
I have a virus that keeps adding extensions - can't get removed


Go to solution Solved by kevinf80,


Popular Posts

Hiya Omar, Good to hear the extensions are now gone, this infection was a browser hijacker, have a read at the following link: https://en.wikipedia.org/wiki/Browser_hijacking It is very

Hi Kevin, Thanks to @picasso for the great work as well! I will send you a small donation/gesture for helping me out. It's not much, but it's all I can miss for now... Let me know what needs to be

Hiya Omar, Thanks for the kind words. I got the zip file, thank you, I've attached to this reply so devs can download for analysis.. I will check over your thread and give clean up procedure


Hiya Ootje98,

Can you uninstall Java from Programs and Features: "Java 8 Update 241"

Delete this folder: C:\ProgramData\Cljpjcy

Next,

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.
 
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.


Next,

Scan with HitmanPro

In any case don't remove on your own anything that Hitman Pro detects! This scanner is really good for checking, it has however been known for deleting files instead of curing them, in some cases this may render the machine unbootable.
Any removals will be done manually after careful analysis of the scan results!

Please download HitmanPro by SurfRight and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
 
  • Right-click on the icon and select Run as Administrator to start the tool.
  • If the program won't run please run it while holding down the left CTRL key until it's loaded!
  • Click on the Next button. You must agree with the terms of EULA (if asked).
  • Check the box beside No, I only want to perform a one-time scan to check this computer.
  • Click on the Next button.
  • The program will start to scan the computer. It would only take several minutes.
  • When the scan is done click Next
  • Click on the “Activate free license” button to begin the free 30 days trial, and remove all the malicious files from your computer.
  • Close Hitman Pro


Navigate to C:\ProgramData\HitmanPro\Logs, open the report and include it in your next reply.
 
  • Click on the Next button.
  • Click on the Save Log button.
  • Save that file to your desktop.



Please include that logfile in your next reply.

Don't forget to re-enable your security!

let me see those logs in your reply..

Thank you,

Kevin..


Hiya Ootje98,

We might be on the wrong track, but need to find out why that folder comes back...

Scan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:
 
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Settings check the box next to Run this program as an administrator
  • Click on Apply then click OK
     
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

     
  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

     
  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply.

Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.



Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.

Open Zemana again then do the following to get the latest report

Open Reports > select the report in question to highlight > select "Ctrl - A" keys together to highlight full report message > then "Ctrl - C" keys to copy to clipboard > then open notepad and select paste to copy the report there, then attach to reply....

Let me see those logs....

Thanks,

Kevin..


Scan Information

Product Name    :  Zemana AntiMalware
Scan Status    :  Completed
Scan Date    :  5/7/2021 2:19:21 PM
Scan Type    :  Smart Scan
Scan Duration    :  00:00:23
Scanned Objects    :  2297
Detected Objects    :  1
Excluded Objects    :  0
Auto Upload    :  True
OS    :  Windows 10 x64
Processor    :  12X Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
BIOS Mode    :  UEFI
Domain Info    :  WORKGROUP,False,NetSetupWorkgroupName
CUID    :  126A273E9C987A86BA3489

 

Detections

MD5    :
Status    :  Scanned
Object    :  c:\programdata\cljpjcy\ohzu\da1f143a
Publisher    :
Size    :  0
Detection    :  HijackExt:ChromePlugin/xSysChrome
Action    :  Delete

-----------------------------------------------------------------------

AutoRunsData0507.txt

Zemana AntiMalware deleted it! Hopefully, this solved the problem!
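
The report posted above has a regular "Key : Value" layout, so it can be checked mechanically rather than by eye. The following is an added example, not part of the original thread and not Zemana's own tooling; `parse_report`, `triage` and the rule that a record starts at its MD5 line are assumptions, and the sample is abridged from the report above.

```python
# Constructed sample, abridged from the report layout posted in the thread.
SAMPLE_REPORT = r"""Scan Information
Product Name    :  Zemana AntiMalware
Scan Status    :  Completed
Detected Objects    :  1

Detections

MD5    :
Status    :  Scanned
Object    :  c:\programdata\cljpjcy\ohzu\da1f143a
Size    :  0
Detection    :  HijackExt:ChromePlugin/xSysChrome
Action    :  Delete

-----------------------------------------------------------------------
"""

def parse_report(text):
    """Split a 'Key : Value' report into (scan_info, detections)."""
    info, detections, current, section = {}, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Scan Information", "Detections"):
            section = line
            continue
        if line and set(line) == {"-"}:   # dashed rule closes a record
            if current:
                detections.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only, paths keep theirs
        if not sep or section is None:
            continue
        key, value = key.strip(), value.strip()
        if section == "Scan Information":
            info[key] = value
            continue
        if key == "MD5" and current:      # assumption: each record starts at MD5
            detections.append(current)
            current = {}
        current[key] = value
    if current:
        detections.append(current)
    return info, detections

def triage(text):
    """Summarise what to verify before trusting a reported 'Delete' action."""
    info, dets = parse_report(text)
    return {
        "count_consistent": info.get("Detected Objects") == str(len(dets)),
        "no_hash": [d.get("Object", "") for d in dets if not d.get("MD5")],
        "recheck_paths": [d.get("Object", "") for d in dets if d.get("Action") == "Delete"],
    }
```

Paths listed under `recheck_paths` are the ones to look at again after a reboot, since this thread's folder kept coming back after deletion.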

 


Hiya Ootje98,

Can you get me a fresh set of FRST logs please? @picasso has given me information on what the problem might be. Just want fresh logs to make sure the information I want is still available..

Thank you,

Kevin..


Hiya Ootje98,

Thanks for the update, you enjoy your time away... A lot of progress has been made with your problem, discussions here at Malwarebytes and at Bleeping computers. When you've posted the fresh FRST logs I'm sure we will be able to fix your system. Catch up later...

Regards,

Kevin..

 

  • Solution

Hiya Omar,

Thanks for those logs, continue with the following..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.
 
That fix should remove the source of the infection, there will however be other steps to do once I see the fix log...
 
Thank you,
 
Kevin..

fixlist.txt

Hiya Omar,
 
Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.
 
Attach that log to your reply, FRST will have also created a zip file and saved to your Desktop, also attach that file..
 
Thank you,
 
Kevin

fixlist.txt

This topic is now closed to further replies.