Trojan browser hijack extension keeps coming back

Go to solution Solved by Maurice Naggar,

I don't know what happened to my laptop. There is one extension in the browser that keeps coming back even after removing it with a full scan of my laptop with Malwarebytes Premium. So, I did a complete scan of my laptop. The result is in the scan log.txt file. I cleaned up all the viruses, but even after removing all of them, there is this one folder in the program data folder which is named KMMXW. It is hidden by default and it comes back after I remove it. The main folder name remains the same, KMMXW, but the subfolder and file names change every time after I remove them. browser log new.txt is the file containing info about that folder only, which is the only thing left on my laptop. It keeps track of my browsing and all the things I do. Please help me out with this. I don't even want to log in to any account on my laptop because of this. Help! Help! The extension name is Uhelpshow, and obviously there is nothing about this extension on the internet.

FYI: scan log.txt shows no action by the user, but after this I did the complete scan again, removed all of them, and forgot to save the log.

scan log.txt browser log new.txt

Link to post

Hello :welcome:

My name is Maurice. I will guide you. Much patience is needed; we will be doing multiple scans & tasks as time permits.

Let me suggest you do one scan with Adwcleaner to check for adware.


First download & save it 




Then do a scan with Adwcleaner 



Attach the clean log.


Link to post

AdwCleaner[S00].txt There you go. Nothing detected. It doesn't detect that folder as a virus, or I don't think it has even scanned that folder. But Malwarebytes Premium does, and flags it as trojan browser hijack.

Also, one more thing: there are two unnamed background processes running. They take up little RAM and CPU, but they are there. The interesting thing is that when I right-click on them and go to details, svchost.exe comes up with the username SYSTEM, and when I right-click on them and go to services, I don't get anything there. It just goes there and selects nothing in services. Can you tell me about this issue also?

Screenshot (2).png

Screenshot (3).png

Link to post

Thanks for the Adwcleaner report.

Next, two things.

[ 1 ]



Use option One or Two to show All files, folders 

[ 2 ]

Please download Farbar Recovery Scan Tool and save it to your desktop.


Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit


Double-click to run it. When the tool opens click Yes to disclaimer.

Press the Scan button.

It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.

The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

Edited by Maurice Naggar
Link to post

As I re-read the original post, there is zero mention of which specific browser this involves !!

Is it the EDGE browser ?

How are you doing on the request for steps & report 




Link to post

In addition to the steps above, do this also.

In Malwarebytes for Windows program, we want to do a special scan.


Click Settings ( gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.


Then click the Security tab.   

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈


Click it to get it ON if it does not show a blue-color


Next, click the small x on the Settings line to go to the main Malwarebytes Window.


Next click the blue button marked Scan.


When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.


You can actually click ( tick ) the topmost left check-box on the very top line to get ALL lines ticked ( all selected). 👈


Then click on Quarantine selected.


Then, locate the Scan run report; export out a copy; & then attach in with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


We will do more, later. 

Link to post

Alright.  Even that being the case, I would urge you do all my last suggestions, including that new special scan, which would only take a few minutes.

I have those 2 posts mentioned above.

Once all done, all those will give me a much better set of details in order to best get a better reading for what all is going on.

Link to post

There are a number of 'boogers' here.  Browser hijacker.

This here is a custom fix.

The script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe / you have yours saved somewhere on Desktop


The custom script on this post is ONLY for this machine and NO other.   

  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.


  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.


The system will be rebooted after the script has run.


Please save the (attached file named) FIXLIST.txt   to the  Desktop folder



Start the Windows Explorer and then, to the Desktop


  • RIGHT click on  FRST64.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

  • IF Windows prompts you about running this, select YES to allow it to proceed.


  • IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.


  • on the FRST window:

Click the Fix button just once, and wait.


PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.


Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Do let me know how things are overall,  after all this.

Edited by Maurice Naggar
Link to post

After restarting, the folder came up again, just like before, with the same folder name but different subfolder and file names. This is what has happened all the time for the past 20 days or so, since I got this infection on my system. I don't think this fix has worked. Malwarebytes Premium also detects it and removes it, and it comes back again. There is something that is triggering the extension again and again. Please tell me what the working solution for this would be, because scanning and fixing with antiviruses is not helping here. Would a Windows refresh get rid of it, or is reset the only option?


Link to post
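
An added example, not part of the thread and not output from Malwarebytes or FRST: a read-only PowerShell check for the situation described above, where the KMMXW folder under ProgramData is recreated after every removal. It lists common Windows autostart locations that reference the folder name; the thread does not say which mechanism is responsible, so the locations checked and the default search string are assumptions.

```powershell
# Read-only triage: list autostart entries that reference the respawning folder.
# 'KMMXW' is the folder name from the thread; the locations are generic (assumed).
param([string]$Needle = 'KMMXW')

$hits = [System.Collections.Generic.List[object]]::new()
function Add-Hit($Source, $Name, $Command) {
    $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1. Scheduled tasks whose action launches something under the folder
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -like "*$Needle*") { Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd }
    }
}

# 2. Services whose image path points into the folder
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$Needle*" } |
    ForEach-Object { Add-Hit 'Service' $_.Name $_.PathName }

# 3. Run / RunOnce registry values (machine-wide and current user)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ($data -like "*$Needle*") { Add-Hit "RunKey $key" $valueName $data }
    }
}

# 4. WMI event consumers that run a command line (needs an elevated prompt)
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Where-Object { "$($_.CommandLineTemplate) $($_.ExecutablePath)" -like "*$Needle*" } |
    ForEach-Object { Add-Hit 'WmiConsumer' $_.Name $_.CommandLineTemplate }

# 5. Edge force-install policy: values are extension IDs, so list every entry
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
if (Test-Path $edgePolicy) {
    $item = Get-Item $edgePolicy
    foreach ($v in $item.GetValueNames()) { Add-Hit 'EdgeForcelist' $v ([string]$item.GetValue($v)) }
}

$hits | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

The script changes nothing on the system; an empty table only means none of these five locations reference the folder name.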

Thanks for the report. The run overall was good in that it did what it was set to do.

I would encourage you to have added patience & stick with me here. I have helped one or two others with a similar issue.

You have only been here Saturday, Monday & part of today.

I realize you are frustrated. A Refresh or Reset may not succeed.

Unless perhaps you tried Reset and kept Nothing.  That's perhaps if you have no need to keep personal files.


I would stick around.

By the way, Yes you want the internet on while we do any fixes or scans or procedures.

One of the things I noticed before was that the Edge browser had an Extension named uHelpshow that needs to be uninstalled.

Kindly see about removing it or else, see about starting Edge in its Safe mode & remove uHelpshow.



[  Next ]

Next, get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.


Disregard the title subject of the topic.

Run the MBAR tool as listed here 



When done, I need the MBAR logs.

Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.


Both files can be found in the extracted MBAR folder on your Desktop.


Please attach both files in your next reply.

[ 3 ]

New reports by running FRST64 on the Desktop

Double-click FRST64  to run it. When the tool opens click Yes to disclaimer.

Be sure to TICK the check-box marked Addition.

Press the Scan button.


It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.

It also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you.

Edited by Maurice Naggar
Link to post

Sorry for the late reply.

In safe mode, the extension does not show up in Internet Explorer. But the folder is there in program data. I also tried safe mode with networking. The extension does not show up there either. I will do the two scans now and share the logs.

Link to post

Thanks for all reports.   Now, here, I have a new custom Fixlist  ( attached below).

First, look on Desktop.   Delete the old file Fixlist.txt.


Save this Fixlist.txt to the Desktop.



Then do a new FIX   run like before ( same ways as on this post)   https://forums.malwarebytes.com/topic/274606-trojan-browser-hijack-extension-keeps-coming-back/?do=findComment&comment=1459892



Note:  The previous run of MBAR would have done a cleanup after one Restart, and the last FRST does not show any rogue sub-folder.

After this task is done, you should do a new scan with Malwarebytes for Windows.

Link to post

This topic is now closed to further replies.
