RavneetBhangu Posted May 22, 2021 ID:1458624

I don't know what happened to my laptop. There is one extension in the browser that keeps coming back even after removing it and fully scanning my laptop with Malwarebytes Premium. So, I did a complete scan of my laptop. The result is in the scan log.txt file. I cleaned up all the viruses, but even after removing all of them, there is this one folder in the program data folder which is named KMMXW; it is hidden by default and it comes back after I remove it. The main folder name remains the same, KMMXW, but the subfolder and file names change every time after I remove them. browser log new.txt is the file containing info about that folder only, which is the only thing left on my laptop. It keeps track of my browsing and all the things I do. Please help me out with this. I don't even want to log in to any account on my laptop because of this. Help! Help!

The extension name is Uhelpshow, and obviously there is nothing about this extension on the internet.

FYI: scan log.txt shows no action by the user, but after this I did the complete scan again and removed all of them and forgot to save the log.

Attached files: scan log.txt, browser log new.txt

Maurice Naggar Posted May 22, 2021 ID:1458644

Hello. My name is Maurice. I will guide you. Much patience is needed; we will be doing multiple scans & tasks as time permits.

Let me suggest you do one scan with AdwCleaner to check for adware.

First, download & save it:
https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then do a scan with AdwCleaner:
https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

RavneetBhangu Posted May 22, 2021 Author ID:1458671

Attached file: AdwCleaner[S00].txt

There you go. Nothing detected. It doesn't detect that folder as a virus, or I don't think it has even scanned that folder. But Malwarebytes Premium does, and flags it as a trojan browser hijack.

Also, one more thing: there are two unnamed background processes going on. They take up little RAM and CPU, but they are there. The interesting thing is that when I right-click on them and go to Details, svchost.exe comes up with the username SYSTEM, and when I right-click on them and go to Services, I don't get anything there. It just goes there and selects nothing in Services. Tell me about this issue also?

Maurice Naggar Posted May 23, 2021 ID:1458681

Thanks for the AdwCleaner report. Next, two things.

[ 1 ]
https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
Use option One or Two to show all files and folders.

[ 2 ]
Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.

Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

Edited May 23, 2021 by Maurice Naggar

Maurice Naggar Posted May 24, 2021 ID:1459029

Hello. I need you to do the steps listed before from Saturday last. Then attach the new FRST reports so that I can review & then guide you further. Thanks in advance.

You can put the reports into a Zip file if you prefer.

Maurice Naggar Posted May 24, 2021 ID:1459068

As I re-read the original post, there is zero mention of which specific browser this involves!! Is it the EDGE browser?

How are you doing on the request for steps & report?
https://forums.malwarebytes.com/topic/274606-trojan-browser-hijack-extension-keeps-coming-back/?do=findComment&comment=1458681

RavneetBhangu Posted May 24, 2021 Author ID:1459072

Yes, it's in every browser. Edge, Chrome, whichever I run. And I will be doing the scans later today.

Maurice Naggar Posted May 24, 2021 ID:1459075

In addition to the steps above, do this also.

In the Malwarebytes for Windows program, we want to do a special scan.

Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈
Click it to get it ON if it does not show a blue color.
Next, click the small x on the Settings line to go to the main Malwarebytes window.
Next, click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
You can actually click (tick) the topmost left check-box on the very top line to get ALL lines ticked (all selected). 👈 🔻
Then click on Quarantine selected.

Then, locate the Scan run report; export out a copy; & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

We will do more, later.

RavneetBhangu Posted May 24, 2021 Author ID:1459110

I have always kept the rootkit scan on.

Maurice Naggar Posted May 24, 2021 ID:1459131

Alright. Even that being the case, I would urge you to do all my last suggestions, including that new special scan, which would only take a few minutes. I have those 2 posts mentioned above. Once all done, all those will give me a much better set of details in order to best get a better reading for what all is going on.

RavneetBhangu Posted May 27, 2021 Author ID:1459807

Hey man, sorry for the late reply. Just got some time today. Will do the FRST scans and send the logs.

RavneetBhangu Posted May 27, 2021 Author ID:1459817

Attached files: Addition.txt, FRST.txt

Here you go.

RavneetBhangu Posted May 27, 2021 Author ID:1459886

Please let me know what is in the scans.

Maurice Naggar Posted May 27, 2021 ID:1459892

There are a number of 'boogers' here. Browser hijacker.

This here is a custom fix. The script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe / you have yours saved somewhere on Desktop.

The custom script on this post is ONLY for this machine and NO other.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this.
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

The system will be rebooted after the script has run.

Please save the (attached file named) FIXLIST.txt to the Desktop folder.

Attached file: Fixlist.txt

Start Windows Explorer and then go to the Desktop.
RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen.

On the FRST window:
Click the Fix button just once, and wait.
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Do let me know how things are overall, after all this.

Edited May 27, 2021 by Maurice Naggar

RavneetBhangu Posted May 27, 2021 Author ID:1459908

Should the system be connected to the internet or not?

RavneetBhangu Posted May 27, 2021 Author ID:1459917

After restarting, the folder came up again, just like before, with the same folder name but different subfolder and file names. This is what has happened all the time for the past 20 days or so, since I got this infection on my system. I don't think this fix has worked. Malwarebytes Premium also detects it and removes it, and it comes back again. There is something that is triggering the extension again and again. Please tell me what would be a working solution for this, because scanning and fixing with antiviruses is not helping here. Would a Windows refresh get rid of it, or is reset the only option?

Attached file: Fixlog.txt

Maurice Naggar Posted May 28, 2021 ID:1459969

Thanks for the report. The run overall was good in that it did what it was set to do.

I would encourage you to have added patience & stick with me here. I have helped one or two others with a similar issue.
You have only been here Saturday, Monday & part of today. I realize you are frustrated.

A Refresh or Reset may not succeed. Unless perhaps you tried Reset and kept Nothing. That's perhaps if you have no need to keep personal files. I would stick around.
By the way, yes, you want the internet on while we do any fixes or scans or procedures.

One of the things I noticed before was that the Edge browser had an extension named uHelpshow that needs to be uninstalled. Kindly see about removing it, or else see about starting Edge in its Safe mode & remove uHelpshow.
https://www.tenforums.com/tutorials/44420-add-remove-extensions-microsoft-edge.html

[ Next ]
Next, get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it. Disregard the title subject of the topic.
Run the MBAR tool as listed here:
https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes
When done, I need the MBAR logs.
Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
Both files can be found in the extracted MBAR folder on your Desktop.
Please attach both files in your next reply.

[ 3 ]
New reports by running FRST64 on the Desktop.
Double-click FRST64 to run it. When the tool opens, click Yes to the disclaimer.
Be sure to TICK the check-box marked Addition.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
It also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you.

Edited May 28, 2021 by Maurice Naggar

RavneetBhangu Posted June 4, 2021 Author ID:1461448

Sorry for the late reply. In safe mode, the extension does not show up in Internet Explorer. But the folder is there in program data. I also tried safe mode with networking. The extension does not show up there either. I will do the two scans now and share the logs.

RavneetBhangu Posted June 4, 2021 Author ID:1461449

Also, I deleted the FRST folders from the C drive and also deleted the previous logs, fixlist and fixlogs.

RavneetBhangu Posted June 4, 2021 Author ID:1461450

I will do it now: the FRST scan and the MBAR anti-rootkit scan.

RavneetBhangu Posted June 4, 2021 Author ID:1461536

@Kevinf80 has a solution to this.

RavneetBhangu Posted June 4, 2021 Author ID:1461547

Attached files: mbar-log-2021-06-04 (13-42-07).txt, system-log.txt

MBAR anti-rootkit removed it, but after restarting it came up again with a different name. The FRST scan was done after MBAR. All logs are attached.

Attached files: FRST.txt, Addition.txt

Maurice Naggar Posted June 4, 2021 ID:1461597

Thanks for all reports. Now, here, I have a new custom Fixlist (attached below).

First, look on Desktop. Delete the old file Fixlist.txt.

Next, save this Fixlist.txt to the Desktop.

Attached file: Fixlist.txt

Then do a new FIX run like before (same ways as on this post):
https://forums.malwarebytes.com/topic/274606-trojan-browser-hijack-extension-keeps-coming-back/?do=findComment&comment=1459892

Note: The previous run of MBAR would have done a cleanup after one Restart, and the last FRST does not show any rogue sub-folder.

After this task is done, you should do a new scan with Malwarebytes for Windows.

Maurice Naggar Posted June 4, 2021 ID:1461601

Correction note: The last FRST showed a hidden folder named C:\ProgramData\Kmmxw

Hopefully this last script run will remove it.

RavneetBhangu Posted June 4, 2021 Author ID:1461604

OK, I will do this.