yourtv.link malware / infected Chrome

Hello,
I am unable to remove / change the default omnibox search engine in Chrome.

https://lh3.googleusercontent.com/-m0RM7LdE0-I/VXxoGCFnCoI/AAAAAAAAHJo/MGhoVPvZWaw/s1600/search-engines.png

The icon next to the Google (Default) says: This setting is enforced by your administrator

When I inspect the element to see the full URL of the enforced search engine, it’s this: http://www.google.com/cse?cx=partner-pub-8036109189802438%3A7790813904&ie=UTF-8&q=%s&sa=Search&siteurl=yourtv.link%2F

I’ve been trying to figure this problem out on Chrome Forum: https://productforums.google.com/forum/#!msg/chrome/nRJplgYPFPQ/PXJ-HTeOBEwJ and I’ve sent the issue to your virus lab, where I got redirected here: https://support.avast.com/index.php?/Tickets/Ticket/View/TQE-579-53730/0/0/nVuUk9HQbZMgsrg6BgbN

Any help deeply appreciated.

My MBAM log: http://data.antonindanek.cz/MBAM.txt

And we can happily switch to Czech, whichever suits you better.

Thank you

Try this…

clear your browsers with AdwCleaner http://www.bleepingcomputer.com/download/adwcleaner/

if you still have problems, see here https://forum.avast.com/index.php?topic=53253.0
scroll down to Farbar Recovery Scan Tool (second picture), run as instructed and attach the two diagnostic logs

when done, a malware expert will assist you

Hi,
AdwCleaner didn’t help.

Here are my logs:
http://data.antonindanek.cz/FRST.txt
http://data.antonindanek.cz/Addition.txt

Are you creating your own APIs for Chrome?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3535277157-3009570326-1991447429-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3535277157-3009570326-1991447429-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
CHR Extension: (DHC - REST/HTTP API Client) - C:\Users\Antonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aejoelaoggembcahagimdiliamlcdmfm [2015-06-14]
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that

Thank you for looking into this.

Here is the log: http://data.antonindanek.cz/Fixlog.txt

And no, I’m not creating my own APIs for Chrome.

OK, run this fix and let me know what problems remain

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR Extension: (DHC - REST/HTTP API Client) - C:\Users\Antonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aejoelaoggembcahagimdiliamlcdmfm [2015-06-14]
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that

The problem remains. :(


Fix result of Farbar Recovery Scan Tool (x64) Version:13-06-2015
Ran by Antonin at 2015-06-20 14:28:46 Run:2
Running from C:\Users\Antonin\Downloads
Loaded Profiles: Antonin (Available Profiles: Antonin & Guest)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint: 
CHR Extension: (DHC - REST/HTTP API Client) - C:\Users\Antonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aejoelaoggembcahagimdiliamlcdmfm [2015-06-14]
EmptyTemp: 
CMD: bitsadmin /reset /allusers
*****************

Restore point was successfully created.
C:\Users\Antonin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aejoelaoggembcahagimdiliamlcdmfm folder not found

=========  bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 325.9 MB temporary data Removed.


The system needed a reboot.. 

==== End of Fixlog 14:29:05 ====

Have you tried a full uninstall and re-install of Chrome?

Re-install Chrome

  1. If you have bookmarks, let’s save them by exporting them - Export Bookmarks
  2. Then I need you to go to Google Sync and sign into your account
  3. Scroll down until you see the “Stop and Clear” button and click on the button. At the prompt click on “Ok”
  4. Now we need to uninstall Chrome. Note: When asked about user data or settings you must remove this also, so please check the box.
  5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
  6. Import your bookmarks back into Chrome
  7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

Yes, that was the first thing I tried. Many times by now, but I’ll try again after these attempts. It’s really an unbelievably sticky “bug”.

– tried again, still not able to change the search engine

It is not showing in the general report on Chrome extensions and settings either, which is unusual

Please download Junkware Removal Tool to your desktop.

  1. Right-mouse click JRT.exe and select “Run as Administrator”; the tool will open and start scanning your system
  2. Please be patient as this can take a while to complete depending on your system’s specifications
  3. On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  4. Post the contents of JRT.txt into your next message.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 7.0.3 (06.19.2015:1)
OS: Windows 8.1 Pro x64
Ran by Antonin on 21/06/2015 at 12:37:19.87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_727423F7E0485DB70422384AEFB5ADEE
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Chrome


[C:\Users\Antonin\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Antonin\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Antonin\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Antonin\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 21/06/2015 at 12:42:33.79
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


If you are still experiencing this, could you run FRST one more time? But this time select shortcut.txt and attach that log

I don’t know, I think whatever virus I had may be gone at this point and I’m just left with its consequences. I would like to know where you can set these “administrator enforced settings” and maybe just remove it there.

BTW when I boot the system into safe mode, I’m actually able to remove the setting in Chrome … only when I boot back normally, it’s back.

As far as I know Chrome is storing these search engine values in the system registry, that’s why it actually persists across install/uninstall, because the uninstaller is apparently keeping those entries. Other people just deleted these registry entries and they were OK. It’s very strange to me that if I run regedit and search for yourtv.link, it won’t find it anywhere … so I have no idea where it could possibly come from.

http://data.antonindanek.cz/Shortcut.txt (didn’t fit into 20 000 characters limit)
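An added check that is not part of this thread: a PowerShell snippet that lists everything under Chrome's Windows policy keys (Software\Policies\Google\Chrome in HKLM and HKCU, the locations Chrome reads for settings it reports as "enforced by your administrator") and flags any DefaultSearchProvider* policy or any value containing a given substring. Assumed: it is run from an elevated PowerShell; the key paths and the DefaultSearchProvider policy names are Chrome's documented policy locations; the default search string yourtv.link is taken from this thread.

```powershell
# Added example, not from this thread: audit Chrome's Windows policy keys for an
# enforced default search provider. Chrome reads policies from
# Software\Policies\Google\Chrome under HKLM and HKCU; anything set there is what
# the omnibox settings page reports as "enforced by your administrator".
param([string]$Needle = 'yourtv.link')   # substring to flag; default taken from this thread

$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)

foreach ($root in $policyRoots) {
    if (-not (Test-Path $root)) { Write-Host "[absent]  $root"; continue }
    Write-Host "[present] $root"

    # The root key plus every subkey (list-type policies live in subkeys).
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            $flags = @()
            if ($name -like 'DefaultSearchProvider*') { $flags += 'search-provider policy' }
            if ($value -match [regex]::Escape($Needle)) { $flags += "contains '$Needle'" }
            $tag = if ($flags) { '  <-- ' + ($flags -join ', ') } else { '' }
            Write-Host ("  {0}\{1} = {2}{3}" -f $key.Name, $name, $value, $tag)
        }
    }
}
```

Compare the output with chrome://policy in the browser, which lists every policy Chrome has actually loaded together with its source and level.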

I have never used Chrome so I do not know where it hides it, but we can look

Using FRST
Start the programme and in the search box type/copy paste

yourtv

Then press the search registry button

A results.txt file will be produced please attach that

essexboy: How did you use SpyHunter to remove this malware without paying for it? I wouldn’t be surprised if the authors of this software are actually the authors of this malware as well, since it is the only one who can detect it and after a long scan it wants you to buy a licence. I’m not gonna support that.

If you guys have run out of ideas, I have no other choice than to give up. Really sad, but what can we do. I am registered for a Windows 10 upgrade; I’ll try to do a clean installation then and I hope it’s gonna be enough napalm to kill this shit. Until then I’ll just have to live with Firefox.

I never recommend SpyHunter as it charges to remove anything it doesn’t find

If you could run FRST as shown above please

Ok guys, I’ve put all the logs from the new scan (including the registry search - no luck) into the zip file:

http://data.antonindanek.cz/farbar.zip

Did you fully uninstall Chrome including the “Stop and Clear”?

essexboy: I uninstalled it; the only option there is on top to add is, I think, clearing the user data, which I chose. I don’t know how I could make a fuller uninstall; what is “Stop and Clear”? Such an option is not there during the uninstall process.

Eddy: Except that you have deleted my shows, it behaves the same (including my problem).

So the Google guys helped me out after all; see the topic in the Chrome forum I posted in the original question.
Thanks for the effort anyway, guys!!