
Unknown extension will be reinstalled even though it is constantly removed


Solved by AdvancedSetup


This extension is called vEmbedGoogle, and I have found that this is why I am always redirected to another search engine on the new tab when I search for something in the browser. I tried AdwCleaner by Malwarebytes and other antivirus tools to scan the whole computer, but only AdwCleaner can permanently remove this extension. However, after rebooting the computer, once I have been running the browser for a certain number of minutes, the browser restarts again (the previous page reloads, and the whole browser looks like it closes and reopens).

So I want to ask someone for help to solve this problem... It is very troublesome for me every day (the browser always closes and reopens shortly after it is first started, while this extension is reinstalling).


Yes, today I am using Malwarebytes, and the database is up to date as well. The result shows it scanned and found something, and I made sure everything was deleted, then restarted my computer. After the restart I also ran an AdwCleaner scan and deleted what it found, the same process as before. But the browser still auto-refreshes and reinstalls the extension.


Hi,

sorry for interjecting.

I assume that MBAM does not detect the loading point (maybe a task) of this malware.

So I suggest running FRST as well, @alexkhor1983, to get an overview of your system.

 

 

Step 1

  • If you already have Malwarebytes installed, open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed, or you are not running the newest version yet, please download it from here and install it.
  • Once the MBAM dashboard opens, click on Settings (gear icon).
  • Click on the Security tab and make sure that all four Scan options are enabled.
  • Close Settings and click on the Scan button on the dashboard.
  • Once the scan is completed, make sure it quarantines any detections it finds.
  • If no detections were found, click on the Save results drop-down, then the Export to TXT button, and save the file as a text file to your desktop.
  • If there were detections, then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and attach that log to your next reply.
  • If the computer restarted to quarantine, you can access the logs from Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and attach that log to your next reply.
  • If Malwarebytes won't run, please skip to the next step and let me know in your next reply that the scanner would not run.

 

 

Step 2

Please download the appropriate version of Farbar Recovery Scan Tool (FRST) and save it to your desktop: 32-bit | 64-bit

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Check the box in front of Shortcut.txt.
  • Press the Scan button.
  • FRST will create three logs (FRST.txt, Addition.txt and Shortcut.txt) in the same directory the tool is run from.
  • Please attach these log files to your next reply.

 

Edited by MKDB

  • Root Admin
  • Solution

Thank you for the logs @alexkhor1983

 

This computer shows as a US English installation of Microsoft Windows 10 Home Single Language Version 21H1 19043.1348 (X64) (2021-07-05 14:15:01) 

Is your native language Chinese? Why the installation of non-English security software?

 

You have the following listed as an installed security application, which is not English.

AV: 电脑管家系统防护 (Enabled - Up to date) {512E2CB6-FF66-A088-DF66-EC454CC3ED03}
AS: 电脑管家系统防护 (Enabled - Up to date) {EA4FCD52-D95C-AF06-E5D6-D7373744A7BE}

That translates to:  Computer Butler System Protection

Did you install that on your system on purpose?

 

You also have the following installed

搜狗输入法 9.5正式版 (HKLM-x32\...\Sogou Input) (Version: 9.5.0.3517 - Sogou.com)

Sogou input method 9.5 official version

星际争霸II (HKLM-x32\...\StarCraft II) (Version:  - Blizzard Entertainment)

Starcraft II

 

 

电脑管家 (HKLM-x32\...\QQPCMgr) (Version: 15.0.22122.210 - 腾讯科技(深圳)有限公司) <==== ATTENTION

Computer Manager (HKLM-x32\...\QQPCMgr) (Version: 15.0.22122.210 - Tencent Technology (Shenzhen) Co., Ltd.)

The Farbar program considers this to be some type of potential threat. Did you install it on purpose? Trend Micro antivirus appears to consider this at least an adware/unwanted program as well.

(Tencent Technology(Shenzhen) Company Limited -> ) C:\Program Files (x86)\Tencent\QQPCMgr\15.0.22122.210\qmbsrv.exe
(Tencent Technology(Shenzhen) Company Limited -> Tencent) C:\Program Files (x86)\Tencent\QQPCMgr\15.0.22122.210\QQPCRealTimeSpeedup.exe
(Tencent Technology(Shenzhen) Company Limited -> Tencent) C:\Program Files (x86)\Tencent\QQPCMgr\15.0.22122.210\QQPCRTP.exe
(Tencent Technology(Shenzhen) Company Limited -> Tencent) C:\Program Files (x86)\Tencent\QQPCMgr\15.0.22122.210\QQPCTray.exe

 

 

 

 

What are these entries? Google Translate does not appear to recognise the language.

Network Binding:
=============
VPN - VPN Client: SoftEther Lightweight Network Protocol -> SeLow (enabled)
VPN - VPN Client: QQ¹Ü¼ÒARP·À»ðǽ. -> MS_TxArp (enabled)
Bluetooth Network Connection: SoftEther Lightweight Network Protocol -> SeLow (enabled)
PdaNet Broadband Connection: SoftEther Lightweight Network Protocol -> SeLow (enabled)
PdaNet Broadband Connection: QQ¹Ü¼ÒARP·À»ðǽ. -> MS_TxArp (enabled)
Ethernet: SoftEther Lightweight Network Protocol -> SeLow (enabled)
Ethernet: QQ¹Ü¼ÒARP·À»ðǽ. -> MS_TxArp (enabled)
Wi-Fi 2: SoftEther Lightweight Network Protocol -> SeLow (enabled)
Wi-Fi 2: QQ¹Ü¼ÒARP·À»ðǽ. -> MS_TxArp (enabled)
Wi-Fi: QQ¹Ü¼ÒARP·À»ðǽ. -> MS_TxArp (enabled)
Wi-Fi: SoftEther Lightweight Network Protocol -> SeLow (enabled)

 

 

It looks like you may possibly have some type of cryptography protocol issue.

Error: (11/20/2021 08:56:25 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

 

You have old, compromised versions of Java installed. They should be uninstalled from the Control Panel

  • Java 8 Update 261 (64-bit)
  • Java SE Development Kit 8 Update 152

 

This scheduled task looks to be a feedback mechanism for Microsoft, but the folder it's pointing at looks a tad suspicious.

Task: {3E0B6FB5-1727-4478-9A50-A4FC1D97B5C5} - System32\Tasks\Microsoft\Windows\Feedback\System.IGRATE => C:\WINDOWS\microsoft.net\framework\v4.0.30319\RegAsm.exe /U C:\ProgramData\WinsExtra\RamovkAalue\CBTJOwj_Medi002.dll

 

 

Unless this is the paid version, this may be an ad-sponsored version. Most computer experts warn against the use of automated driver update software, as it can sometimes be wrong and install or update the wrong version, locking the computer or even preventing it from starting. If you really need a driver update, it's better to visit the manufacturer's website and download the needed driver yourself than to risk automated driver updates in general.

Driver Easy 5.7.0

 

Our older program FileASSASSIN is not compatible with some of our newer software. It is recommended that you uninstall this.

 

The logs also show some type of proxy being set on the computer. Did you set this proxy on purpose?

ProxyServer: [S-1-5-21-1159081498-3890423590-1157298889-1001] => 127.0.0.1:8325

 

There are multiple non-English drivers installed and running on the system. Are you 100% sure that every single one of them is safe and not problematic or a possible threat?

 

The Malwarebytes scan log indicates that you either ran the scan before doing a Google Chrome cleanup, or you did not perform the Google Chrome cleanup, as those files are still in the Google Chrome folders.

 

 

Please provide some updates about the items listed above and we'll proceed to help you clean up the computer as best as possible.

Thank you
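The entries flagged in the post above (a scheduled task that runs RegAsm.exe /U on a DLL under C:\ProgramData, a per-user ProxyServer, and network binding names that came out as unreadable characters) are the kind of thing worth pulling out of an FRST log automatically. The Python below is an added example, not part of the thread and not FRST's or Malwarebytes' code. It runs over constructed sample lines modelled on the entries quoted above; the all-zero-GUID task is a hypothetical benign entry included for contrast. Two facts it relies on: RegAsm.exe /U executes the unregistration code inside the assembly it is given, so a task pointing it at a DLL in ProgramData is a persistence red flag regardless of the Microsoft-looking task name; and the garbled binding names are GBK bytes that FRST displayed through a Western single-byte code page, which re-decode to QQ管家ARP防火墙 (QQ Manager ARP Firewall), i.e. a component of the Tencent package already discussed.

```python
"""Triage helpers for FRST-style log excerpts (added example, not FRST's or
Malwarebytes' code). Pulls out scheduled tasks that proxy execution through a
trusted .NET/Windows binary, per-user proxy settings, and GBK text that was
displayed through a Western code page."""
import re

# Constructed sample modelled on the FRST lines quoted in the thread. The
# all-zero GUID task is a hypothetical benign entry included for contrast.
SAMPLE_LOG = (
    r"Task: {3E0B6FB5-1727-4478-9A50-A4FC1D97B5C5} - System32\Tasks\Microsoft\Windows\Feedback\System.IGRATE"
    r" => C:\WINDOWS\microsoft.net\framework\v4.0.30319\RegAsm.exe /U C:\ProgramData\WinsExtra\RamovkAalue\CBTJOwj_Medi002.dll"
    "\n"
    r"Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\Microsoft\Windows\Feedback\Siuf\DmClient"
    r" => C:\Windows\System32\dmclient.exe"
    "\n"
    "ProxyServer: [S-1-5-21-1159081498-3890423590-1157298889-1001] => 127.0.0.1:8325\n"
    "Ethernet: QQ\u00b9\u00dc\u00bc\u00d2ARP\u00b7\u00c0\u00bb\u00f0\u00c7\u00bd. -> MS_TxArp (enabled)\n"
)

# Signed Microsoft binaries that will load and run code handed to them on the
# command line (RegAsm.exe /U runs the assembly's unregistration code).
LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
           "rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Payloads under these prefixes are treated as installed software; anything
# else (ProgramData, Users, Temp) is flagged. Heuristic, not a whitelist.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

TASK_RE = re.compile(r"^Task:\s*\{(?P<guid>[0-9A-Fa-f-]+)\}\s*-\s*(?P<path>.+?)\s*=>\s*(?P<action>.+?)\s*$", re.M)
PROXY_RE = re.compile(r"^ProxyServer:\s*\[(?P<sid>S-[\d-]+)\]\s*=>\s*(?P<proxy>\S+)", re.M)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def classify_task(action):
    """Return a reason string if the task action looks like LOLBin persistence, else None."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', action)]
    if not tokens:
        return None
    exe = tokens[0]
    exe_name = exe.rsplit("\\", 1)[-1].lower()
    payloads = [t for t in tokens[1:] if WIN_PATH_RE.match(t)]
    untrusted = [p for p in payloads if not p.lower().startswith(TRUSTED_PREFIXES)]
    if exe_name in LOLBINS and untrusted:
        return f"{exe_name} used to load {untrusted[0]}"
    if WIN_PATH_RE.match(exe) and not exe.lower().startswith(TRUSTED_PREFIXES):
        return f"task binary outside Windows/Program Files: {exe}"
    return None


def fix_gbk_mojibake(text):
    """Re-decode GBK bytes that were shown through a single-byte Western code page.
    Returns the input unchanged when the bytes are not valid GBK."""
    try:
        raw = text.encode("cp1252")
    except UnicodeEncodeError:
        try:
            raw = text.encode("latin-1")
        except UnicodeEncodeError:
            return text
    try:
        return raw.decode("gbk")
    except UnicodeDecodeError:
        return text


def triage(log_text):
    """Scan FRST-style text and collect the findings a reviewer would ask about."""
    findings = {"tasks": [], "proxies": [], "decoded": []}
    for m in TASK_RE.finditer(log_text):
        reason = classify_task(m.group("action"))
        if reason:
            findings["tasks"].append((m.group("guid"), m.group("path"), reason))
    for m in PROXY_RE.finditer(log_text):
        findings["proxies"].append((m.group("sid"), m.group("proxy")))
    for line in log_text.splitlines():
        # Double-byte mojibake shows up as runs of two or more Latin-1 "high"
        # characters; a lone accented letter in a driver name is left alone.
        if re.search(r"[\u0080-\u00ff]{2}", line):
            fixed = fix_gbk_mojibake(line)
            if fixed != line:
                findings["decoded"].append((line, fixed))
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(kind, *item, sep=" | ")
```

To use it on a real log, read FRST.txt or Addition.txt with encoding="utf-8", errors="replace" and pass the text to triage(). A hit from the trusted-prefix check is a question to ask, as the admin does above, not a verdict: a task whose binary sits under Program Files can still be malicious, and a LOLBin invocation with a payload under Windows is not flagged by this heuristic.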

 

 

 


  • Root Admin

Okay, please uninstall the items we spoke about. Then run the Google clean-up.

Then scan again with Malwarebytes. This time the scan should come back clean, and if the clean-up was done properly I don't currently see a reason for the extension to reinstall itself.

Once those are all done, please run the following ESET scan to double-check and see if it finds any malware threats.

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder or the Desktop.
  • Go to the saved file and double-click it to start it.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for the scan type, click on Full scan.
  • Tick (select) the option "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (i.e. their standard product). You do not need to buy, get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Thank you

 


Yes, I did the ESET scan today, and here is the log file. But actually, after uninstalling the things you mentioned above and removing everything that Malwarebytes and AdwCleaner found, that extension didn't appear again. And as for C:\ProgramData\WinsExtra\RamovkAalue\CBTJOwj_Medi002.dll, I didn't find this file in that folder, and I also checked for hidden files there. I think it was deleted or is missing?

esetLogFile.txt


  • Root Admin

Please go ahead and run a new Farbar scan. Click on the Scan button, make sure you have a check mark in the Addition.txt check box, and attach both new log files please, @alexkhor1983.

Then also run the following for me.

 

 

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file.
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running, click on More info and then Run anyway.
  • Right-click on SecurityCheck.exe and select "Run as administrator", then reply Yes to allow it to run.
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file and attach it to your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

 


 

Thank you

 

 


  • 4 months later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
