
Virus/Malware issue, unable to permanently detect or remove from anti-virus

Anonymous
2021-07-15T15:16:12+00:00

Hello,

I'm dealing with a browser extension named "zHelpBlock" (virus or malware). Its folder path is "C:\ProgramData\Tjdu", which is a hidden folder. While it says EMPTY, on opening there is a sub folder (whose name changes every time). In the "Tjdu" folder there's a sub folder "E8BE540A", within which there are 4 files: one called "background" (JavaScript File), "icon128" (PNG File), "manifest.json" (JSON File) and "skghe" (File).

This extension is causing unwanted tabs and websites to open in all browsers without my approval. It does not allow me to scan the computer with Chrome's built-in scanner, and I have tried to remove the extension and its folder/files through various methods suggested on the internet, but I'm unable to get rid of it completely. It comes back after restarting the machine. I contacted my anti-virus provider, who has taken the PC logs but hasn't got back to me with a solution. They were not able to help me in the initial trials. I have tried everything and thus I'm writing this seeking help.

I have gone through the link below, which is very similar to my issue:

https://answers.microsoft.com/en-us/protect/forum/all/hi-i-need-help-with-a-very-stubborn-virus-who/59977fb0-e116-4101-b7c4-04087f3acfb9


13 answers

  1. _AW_ 67,421 Reputation points Volunteer Moderator
    2021-07-17T00:13:32+00:00

    Hi Dilip

    For STATUS_INVALID_IMAGE_HASH look through

    https://support.google.com/chrome/thread/40711305?hl=en 

    https://support.google.com/chrome/thread/42231261?hl=en 

    https://support.google.com/accounts/thread/41689406?hl=en

    If nothing there fixes it, you may need to do a complete Chrome uninstall then install.

    It would appear that the malware has been on your computer since July 8, and the file that kept reinstalling the mal extension was

    C:\Program Files (x86)\AgentBackground\SdttingsEame\KRDIAI_LlockeMPR.dll

    run from the scheduled task \Hewlett-Packard\Avgvrzbkok

    :)

  2. _AW_ 67,421 Reputation points Volunteer Moderator
    2021-07-16T10:33:11+00:00

    Hi Dilip,

    This should sort things out for you.

    Select all the text between the asterisks so that it is highlighted, then press Ctrl + C to copy it to the clipboard.

    Run FRST as administrator and press the Fix button.

    The computer will restart to complete the cleaning process.

    A fixlog.txt file will be created in the FRST directory, attach this to your next reply.

    *******************************************************************************

    Start::

    CreateRestorePoint:

    CloseProcesses:

    HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

    Task: {B495BEFC-FF0E-4785-BFE5-D5EAAB3B12B3} - System32\Tasks\Hewlett-Packard\Avgvrzbkok => C:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\AgentBackground\SdttingsEame\KRDIAI_LlockeMPR.dll" /nologo /u /silent

    VirusTotal: C:\Program Files (x86)\AgentBackground\SdttingsEame\KRDIAI_LlockeMPR.dll

    C:\ProgramData\Tjdu

    C:\Program Files (x86)\AgentBackground

    S4 HPPrintScanDoctorService; "C:\Program Files\HPPrintScanDoctor\HPPrintScanDoctorService.exe" [X]

    S4 WirelessKB850NotificationService; %SystemRoot%\system32\WirelessKB850NotificationService.exe [X]

    AlternateDataStreams: C:\Users\Dilip Kothari\Desktop\1624293810doc.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Desktop\BOI RECEIPT 1.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Desktop\Drawing.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Desktop\ESBTR Generation Process - Step by Step Guide.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Desktop\HDFC SEC CKYC FORM.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Desktop\IGR - HDFC.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Downloads\Affidavit.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Downloads\Application (1).pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Downloads\Application.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Downloads\FLORA DA COPY 1.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Downloads\FLORA DA COPY 2.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Downloads\FLORA DA COPY.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Downloads\SALE AGREEMENT-1.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Downloads\SALE AGREEMENT-2.pdf:SandBoxSafeFile [0]

    AlternateDataStreams: C:\Users\Dilip Kothari\Downloads\Statement.pdf:SandBoxSafeFile [0]

    FirewallRules: [{E9AF449C-C9FD-456D-A975-0F8E325D75C7}] => (Allow) C:\Users\Dilip Kothari\AppData\Roaming\Zoom\bin\airhost.exe => No File

    FirewallRules: [{28A1DDFA-CCF1-421B-BE4F-0DEEFCC2EB34}] => (Allow) C:\Users\Dilip Kothari\AppData\Roaming\Zoom\bin\airhost.exe => No File

    FirewallRules: [{7B80975D-FAAA-4C00-8E6A-A5EBCCCDAFCA}] => (Allow) C:\windows\rss\csrss.exe => No File

    EmptyTemp:

    End::

    *******************************************************************************

    There also seems to be a problem with your Windows Update service.

    Download the following registry file. Double click the reg file and allow it to merge with the registry, then restart your computer.

    https://www.tenforums.com/attachments/tutorials/267530d1582122655-restore-default-services-windows-10-a-windows_update.reg

    See if you are able to successfully check for any Windows updates.

    Let me know how things are running.

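The persistence chain _AW_ describes in the two answers above (a scheduled task that runs RegAsm.exe /u on a DLL under Program Files (x86), a policy key under HKLM\SOFTWARE\Policies\Google, and an unpacked extension folder in a hidden ProgramData directory) can be triaged read-only before anyone runs a fix script. The PowerShell below is an added example written for this thread; it is not FRST's, Microsoft's or _AW_'s code. The function names and the regular expressions are my own, and the task name and folder path quoted from the thread are used only as known indicators to compare against, so the script also works on a machine where the names differ.

```powershell
# Added example (not from the thread): read-only triage for the persistence
# chain described above. Nothing here deletes or modifies anything. Run from an
# elevated PowerShell, since Get-ScheduledTask and HKLM need it. Function names
# and regexes are my own assumptions, not FRST or Microsoft tooling.

# Indicators quoted from the thread, used only for comparison (assumed layout).
$KnownTask   = '\Hewlett-Packard\Avgvrzbkok'
$KnownFolder = 'C:\Program Files (x86)\AgentBackground'

# 1. Scheduled tasks whose action is RegAsm.exe or RegSvcs.exe run with /u.
#    "Unregistering" a .NET assembly loads the DLL and runs its unregistration
#    hook, so such a task is a code-execution trigger hidden behind a signed
#    Microsoft binary. Flag any target DLL that lives outside %SystemRoot%.
function Find-RegAsmTasks {
    $hits = @()
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $exe    = [string]$action.Execute
            $argStr = [string]$action.Arguments
            if ($exe -notmatch 'reg(asm|svcs)\.exe' -or $argStr -notmatch '(^|\s)/u(\s|$)') { continue }
            # Pull the quoted or bare DLL path out of the argument string.
            $dll = if ($argStr -match '"([^"]+\.dll)"') { $Matches[1] }
                   elseif ($argStr -match '(\S+\.dll)') { $Matches[1] } else { $null }
            if ($dll -and $dll -notlike "$env:SystemRoot\*") {
                $fullName = $task.TaskPath.TrimEnd('\') + '\' + $task.TaskName
                $hits += [pscustomobject]@{
                    Task      = $fullName
                    Dll       = $dll
                    DllExists = Test-Path -LiteralPath $dll
                    KnownIoc  = ($fullName -eq $KnownTask) -or ($dll -like "$KnownFolder\*")
                }
            }
        }
    }
    $hits
}

# 2. Chrome policy values. A home PC normally has nothing under
#    HKLM\SOFTWARE\Policies\Google. ExtensionInstallForcelist and related keys
#    keep an extension installed and stop it being removed in chrome://extensions.
function Get-ChromePolicyValues {
    $base = 'HKLM:\SOFTWARE\Policies\Google'
    if (-not (Test-Path -LiteralPath $base)) { return @() }
    $keys = @(Get-Item -LiteralPath $base) +
            @(Get-ChildItem -LiteralPath $base -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Name  = if ($name -eq '') { '(Default)' } else { $name }
                Value = [string]$key.GetValue($name)
                Risky = $key.Name -match 'ExtensionInstallForcelist|ExtensionInstallSources|ExtensionSettings'
            }
        }
    }
}

# 3. Unpacked extension folders under ProgramData. Chrome extensions normally
#    live in the user profile; a manifest.json plus a background script under a
#    hidden ProgramData folder matches the Tjdu\<random> layout in the question.
function Find-UnpackedExtensions {
    param([string]$Root = $env:ProgramData)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -Filter manifest.json -ErrorAction SilentlyContinue |
      ForEach-Object {
        $manifest = try { Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json } catch { $null }
        if (-not $manifest -or -not $manifest.manifest_version) { return }   # not a WebExtension manifest
        $dir = $_.Directory
        # Walk up to $Root looking for a hidden directory (ProgramData itself is hidden, so stop before it).
        $hiddenAncestor = $false
        for ($d = $dir; $d -and $d.FullName -ne $Root; $d = $d.Parent) {
            if ($d.Attributes.HasFlag([IO.FileAttributes]::Hidden)) { $hiddenAncestor = $true; break }
        }
        [pscustomobject]@{
            Folder     = $dir.FullName
            Name       = $manifest.name
            Version    = $manifest.version
            HiddenPath = $hiddenAncestor
            Scripts    = (Get-ChildItem -LiteralPath $dir.FullName -Filter *.js -Force -ErrorAction SilentlyContinue | ForEach-Object Name) -join ','
        }
      }
}

# Print the report; the objects stay in variables for further inspection.
$tasks  = Find-RegAsmTasks
$policy = Get-ChromePolicyValues
$ext    = Find-UnpackedExtensions
'== Scheduled tasks running RegAsm/RegSvcs /u on a non-Windows DLL =='
$tasks | Format-Table -AutoSize
'== Values under HKLM\SOFTWARE\Policies\Google =='
$policy | Format-Table -AutoSize
'== Unpacked extension folders under ProgramData =='
$ext | Format-Table -AutoSize
```

The three checks are deliberately read-only: compare what they report (the task and its DLL, the policy values, the extension folder) against the FRST log before deleting anything, because a Chrome policy key is legitimate on a managed work machine. Deleting only the extension folder, as the question describes, leaves the scheduled task that recreates it in place; the task, the DLL it points at and the policy key need to go together.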
  3. Anonymous
    2021-07-16T05:09:19+00:00

    Hey Carlo!

    Hope you're having a good day.

    I tried the above but sadly the malware was not detected in system. Do you have any other suggestions on how to go about it?

    Wishing you have a fantastic weekend ahead!

    Regards,

    Dilip.

  4. Reza-Ameri 45,816 Reputation points Volunteer Moderator
    2021-07-15T16:47:23+00:00

    Collect all samples of this malware, place them into a zip file and submit them to Microsoft.

    Take a look at Submit a file for malware analysis - Microsoft Security Intelligence

  5. Anonymous
    2021-07-15T15:52:59+00:00

    Good Day Dilip-Kothari,

    My name is Carlo, I'm an Independent Advisor and community member like you.

    I am also using Windows 10 pc. Let us work together to sort this out.

    First, try booting your computer in Safe Mode.

    -Press the Windows logo key + R.

    -Type msconfig and press Enter.

    -Select the Boot tab.

    -Under Boot options, clear the Safe boot checkbox.

    -Click "Network" below Safe boot so that you have an internet connection while in Safe Mode.

    -Click Apply, then OK.

    Once your computer is in Safe Mode, go to the link below and download the free version of the Malwarebytes scanner to check whether there is malware or adware running on your system.

    https://www.malwarebytes.com/mwb-download/thank...

    Once downloaded and installed, open the app and perform a scan.

    Check whether any malware is detected, and restart your computer once the scan is done.

    I hope the information above helps. Please let me know how it goes.

    Have a wonderful day ahead and stay safe.

    Sincerely,

    Carlo T.


    Standard Disclaimer: This is a non-Microsoft website. The page appears to be providing accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.
