
Trojan Browser Hijack keeps coming back [Extension + Files in ProgramData]


Solved by Maurice Naggar

I have been having issues with certain files in the ProgramData folder as well as a particular extension (zTube something) which keeps coming back in Chrome and Edge. I have removed it manually multiple times, but after 30 minutes or so it comes back. Initially Windows Defender didn't pick up anything, so I downloaded Malwarebytes, which detects the files in ProgramData as Trojan Browser Hijack and quarantines them, but they come back again. I have referred to similar posts and turned on "scan for rootkits" and "use expert system algorithms" for the most recent scan. I have attached the scan results below. After running the scan and quarantining the threats I also ran an FRST scan as recommended in some posts. I have attached the files produced from there as well. This is the first time I have got a virus on my laptop, and since I use this laptop for work as well as studies it has a lot of important documents. I am also worried about this virus stealing information from my browser, therefore I uninstalled and reinstalled Chrome.

ScanResults.txt Addition.txt FRST.txt


Hello. Malwarebytes for Windows found (identified) Trojan.BrowserHijack, but notice that the last report said "No Action By User".

You must review all lines once the scan phase is done, then TICK all lines so they are selected, and then QUARANTINE them.

 

Now a fresh new scan with Malwarebytes for Windows.

  • In the Malwarebytes for Windows program, we want to do a special scan.
  • Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
  • Then click the Security tab.
  • Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
  • Click it to get it ON if it does not show a blue color.
  • Next, click the small x on the Settings line to go to the main Malwarebytes window.
  • Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you review and have all detected items check-marked on each line on the left. That too is very critical.

You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

 

Please double-verify that you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

 

Then click on the Quarantine button.

 


Then, locate the scan run report, export a copy, and attach it to your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

There will be much more to do after this. Please stick with me, be prompt about doing the suggestions, and get back here with a reply. Thanks in advance.


Hi, sorry, my bad: the report was exported just before I quarantined the threats. I have attached the post-quarantine report below. I have also run the scan again as directed; no threats were detected since I had previously quarantined them a few minutes ago, and it usually takes 30 minutes to 1 hour for the files to come back. The clean report is also attached below.

PostQuarantine.txt LatestScan.txt


Hi,

I will step in until Maurice returns.

 

Fix with Farbar Recovery Scan Tool

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select "Run as Administrator" to start the tool.
    (XP users click Run after receipt of the Windows Security Warning - Open File.)
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop called Fixlog.txt.

Please upload it to your reply.


Once the fix is done, please upload the Date|Time.zip archive from your Desktop.

Thank you!

 

fixlist.txt

Edited by TwinHeadedEagle

Solution

Thanks. OK, here are the follow-ups we need to do to ensure the main pest is all gone, plus to ensure nothing else is a threat or malware.

The first step is to ensure Windows shows ALL files & folders. Use the tips of Option ONE or TWO of this article.

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

[ 2 ]

This next custom Fix script is intended to do a few things:

Mainly to ensure the rogue sub-folder C:\ProgramData\Qsdk is gone.

To see that MS Windows Defender is re-enabled & ON.

To run the Windows System File Checker to check / verify Windows system files.

To reset Winsock.

There are a few (non-malware) Tasks that can be removed, which will make your system a tad bit faster on its tasks, e.g. clearing the deadwood.

Save this next file, Fixlist.txt, AS IS in the same place where the last one was saved: the DESKTOP.

Fixlist.txt

 

Close any open work files or edits that you might have currently. This run will do a RESTART.

 

  • Right-click on the FRST64 icon and select "Run as Administrator" to start the tool.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop called Fixlog.txt.

Please upload it to your reply.

Edited by Maurice Naggar

Bravo! 1 trojan DLL has been removed & the rogue sub-folder is deleted.

C:\Users\Umar\AppData\Local\FileExtensions\SpeeehShow\dfvskft_BBEN.dll => moved successfully
C:\ProgramData\Qsdk => moved successfully

 

Thanks for the report. The next thing I suggest you do is: update definitions for MS Windows Defender & then do a Quick scan with it.

I would like to suggest that you do a manual scan with Microsoft Defender antivirus. Do the Check for Updates first (see bottom below) & then click on the Quick Scan button (see example at bottom).

From the Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security.

 

Next, in the Windows Security section, click on the grey button Open Windows Security.

Now, click on the shield Virus and threat protection.

By the way, when you see a green check-mark on your display, it means a good status and that protection is on.

 

 

 

On the next display, look at all the options. Look down the list and see "Check for Updates", which I have highlighted with a blue icon.

You can click on that to have the system check for updates for Windows Defender.

Please also note that all the scan options can be displayed by clicking on Scan options (you can do Quick, Full, or Custom).

 

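As an added check that is not part of the thread's own instructions: the script below, run in an elevated PowerShell window after the FRST fix, verifies the outcomes the fix aimed at (the rogue folders gone, Defender on) and lists the two persistence mechanisms most likely to explain an extension that "comes back after 30 minutes", a scheduled task that re-drops files and a browser force-install policy. It assumes Windows 10 with the Defender and ScheduledTasks PowerShell modules; the registry policy paths and the use of the current profile's AppData are assumptions, the two folder names are the ones quoted in the thread.

```powershell
# Added example (not the forum's or Malwarebytes' own code): read-only post-cleanup checks.
# Assumptions: elevated PowerShell 5.1+ on Windows 10; Defender/ScheduledTasks modules present.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. The two locations the fix log reported as removed (names from the thread; the user
#    profile part comes from the current account rather than being hard-coded).
$paths = @(
    'C:\ProgramData\Qsdk',
    (Join-Path $env:LOCALAPPDATA 'FileExtensions\SpeeehShow')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Path has reappeared: $p") }
}

# 2. Defender state: the fix was meant to leave it re-enabled, with fresh signatures.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is OFF') }
if ($mp.AntivirusSignatureAge -gt 2) {
    $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old")
}

# 3. Scheduled tasks whose action runs something from ProgramData or the rogue AppData
#    folder: a timer like this is what re-creates files minutes after they are deleted.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'ProgramData|FileExtensions') {
            $findings.Add("Task '$($task.TaskPath)$($task.TaskName)' runs: $cmd")
        }
    }
}

# 4. Force-install extension policies for Chrome and Edge: an extension listed here is
#    re-installed by the browser itself after the user removes it from the extensions page.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($k in $policyKeys) {
    if (Test-Path $k) {
        $key = Get-Item $k
        foreach ($name in $key.GetValueNames()) {
            $findings.Add("Forced extension in $k : $($key.GetValue($name))")
        }
    }
}

if ($findings.Count -eq 0) { 'No persistence indicators found.' } else { $findings }
```

Any task or policy entry it prints should be compared against the Fixlog.txt and reported back rather than removed by hand, since the helper is working from those logs.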

You are very welcome.

As an additional check, let me suggest one other (free) scan that would be worthwhile.

Please download and run the following Kaspersky antivirus scanner to remove any found threats.

 

Kaspersky Virus Removal Tool

Kaspersky KVRT reports are saved in C:\KVRT_data\Reports and look similar to this: report_20210614_103821.klr

Right-click directly on that report, select Open with > Notepad. Save that file and attach it to your reply.


Good morning. Thanks.

[ 1 ]

Another thing you can do is to see about adding the Malwarebytes Browser Guard to those of your browsers that can handle it.

See https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

[ 2 ]

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.

 

Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.

  • If Windows SmartScreen blocks it with a message window, then click on the MORE INFO spot, override that, and allow it to proceed. This tool is safe; SmartScreen is overly sensitive.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.

You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

Cheers.


Thanks for the report. These add-on programs / apps need your follow-up so that they have the latest security patches / version.

Adobe Shockwave Player 12.0 v.12.0.4.144 Warning! This software is no longer supported. Please uninstall it.


swMSM v.12.0.0.1 << Hidden Warning! This software is no longer supported. Please uninstall it.

 

Python 3.7.8 (64-bit) v.3.7.8150.0 Warning! Download Update


Dropbox v.123.4.4832 Warning! Download Update


Foxit Reader v.7.2.2.929 Warning! Download Update


TeamViewer v.15.8.3 Warning! Download Update

WinRAR 5.01 (64-bit) v.5.01.0 Warning! Download Update
 
Picasa 3 v.3.9.140.248 Warning! This software is no longer supported.

Cisco Webex Meetings v.41.5.4 Warning! Download Update


Discord v.0.0.308 Warning! Download Update
 
Zoom v.5.6.5 (823) Warning! Download Update


Skype™ 7.36 v.7.36.101 Warning! Download Update
 
µTorrent v.3.5.5.45966 Warning! Ad-supported P2P-client.
 
Java 8 Update 281 v.8.0.2810.9 Warning! Download Update
Uninstall old version and install new one (jre-8u291-windows-i586.exe).
 
VLC media player v.3.0.12 Warning! Download Update

 

Then, to ensure that Microsoft Defender is enabled (this will not affect any protection of the Trial of Malwarebytes for Windows):

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

 

Click the Security tab. Scroll down to "Windows Security Center".

 

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".

{ We want that to be set to Off, so be sure that line's radio-button selection is all the way to the left. Thanks. }

This will not affect any real-time protection of Malwarebytes.


Hello.   I am very pleased to have worked with you & to have helped you.

It's good to know of your success.

To remove the FRST tool & its work files, do this. Go to your Desktop folder. Right-click on FRST64.exe, select RENAME, and then change it to UNINSTALL.exe.
Then run that (double-click on it) to begin the cleanup process.

 

Delete KVRT.exe

Delete SecurityCheck.exe

Any other download I had you get you may delete.

All the best to you.   Stay safe.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for tips to help protect from infection.

Thank you
