Rouge browser extentions in chrome

[Kranium31 0]

I can't seem to get rid of 2 extensions in chrome. I deleted the folders they were in and they keep coming back.The FRST logs are below.

 

Thanks in advance.

 

FRST.txtAddition.txt

Edited March 15 by Kranium31

[CeciliaB 403]

Hi Kranium31,

1. Have you selected to use a proxy server when connecting to internet or is it an adware/malware that has done that?

2. Which two extensions are you trying to remove?


3. Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3442750687-2903251054-143670318-1000\...\MountPoints2: {a3df8fd6-e1d5-11e6-9d38-806e6f6e6963} - F:\setup.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
GroupPolicy\User: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR Extension: (Dealz) - C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Extensions\manaobgbdfpjjjnheogfghmjbikhjnlf [2017-03-14]
CHR Extension: (Chrome Media Router) - C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-14]
CHR HKLM\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - hxxps://clients2.google.com/service/update2/crx
R2 WinGraph; C:\Windows\wnavga.exe [7680 2015-05-14] () [File not signed]
S1 {fb002fdf-f22a-4065-b792-03a9daf94ef2}Gw; system32\drivers\{fb002fdf-f22a-4065-b792-03a9daf94ef2}Gw.sys [X]
Task: {5FD72B6A-FAE7-47B3-B899-6D350F1EFC53} - System32\Tasks\Winupdate => C:\Windows\chp.exe [2007-10-28] (www.commandline.co.uk) <==== ATTENTION
Task: {B0ADDCDE-76A5-436E-B83A-E7C070D08E9D} - System32\Tasks\EssentialUpdateMachine => C:\Windows\chp.exe [2007-10-28] (www.commandline.co.uk) <==== ATTENTION
AlternateDataStreams: C:\Users\Cast-2\Desktop\FRST.exe:BDU [0]
AlternateDataStreams: C:\Users\Cast-2\Downloads\0008-32bit_Win7_Win8_Win81_Win10_R281.exe:BDU [0]
AlternateDataStreams: C:\Users\Cast-2\Downloads\dxwebsetup (1).exe:BDU [0]
Reboot:

and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.


4. These are old Java versions with known vulnerabilities (security holes), it is very easy to infect the computer now, please uninstall them. Most persons don't need to have Java installed but if you do, always use the latest version.
Java 7 Update 79
Java SE Development Kit 7

[Kranium31 0]

It was the malware that changed to the proxy server. I also can't shut off third party extensions anymore.

 

Doing this now.

Edited March 16 by Kranium31

[Kranium31 0]

Here is the log file. When I rebooted firefox told me it was setup to run a proxy and wouildn't connect. I was able to change the setting though.There are new extensions in FF as well now. (bing search 1.0.0.8 and urban ladder 0.2). Java update will not update stating proxy settings are wrong.Fixlog.txt

Edited March 16 by Kranium31

[CeciliaB 403]

Here is the log file. When I rebooted firefox told me it was setup to run a proxy and wouildn't connect. I was able to change the setting though.There are new extensions in FF as well now. (bing search 1.0.0.8 and urban ladder 0.2). Java update will not update stating proxy settings are wrong.Fixlog.txt

 

1. The following should remove all proxy settings.

 

Please, start Notepad.

Copy all text that is in the box:

 

CreateRestorePoint:
CloseProcesses:
RemoveProxy:
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
Reboot:

and paste in Notepad. Check that no files have been split on two lines.

Save the file as fixlist.txt on the desktop.

 

Exit all programs.

Start FRST, please.

Click the Fix button.

Wait until the tool has finished.

 

It creates a log file, called Fixlog.txt, on the desktop.

Please, paste the content of that file in your reply.

 

 

2. Start FRST.

Select Addition.txt and then let it scan the computer.

Attach the two new log files, FRST.txt and Addition.txt.

[Kranium31 0]

FRST failed to update after reboot. There is still am extension that I cannot remove in chrome(eversave 1.0.1.31).

 

Here are the logs as requested.FRST.txtAddition.txt

[Kranium31 0]

Windows update and java update are still blocked.

[CeciliaB 403]

Can you uninstall Bing and Urban Ladder in Firefox's settings for add-ons?

1. The following script will delete all content of trash bin and temporary folders, please check that you haven't anything in those locations that you want to keep.

 

Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
FF Extension: (Bing Search) - C:\Users\Cast-2\AppData\Roaming\Mozilla\Firefox\Profiles\z5bibrx9.default\Extensions\[email protected] [2017-03-14]
FF Extension: (Urban Ladder) - C:\Users\Cast-2\AppData\Roaming\Mozilla\Firefox\Profiles\z5bibrx9.default\Extensions\[email protected] [2015-06-02] [not signed]
FF SearchPlugin: C:\Users\Cast-2\AppData\Roaming\Mozilla\Firefox\Profiles\z5bibrx9.default\searchplugins\bing-.xml [2017-03-14]
FF Extension: (Urban Ladder) - C:\Program Files\Mozilla Firefox\browser\extensions\[email protected] [2015-06-02] [not signed]
CHR Extension: (EverSave) - C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Extensions\bghejdcdajlenjngcknlkkoakmmjfanb [2017-03-14]
CHR HKLM\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - hxxps://clients2.google.com/service/update2/crx
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:
Reboot:

and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

 

 

2. Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Log file button.
A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[s1].txt.

 

3. Run an online scan with Eset (easiest with Internet Explorer) by following the instruction on http://support.eset.com/kb2921/ .
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Deselect Remove found threats (important due to false positives).

Select:
Scan Archives
Enable detection of potentially unsafe applications
Enable detection of suspicious applications
Enable Anti-Stealth Technology

Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

[Kranium31 0]

I was able to remove the FF extensions and the updates are working again.

 

Brb with log files.

[Kranium31 0]

Here are the first 2 log files.

 

Fixlog.txt

 

 

# AdwCleaner v6.044 - Logfile created 16/03/2017 at 20:07:14
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-15.2 [server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X86)
# Username : Cast-2 - CAST-2-PC
# Running from : C:\Users\Cast-2\Desktop\adwcleaner_6.044.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found: C:\Users\Cast-2\AppData\Local\slimware utilities inc
Folder Found: C:\Users\Cast-2\AppData\Local\SlimWare Utilities Inc
Folder Found: C:\ProgramData\Games Bot
Folder Found: C:\ProgramData\Application Data\Games Bot
Folder Found: C:\Users\Public\Documents\Downloaded Installers
Folder Found: C:\Program Files\SlimDrivers


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found: HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found: HKU\S-1-5-21-3442750687-2903251054-143670318-1000\Software\SlimWare Utilities Inc
Key Found: HKCU\Software\SlimWare Utilities Inc
Key Found: HKLM\SOFTWARE\SlimWare Utilities Inc


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found: [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found: [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found: [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - fcfenmboojpjinhpgggodefccipikbpd

*************************

C:\AdwCleaner\AdwCleaner[s0].txt - [1866 Bytes] - [16/03/2017 20:07:14]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1939 Bytes] ##########

 

[Kranium31 0]

Here is the last log file.

 

esetlog.txt

[CeciliaB 403]

1. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Clean button.

Click on OK.
Click on OK on any message that pops up.
The computer will be restarted.

A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it exist as C:\AdwCleaner\AdwCleaner[C1].txt

 

2. Go through the list of what Eset's scanner found and decide yourself which files and programs you want to delete. I wouldn't keep cracks but maybe you want to do that even if they might do something harmful too. The first file in the Quarantine of FRST will be deleted at the end of this topic.

[Kranium31 0]

# AdwCleaner v6.044 - Logfile created 17/03/2017 at 18:19:40

# Updated on 28/02/2017 by Malwarebytes

# Database : 2017-03-17.2 [server]

# Operating System : Windows 7 Home Premium Service Pack 1 (X86)

# Username : Cast-2 - CAST-2-PC

# Running from : C:\Users\Cast-2\Desktop\adwcleaner_6.044.exe

# Mode: Clean

# Support : https://www.malwarebytes.com/support

 

 

 

***** [ Services ] *****

 

 

 

***** [ Folders ] *****

 

[-] Folder deleted: C:\Users\Cast-2\AppData\Local\slimware utilities inc

[#] Folder deleted on reboot: C:\Users\Cast-2\AppData\Local\SlimWare Utilities Inc

[-] Folder deleted: C:\ProgramData\Games Bot

[#] Folder deleted on reboot: C:\ProgramData\Application Data\Games Bot

[-] Folder deleted: C:\Users\Public\Documents\Downloaded Installers

[-] Folder deleted: C:\Program Files\SlimDrivers

 

 

***** [ Files ] *****

 

 

 

***** [ DLL ] *****

 

 

 

***** [ WMI ] *****

 

 

 

***** [ Shortcuts ] *****

 

 

 

***** [ Scheduled Tasks ] *****

 

 

 

***** [ Registry ] *****

 

[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\service1

[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}

[-] Key deleted: HKU\S-1-5-21-3442750687-2903251054-143670318-1000\Software\SlimWare Utilities Inc

[#] Key deleted on reboot: HKCU\Software\SlimWare Utilities Inc

[-] Key deleted: HKLM\SOFTWARE\SlimWare Utilities Inc

 

 

***** [ Web browsers ] *****

 

[-] [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] [search Provider] Deleted: aol.com

[-] [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] [search Provider] Deleted: ask.com

[-] [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: fcfenmboojpjinhpgggodefccipikbpd

 

 

*************************

 

:: "Tracing" keys deleted

:: Winsock settings cleared

 

*************************

 

C:\AdwCleaner\AdwCleaner[C0].txt - [1911 Bytes] - [17/03/2017 18:19:40]

C:\AdwCleaner\AdwCleaner[s0].txt - [2018 Bytes] - [16/03/2017 20:07:14]

C:\AdwCleaner\AdwCleaner[s1].txt - [2173 Bytes] - [17/03/2017 18:18:57]

 

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2130 Bytes] ##########

 

[CeciliaB 403]

Do you've any problems now?

If everything is well, I'll give you the instruction for how to uninstall FRST and AdwCleaner.

[Kranium31 0]

Everything seems to be back to normal now. Back to linux I go.

 

Thanks for the help.

Edited March 18 by Kranium31

[CeciliaB 403]

Great!

You're welcome

 

To remove FRST and AdwCleaner, and to delete all system restore points except the last one:

Save Delfix on the Desktop: http://www.bleepingcomputer.com/download/delfix/
Start the program.

Select the following, but nothing else:
* Remove disinfection tools
* Create registry backup
* Purge system restore
* Reset System Settings

Click the Run button.