Gridinsoft Forum
Help Needed: Removing Persistent Browser Hijacker - Printable Version

+- Gridinsoft Forum (https://forum.gridinsoft.com)
+-- Forum: Help (https://forum.gridinsoft.com/forumdisplay.php?fid=1)
+--- Forum: Malware Removal Help (https://forum.gridinsoft.com/forumdisplay.php?fid=2)
+--- Thread: Help Needed: Removing Persistent Browser Hijacker (/showthread.php?tid=5)



Help Needed: Removing Persistent Browser Hijacker - Chris Johnson - 06-19-2024

Can anyone advise on removing an annoying browser hijacker that doesn't get picked up by anti-virus software?

It appears as a search engine on Chrome: 'tfrsrch.com'. It always opens a new tab with the URL 'find-browseronline.com', which is a malvertising search engine.

I can't delete it as it's locked by making it be managed by the administrator even though I'm the only admin. I've tried all the antivirus software I can think of—Windows Defender, Malwarebytes, Kaspersky, etc.—but none detect anything. I've also tried deleting Chrome policies but got some error messages. This only appears to be on Chrome (which I've already reset) and not on Edge.

Is there anything to be done, or do I need to do a Windows reinstall?


RE: Help Needed: Removing Persistent Browser Hijacker - Shorter_513 - 06-19-2024

As far as I know, this "managed by the administrator" trick is done through changing registry settings. If you are aware of how to work with the registry, consider deleting the following keys:

HKEY_CURRENT_USER\Software\Google\Chrome
HKEY_CURRENT_USER\Software\Policies\Google\Chrome
HKEY_LOCAL_MACHINE\Software\Google\Chrome
HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome
HKEY_LOCAL_MACHINE\Software\Policies\Google\Update
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Enrollment

In this one, remove the CloudManagementEnrollmentToken value:

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}

To finish off, go to the Chrome directory in the Program Files (x86), find the Policies directory and delete it. This should hopefully do the job.
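
Before deleting anything, it helps to see exactly what is set in those locations. The PowerShell audit below is an added example, not from this thread or from Gridinsoft: it checks the registry keys, the CloudManagementEnrollmentToken value and the Policies directory named above and only reports what it finds. It assumes the Policies directory lives at `Program Files (x86)\Google\Chrome\Policies` and must be run from an elevated prompt to read the HKLM keys reliably.

```powershell
# Added example: audit the Chrome policy locations named in the post above.
# Reports only; nothing is deleted. Run from an elevated PowerShell prompt.
$policyKeys = @(
    'HKCU:\Software\Policies\Google\Chrome',
    'HKLM:\Software\Policies\Google\Chrome',
    'HKLM:\Software\Policies\Google\Update',
    'HKLM:\Software\WOW6432Node\Google\Enrollment'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) {
        Write-Host "[ok] $key not present"
        continue
    }
    Write-Host "[!] $key exists"
    $item = Get-Item -Path $key
    # List every value under the key; a forced search engine or new-tab URL shows up here.
    foreach ($name in $item.GetValueNames()) {
        Write-Host ("     {0} = {1}" -f $name, $item.GetValue($name))
    }
    # Policies such as ExtensionInstallForcelist live in subkeys, so walk those too.
    Get-ChildItem -Path $key -Recurse | ForEach-Object {
        $sub = $_
        foreach ($name in $sub.GetValueNames()) {
            Write-Host ("     {0}\{1} = {2}" -f $sub.PSChildName, $name, $sub.GetValue($name))
        }
    }
}

# The enrollment token that makes Chrome report itself as cloud-managed.
$clientState = 'HKLM:\Software\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}'
$token = (Get-ItemProperty -Path $clientState -Name CloudManagementEnrollmentToken -ErrorAction SilentlyContinue).CloudManagementEnrollmentToken
if ($token) {
    Write-Host "[!] CloudManagementEnrollmentToken is set under $clientState"
} else {
    Write-Host "[ok] No CloudManagementEnrollmentToken under $clientState"
}

# Assumed location of the Policies directory the post refers to.
$policyDir = Join-Path -Path ${env:ProgramFiles(x86)} -ChildPath 'Google\Chrome\Policies'
if (Test-Path -Path $policyDir) {
    Write-Host "[!] Policies directory exists: $policyDir"
    Get-ChildItem -Path $policyDir -Recurse -File | ForEach-Object { Write-Host "     $($_.FullName)" }
} else {
    Write-Host "[ok] No Policies directory at $policyDir"
}
```

Compare the output with what Chrome itself lists at chrome://policy; once the keys and directory are removed, that page should show no policies and the "managed by your organization" notice should disappear after a restart.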


RE: Help Needed: Removing Persistent Browser Hijacker - Chris Johnson - 06-20-2024

(06-19-2024, 05:23 PM)Shorter_513 Wrote: As far as I know, this "managed by the administrator" trick is done through changing registry settings. If you are aware of how to work with the registry, consider deleting the following keys:

HKEY_CURRENT_USER\Software\Google\Chrome
HKEY_CURRENT_USER\Software\Policies\Google\Chrome
HKEY_LOCAL_MACHINE\Software\Google\Chrome
HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome
HKEY_LOCAL_MACHINE\Software\Policies\Google\Update
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Enrollment

In this one, remove the CloudManagementEnrollmentToken value:

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}

To finish off, go to the Chrome directory in the Program Files (x86), find the Policies directory and delete it. This should hopefully do the job.

That took some time, but it looks like it is gone! The "managed by administrator" thing disappeared and I removed the changes. Also reset the browser just for good measure. Thank you!