Jump to content

Infected with BuyNSave extension

Recommended Posts



BuyNSave extension keeps coming back after removing it in Google Chrome. I have run Malwarebytes software full scan with no luck, plus most anti adware applications I could find.


Following the "I'm infected - What do I do" instructions, I have scanned the PC with FRST and I attach here the results, in hope that one of your experts can help me.



Thank you very much in advance for any help that you can provide me,


Best regards!



Link to post
Share on other sites

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I have given you the ìAll clear.î  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

icon11.gif   Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTIONCHR dev: Chrome dev build detected! <======= ATTENTIONCHR Extension: (BuyNsave) - C:\ProgramData\cgegiifgfhpfcddeihnlihliaegenhhj\ [2014-03-28]CHR HKU\S-1-5-21-443500592-2341243126-2451085566-1000\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No PathTask: {D604F01A-6814-4522-915C-D76124368923} - System32\Tasks\PremiumBooster-S-4024159173 => c:\programdata\trusted publisher\provider\PremiumBooster.exe <==== ATTENTIONTask: {EAD04166-47E1-4AF6-850D-DBAB4C627D27} - \MySearchDial No Task File <==== ATTENTIONTask: C:\Windows\Tasks\PremiumBooster-S-4024159173.job => c:\programdata\trusted publisher\provider\PremiumBooster.exe <==== ATTENTIONEmptyTemp:
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.

Link to post
Share on other sites

Thank you very much for such a quick reply, the problem seems to be solved!

Before doing it I had applied the fix I found on this other thread (https://forums.malwarebytes.org/index.php?/topic/161404-buynsave-keeps-coming-back/), so some of the keys were not found by FRST.


This is the content of fixlog.txt:



Running from C:\Users\Enrique\Desktop
Loaded Profile: Enrique (Available profiles: Enrique)
Boot Mode: Normal
Content of fixlist:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Extension: (BuyNsave) - C:\ProgramData\cgegiifgfhpfcddeihnlihliaegenhhj\ [2014-03-28]
CHR HKU\S-1-5-21-443500592-2341243126-2451085566-1000\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
Task: {D604F01A-6814-4522-915C-D76124368923} - System32\Tasks\PremiumBooster-S-4024159173 => c:\programdata\trusted publisher\provider\PremiumBooster.exe <==== ATTENTION
Task: {EAD04166-47E1-4AF6-850D-DBAB4C627D27} - \MySearchDial No Task File <==== ATTENTION
Task: C:\Windows\Tasks\PremiumBooster-S-4024159173.job => c:\programdata\trusted publisher\provider\PremiumBooster.exe <==== ATTENTION
HKLM\SOFTWARE\Policies\Google => Key not found. 
CHR dev: Chrome dev build detected! <======= ATTENTION => Error: No automatic fix found for this entry.
C:\ProgramData\cgegiifgfhpfcddeihnlihliaegenhhj\ directory not found.
"HKU\S-1-5-21-443500592-2341243126-2451085566-1000\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D604F01A-6814-4522-915C-D76124368923} => Key not found. 
C:\Windows\System32\Tasks\PremiumBooster-S-4024159173 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PremiumBooster-S-4024159173 => Key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EAD04166-47E1-4AF6-850D-DBAB4C627D27}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EAD04166-47E1-4AF6-850D-DBAB4C627D27}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MySearchDial" => Key deleted successfully.
C:\Windows\Tasks\PremiumBooster-S-4024159173.job not found.
EmptyTemp: => Removed 82.9 MB temporary data.
The system needed a reboot. 
==== End of Fixlog 17:03:51 ====
Thanks a lot once again, and happy new year in advance!!
Link to post
Share on other sites

Please do this next:

icon11.gif  Open Malwarebytes AntiMalware (MBAM)

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

icon11.gif   Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Please include the following in your next post:

  • MBAM log
  • adwCleaner log

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.