Crossbrowser keeps reappearing in registry


robh

Malwarebytes Premium scan identifies 'crossbrowser' as a PUP (an entry in the registry). I quarantine it, and then delete it. On reboot it reappears. How can I find what keeps reloading it?

HKEY_USERS\S-1-5-21-3389552051-3824227687-2005105280-1000\Software\CrossBrowser

Thanks for those logs, continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs, also let me know if there are any remaining issues or concerns....

Thank you,

Kevin..

fixlist.txt

Kevin, here goes:

fixlog.txt attached

AdwCleaner[C2].txt follows:

# AdwCleaner 7.0.6.0 - Logfile created on Mon Dec 25 03:28:57 2017
# Updated on 2017/21/12 by Malwarebytes
# Running on Windows 10 Pro (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKU\S-1-5-21-3389552051-3824227687-2005105280-1000\Software\CrossBrowser
Deleted: [Key] - HKCU\Software\CrossBrowser


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

 

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [2268 B] - [2017/12/12 13:3:7]
C:/AdwCleaner/AdwCleaner[C1].txt - [1364 B] - [2017/12/12 13:13:2]
C:/AdwCleaner/AdwCleaner[S0].txt - [2294 B] - [2017/12/12 13:1:4]
C:/AdwCleaner/AdwCleaner[S1].txt - [1202 B] - [2017/12/12 13:11:17]
C:/AdwCleaner/AdwCleaner[S2].txt - [1215 B] - [2017/12/12 13:51:25]
C:/AdwCleaner/AdwCleaner[S3].txt - [1408 B] - [2017/12/25 3:26:43]


########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt ##########

 

Most recent portion of the MRT log

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.55, December 2017 (build 5.55.14421.1)
Started On Sun Dec 24 22:39:02 2017

Engine: 1.1.14405.2
Signatures: 1.257.1160.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Sun Dec 24 22:51:01 2017


Return code: 0 (0x0)

 

I will update status further in a bit.

 

Fixlog.txt

Hello robh,

Continue with the following:

Please download Zemana AntiMalware and save it to your Desktop.

  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on the icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.

Next,

Run FRST one more time:

Type the following in the edit box after "Search:".

*CrossBrowser*

Click Search Registry button and post the log (Search.txt) it makes to your reply.

Let me see those logs in your reply...

Thank you,

Kevin..

 

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

fixlist.txt

Open the search function in the bottom left corner of the Desktop and type regedit. Right click on that entry and select "Run as Administrator", then agree to the UAC alert.....

Registry Editor should open.... Navigate to the following by expanding each folder arrow >

> HKEY_USERS > S-1-5-21-3389552051-3824227687-2005105280-1000 > Software > CrossBrowser Do not expand "CrossBrowser" right click on it direct and select Delete, agree any alert

Again for this one:


> HKEY_USERS > S-1-5-21-3389552051-3824227687-2005105280-1000 > Software > Microsoft > Windows > CurrentVersion > Applets > left click direct onto "Regedit" look to right hand pane, right click direct on "LastKey" then select "Modify" in the new window clear any "value data" then select OK.... close out regedit.... Reboot and see if CrossBrowser issue is cleared..

Re: Lastkey - its entry when I had checked it after the last go-around showed 'regedit'. Next time I checked it showed something else that had been pointed to in the registry.

search.txt is attached.

It found something in an Appeon application I use once a year to report statistics to head office of our church.

I also found this on-line:

https://support.appeon.com/index.php?/Knowledgebase/Article/View/93/10/how-to-remove-the-appeon-plug-ins-for-multi-browser

I'm wondering whether there is a possibility of false positive (similar name)?

I can delete Appeon. It's available for download every year when I need it.

Search.txt

Yes, it would seem that "CrossBrowserHelper.dll" is putting the registry key back after removal. If you are confident, you can manually delete the following entries; you will have to enable hidden files/folders to see the "appdata" folder. https://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

C:\Users\Rob Hockin\AppData\Local\Appeon Multi-browser Plug-in

Navigate through registry editor again and delete the following folder:

> HKEY_USERS > S-1-5-21-3389552051-3824227687-2005105280-1000 > Software > CrossBrowser

Quote
CrossBrowser is a Chromium based web browser that is designed to deliver advertisements and search modifications via SimilarSites. CrossBrowser is a program that is commonly bundled with other free programs that you download off of the Internet. (30 Jan 2015)

Let me know if you have removed crossbrowser ok...

Thank you,

Kevin
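
Added example, not part of the original posts: a PowerShell sketch of the check discussed above, reporting whether the flagged key is back, which matching files sit in the Appeon folder and who signed them, and which COM registrations load a matching DLL. The SID, key and folder are those quoted in the thread; that the helper DLL is COM-registered is an assumption, and the script is meant for an elevated prompt.

```powershell
# Added example (not from the thread). SID, key and folder are the ones quoted in the posts.
$sid     = 'S-1-5-21-3389552051-3824227687-2005105280-1000'
$pattern = '*CrossBrowser*'    # same wildcard as the FRST registry search
$folder  = 'C:\Users\Rob Hockin\AppData\Local\Appeon Multi-browser Plug-in'

# 1. Is the flagged key present again after the reboot?
$flagged = "Registry::HKEY_USERS\$sid\Software\CrossBrowser"
'Flagged key present: {0}' -f (Test-Path -LiteralPath $flagged)

# 2. Files on disk whose name matches, with publisher and signature status,
#    which helps decide between a PUP and a false positive.
if (Test-Path -LiteralPath $folder) {
    Get-ChildItem -LiteralPath $folder -Recurse -File -Filter $pattern |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Company   = $_.VersionInfo.CompanyName
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } | Format-List
}

# 3. Assumption: the helper DLL is registered as a COM in-process server.
#    List CLSID registrations (per-user and machine-wide) that load a matching DLL.
$roots = "Registry::HKEY_USERS\${sid}_Classes\CLSID",
         'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
         'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID'
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $server = $_.OpenSubKey('InprocServer32')
        if ($server) {
            $dll = [string]$server.GetValue('')    # default value = DLL path
            $server.Close()
            if ($dll -like $pattern) {
                [pscustomobject]@{ Clsid = $_.Name; Dll = $dll }
            }
        }
    }
}
```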

Thanks for the update, good to hear that nuisance has finally gone, run the following to clean up:

Uninstall Zemana http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 
