I have a virus that keeps adding extensions - can't get removed


Go to solution Solved by kevinf80,

Popular Posts

Hiya Omar, Good to hear the extensions are now gone, this infection was a browser hijacker, have a read at the following link: https://en.wikipedia.org/wiki/Browser_hijacking It is very

Hi Kevin, Thanks to @picasso for the great work as well! I will send you a small donation/gesture for helping me out. It's not much, but it's all I can miss for now... Let me know what needs to be

Hiya Omar, Thanks for the kind words. I got the zip file, thank you, I've attached to this reply so devs can download for analysis.. I will check over your thread and give clean up procedure

Hiya Ootje98,

Nothing of note showing in that log, try the following:

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Thanks,

Kevin..

 

I want you to try "CurrPorts" and monitor what is happening, it is a portable tool no installation necessary. Download from the following link and unzip the contents to your Desktop.

http://www.nirsoft.net/utils/cports-x64.zip <------ 64 bit

http://www.nirsoft.net/utils/cports.zip <------32 bit

Read the contained instructions for a basic understanding, it is very easy to use..... Right click on the tool and select "Run as Administrator"

When opened you will see your network activity. The easiest way to check what is happening is to "Right click" direct anywhere in the field and select "HTML report - All Items"
That will open the report in an easier to read format. Have a look at the connections and check the "Established" entries; are any suspicious and not known or recognized by yourself?
Make a note of any unusual or suspicious IP addresses, you can send in reply for me to check or check them yourself at the following link:

http://whois.domaintools.com/

Does that help, is anything obvious found with currports....
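
The "Established" check described in the CurrPorts post above can also be done with built-in PowerShell cmdlets, adding the executable path and signature status of each owning process. This is an added example, not part of the original post; the function name and the report file name are assumptions.

```powershell
# Added example: list established TCP connections with their owning process.
# Needs Windows 8 / Server 2012 or later; run from an elevated PowerShell
# so that executable paths of other users' processes can be read.
function Get-EstablishedConnectionReport {
    # Index running processes by PID once, instead of querying per connection.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
        ForEach-Object {
            $p    = $procs[[int]$_.OwningProcess]
            $path = if ($p) { $p.ExecutablePath } else { $null }
            # An unsigned or unreadable binary is a reason to look closer, not proof.
            $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-AuthenticodeSignature -LiteralPath $path).Status
            } else { 'Unknown' }
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                ProcessId     = $_.OwningProcess
                Process       = if ($p) { $p.Name } else { '?' }
                Path          = $path
                Signature     = $sig
            }
        }
}

$report = Get-EstablishedConnectionReport | Sort-Object Signature, Process
$report | Format-Table -AutoSize
# Assumed output location: an HTML file on the Desktop, similar to CurrPorts' report.
$report | ConvertTo-Html -Title 'Established connections' |
    Set-Content -Path "$env:USERPROFILE\Desktop\connections.html"
```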

What's happening with your PC, are the extensions still returning..? After you remove the extension does it automatically return after you restart the Browser or after Starting (Booting) your PC?


I haven't been doing sensitive tasks on my PC since last week. I am afraid that it will leak sensitive information again, just like last week when they used my Facebook and Instagram account... I am not gonna let this happen again. I am really pissed off that this is happening to me. I am preparing for the worst, which is doing a total reset of my PC, which is very unfortunate since I am a music producer and I have loads of music, banks and plugins on my PC. Unless there are alternatives to get rid of this virus? Thanks for helping me out though.


Hiya Ootje98,

Can you disconnect from the internet, remove the extension. Restart your browser, check to see if the extension returns...

Thanks,

Kevin..


Hiya Kevin,

The extension came back when I had disconnected from the internet and restarted my browser, which means that the extension is coming from my system :(. 

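
An extension that returns while offline is being reinstalled from the local system, and on Chromium-based browsers the usual local sources are the policy force-install list and the external-extension registry keys. The following is an added example, not part of the original thread; it assumes Chrome or Edge (the thread does not name the browser), and the function name is hypothetical.

```powershell
# Added example. Assumes a Chromium-based browser (Chrome or Edge).
# Lists registry locations that can make an extension reinstall itself.
function Get-ForcedExtensionSource {
    $policyKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
        "$hive\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
        "$hive\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist"
    }
    $externalKeys = @(
        'HKLM:\SOFTWARE\Google\Chrome\Extensions'
        'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions'
        'HKCU:\SOFTWARE\Google\Chrome\Extensions'
    )

    # Policy force-list: each value holds "<extension id>;<update URL>".
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $id, $url = ([string]$item.GetValue($name)) -split ';', 2
            [pscustomobject]@{
                Source = 'Policy'; Key = $key
                ExtensionId = $id; UpdateUrl = $url
            }
        }
    }

    # External-extension keys: one subkey per extension id.
    foreach ($key in $externalKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            [pscustomobject]@{
                Source = 'ExternalRegistry'; Key = $key
                ExtensionId = $sub.PSChildName
                UpdateUrl = $sub.GetValue('update_url')
            }
        }
    }
}

Get-ForcedExtensionSource | Format-List
```

Any extension ID listed here that matches the returning extension (the ID is shown on the browser's extensions page) identifies the key that needs cleaning; on an unmanaged home PC the policy keys are normally absent.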

Hiya Ootje98,

Yep a real PIA for sure, try the following:

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Select the Windows Key and R Key together, the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add -dontcryptsupportinfo. Note the space between KVRT.exe and -dontcryptsupportinfo.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontcryptsupportinfo should now show in the Run box.

That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here: C:\KVRT_data\Reports and look similar to this: report_20200727_103821.klr. Right click direct onto that report, select > open with > Notepad. Save that file and attach to your reply.

To start the scan select OK in the "Run" box.

The Windows Protected your PC window will open, select "More Info"

A new Window will open, select "Run anyway"

A EULA window will open, tick both confirmation boxes then select "Accept"

In the new window select "Change Parameters"

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

When complete, or if nothing was found select "Close"

Attach the report information as previously instructed....
 
Thank you,
 
Kevin..

Hiya Ootje98,

Have been checking through your thread to see if we have missed anything. One point of note was the first Malwarebytes log, the following entry should have been fixed as it was classed as replaced at boot..

Physical Sector: 1
Bootkit.Pitou.MBR, 0, Replace-on-Reboot, 17543, 514091, 0.0.0, , ame, , ,

I want you to run the following to make sure it was definitely fixed..

Please download Malwarebytes Anti-Rootkit from here: http://downloads.malwarebytes.org/file/mbar
 
  • Right click on the tool (select "Run as Administrator") to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder... mbar-log.txt and system-log.txt


Thank you,

Kevin..

 

 


I've attached Preformat.zip to this reply, download and unzip to your Desktop so you have a folder named Preformat. Inside that folder will be preformat.vbs. Double click that file, it will run very quickly and create a file named Preformat.txt in the folder. Attach that to your reply...

Preformat.zip

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select scan, when done post the new logs, "FRST.txt" and "Addition.txt".
