Jump to content

Recommended Posts

recently there has been this extension called "UHomeMail" that keeps downloading on brave(my web browser which uses chrome). I have searched for the extensions ID in the extensions folder of my browser but I cant find it and the location it gives doesn't exist in my device. I went to the chrome extensions to search for the extension but it doesn't exist there. I used adwcleaner and and it deleted some stuff but it keeps downloading the extension. I also used malwarebytes but it didn't detect anything. Is there any way to fix this?

Link to post
Share on other sites

Hello @Shourya     :welcome:

My name is Maurice.  I will guide you.  The first thing I need is to get a set of reports about the condition of the system, including about Brave.

That is the first step.  I will then review and use that to guide us along.

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

I would like a report set for review.   This is a report only.

Please download MALWAREBYRES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply , like displayed here.
  • To send  ( upload)   attachments please click the "ADD Files"  link . Then browse to where your file is located and select it and click the Open button.

 

_mb_attach.jpg

 

The set of data from the report will provide much needed information.

Please always attach reports as we go along.

Cheers.

Link to post
Share on other sites

Thank you so much for the report.  As a first step, we want to be sure that the version of Malwarebytes for Windows on this machine is absolutely the latest most current release.

So we need to do the following.

Do a new  very special scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

[ 2 ]  Next, the Malwarebytes scan.

Then click the Security tab.  Scroll down and lets be sure the line in SCAN OPTIONs for 

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .

 

[ 3 ] Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

MB4_scan_tick_ALL.jpg.d04ef98c885b4f44f51bfe735922fba7.jpg

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine.jpg.8639e1dfc2301bc6d60a8cfb3c339241.jpg

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉  Please just only attach reports as we go alog.

This is not the cure-all.  Just first measures.   We will do more after this.

Link to post
Share on other sites

This is a long way off from being cleared.  This last run found a bunch of trojans and also Spyware.PasswordStealer.  The latter was in a sub-folder ADOBE FILMS. Did someone possibly do some dodgy downloads ?  Possibly 16 December in afternoon or early evening ?

I have noticed a slew of oddly named scrambled alphabet folder names, as well as EXE files that are in locations where they are not expected..

I also noticed a explicit block on the Malwarebytes licensing server, indicating a likelyhood of usage of a hacked download of the Malwarebytes program from a dodgy source.  That dodgy source likely has put several infections on this box.

would suggest that you do this next scan. This is a known respected tool. It will scan for viruses as well as for potentially unwanted applications.   ( P U A  or  P U P ).

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click The blue Save scan log to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.

Please make sure you attach the log report. 

 

Edited by Maurice Naggar
Link to post
Share on other sites

Be very cautious of any Youtube video that makes an assertion that it provides a legitimate Premium program that is not purchased from Malwarebytes or an authorized vendor.

Pirated programs very often come packaged with real dangerous malware.

This last scan with ESET found and removed 3 trojans + some  potentially unsafe applications.  P U A / P U P

>

Next, a custom script to do other checks & some other cleanups.

We will use FRSTENGLISH.exe  on the Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  SHOURYA  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .  It will run the Windows DISM tool to check the system.  It will rebuild the Winsock.  It will reset the HOSTS file to standard.

It will attempt to remove the extension UHomeMail from Brave browser.  It will empty the Brave browser cache.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  •  
  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   user Downloads  folder

Fixlist.txt

 

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRSTEENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Edited by Maurice Naggar
added notes
Link to post
Share on other sites

Thank you.

The System File Checker did make some fixes. The run was as intended. We need to make one quick follow-up to remove 1 exclusion in Microsoft Defender's exclusions. There is a exclusion at present to exclude the foler Windows\system32\ folder from being protected.

First, Delete the prior Fixlist.txt  that I had you save.

We will use FRSTENGLISH.exe  on the Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  SHOURYA  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  attempt to remove one excluded folder on Microsoft Defender antivirus from its exclusion list.  This run should be very quick.

  •  
  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   user Downloads  folder

Fixlist.txt

 

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRSTEENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

You will see a green progress bar start. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

[    2    ]

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

Edited by Maurice Naggar
Link to post
Share on other sites

Hi. I have reviewed the log. Unfortunately, it was unable to remove the exclusion of C:\WINDOWS\system32\

I would like for you to look into the exclusions on the Microsoft Defender antivirus.  Look at what is shown.  and if you see the exclsuion for C:\WINDOWS\system32\

then to manually remove that entry.

Go to this Microsoft Support link 

Use the procedure at the lower half title "To Remove a exclusion"

Cheers.

Link to post
Share on other sites

I do wonder "how" you would have "removed" Microsoft Defender ?

This next is just a report to check on some Windows services  

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
    Windows Firewall
    System Restore
    Security Center/Action Center
    Windows Update
    Windows Defender
    Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file. 

[    2    ]

I would recommend getting a readout report as to update status of some key apps.

 

  • and save the tool on the desktop.
  • If Windows's  SmartScreen block that with a message-window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Please only just attach the report.

Edited by Maurice Naggar
Link to post
Share on other sites

The FSS report indicates that this Windows Operating system is missing 3 Windows services, which we need to get back to this system so that it is propely secure. The 3 services are SecurityHealthService Service + wscsvc Service (Windows Security Center) + WinDefend Service.
These next steps are how to go about getting those back to standard-default for Windows OS.
There will be 3 downloads, each one to be saved first, before applying.
 download, save, Merge for each of the other 3 services.

RIGHT click each link with your mouse-pointer and select SAVE ...as.... & guide the folder for saving to a folder ( do not double click / do not 'run' the file / nor open

win 10 SecurityHealthService 

With you mouse, do a RIGHT-click on the .reg file  and select Merge

Let it do that & insure it finishes ok.

[ 2 ]

Windows 10 Windows Security Center service

Save, then Merge Wscsvc.reg

With you mouse, do a RIGHT-click on the .reg file  and select Merge

Let it do that & insure it finishes ok.

[  3   ]

Microsoft Defender Antivirus service 

Save, then Merge Windefend.reg

With you mouse, do a RIGHT-click on the .reg file  and select Merge

Let it do that & insure it finishes ok.

[ 4 ]

Now do a Windows RESTART.

[ 5  ]

Find where you saved the FSS.exe.  Now do a new run of FSS to get a new report.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
    Windows Firewall
    System Restore
    Security Center/Action Center
    Windows Update
    Windows Defender
    Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file. 

 

Link to post
Share on other sites

  • 4 weeks later...

Hey! Sorry I had forgotten about this. I had too much fun on my trip 😅

There seems to be nothing wrong with my system anymore

I have also started using a password managing and generating app called Bitwarden password manager and have changed the password using the passwords from the app and keep different passwords for everything.

I have also stopped clicking on sketchy links and a system scan through Malwarebytes twice a day and nothing seems to be wrong for now.

Thanks for all your help!

 

Link to post
Share on other sites

Hello.  Sounds fine & well.  I just want us to be very sure you have Merged the files I listed for you to do on a earlier reply, back in December   https://forums.malwarebytes.com/topic/281978-random-extension-keeps-downloading/?do=findComment&comment=1494371

 

Link to post
Share on other sites

Hello Shourya.

This Windows system is not good to go yet. It is missing 3 security files needed by Windows. 1 EXE file + 2 DLL files.
C:\Windows\System32\SecurityHealthService.exe FILE IS MISSING.
C:\Windows\System32\wscsvc.dll FILE IS MISSING.
C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING.

One way to get squared away is to do a Windows-repair-upgrade-in place. That is a mouthful. But basically to have Windows up and running, and without any open applications on your side, to do a upgrade-in-place using special Microsoft methods.
These next steps can be referred to as a repair-install in place.

If this machine is a laptop or notebook, be sure it is connected to power thru a regular power cord to regular electric power.
( that is to say, not be on battery power).

1. Back up your personal data and files to an external hard drive, USB thumb drive.
2. Ensure you are signed in or have administrator rights to do a repair install
3. Unplug all external peripherals except for the Mouse, Keyboard, and LAN cable before starting

Download the media creation tool MCT    (Click Download tool now) and save it to your computer.
https://www.microsoft.com/en-us/software-download/windows10

After it is completely saved.
Start the tool and select "Upgrade this PC now."

Make sure to select " Keep personal files and apps. "

It will take some time to run & complete. Your computer will restart a few times, Make sure you don’t turn off your PC
If you see a dark screen at times, do not fret.  Just simply move the mouse pointer around the screen or press the space bar to trigger a screen display refresh.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.