Waiting for reply Stubborn browser hijacker

This thread is waiting for a member reply to continue
Status
Not open for further replies.

Plumduff

New Member
Thread author
May 15, 2024
8
Evening. Ok, been scrolling through various topics, but looking at walls of info.

I have a stubborn browser hijacker, currently named AnciCubel, but is coming back under various weird names.

I've done several resets of group policies which clears it for a bit, but it just comes back, displaying 'managed by your organisation' message when clicking on Chrome's 3 dots.

Anyone got any permanent solutions?
 

Plumduff

New Member
Thread author
May 15, 2024
8
Fair do's.

I did the FRST scane and saw this attached to Edge:

Edge:
=======
Edge DefaultProfile: Default
Edge Profile: C:\Users\Big Naddy\AppData\Local\Microsoft\Edge\User Data\Default [2024-05-17]
Edge Extension: (MagnusSpheren) - C:\Users\Big Naddy\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\fdphiaidaabnllehegghhiokpoligeja [2024-05-17] [UpdateUrl:hxxps://disablenotificationupdate.com/crx/updates.php] <==== ATTENTION
Edge Extension: (Google Docs Offline) - C:\Users\Big Naddy\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2024-05-10]
Edge Extension: (Adblock Plus - free ad blocker) - C:\Users\Big Naddy\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\gmgoamodcdcjnbaobigkjelfplakmdhh [2024-05-10]
Edge Extension: (Edge relevant text changes) - C:\Users\Big Naddy\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha [2024-05-11]
Edge Extension: (LunaAzureor) - C:\Users\Big Naddy\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\odkkpfmbfpamgddknpijhonhinfmepeo [2024-05-17] [UpdateUrl:hxxps://disablenotificationupdate.com/crx/updates.php] <==== ATTENTION
Edge HKLM-x32\...\Edge\Extension: [odkkpfmbfpamgddknpijhonhinfmepeo] - C:\\Users\\Big Naddy\\AppData\\Local\\apps.crx [2024-05-13]

LunaAzureor is the current name of the browser hijacker extension, so I've deleted that and anything else I didn't like the look of, but it's still showing on the extension, albeit looking inactive. However, I'd also done this on previous occasions when it was cropping up under different names and it eventually pops back under a new name, so it must be hiding elsewhere then activating randomly.

Any ideas?
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,536
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

In order to give you sound advice I need to see the complete logs or FRST.TXTand Additional.txt created by the Farbar program.

Please the complete log or attach the files for my review.

I wiill review them advise.
 

Plumduff

New Member
Thread author
May 15, 2024
8
Files added. The extension is now calling itself HelioSpheror
 

Attachments

  • FRST.txt
    52.6 KB · Views: 6
  • Addition.txt
    46.1 KB · Views: 2

Plumduff

New Member
Thread author
May 15, 2024
8
Kicked back in again after all of those extensions deleted, now called FairyArgentius.
 

Plumduff

New Member
Thread author
May 15, 2024
8
Just to add, this is what Malwarebytes found and quarantined, now removed but the hijacker is still looking at me on the extensions
 

Attachments

  • AdwCleaner[C00].txt
    2.1 KB · Views: 5
  • AdwCleaner[S00].txt
    2.1 KB · Views: 2

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,536
Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
 

Attachments

  • Fixlist.txt
    7.2 KB · Views: 5

Plumduff

New Member
Thread author
May 15, 2024
8
Attached is the fixlog, and the extension now isn't showing on Chrome itself, but there is this lurking in the chrome > user data > default > estensions folder (2md attachment)
 

Attachments

  • Fixlog.txt
    18.3 KB · Views: 2
  • 562_119_1.png
    562_119_1.png
    4.4 KB · Views: 7
Last edited:

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,536
Hi,

CHR Extension: (Chrome Web Store Payments) - C:\Users\Big Naddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Is a (Potentially Unwanted Programs) and Malware Often Pretend to be Legitimate Applications.

Read about it.

To remove it run this fix attached.


Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===



Please post the Fixlog.txt and let me know what problem persists.
 

Attachments

  • Fixlist.txt
    752 bytes · Views: 4

Plumduff

New Member
Thread author
May 15, 2024
8
Fixlog attached. Nmmhkkegccagdldgiimedpiccmgmieda was still in the extensions folder though. Maybe it was a genuine google wallet ext, although I never use that. Got rid of it for now.
 

Attachments

  • Fixlog.txt
    4.1 KB · Views: 2
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top