488 octets] - [22/04/2014 11:58:58]
AdwCleaner[S2].txt - [6107 octets] - [02/06/2014 19:12:58]
AdwCleaner[S3].txt - [4783 octets] - [04/07/2014 21:57:48]
AdwCleaner[S4].txt - [5311 octets] - [06/07/2014 12:09:04]
AdwCleaner[S5].txt - [4493 octets] - [11/07/2014 22:12:29]

########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt - [4553 octets] ##########

 

Well, that seems to have gotten it.. I'll know with the next victim just what to use on it...

Hope everything else is OK. If you need anything else, I'll be here...

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore
Click Run button and wait a few seconds for the program to complete his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)
(no need to post it)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and creates a fresh system restore point after cleaning.


2oG

 

Thanks for the assistance. I hope that this is the last I see of Trovi etal.

 

You're very welcome, just happy I could help you.

And I learned something with this experience that I can help someone else with..

Keep your guard up,

2oG