Skip to main content

Rouge browser extentions in chrome

Comments

16 comments

  • Support

    Hi Kranium31,

    1. Have you selected to use a proxy server when connecting to internet or is it an adware/malware that has done that?

    2. Which two extensions are you trying to remove?


    3. Please, start Notepad.
    Copy all text that is in the box:


    CreateRestorePoint:
    CloseProcesses:
    HKU\S-1-5-21-3442750687-2903251054-143670318-1000\...\MountPoints2: {a3df8fd6-e1d5-11e6-9d38-806e6f6e6963} - F:\setup.exe
    GroupPolicy: Restriction - Chrome <======= ATTENTION
    GroupPolicy\User: Restriction - Chrome <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    CHR Extension: (Dealz) - C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Extensions\manaobgbdfpjjjnheogfghmjbikhjnlf [2017-03-14]
    CHR Extension: (Chrome Media Router) - C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-14]
    CHR HKLM\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - hxxps://clients2.google.com/service/update2/crx
    R2 WinGraph; C:\Windows\wnavga.exe [7680 2015-05-14] () [File not signed]
    S1 {fb002fdf-f22a-4065-b792-03a9daf94ef2}Gw; system32\drivers\{fb002fdf-f22a-4065-b792-03a9daf94ef2}Gw.sys [X]
    Task: {5FD72B6A-FAE7-47B3-B899-6D350F1EFC53} - System32\Tasks\Winupdate => C:\Windows\chp.exe [2007-10-28] (www.commandline.co.uk) <==== ATTENTION
    Task: {B0ADDCDE-76A5-436E-B83A-E7C070D08E9D} - System32\Tasks\EssentialUpdateMachine => C:\Windows\chp.exe [2007-10-28] (www.commandline.co.uk) <==== ATTENTION
    AlternateDataStreams: C:\Users\Cast-2\Desktop\FRST.exe:BDU [0]
    AlternateDataStreams: C:\Users\Cast-2\Downloads\0008-32bit_Win7_Win8_Win81_Win10_R281.exe:BDU [0]
    AlternateDataStreams: C:\Users\Cast-2\Downloads\dxwebsetup (1).exe:BDU [0]
    Reboot:

    and paste in Notepad. Check that no files have been split on two lines.
    Save the file as fixlist.txt on the desktop.

    Exit all programs.
    Start FRST, please.
    Click the Fix button.
    Wait until the tool has finished.

    It creates a log file, called Fixlog.txt, on the desktop.
    Please, paste the content of that file in your reply.


    4. These are old Java versions with known vulnerabilities (security holes), it is very easy to infect the computer now, please uninstall them. Most persons don't need to have Java installed but if you do, always use the latest version.
    Java 7 Update 79
    Java SE Development Kit 7

    0
  • Customer

    It was the malware that changed to the proxy server. I also can't shut off third party extensions anymore.

     

    Doing this now.

    0
  • Customer

    Here is the log file. When I rebooted firefox told me it was setup to run a proxy and wouildn't connect. I was able to change the setting though.There are new extensions in FF as well now. (bing search 1.0.0.8 and urban ladder 0.2). Java update will not update stating proxy settings are wrong.Fixlog.txt

    0
  • Support

    Here is the log file. When I rebooted firefox told me it was setup to run a proxy and wouildn't connect. I was able to change the setting though.There are new extensions in FF as well now. (bing search 1.0.0.8 and urban ladder 0.2). Java update will not update stating proxy settings are wrong.Fixlog.txt


     

    1. The following should remove all proxy settings.

     

    Please, start Notepad.

    Copy all text that is in the box:

     

    CreateRestorePoint:
    CloseProcesses:
    RemoveProxy:
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset catalog
    CMD: netsh int ip reset c:\resetlog.txt
    Reboot:
    and paste in Notepad. Check that no files have been split on two lines.

    Save the file as fixlist.txt on the desktop.

     

    Exit all programs.

    Start FRST, please.

    Click the Fix button.

    Wait until the tool has finished.

     

    It creates a log file, called Fixlog.txt, on the desktop.

    Please, paste the content of that file in your reply.

     

     

    2. Start FRST.

    Select Addition.txt and then let it scan the computer.

    Attach the two new log files, FRST.txt and Addition.txt.

    0
  • Customer

    FRST failed to update after reboot. There is still am extension that I cannot remove in chrome(eversave 1.0.1.31).

     

    Here are the logs as requested.FRST.txtAddition.txt

    0
  • Customer

    Windows update and java update are still blocked.

    0
  • Support

    Can you uninstall Bing and Urban Ladder in Firefox's settings for add-ons?


    1. The following script will delete all content of trash bin and temporary folders, please check that you haven't anything in those locations that you want to keep.

     

    Please, start Notepad.
    Copy all text that is in the box:


    CreateRestorePoint:
    CloseProcesses:
    FF Extension: (Bing Search) - C:\Users\Cast-2\AppData\Roaming\Mozilla\Firefox\Profiles\z5bibrx9.default\Extensions\bingsearch.full@microsoft.com.xpi [2017-03-14]
    FF Extension: (Urban Ladder) - C:\Users\Cast-2\AppData\Roaming\Mozilla\Firefox\Profiles\z5bibrx9.default\Extensions\jid1-sXWNoXABeFqKYg@jetpack.xpi [2015-06-02] [not signed]
    FF SearchPlugin: C:\Users\Cast-2\AppData\Roaming\Mozilla\Firefox\Profiles\z5bibrx9.default\searchplugins\bing-.xml [2017-03-14]
    FF Extension: (Urban Ladder) - C:\Program Files\Mozilla Firefox\browser\extensions\jid1-sXWNoXABeFqKYg@jetpack.xpi [2015-06-02] [not signed]
    CHR Extension: (EverSave) - C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Extensions\bghejdcdajlenjngcknlkkoakmmjfanb [2017-03-14]
    CHR HKLM\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-3442750687-2903251054-143670318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - hxxps://clients2.google.com/service/update2/crx
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset catalog
    CMD: netsh int ip reset c:\resetlog.txt
    CMD: ipconfig /release
    CMD: ipconfig /renew
    EmptyTemp:
    Reboot:

    and paste in Notepad. Check that no files have been split on two lines.
    Save the file as fixlist.txt on the desktop.

    Exit all programs.
    Start FRST, please.
    Click the Fix button.
    Wait until the tool has finished.

    It creates a log file, called Fixlog.txt, on the desktop.
    Please, paste the content of that file in your reply.

     

     

    2. Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

    Turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

    Click on the Scan button.
    Wait until the search has finished.

    Click on the Log file button.
    A report will be displayed, copy its content and paste into your reply.
    If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[s1].txt.

     

    3. Run an online scan with Eset (easiest with Internet Explorer) by following the instruction on http://support.eset.com/kb2921/ .
    To shorten the scanning time disable your antivirus program while scanning.

    Select Enable detection of potentially unwanted applications.
    Click Advanced Settings.

    Deselect Remove found threats (important due to false positives).

    Select:
    Scan Archives
    Enable detection of potentially unsafe applications
    Enable detection of suspicious applications
    Enable Anti-Stealth Technology

    Click Start.

    When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

    0
  • Customer

    I was able to remove the FF extensions and the updates are working again.

     

    Brb with log files.

    0
  • Customer

    Here are the first 2 log files.

     

    Fixlog.txt

     

     

    # AdwCleaner v6.044 - Logfile created 16/03/2017 at 20:07:14
    # Updated on 28/02/2017 by Malwarebytes
    # Database : 2017-03-15.2 [server]
    # Operating System : Windows 7 Home Premium Service Pack 1 (X86)
    # Username : Cast-2 - CAST-2-PC
    # Running from : C:\Users\Cast-2\Desktop\adwcleaner_6.044.exe
    # Mode: Scan
    # Support : https://www.malwarebytes.com/support



    ***** [ Services ] *****

    No malicious services found.


    ***** [ Folders ] *****

    Folder Found: C:\Users\Cast-2\AppData\Local\slimware utilities inc
    Folder Found: C:\Users\Cast-2\AppData\Local\SlimWare Utilities Inc
    Folder Found: C:\ProgramData\Games Bot
    Folder Found: C:\ProgramData\Application Data\Games Bot
    Folder Found: C:\Users\Public\Documents\Downloaded Installers
    Folder Found: C:\Program Files\SlimDrivers


    ***** [ Files ] *****

    No malicious files found.


    ***** [ DLL ] *****

    No malicious DLLs found.


    ***** [ WMI ] *****

    No malicious keys found.


    ***** [ Shortcuts ] *****

    No infected shortcut found.


    ***** [ Scheduled Tasks ] *****

    No malicious task found.


    ***** [ Registry ] *****

    Key Found: HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
    Key Found: HKU\S-1-5-21-3442750687-2903251054-143670318-1000\Software\SlimWare Utilities Inc
    Key Found: HKCU\Software\SlimWare Utilities Inc
    Key Found: HKLM\SOFTWARE\SlimWare Utilities Inc


    ***** [ Web browsers ] *****

    No malicious Firefox based browser items found.
    Chrome pref Found: [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
    Chrome pref Found: [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
    Chrome pref Found: [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - fcfenmboojpjinhpgggodefccipikbpd

    *************************

    C:\AdwCleaner\AdwCleaner[s0].txt - [1866 Bytes] - [16/03/2017 20:07:14]

    ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1939 Bytes] ##########


     

    0
  • Customer

    Here is the last log file.

     

    esetlog.txt

    0
  • Support

    1. Please, turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

    Click on the Scan button.
    Wait until the search has finished.

    Click on the Clean button.

    Click on OK.
    Click on OK on any message that pops up.
    The computer will be restarted.

    A report will be displayed, copy its content and paste into your reply.
    If the report isn't displayed, it exist as C:\AdwCleaner\AdwCleaner[C1].txt

     

    2. Go through the list of what Eset's scanner found and decide yourself which files and programs you want to delete. I wouldn't keep cracks but maybe you want to do that even if they might do something harmful too. The first file in the Quarantine of FRST will be deleted at the end of this topic.

    0
  • Customer

    # AdwCleaner v6.044 - Logfile created 17/03/2017 at 18:19:40

    # Updated on 28/02/2017 by Malwarebytes

    # Database : 2017-03-17.2 [server]

    # Operating System : Windows 7 Home Premium Service Pack 1 (X86)

    # Username : Cast-2 - CAST-2-PC

    # Running from : C:\Users\Cast-2\Desktop\adwcleaner_6.044.exe

    # Mode: Clean

    # Support : https://www.malwarebytes.com/support

     

     

     

    ***** [ Services ] *****

     

     

     

    ***** [ Folders ] *****

     

    [-] Folder deleted: C:\Users\Cast-2\AppData\Local\slimware utilities inc

    [#] Folder deleted on reboot: C:\Users\Cast-2\AppData\Local\SlimWare Utilities Inc

    [-] Folder deleted: C:\ProgramData\Games Bot

    [#] Folder deleted on reboot: C:\ProgramData\Application Data\Games Bot

    [-] Folder deleted: C:\Users\Public\Documents\Downloaded Installers

    [-] Folder deleted: C:\Program Files\SlimDrivers

     

     

    ***** [ Files ] *****

     

     

     

    ***** [ DLL ] *****

     

     

     

    ***** [ WMI ] *****

     

     

     

    ***** [ Shortcuts ] *****

     

     

     

    ***** [ Scheduled Tasks ] *****

     

     

     

    ***** [ Registry ] *****

     

    [-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\service1

    [-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}

    [-] Key deleted: HKU\S-1-5-21-3442750687-2903251054-143670318-1000\Software\SlimWare Utilities Inc

    [#] Key deleted on reboot: HKCU\Software\SlimWare Utilities Inc

    [-] Key deleted: HKLM\SOFTWARE\SlimWare Utilities Inc

     

     

    ***** [ Web browsers ] *****

     

    [-] [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] [search Provider] Deleted: aol.com

    [-] [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default\Web data] [search Provider] Deleted: ask.com

    [-] [C:\Users\Cast-2\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: fcfenmboojpjinhpgggodefccipikbpd

     

     

    *************************

     

    :: "Tracing" keys deleted

    :: Winsock settings cleared

     

    *************************

     

    C:\AdwCleaner\AdwCleaner[C0].txt - [1911 Bytes] - [17/03/2017 18:19:40]

    C:\AdwCleaner\AdwCleaner[s0].txt - [2018 Bytes] - [16/03/2017 20:07:14]

    C:\AdwCleaner\AdwCleaner[s1].txt - [2173 Bytes] - [17/03/2017 18:18:57]

     

    ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2130 Bytes] ##########

     

    0
  • Support

    Do you've any problems now?

    If everything is well, I'll give you the instruction for how to uninstall FRST and AdwCleaner.

    0
  • Customer

    Everything seems to be back to normal now. Back to linux I go.

     

    Thanks for the help.

    0
  • Support

    Great!

    You're welcome

     

    To remove FRST and AdwCleaner, and to delete all system restore points except the last one:

    Save Delfix on the Desktop: http://www.bleepingcomputer.com/download/delfix/
    Start the program.

    Select the following, but nothing else:
    * Remove disinfection tools
    * Create registry backup
    * Purge system restore
    * Reset System Settings

    Click the Run button.

    0
  • Support

    Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.Everyone else please begin a New Topic.Thank you !

    0

Please sign in to leave a comment.