Kranium31

Rogue browser extensions in Chrome


Hi Kranium31,

1. Have you selected to use a proxy server when connecting to the internet, or is it adware/malware that has done that?

2. Which two extensions are you trying to remove?


3. Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3442750687-2903251054-143670318-1000\...\MountPoints2: {a3df8fd6-e1d5-11e6-9d38-806e6f6e6963} - F:\setup.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
GroupPolicy\User: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR Extension: (Dealz) - C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Extensions\manaobgbdfpjjjnheogfghmjbikhjnlf [2017-03-14]
CHR Extension: (Chrome Media Router) - C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-14]
CHR HKLM\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - hxxps://clients2.google.com/service/update2/crx
R2 WinGraph; C:\Windows\wnavga.exe [7680 2015-05-14] () [File not signed]
S1 {fb002fdf-f22a-4065-b792-03a9daf94ef2}Gw; system32\drivers\{fb002fdf-f22a-4065-b792-03a9daf94ef2}Gw.sys [X]
Task: {5FD72B6A-FAE7-47B3-B899-6D350F1EFC53} - System32\Tasks\Winupdate => C:\Windows\chp.exe [2007-10-28] (www.commandline.co.uk) <==== ATTENTION
Task: {B0ADDCDE-76A5-436E-B83A-E7C070D08E9D} - System32\Tasks\EssentialUpdateMachine => C:\Windows\chp.exe [2007-10-28] (www.commandline.co.uk) <==== ATTENTION
AlternateDataStreams: C:\Users\Cast-2\Desktop\FRST.exe:BDU [0]
AlternateDataStreams: C:\Users\Cast-2\Downloads\0008-32bit_Win7_Win8_Win81_Win10_R281.exe:BDU [0]
AlternateDataStreams: C:\Users\Cast-2\Downloads\dxwebsetup (1).exe:BDU [0]
Reboot:

and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.


4. These are old Java versions with known vulnerabilities (security holes); it is very easy to infect the computer now, so please uninstall them. Most people don't need to have Java installed, but if you do, always use the latest version.
Java 7 Update 79
Java SE Development Kit 7
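As an added example (not part of this thread and not FRST's own code), a short Python triage that reads FRST-style Chrome lines like the ones in the script above: it separates extension IDs pushed through the HKLM/HKU registry install keys from the ones present only in the user profile, and records whether the Chrome policy restriction lines are present. The sample lines are copied from the log quoted in this post; the regular expressions are written against those line shapes only.

```python
import re
from collections import defaultdict

EXT_ID = r"[a-p]{32}"  # Chrome extension IDs are 32 letters in the range a-p
# "CHR Extension: (Name) - ...\Extensions\<id> [date]": extension unpacked in the user profile.
PROFILE_RE = re.compile(r"^CHR Extension: \((?P<name>[^)]*)\) - .*\\(?P<id>%s)(?:\s|$)" % EXT_ID)
# "CHR HKLM\...\Chrome\Extension: [<id>] - <url>" (or HKU\<SID>\...): registry install entry.
REGISTRY_RE = re.compile(r"^CHR (?P<hive>HKLM|HKU)\\.*?Chrome\\Extension: \[(?P<id>%s)\] - \S+" % EXT_ID)
# Policy lines FRST tags with ATTENTION when Chrome is locked down by an administrative policy.
POLICY_RE = re.compile(r"^(?:GroupPolicy(?:\\User)?: Restriction - Chrome|CHR HKLM\\SOFTWARE\\Policies\\Google: Restriction)")

def triage(lines):
    """Return (policy_locked, evidence); evidence maps extension id -> {name, profile, hives}."""
    evidence = defaultdict(lambda: {"name": None, "profile": False, "hives": set()})
    policy_locked = False
    for raw in lines:
        line = raw.strip()
        if POLICY_RE.match(line):
            policy_locked = True
        elif (m := PROFILE_RE.match(line)):
            evidence[m["id"]].update(name=m["name"], profile=True)
        elif (m := REGISTRY_RE.match(line)):
            evidence[m["id"]]["hives"].add(m["hive"])
    return policy_locked, dict(evidence)

def classify(evidence):
    labels = {}
    for ext_id, ev in evidence.items():
        if ev["hives"] and not ev["profile"]:
            labels[ext_id] = "registry-pushed, not (yet) in profile"  # staged install or leftover key
        elif ev["hives"]:
            labels[ext_id] = "registry-pushed and installed"  # in the profile and in HKLM/HKU keys (Dealz above)
        else:
            labels[ext_id] = "profile only"  # no registry install entry for this id
    return labels

# Sample lines copied from the FRST output quoted in this thread (a constructed subset of that log).
SAMPLE = r"""
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR Extension: (Dealz) - C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Extensions\manaobgbdfpjjjnheogfghmjbikhjnlf [2017-03-14]
CHR Extension: (Chrome Media Router) - C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-14]
CHR HKLM\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - hxxps://clients2.google.com/service/update2/crx
""".strip().splitlines()

if __name__ == "__main__":
    locked, ev = triage(SAMPLE)
    for ext_id, label in classify(ev).items():
        print(f"policy_locked={locked} {ext_id} {label} name={ev[ext_id]['name']} hives={sorted(ev[ext_id]['hives'])}")
```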


It was the malware that changed it to the proxy server. I also can't shut off third-party extensions anymore.

 

Doing this now.

Edited by Kranium31


Here is the log file. When I rebooted, Firefox told me it was set up to run a proxy and wouldn't connect. I was able to change the setting though. There are new extensions in FF as well now (Bing Search 1.0.0.8 and Urban Ladder 0.2). Java update will not update, stating proxy settings are wrong.

Fixlog.txt

Edited by Kranium31



1. The following should remove all proxy settings.

Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
RemoveProxy:
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
Reboot:

and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.


2. Start FRST.
Select Addition.txt and then let it scan the computer.
Attach the two new log files, FRST.txt and Addition.txt.


Can you uninstall Bing and Urban Ladder in Firefox's settings for add-ons?


1. The following script will delete all content of trash bin and temporary folders, please check that you haven't anything in those locations that you want to keep.

 

Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
FF Extension: (Bing Search) - C:\Users\Cast-2\AppData\Roaming\Mozilla\Firefox\Profiles\z5bibrx9.default\Extensions\[email protected] [2017-03-14]
FF Extension: (Urban Ladder) - C:\Users\Cast-2\AppData\Roaming\Mozilla\Firefox\Profiles\z5bibrx9.default\Extensions\[email protected] [2015-06-02] [not signed]
FF SearchPlugin: C:\Users\Cast-2\AppData\Roaming\Mozilla\Firefox\Profiles\z5bibrx9.default\searchplugins\bing-.xml [2017-03-14]
FF Extension: (Urban Ladder) - C:\Program Files\Mozilla Firefox\browser\extensions\[email protected] [2015-06-02] [not signed]
CHR Extension: (EverSave) - C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Extensions\bghejdcdajlenjngcknlkkoakmmjfanb [2017-03-14]
CHR HKLM\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - hxxps://clients2.google.com/service/update2/crx
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:
Reboot:

and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

 

 

2. Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Log file button.
A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[s1].txt.

 

3. Run an online scan with Eset (easiest with Internet Explorer) by following the instructions at http://support.eset.com/kb2921/.
To shorten the scanning time, disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Deselect Remove found threats (important due to false positives).

Select:
Scan Archives
Enable detection of potentially unsafe applications
Enable detection of suspicious applications
Enable Anti-Stealth Technology

Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.


Here are the first 2 log files.

 

Fixlog.txt

 

 

# AdwCleaner v6.044 - Logfile created 16/03/2017 at 20:07:14
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-15.2 [server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X86)
# Username : Cast-2 - CAST-2-PC
# Running from : C:\Users\Cast-2\Desktop\adwcleaner_6.044.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found: C:\Users\Cast-2\AppData\Local\slimware utilities inc
Folder Found: C:\Users\Cast-2\AppData\Local\SlimWare Utilities Inc
Folder Found: C:\ProgramData\Games Bot
Folder Found: C:\ProgramData\Application Data\Games Bot
Folder Found: C:\Users\Public\Documents\Downloaded Installers
Folder Found: C:\Program Files\SlimDrivers


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found: HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found: HKU\S-1-5-21-3442750687-2903251054-143670318-1000\Software\SlimWare Utilities Inc
Key Found: HKCU\Software\SlimWare Utilities Inc
Key Found: HKLM\SOFTWARE\SlimWare Utilities Inc


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found: [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found: [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found: [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - fcfenmboojpjinhpgggodefccipikbpd

*************************

C:\AdwCleaner\AdwCleaner[s0].txt - [1866 Bytes] - [16/03/2017 20:07:14]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1939 Bytes] ##########

 


1. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Clean button.

Click on OK.
Click on OK on any message that pops up.
The computer will be restarted.

A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it exists as C:\AdwCleaner\AdwCleaner[C1].txt

 

2. Go through the list of what Eset's scanner found and decide yourself which files and programs you want to delete. I wouldn't keep cracks but maybe you want to do that even if they might do something harmful too. The first file in the Quarantine of FRST will be deleted at the end of this topic.


# AdwCleaner v6.044 - Logfile created 17/03/2017 at 18:19:40
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-17.2 [server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X86)
# Username : Cast-2 - CAST-2-PC
# Running from : C:\Users\Cast-2\Desktop\adwcleaner_6.044.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\Users\Cast-2\AppData\Local\slimware utilities inc
[#] Folder deleted on reboot: C:\Users\Cast-2\AppData\Local\SlimWare Utilities Inc
[-] Folder deleted: C:\ProgramData\Games Bot
[#] Folder deleted on reboot: C:\ProgramData\Application Data\Games Bot
[-] Folder deleted: C:\Users\Public\Documents\Downloaded Installers
[-] Folder deleted: C:\Program Files\SlimDrivers


***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\service1
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key deleted: HKU\S-1-5-21-3442750687-2903251054-143670318-1000\Software\SlimWare Utilities Inc
[#] Key deleted on reboot: HKCU\Software\SlimWare Utilities Inc
[-] Key deleted: HKLM\SOFTWARE\SlimWare Utilities Inc


***** [ Web browsers ] *****

[-] [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] [search Provider] Deleted: aol.com
[-] [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] [search Provider] Deleted: ask.com
[-] [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: fcfenmboojpjinhpgggodefccipikbpd

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1911 Bytes] - [17/03/2017 18:19:40]
C:\AdwCleaner\AdwCleaner[s0].txt - [2018 Bytes] - [16/03/2017 20:07:14]
C:\AdwCleaner\AdwCleaner[s1].txt - [2173 Bytes] - [17/03/2017 18:18:57]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2130 Bytes] ##########

 


Do you have any problems now?

If everything is well, I'll give you the instruction for how to uninstall FRST and AdwCleaner.


Great!

You're welcome :)

 

To remove FRST and AdwCleaner, and to delete all system restore points except the last one:

Save Delfix on the Desktop: http://www.bleepingcomputer.com/download/delfix/
Start the program.

Select the following, but nothing else:
* Remove disinfection tools
* Create registry backup
* Purge system restore
* Reset System Settings

Click the Run button.
