
Browser Extension has taken over my Address Bar through possible Broswer Hijack


19 replies to this topic

#1 TooTallGar


Posted 18 April 2024 - 11:42 PM

So I have been dealing with this issue for almost a week now. I had a browser extension enabled on both Microsoft Edge and Chrome that was called "Volume Booster". I came under the impression a couple days ago that this extension has been hijacked and will take over your browser and change the settings, which has happened to me. My settings now say "Your browser is managed by your organization", meaning the browser extension. I have gotten rid of the extension, but this has not gotten rid of the problem. Whenever I search through the address bar, instead of searching through Google, it redirects me through multiple sites such as MyHoroscopePro, qtrsearch, kosearch, etc. and then lands on Yahoo. I have looked up ways to fix this and have tried multiple things to try to find the source of the problem and get rid of it, but nothing has worked.

I have tried completely resetting and clearing my settings and cache on both browsers, I have run multiple scans with different anti-malware programs, I have gone into my RegEdit and cleared the policies on both browsers, I have updated the Group Policies using administrative cmd commands, I have gone into my local files in my AppData and deleted both extension folders, and tried every little setting change on both browsers that I could have done. Sometimes it temporarily fixes it, but it has returned after a couple hours, so the host is still living somewhere, either in my web browser or on my PC. I find it weird that no malware scanner has found anything on my PC, so I'm led to believe that it is in my browser specifically.

If anyone could help me figure out what the host could be or any other way that I could try to get rid of it, I would be more than thankful. This has plagued my browsers for days and I am worried about keeping this issue on my PC leading to more problems in the future.

Thank you.


Edited by TooTallGar, 19 April 2024 - 03:08 PM.




#2 dennis_l (Malware Response Team)

Posted 19 April 2024 - 02:49 AM

Hi TooTallGar,
My name is Dennis and I will assist you with your computer problems.
Please read through these guidelines before we start.

  • Back up any important data, as a precaution before starting this process.
  • If you are unsure about anything then please ask. This makes the task much easier in the long run.
  • Do not run any other tools or make changes to your system during the removal process.
  • Please do not start a new topic and keep all replies in this thread.
  • Follow the instructions in the sequence advised.
  • Copy and paste the logs into the reply. I will advise if anything needs to be added as an attachment.
  • Here at Bleeping Computer we are mostly volunteers, so please be patient with us. I’ll try to respond within 24 hours. You will be advised if it is expected to be longer than 48 hours.
  • Please let me know if you are going to be delayed in responding. If you do not reply after 5 days, I’ll assume you do not want to continue and will close the topic.
  • Sometimes things might seem to be resolved, but there may still need to be more checks necessary, so please wait until I give the all clear.

Firstly I'd like you to follow the steps outlined here: Preparation Guide
Section 6 covers how to download and run the Farbar Recovery Scan Tool (FRST).
Note: If you receive a warning about the download, it is a false positive and you can safely ignore it.
Please copy and paste both FRST logs into your reply. If you get an error message advising that the content is too long, you should post 2 separate replies.

Dennis



#3 TooTallGar (Topic Starter)

Posted 19 April 2024 - 11:35 AM

I have run FRST and included both results from the test.

Attached Files


Edited by TooTallGar, 19 April 2024 - 11:35 AM.


#4 dennis_l (Malware Response Team)

Posted 19 April 2024 - 11:44 AM

Thanks.

Please give me some time to check your logs and I will get back to you asap.



#5 TooTallGar (Topic Starter)

Posted 19 April 2024 - 03:13 PM

Sounds good, thank you.



#6 dennis_l (Malware Response Team)

Posted 20 April 2024 - 07:34 AM

There are some items that we need to remove, to try and resolve this issue.
Firstly I have some observations and questions for you to consider.
1) Please check your Downloads folder and remove anything that you do not recognise, do not need or are unsure about.
2) I see that you have Peer 2 Peer torrent software installed. It is likely that if you continue to use this, you will become infected, as malicious Worms, Trojans & Ransomware can spread across P2P file sharing networks.
It would be wise to uninstall Peer 2 Peer programs, but that choice is up to you. If you choose to remove the program, you can do so via Start > Windows System > Control Panel > Programs and Features.
However, if you still wish to keep it, please do not use it until we are finished and your computer is clean and updated.
3) Please note that Adobe Flash Player is no longer supported and is a security risk.
Details of the uninstall procedure can be found here.
4) Please advise if you recognise these open firewall ports?

FirewallRules: [{519A6EB9-F111-4E70-99AB-CE9D6C92302B}] => (Allow) LPort=2333
FirewallRules: [{5A403F03-616A-453A-9C9E-8713A9355490}] => (Allow) LPort=9143
FirewallRules: [{A46ADBDC-B6B5-44C1-809C-FBB2D14C1CA2}] => (Allow) LPort=8501
FirewallRules: [{AA45A49C-8C80-4462-B309-F06460FADFCB}] => (Allow) LPort=8501
FirewallRules: [{B76E912D-5E41-4BF4-96E5-1CF967C50642}] => (Allow) LPort=3306
FirewallRules: [{023CD626-AE5B-40CB-BC97-A9F6A27D4BE9}] => (Allow) LPort=33060

We could always reset your firewall, but this would require you to re-authorise a number of genuine connections, so I'd ask for your go-ahead before proceeding.
---------------------------------------------------------------
5) Could you please run this FRST script next.
As a part of this I have included the Emptytemp: command.
Note: This will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
Important: This script was written specifically for you, for use only on this machine. Running this on another machine may cause damage to your operating system.

  • Right click on the FRST icon and select Run as administrator.
  • Highlight all of the information in the text box below then hit the Ctrl + C keys together to copy the text.
  • It is not necessary to paste the information anywhere as FRST will do this for you.
Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
Folder: C:\Users\Garrett's PC\AppData\Local\OAC
Folder: C:\Users\Garrett's PC\AppData\LocalLow\For Fun Labs
Task: {C9FF2BDD-2B05-4EDD-B4D0-C727514EE79F} - System32\Tasks\NvOptimizerTaskUpdater_V2 => C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe [455680 2024-02-17] (Microsoft Windows -> Microsoft Corporation) -> -File C:/Windows/System32/NvWinSearchOptimizer.ps1 <==== ATTENTION
2024-04-11 14:24 - 2024-04-11 14:24 - 000000271 _____ C:\WINDOWS\system32\NvWinSearchOptimizer.ps1
2024-04-11 14:24 - 2024-04-11 14:24 - 000003586 _____ C:\WINDOWS\system32\Tasks\NvOptimizerTaskUpdater_V2
2024-04-11 14:24 - 2024-04-11 14:24 - 000001882 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VLC.lnk
2024-04-11 14:24 - 2024-04-11 14:24 - 000000000 ____D C:\WINDOWS\NvOptimizerLog
2024-04-11 14:24 - 2024-04-11 14:24 - 000000000 ____D C:\Users\Garrett's PC\AppData\Local\vlc-updater
2024-04-11 14:24 - 2024-04-11 14:24 - 000000000 ____D C:\Users\Garrett's PC\AppData\Local\TaskUpdater
2024-04-14 22:27 - 2024-04-14 22:27 - 000000000 ____D C:\WINDOWS\InternalKernelGrid4
ShortcutWithArgument: C:\Users\Garrett's PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --google-base-url=hxxps://qtrsearch.com --extensions-on-chrome-urls --load-extension=C:\Windows\InternalKernelGrid4
ShortcutWithArgument: C:\Users\Garrett's PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --google-base-url=hxxps://qtrsearch.com --extensions-on-chrome-urls --load-extension=C:\Windows\InternalKernelGrid4
ShortcutWithArgument: C:\Users\Garrett's PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\63e1f6e8d7f2f9e7\Honey.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --google-base-url=hxxps://qtrsearch.com --extensions-on-chrome-urls --load-extension=C:\Windows\InternalKernelGrid4
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --google-base-url=hxxps://qtrsearch.com --extensions-on-chrome-urls --load-extension=C:\Windows\InternalKernelGrid4
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --google-base-url=hxxps://qtrsearch.com --extensions-on-chrome-urls --load-extension=C:\Windows\InternalKernelGrid4
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
AlternateDataStreams: C:\Logs:err [1154]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [274]
AlternateDataStreams: C:\Users\Garrett's PC\Downloads\avg_antivirus_free_setup.exe:MBAM.Zone.Identifier [213]
AlternateDataStreams: C:\Users\Garrett's PC\Downloads\CCSetup.exe:MBAM.Zone.Identifier [143]
AlternateDataStreams: C:\Users\Garrett's PC\Downloads\ccsetup623.exe:MBAM.Zone.Identifier [215]
AlternateDataStreams: C:\Users\Garrett's PC\Downloads\spybotsd_2.9.85.5.exe:MBAM.Zone.Identifier [321]
AlternateDataStreams: C:\Users\Garrett's PC\Downloads\spywareblastersetup60.exe:MBAM.Zone.Identifier [322]
AlternateDataStreams: C:\Users\Public\AppData:CSM [120]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [466]
Task: {66B84CFC-3A3D-4B14-883B-2323AB78C3D3} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {F4D2A29D-AD41-421B-851C-B83A5787B789} - System32\Tasks\ASUS\P508PowerAgent_sdk => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ShareFromArmouryIII\Mouse\ROG STRIX CARRY\P508PowerAgent.exe  (No File)
Task: {F61E5179-8E0B-494A-B3AB-EB022280C611} - System32\Tasks\MySQLNotifierTask => "C:\Program Files (x86)\MySQL\MySQL Notifier 1.1MySQLNotifier.exe"  --c (No File)
ContextMenuHandlers1: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File
ContextMenuHandlers1: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File
ContextMenuHandlers2: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File
ContextMenuHandlers2: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} =>  -> No File
ContextMenuHandlers6: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File
ContextMenuHandlers6: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File
S3 cpuz149; \??\C:\Users\GARRET~1\AppData\Local\Temp\cpuz149\cpuz149_x64.sys [X] <==== ATTENTION
S3 cpuz152; \??\C:\WINDOWS\temp\cpuz152\cpuz152_x64.sys [X] <==== ATTENTION
S3 cpuz157; \??\C:\WINDOWS\temp\cpuz157\cpuz157_x64.sys [X] <==== ATTENTION
S1 EneTechIo; \??\C:\WINDOWS\system32\drivers\ene.sys [X]
S3 hsstap; \SystemRoot\System32\drivers\hsstap.sys [X]
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Removeproxy:
Emptytemp:
End::
  • Click on the Fix button just once and wait.
  • If the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When it's finished FRST will generate a log in the location you ran the tool from. (Fixlog.txt).

Copy the contents from this text file and paste into your next reply.
Please advise if the redirects have stopped now and whether the "Your browser is managed by your organization" message is still present.
Also advise on question 4) above.
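The ShortcutWithArgument entries in the script above are the detail most worth automating a check for: a Chrome shortcut that launches chrome.exe with --google-base-url, --extensions-on-chrome-urls and --load-extension pointing at a folder under C:\Windows is what a hijacked address-bar search looks like from the filesystem side, and it survives extension removal and profile resets because the shortcut re-applies it on every launch. The following is an added example, not Dennis's code and not part of FRST: a Python triage of FRST ShortcutWithArgument lines that flags those switches, run over two lines copied from the log above plus constructed benign lines.

```python
import re
from dataclasses import dataclass, field

# Chromium command-line switches that a normal desktop shortcut has no reason to
# carry. All three appear on the hijacked Chrome .lnk files in the FRST log above.
SUSPICIOUS_SWITCHES = {
    "--load-extension",             # side-loads an unpacked extension from a folder on disk
    "--google-base-url",            # points omnibox searches at an arbitrary host
    "--extensions-on-chrome-urls",  # lets extensions act on chrome:// pages
}

# FRST line shape: "ShortcutWithArgument: <lnk> -> <target.exe> (<publisher>) -> <arguments>"
SHORTCUT_RE = re.compile(
    r"^ShortcutWithArgument:\s+(?P<lnk>.+?\.lnk)\s+->\s+(?P<target>.+?\.exe)"
    r"(?:\s+\([^)]*\))?\s+->\s+(?P<args>.*)$",
    re.IGNORECASE,
)


@dataclass
class ShortcutFinding:
    lnk: str
    target: str
    switches: dict                 # switch name -> value ("" for a bare switch)
    suspicious: list = field(default_factory=list)


def parse_switches(args: str) -> dict:
    """Split a Chromium argument string into {switch: value}; non-switch tokens are ignored."""
    switches = {}
    for token in args.split():
        if not token.startswith("--"):
            continue
        name, _, value = token.partition("=")
        switches[name] = value
    return switches


def triage_frst_lines(lines):
    """Return a ShortcutFinding for every ShortcutWithArgument line carrying a hijack switch."""
    findings = []
    for line in lines:
        match = SHORTCUT_RE.match(line.strip())
        if not match:
            continue
        switches = parse_switches(match.group("args"))
        hits = sorted(name for name in switches if name in SUSPICIOUS_SWITCHES)
        if hits:
            findings.append(ShortcutFinding(match.group("lnk"), match.group("target"), switches, hits))
    return findings


# Sample input: two lines copied from the log above, one constructed benign shortcut
# (a plain profile-selection switch) and one constructed non-shortcut line that is ignored.
SAMPLE_FRST_LINES = [
    r"ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> "
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> "
    r"--google-base-url=hxxps://qtrsearch.com --extensions-on-chrome-urls --load-extension=C:\Windows\InternalKernelGrid4",
    r"ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> "
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> "
    r"--google-base-url=hxxps://qtrsearch.com --extensions-on-chrome-urls --load-extension=C:\Windows\InternalKernelGrid4",
    r"ShortcutWithArgument: C:\Users\Public\Desktop\Work Profile.lnk -> "
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --profile-directory=Default",
    r"HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION",
]


if __name__ == "__main__":
    for finding in triage_frst_lines(SAMPLE_FRST_LINES):
        print(f"{finding.lnk}\n  launches {finding.target} with {', '.join(finding.suspicious)}")
        if "--load-extension" in finding.switches:
            print(f"  side-loaded extension folder: {finding.switches['--load-extension']}")
```

The same parse applies to any FRST log; a clean machine yields no findings, and the --load-extension value tells you which folder to look at.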

 



#7 TooTallGar (Topic Starter)

Posted 20 April 2024 - 10:06 AM

For the open firewall ports, how can I ID what these ports are so I can see if I know what they are? I haven't looked too far into my ports before so I'm not sure if I need them open or not.

I have run the Fix through FRST and it did clear the issue on Chrome and it is working okay for now, however, Edge is still redirecting and is still "managed by your organization". In the extensions on Edge, it shows a greyed out extension called "Simple New Tab" and I can't remove it or change any settings with it.

I have also uninstalled Adobe Flash Player.

Here's the result of the FRST fix:

Fix result of Farbar Recovery Scan Tool (x64) Version: 19.04.2024 01
Ran by Garrett's PC (20-04-2024 10:58:19) Run:1
Running from C:\Users\Garrett's PC\Desktop
Loaded Profiles: Garrett's PC & SQLTELEMETRY$SQLEXPRESS & MSSQL$SQLEXPRESS
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
*****************
 
SystemRestore: On => completed
Restore point was successfully created.
Processes closed successfully.
 
========================= Folder: C:\Users\Garrett's PC\AppData\Local\OAC ========================
 
 
====== End of Folder: ======
 
 
========================= Folder: C:\Users\Garrett's PC\AppData\LocalLow\For Fun Labs ========================
 
 
====== End of Folder: ======
 
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C9FF2BDD-2B05-4EDD-B4D0-C727514EE79F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C9FF2BDD-2B05-4EDD-B4D0-C727514EE79F}" => removed successfully
C:\WINDOWS\System32\Tasks\NvOptimizerTaskUpdater_V2 => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\NvOptimizerTaskUpdater_V2" => removed successfully
C:\WINDOWS\system32\NvWinSearchOptimizer.ps1 => moved successfully
"C:\WINDOWS\system32\Tasks\NvOptimizerTaskUpdater_V2" => not found
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VLC.lnk => moved successfully
 
"C:\WINDOWS\NvOptimizerLog" Folder move:
 
C:\WINDOWS\NvOptimizerLog => moved successfully
 
"C:\Users\Garrett's PC\AppData\Local\vlc-updater" Folder move:
 
C:\Users\Garrett's PC\AppData\Local\vlc-updater => moved successfully
 
"C:\Users\Garrett's PC\AppData\Local\TaskUpdater" Folder move:
 
C:\Users\Garrett's PC\AppData\Local\TaskUpdater => moved successfully
 
"C:\WINDOWS\InternalKernelGrid4" Folder move:
 
C:\WINDOWS\InternalKernelGrid4 => moved successfully
C:\Users\Garrett's PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument removed successfully
C:\Users\Garrett's PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk => Shortcut argument removed successfully
C:\Users\Garrett's PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\63e1f6e8d7f2f9e7\Honey.lnk => Shortcut argument removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully
C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate => removed successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => removed successfully
C:\Logs => ":err" ADS removed successfully
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully
C:\Users\Garrett's PC\Downloads\avg_antivirus_free_setup.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\Garrett's PC\Downloads\CCSetup.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\Garrett's PC\Downloads\ccsetup623.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\Garrett's PC\Downloads\spybotsd_2.9.85.5.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\Garrett's PC\Downloads\spywareblastersetup60.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\Public\AppData => ":CSM" ADS removed successfully
C:\Users\Public\Shared Files => ":VersionCache" ADS removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{66B84CFC-3A3D-4B14-883B-2323AB78C3D3}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{66B84CFC-3A3D-4B14-883B-2323AB78C3D3}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F4D2A29D-AD41-421B-851C-B83A5787B789}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F4D2A29D-AD41-421B-851C-B83A5787B789}" => removed successfully
C:\WINDOWS\System32\Tasks\ASUS\P508PowerAgent_sdk => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS\P508PowerAgent_sdk" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F61E5179-8E0B-494A-B3AB-EB022280C611}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F61E5179-8E0B-494A-B3AB-EB022280C611}" => removed successfully
C:\WINDOWS\System32\Tasks\MySQLNotifierTask => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MySQLNotifierTask" => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\SDECon32 => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\SDECon64 => removed successfully
HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers\SDECon32 => removed successfully
HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers\SDECon64 => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxDTCM => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\SDECon32 => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\SDECon64 => removed successfully
HKLM\System\CurrentControlSet\Services\cpuz149 => removed successfully
cpuz149 => service removed successfully
HKLM\System\CurrentControlSet\Services\cpuz152 => removed successfully
cpuz152 => service removed successfully
HKLM\System\CurrentControlSet\Services\cpuz157 => removed successfully
cpuz157 => service removed successfully
HKLM\System\CurrentControlSet\Services\EneTechIo => removed successfully
EneTechIo => service removed successfully
HKLM\System\CurrentControlSet\Services\hsstap => removed successfully
hsstap => service removed successfully
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset C:\resettcpip.txt =========
 
Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
 
========= End of CMD: =========
 
 
========= Bitsadmin /Reset /Allusers =========
 
 
BITSADMIN version 3.0
BITS administration utility.
© Copyright Microsoft Corp.
 
{2ED9A4DF-A3C9-400E-8E33-5914D3714A07} canceled.
1 out of 1 jobs canceled.
 
 
========= End of CMD: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
 
========= End of CMD: =========
 
 
========= RemoveProxy: =========
 
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
"HKU\S-1-5-21-1108670812-234273735-451653643-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\S-1-5-21-1108670812-234273735-451653643-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
 
 
========= End of RemoveProxy: =========
 
 
=========== EmptyTemp: ==========
 
FlushDNS => completed
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15087103 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 1779048832 B
Windows/system/drivers => 56616239 B
Edge => 0 B
Chrome => 502058691 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 16 B
systemprofile32 => 915098 B
LocalService => 927790 B
NetworkService => 927790 B
Garrett's PC => 57556174 B
SQLTELEMETRY$SQLEXPRESS => 57556174 B
MSSQL$SQLEXPRESS => 57556174 B
 
RecycleBin => 50197661 B
EmptyTemp: => 2.4 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 10:59:09 ====

Edited by TooTallGar, 20 April 2024 - 10:11 AM.


#8 dennis_l

  • Malware Response Team
  • Location:UK

Posted 20 April 2024 - 12:20 PM

I think that we should reset the firewall, as a precautionary measure. You might see a few prompts to re-allow some connections, but that would only be temporary.
Also, I'd like to reset the hosts file at the same time, but before we do this, could you please uninstall Spybot - Search & Destroy?
You can always re-install it later if you wish to continue using the tool.
-------------------------------------------------------
Before we look at the remaining Edge issues, I'd like you to run two scans, as follows.
Please download AdwCleaner.

  • Close all open programs and browsers
  • Right click on the icon and select Run as administrator
  • Click Scan Now
  • When the scan has finished AdwCleaner shows you all detected PUPs and adware.
  • If any are found, select them and click Quarantine. (I would suggest that you do not select Pre-installed applications for now, or any other items you wish to keep.)
  • AdwCleaner prompts you to save and close your work before continuing. Click Continue.
  • After cleaning, you are prompted to restart your device. Click Restart now to complete the cleanup process.

Once your computer has restarted ...

  •     If it doesn't open automatically, please start AdwCleaner.
  •     Click on View Log File button (This log can also be found in the Log Files tab).
  •     A Notepad file will open containing the results.
  •     Click Skip Basic Repair (if the option appears)
  •     Please post the contents of the file in your next reply.

----------------------------------------------------------
Then I'd like you to run a full scan with ESET Online Scanner.

  • Download ESET Online Scanner from here and save it to your Desktop.
  • Right click the esetonlinescanner.exe file you downloaded and select Run as administrator.
  • Select your desired language from the drop-down menu and click Get started.
  • Click Yes if a User Account window appears.
  • In the Terms of use screen, click Accept if you agree to the Terms of use.
  • Click Get started in the welcome screen.
  • Select your preference for the Customer Experience Improvement Program and the Detection feedback system. Click Continue.
  • Click Computer scan, in the Welcome back screen.
  • Choose Full scan on the next screen.
  • Select Enable ESET to detect and quarantine potentially unwanted applications. Then click Start scan.
  • Please note that this process can take several hours to complete.
  • At the end of the scan, the Found and resolved detections screen may be displayed. You can click View detailed results to view specific information. Click Continue.
  • On the following screen click Save scan log and save it to your Desktop as ESETScan.txt. Click Continue.
  • ESET Online Scanner will now ask if you wish to turn on the Periodic Scan feature. I suggest that you do not do this for now. Click Continue.
  • You are offered a 30 day trial of ESET Internet Security on the next screen. Click Continue.
  • On the next screen, you can leave feedback about the program if you wish.
  • There is an option to delete the application's data on closing, but we can do this later.
  • If you left feedback, click Submit and Close. If not, click Close.
  • Copy and paste the contents of the ESETScan.txt file in your next reply.


#9 TooTallGar
  • Topic Starter
  • Members

Posted 20 April 2024 - 01:06 PM

Yes, we can go ahead with the firewall reset.

 

I tried to run the ESET scan, but every time it finished doing the module update at the beginning of the scan, the program crashes and nothing happens. I've looked up this issue and have seen that others had the same/similar issue. Let me know what I should do with that.

 

Here's the results of the AdwCleaner: 

 

# -------------------------------
# Malwarebytes AdwCleaner 8.4.2.0
# -------------------------------
# Build:    03-04-2024
# Database: 2024-03-04.1 (Cloud)
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    04-20-2024
# Duration: 00:00:12
# OS:       Windows 10 (Build 19045.4291)
# Scanned:  32105
# Detected: 19
 
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
PUP.Optional.Legacy             C:\Users\Garrett's PC\AppData\Roaming\Installer.dat
PUP.Optional.Legacy             C:\Users\Garrett's PC\AppData\Roaming\agent.dat
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Hotfresh.exe
PUP.Optional.Legacy             HKLM\Software\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
PUP.Optional.Legacy             HKLM\Software\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
PUP.Optional.Legacy             HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Hotfresh.exe
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\S-1-5-80-1985561900-798682989-2213159822-1904180398-3434236965\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\S-1-5-80-1985561900-798682989-2213159822-1904180398-3434236965\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries found.
 
***** [ Chromium URLs ] *****
 
PUP.Optional.HelperBar          http://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGyjt9ihJPpQjuFSYdaqyR3YDLLWUooft1sS8X4OuRMW3lovS_nPdk_FwTkMeKOVGJLzEJE_MT4oR_x89U_3fLh-foXJMSnBZKxzsuvCVN-6XiLl6IPkgqRlavb03j7NUWdZMKup2NQGxInZ9W216ylRkUlPQD9m2Bwwp1FrAg,,
PUP.Optional.Legacy             http://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGyjt9ihJPpQjuFSYdaqyR3YDLLWUooft1sS8X4OuRMW3lovS_nPdk_FwTkMeKOVGJLzEJE_MT4oR_x89U_3fLh-foXJMSnBZKxzsuvCVN-6XiLl6IPkgqRlavb03j7NUWdZMKup2NQGxInZ9W216ylRkUlPQD9m2Bwwp1FrAg,,
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries found.
 
***** [ Firefox URLs ] *****
 
No malicious Firefox URLs found.
 
***** [ Hosts File Entries ] *****
 
No malicious hosts file entries found.
 
***** [ Preinstalled Software ] *****
 
No Preinstalled Software found.
 
 
 
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
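The two "Chromium URLs" hits in the log above point at a hostname written entirely in percent-encoding (`%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D`). The browser decodes that before it connects, so the encoding only hides the domain from a person reading the log, and from any tool that parses the URL without unescaping it first. The PowerShell below is an added example, not part of the thread or of AdwCleaner; it takes the URL lines of such a log (the two sample lines are copied from the log above with the long `p=` parameter shortened) and reports the decoded hostname, flagging entries where the host itself, not just the query string, was encoded.

```powershell
# Added example: decode percent-encoded hostnames in AdwCleaner "Chromium URLs" lines.
# Not part of the thread or of AdwCleaner. The sample lines are the two hits
# from the log above with the long p= parameter shortened (constructed input).

$sampleLines = @(
    'PUP.Optional.HelperBar          http://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpY',
    'PUP.Optional.Legacy             http://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpY'
)

function Get-DecodedDetectionUrl {
    param([Parameter(Mandatory)][string[]]$Lines)

    foreach ($line in $Lines) {
        # AdwCleaner lays URL hits out as "<detection name>   <url>"
        if ($line -match '^(?<sig>\S+)\s+(?<url>https?://\S+)') {
            $detection = $Matches.sig
            $rawUrl    = $Matches.url

            # [uri] refuses a hostname containing '%', which is exactly why a
            # parser that does not unescape first never sees the real domain.
            $decodedUrl = [uri]::UnescapeDataString($rawUrl)
            $parsed     = [uri]$decodedUrl

            # Authority = the part between "http://" and the first "/".
            # A '%' there means the hostname was obfuscated, not only the query.
            $rawAuthority = ($rawUrl -split '/', 4)[2]

            [pscustomobject]@{
                Detection   = $detection
                Host        = $parsed.Host
                HostEncoded = $rawAuthority.Contains('%')
                Path        = $parsed.AbsolutePath
                Query       = $parsed.Query
            }
        }
    }
}

# For the sample above this reports Host = feed.helperbar.com, HostEncoded = True
Get-DecodedDetectionUrl -Lines $sampleLines | Format-Table -AutoSize
```

To run it over a real log, replace `$sampleLines` with `Get-Content 'C:\AdwCleaner\Logs\AdwCleaner[S00].txt'`; lines without a URL are skipped, so the whole file can be fed in.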


#10 dennis_l

  • Malware Response Team
  • Location:UK

Posted 20 April 2024 - 01:26 PM

Did you quarantine the AdwCleaner detections?

We seem to be having a few issues with ESET at the moment, so let's run an alternative scanner.

Please run a scan with Emsisoft Emergency Kit.

  • Download and save the installation file from here:
  • Emsisoft
  • Double-click on the Emsisoft Emergency Kit setup file to start the installation process and then click on the Install button.
  • You may be presented with a User Account Control warning, asking you if you want to run this file. Click Yes to continue.
  • The downloaded package unpacks to “C:\EEK” by default and this folder now opens on your screen.
  • To start Emsisoft, double-click on the Start Emergency Kit Scanner icon in this folder.
  • You may get another User Account Control warning. Click Yes to continue.
  • Accept the Licence Agreement.
  • When you launch the program for the first time, Emsisoft Emergency Kit will automatically download updates. The Scan tab changes from orange to green when the update process is completed.
  • Leave the settings unchanged, which include detection of Potentially Unwanted Programs.
  • Now click on Malware Scan in the Scan button.
  • When the Emsisoft scan has finished, you will see a screen reporting details of any malicious files found on your computer. (Close the pop-up inviting installation of Emsisoft protection.)
  • Click Quarantine selected objects. (Note, this option is only shown if malicious objects were detected during the scan)
  • You may be asked to restart your computer.
  • When the threats have been quarantined, click the View Report button in the lower-right corner and the scan log will open in Notepad. The logs can also be accessed in the left hand menu bar.
  • Please save this log on your desktop and post the contents into your next reply.
  • When you close Emsisoft Emergency Kit it asks if you wish to sign up for a newsletter. This is optional, and does not affect the malware removal process.

Also please advise if you uninstalled Spybot and if the Edge re-directs are still present.

We will do the firewall reset etc. tomorrow, as I have to finish for the evening now.



#11 TooTallGar
  • Topic Starter
  • Members

Posted 20 April 2024 - 01:50 PM

Yes, I quarantined the detections on AdwCleaner.

 

Yes, I did uninstall Spybot, so we can do the firewall stuff tomorrow.

 

Here's the results from the Emsisoft Kit Scan: 

 

Emsisoft Emergency Kit - Version 2024.4
Last update: 4/20/2024 2:33:51 PM
My own GARRETTS-PC\Garrett's PC
 GARRETTS-PC
 Windows 10x64 
 
Scan settings:
 
Scan type: Malware Scan
Objects: Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
Scan mail archives: Off
ADS Scan: On
 
Scan start: 4/20/2024 2:33:59 PM
C:\Program Files\AzureLauncher\AZPROJ.dll detected: Gen:Variant.Razy.860170 (B) [krnl.xmd]
 
Scanned 104131
Found 1
Scanning memory... 
Scanning traces... 
Scanning files... 
 
Scan end: 4/20/2024 2:41:40 PM
Scan time: 0:07:41
 
C:\Program Files\AzureLauncher\AZPROJ.dll Gen:Variant.Razy.860170 (B)
 
Quarantined 1


#12 dennis_l

  • Malware Response Team
  • Location:UK

Posted 21 April 2024 - 10:09 AM

Could you please run this new FRST script next, to reset the firewall and hosts file.

  • Right click on the FRST icon and select Run as administrator.
  • Highlight all of the information in the text box below then hit the Ctrl + C keys together to copy the text.
Start::
CreateRestorePoint:
CloseProcesses:
BootExecute: autocheck autochk * sdnclean64.exe
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
hosts:
End::
  • Click on the Fix button just once and wait.
  • Please make sure you let the system restart normally. After that let the tool complete its run.
  • When it's finished FRST will generate a log in the location you ran the tool from. (Fixlog.txt).

Please copy the contents from this text file and paste into your next reply.
---------------------------------------------------------------------------
Then I'd like you to run a Windows Defender Full Scan.

  • Select Start  > Settings  > Update & Security > Windows Security and then Virus & threat protection.
  • Under Current threats, select Scan options.
  • Select Full scan (Checks all files and running programs currently on hard disk).
  • This will take some time to complete.
  • You will be able to view any detections under Current threats, in the Virus & threat protection screen.

Please advise if anything was found.
-------------------------------------------------------------------------
When you have completed the above steps, please advise whether the Edge issues remain.



#13 TooTallGar
  • Topic Starter
  • Members

Posted 21 April 2024 - 12:56 PM

So I ran the FRST fix and Windows Defender Full Scan. Windows Defender found one trojan, in one of the game files that I had, so I removed it; otherwise no threats were found. After I did the FRST fix, Edge still was managed by the organization and still redirected. I went into RegEdit in the policies folder, and saw that the "Simple New Tab" policy was still there, so I deleted it and restarted Edge, and it was no longer managed by the organization (this fix has worked before, but after a few hours, something would rewrite that policy back into Edge). It still redirects the search in the search bar however and I'm not sure why.

 

Here's the results of the FRST fix:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 19.04.2024 01
Ran by Garrett's PC (21-04-2024 11:27:15) Run:2
Running from C:\Users\Garrett's PC\Desktop
Loaded Profiles: Garrett's PC & SQLTELEMETRY$SQLEXPRESS & MSSQL$SQLEXPRESS
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start::
CreateRestorePoint:
CloseProcesses:
BootExecute: autocheck autochk * sdnclean64.exe
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
hosts:
End::
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\System\CurrentControlSet\Control\Session Manager\\"BootExecute"="autocheck autochk *" => value restored successfully
 
========= netsh advfirewall reset =========
 
Ok.
 
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
 
========= End of CMD: =========
 
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
 
The system needed a reboot.
 
==== End of Fixlog 11:27:31 ====


#14 dennis_l

  • Malware Response Team
  • Location:UK

Posted 22 April 2024 - 02:19 AM

Could you please give more detail on the current Edge re-direct.
Does the browser start from the unwanted site or is it a re-direct after loading your home page etc?
Is it still going to Yahoo or other sites as well?



#15 TooTallGar
  • Topic Starter
  • Members

Posted 22 April 2024 - 11:03 AM

So this is exactly what happens on Edge. I load it up and it takes me to the front Microsoft Start page which is normal. Nothing weird happens until I search something either through the address bar or the search bar on the Microsoft Start screen. It does say Google search next to my search query, but as soon as I click enter, it redirects through a bunch of different sites and then lands on Yahoo search. The sites it goes through are myhoroscopepro.com, uniquesearch.me, kosearch.com, qtrsearch.com. These don't all always happen, as it may go through all of them or just some, but it's random every time.

 

One thing to note is that my Chrome is finally staying normal and is no longer reverting back like it was before, so I think we killed the host of it for the Chrome side. Also for Edge, the fix I did in RegEdit yesterday to delete the policy folder to get rid of the "Management by organization" is finally staying away also. Usually when I deleted that folder it would come back after a few hours. So my thought is that we killed the host, but we just need to fix this redirect in Edge and it should be good.

 

Let me know what you think.
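The Fixlog in post #7 shows the three places this kind of hijacker lives after the extension itself is gone: policy keys under HKLM\SOFTWARE\Policies (which is what produces "Your browser is managed by your organization"), Chrome shortcuts whose arguments had been altered, and a scheduled task (NvOptimizerTaskUpdater_V2) that ran a .ps1 file dropped into System32. A task or service like that, firing on a schedule or at logon, is the usual reason a deleted policy key "comes back after a few hours", as described in posts #13 and #15. The PowerShell below is an added example, not from the thread or from FRST: a read-only audit of those same three places, so the check can be repeated after each fix. The list of shortcut folders and the list of script engines it matches on are assumptions for illustration; they cover the locations in the Fixlog but are not exhaustive.

```powershell
# Added example, not from the thread or from FRST: read-only audit of the
# three places the Fixlog above cleaned up. Run from an elevated PowerShell;
# nothing is modified or deleted.

function Get-BrowserPolicyValues {
    # Any value under these keys makes Chrome/Edge report "managed by your
    # organization". A home PC normally has no such keys at all. Values to
    # read first: DefaultSearchProviderSearchURL, HomepageLocation,
    # RestoreOnStartupURLs, ExtensionInstallForcelist, ExtensionSettings.
    $roots = 'HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google',
             'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Data  = ($key.GetValue($name) -join '; ')   # REG_MULTI_SZ joined on one line
                }
            }
        }
    }
}

function Get-TamperedBrowserShortcuts {
    # FRST stripped "shortcut arguments" from several Chrome .lnk files: a
    # hijacker appends its URL so every launch opens it regardless of the
    # homepage setting. A clean browser shortcut has no arguments at all.
    # Folder list is an assumption covering the paths seen in the Fixlog.
    $shell = New-Object -ComObject WScript.Shell
    $dirs = "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
            "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
            "$env:PUBLIC\Desktop",
            [Environment]::GetFolderPath('Desktop')
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                if ($lnk.TargetPath -match '\\(chrome|msedge|firefox)\.exe$' -and $lnk.Arguments) {
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                    }
                }
            }
    }
}

function Get-ScriptRunningTasks {
    # The Fixlog removed a task whose only job was to run a .ps1 in System32.
    # List every task whose action hands control to a script engine; the
    # engine list is an assumption, widen it if your case uses something else.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; they format as empty
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match 'powershell|pwsh|wscript|cscript|mshta|rundll32|cmd\.exe|\.ps1|\.vbs|\.js\b') {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    State   = $task.State
                    Command = $cmd
                }
            }
        }
    }
}

'== Browser policy values =='
Get-BrowserPolicyValues | Format-Table -AutoSize -Wrap
'== Browser shortcuts with arguments =='
Get-TamperedBrowserShortcuts | Format-List
'== Scheduled tasks that run a script engine =='
Get-ScriptRunningTasks | Format-Table -AutoSize -Wrap
```

Read the task list with some care: Windows and vendors ship legitimate tasks that run PowerShell or rundll32, so the tell is a script in an odd place (a .ps1 directly in System32, a vendor-sounding name that the vendor's own software does not use, a task created the same day the problem started), not the match on its own. On a thread like this one, post what the script finds rather than deleting it yourself, so the helper can fold it into the next FRST fixlist.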