Trojan browser hijack extension keeps coming back


Solved by Maurice Naggar

He had the same problem as me. His moderator is talking about a shortcut.txt file. I think you should also check this.

Although I am gonna first do the fix you shared above.
As his problem is resolved, that is why I am sharing this with you.
Hey, in the fix you provided, the following line

C:\ProgramData\Kmmxw\Xyaczs\3AC0A560

On my laptop, folder Xyaczs has changed to Nyxbh.

The rest are the same: Kmmxw and 3AC0A560.

What should I do? Fix with your fixlist, or are you gonna make a new custom fix?

When you get to a point where you are caught up, there is a very pesky extension on the EDGE browser that is tied to the pest at hand. It is named uHelpShow.

You need to remove / uninstall that extension on the EDGE browser.

Edge Extension: (uHelpShow)

Apply the methods in this guide at TenForums

https://www.tenforums.com/tutorials/166175-how-add-remove-extensions-microsoft-edge-chromium.html

Next, a new Fixlist. Do the same that I had you do on the last Fix run.

There is just 1 odd-looking quick link to Edge. This fix ought to remove it.

Fixlist.txt

Edited by Maurice Naggar
I think the previous fix has worked; the extension is not showing in Edge and the folder is also not there in program data. But I will wait for 1 hour and restart and see if the problem is gone completely or not.

For removing the uHelpShow, I have done it 100 times already. Once I remove it, it comes after 30 minutes. This used to happen.

But let's see if it comes now or not.

I will let you know in some time.

If it comes, I will do the new fix you provided.

  • Solution

I have read this last note. I need to convey the significant importance of removing uHelpShow from the EDGE browser. It is related to the beast we have been trying to remove.

Perhaps I should refer you to Tenforums to remove the EDGE browser altogether. Then if you still want EDGE, you could re-install it from Microsoft.

I need for you to attach the last Fixlog from the last run. By the way, it is quite possible that now you will have an easier time removing uHelpShow, since this last run removed the quick link shortcut to Edge. That is why I would appreciate you doing that now (like a new college try).

As it was only for the Edge quick launch, I performed the fix.

As the Kmmxw folder was already removed by the previous fix, it was not found.

I think the problem has gone away, as the extension is not showing in Edge extensions and the folder is also not there in program data.

But I will monitor for some time, so please don't close the thread.

Fixlog.txt

Thanks for that log. Bravo. Now an inquiry that does not take much time at all.

Request a new query report using Windows PowerShell. This is just an inquiry to the system for the Edge browser.

Start an elevated PowerShell command prompt window. On the Windows taskbar, in the Search box, type in

powershell

Wait and look for the results list. Click on the line that shows PowerShell with "Run as Administrator".

Then you will see the PowerShell window. Into that, we want to Copy & Paste this entire line as is

 

Get-AppxPackage *uhelpshow* 

then tap the Enter-key and wait and watch the result.

When it has displayed a blue screen with lots of info, when done, then use the mouse pointer and do a RIGHT-click on the top title bar of the PowerShell window.

Select "Select all"

Next then 

Select COPY

Next, on this forum topic, in a new Reply, Right click the white reply box 

And select PASTE 

 

Thank you   😎
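Added example, not part of the thread and not the helper's fixlist: a read-only PowerShell check that repeats the AppX query above and also lists the extensions installed in each Edge profile by reading their manifest.json files, flagging any named uHelpShow. It assumes the default Edge (Chromium) user-data location; the forced-install policy check is an assumption of this example and is not something the thread reports.

```powershell
# Added example: read-only checks; nothing is deleted or changed.
$needle = 'uhelpshow'   # extension name taken from this thread

# 1. The same AppX query requested in the post above.
$appx = @(Get-AppxPackage "*$needle*")

# 2. Edge (Chromium) stores each extension as
#    User Data\<profile>\Extensions\<id>\<version>\manifest.json
$userData  = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
$manifests = Get-ChildItem -Path (Join-Path $userData '*\Extensions\*\*\manifest.json') -ErrorAction SilentlyContinue
$extensions = foreach ($file in $manifests) {
    $name = $null
    try {
        $m    = Get-Content -Raw -Encoding UTF8 -LiteralPath $file.FullName -ErrorAction Stop | ConvertFrom-Json
        $name = [string]$m.name
        # Localized manifests store "__MSG_key__"; resolve it via the default locale.
        if ($name -match '^__MSG_(.+)__$' -and $m.default_locale) {
            $msgKey  = $Matches[1]
            $msgFile = Join-Path $file.DirectoryName "_locales\$($m.default_locale)\messages.json"
            $msgs    = Get-Content -Raw -Encoding UTF8 -LiteralPath $msgFile -ErrorAction Stop | ConvertFrom-Json
            $entry   = $msgs.PSObject.Properties | Where-Object { $_.Name -ieq $msgKey } | Select-Object -First 1
            if ($entry) { $name = [string]$entry.Value.message }
        }
    } catch { if (-not $name) { $name = '<unreadable manifest>' } }
    $parts = $file.FullName.Substring($userData.Length).Trim('\').Split('\')
    [pscustomobject]@{
        Profile = $parts[0]; Id = $parts[2]; Version = $parts[3]
        Name    = $name
        Match   = $name -like "*$needle*"
    }
}

# 3. Folder named in this thread; its subfolder name changed between runs
#    (Xyaczs -> Nyxbh), so only the parent folder is tested.
$dropFolder = Test-Path -LiteralPath 'C:\ProgramData\Kmmxw'

# 4. Assumption, not stated in the thread: an extension that returns after
#    removal may be listed under Edge's forced-install policy key.
$forced = @(foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist"
    if (Test-Path $key) { $k = Get-Item $key; $k.GetValueNames() | ForEach-Object { "$hive $($k.GetValue($_))" } }
})

$extensions | Sort-Object Match -Descending | Format-Table -AutoSize
"AppX packages matching '$needle': $($appx.Count)"
"C:\ProgramData\Kmmxw present: $dropFolder"
"Forced-install policy entries: $($forced.Count)"; $forced
```

An empty AppX result alongside a matching row in the extension table means the item is a browser extension rather than an installed app package.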


Yes, that is good. You may close the PowerShell window. Thanks.

Let me suggest you do one scan with AdwCleaner to check for adwares. It will not take much time.

First download & save it 

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then do a scan with AdwCleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

Hello. I would appreciate collecting from this PC the Quarantine folder from FRST. These would be the copies of items removed by the FRST tool.

Using File Explorer, go to the left side of the left hand tree & expand the C drive. Look for C:\FRST\Quarantine

With your mouse do a RIGHT-click and then select "Send to compressed folder".

When done it will have created a ZIP file. Please attach that in a new Reply. Let's do that first, please.

I would like to have that so that it can be reviewed.

Once that is done, then we can proceed to tools cleanup.

  • To remove the FRST64 tool & its work files & the Quarantine folder, do this. Go to your Desktop folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe

Then run that (double-click on it) to begin the cleanup process.

  • Delete MBAR.exe
  • Delete the folder \MBAR

AdwCleaner you may keep & run as needed on-demand to check for adwares. It is a stand-alone utility. It is not installed.

Any other download file I had you download, you may delete. I wish you all the best. Stay safe.

Sincerely.

Maurice

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

This topic is now closed to further replies.