• Hi there and welcome to PC Help Forum (PCHF), a more effective way to get the Tech Support you need!
    We have Experts in all areas of Tech, including Malware Removal, Crash Fixing and BSOD's , Microsoft Windows, Computer DIY and PC Hardware, Networking, Gaming, Tablets and iPads, General and Specific Software Support and so much more.

    Why not Click Here To Sign Up and start enjoying great FREE Tech Support.

    This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Solved Chrome extension resistant to being removed

Status
Not open for further replies.

AfroGufo

PCHF Member
May 7, 2021
19
1
26
Hello everyone, first time asking for help here.

The issue started a couple weeks ago, when after doing a Google search another tab opened itself with the same search but on Bing. After checking the extensions, I noticed one called xHostGoogle, so I removed it but next time I started Chrome it was there again. I then tried several other methods which I'll list below, but everytime even if it worked Chrome would shut down after a few minutes, then reopen with the same pages and the extension up an running again. Here's a list of what I've tried thus far:
- removing the extension
- disabling the extension
- checking the extension's ID and manually deleting it on Windows' registry
- running Windows Defender and Malwarebytes, both of which found nothing
- running AdwCleaner and Junkware Removal Tool, both of which keep finding 2 to 3 issues, quarantining and deleting them, but for it to being as usual a few minutes later
- uninstalling Chrome, removing the leftover folders and files and re-installing
- disabling account sync, doing all of the above before and after

What I've found out:
- the issue is local, as my laptop on shared network with a synced Chrome does not have the issue
- the issue is not dependant on internet access
- the issue is cross-user, as I have two Windows 10 accounts running on the machine
- AdwCleaner says the problem is associated with a certain Speedbit, but no similar program is present on the list of installed apps, nor does it appear to be running or be allowed at the system startup
- when inspected, the extension leads to a hidden folder in Programs with 4 files in it, consisting of a transparent image file, one json file and two info files
- after the execution of the more successful methods (i.e. those who manage to make the extension go away at least for a few minutes), the extension comes back by closing any active Chrome window, processing for a few seconds, then reopening all windows and tabs, with the extension now running again
- the extension seems to be loaded everytime Chrome is launched, as for several seconds no Chrome button works at startup (bookmarks, options etc)

That is all I've gathered thus far. The problem, in all fairness, is little more than a nuisance, but it's fairly disturbing for me personally since I've always managed to either keep my machines clean or resolve any issues by myself. Thank you in advance for the help.
 
Hello and welcome to PCHF :)

Please download the FRST 32 bit or FRST 64bit version to suit your operating system. It is important FRST is downloaded to your desktop.

If you are unsure if your operating system is 32 or 64 Bit please go HERE.

Once downloaded right click the FRST desktop icon and select "Run as administrator" from the menu.

icon2-jpg.794


If you receive any security warnings, or the User Account Control warning opens at any time whilst using FRST you can safely allow FRST to proceed.
Frst will open with two dialogue boxes, accept the disclaimer.

frst-disclaimer-jpg.795

Accept the default whitelist options,
If the additions.txt options box is not checked please select it.
Then select "Scan"

frst-jpg.796


Frst will take a few minutes to scan your computer, and when finished will produce two log files on your desktop, FRST.txt, and Addition.txt. They will display immediately on the desktop, but can be reopened later as a notepad file.

2016-08-12_152002-jpg.797


Please Copy and Paste the contents of these logs in your next post for review by our Security Team
 
Thanks for the rapid reply, jmarket. I tried to post the logs but they are quite lenghty, so much so that I think the forum doesn't much like them because it won't let me post them. Is there a way I can attach the txt files or put the text into a collapsible that won't break the forum?
 
Thank you for the upload :) Sometimes if the log is too big it will reject it but I'm working on a way to upload bigger log files in excess of 2MB.

Give me some time to review your logs and I'll have some feedback for you :)
 
Thanks a bunch!
On a side note, my Instagram profile has just been hacked and I've been made to follow 300+ accounts, it's probably related somehow. Instagram was the only place I didn't have two-factors authentication for, my bad.
 
Oh no.

Were you logged into Instagram when your account got hacked? If so, you most likely have cookie-stealing malware.

I'm still reviewing your logs here. I would advise if you're able to log out of Instagram on your infected computer and change your password on an uninfected device.
 
I'm not sure, certainly I wasn't logged into it via the infected computer. I accessed my IG profile with it only once months ago.
For now, I have logged out of all other devices other than my phone, enabled two-factors authentication and updated all my passwords for good measure.

Btw, thanks for the effort and advices, and for running this community, I mean it.
 
  • Like
Reactions: jmarket
Thank you for your patience.

I have a fix here for you, but before I can give you that, I do see that you have Bittorrent installed. This MUST be removed before we can begin cleaning your machine. I believe you have received malware from a torrent you downloaded.
 
Hello there! No worries, I imagined there was some kind of hold up and the situation is not so dire as to require immediate help ^^ thanks anyways for doing it!

One new symptom has arised, as in sometimes a new tab opens with random advertising.

Yes, I removed BitTorrent shortly after I sent the logs here as I was pretty much sure it had something to do with it (this whole thing likely spurred from me being careless and downloading files I shouldn't have in search of a rare application, so to speak). So yeah, ready when you are I guess!
 
That would explain the mysterious firewall entries :) I'm going to have you follow some steps, and it's important you follow each one and post logs as requested :)

Download attached fixlist.txt file and save it to the Desktop. NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

We will need a log from AdwCleaner for further information.

Please go HERE and download AdwCleaner to your Desktop. Once downloaded right click the new icon and select Run as Administrator from the context menu to open the program. It will open at the Dashboard tab and no further changes to the program are necessary at this stage.

Click the Scan Now button.

oklj3amfOpqEpPVXnuqk79lHRApDnhPQVXn6z6Y3NoRuEOwdc4_mOGQu11P43d4Fb8OGSEeDJ_AsebIM9FWRakQeH_rBtmEr8_ua1VJwBd_Ws3-miUSngeShjQ7W5K4p6SytCWs2=w2400


Allow AdwCleaner to start scanning and depending on the amount of data on your PC it may take some time. At the conclusion of the scan any content considered unnecessary will be displayed in the Scan Results box. Ensure all items are selected for removal and click "Clean & Repair"

7pQdUft-ojpPn88OGfzif4Zs2nG7cOkKWXOxq2hnIP5ll37IPbMzLUh9W3aC0wQonD-NEIwql19Hh7DJiYPOF1HL71bdqy81MiaqpcsP5f0JtykiLSk-l96KByQKj1ou2rexlOpo=w2400


After selecting "Clean & Repair" another dialogue box may appear asking to restart now or later. If so choose "Clean & Restart Now"


Once the PC has restarted if AdwCleaner does not restart then open it again and click "Log Files" tab on the left. All log files will be listed. If you have used the program previously you may have several logs to select from so double click the most recent "Clean" log and it will open a notepad file on your Desktop.

Please COPY and PASTE the contents of that file in your next post :)

Download ResetBrowser to your desktop.

Now close all open browsers. All browsers MUST be closed during this operation!

Right click and Run as Administrator

vwueyaz-png.1017


Click on Reset Chrome-- Allow completion.
Click on Reset Firefox-- Allow completion.
Click on Reset Internet Explorer-- Allow completion.

Now reboot your machine.
 

Attachments

  • fixlist.txt
    19 KB · Views: 11
Wowee, a personalized script!
I'm attaching the logs below. The extension came back again a few minutes after I restarted the system and having completed all of the above. Sigh.
 

Attachments

  • AdwCleaner log.txt
    3.3 KB · Views: 8
Status
Not open for further replies.