Frustrating SpyWare that I cannot remove


12 replies to this topic

#1 anonomus01

Posted 03 January 2015 - 12:21 AM

I recently noticed that when I opened up Chrome, it would open a new page with an ad on every link I clicked. I checked the extensions and there was an extension called "uniisaales" that I removed. Doing a search for that comes up with nothing, but I did find unisales removal tools. However, none of the removal guides work for me. There are no odd programs in the control panel, no processes that I'm not sure of. Also, since installing Malware Bytes (which has not been able to find anything), I get a message saying that "tbs.lilykhin.com" has been blocked. A search for this also turned up absolutely nothing.

 

I'm going crazy, and I just want it fixed!

 

Thanks in advance for any help.





#2 Don s 939

Posted 03 January 2015 - 02:21 AM

Argh, I just copped this today as well.
It's pretty nasty. Very severe web browser hijack in Google Chrome. No processes running, no programs to remove, no extensions there. Malware bytes got nothing, ad aware got nothing. Literally dead in the water with no idea what to do.

It absolutely punishes any page by the second with ads by browser shop and right coupon among others. The web link is as stated above lilykhin.

#3 Don s 939

Posted 03 January 2015 - 02:23 AM

The problem is internal to chrome.exe from what I can glean

#4 Hybrid_XYZ

Posted 03 January 2015 - 02:40 AM

Hey guys!

So I had this problem and I dunno if I got it fixed but it seems to be running ok for me so far. So I noticed you guys removed the extensions on the web browser and (if there were) any weird programs in the control panel. I did a few things after that; first I checked my c:\program files folder and looked for any weird looking folders (some were even named the same as the extensions) and just deleted them (I also have a folder called program files (x86) and some were in there too.) Second I did the same thing to the c:\programdata folder. Thirdly I ran Malware Bytes again (I have Mozilla installed too and it kept finding stuff on that) and a program called AdwCleaner which you can find a link for on the site (google searching it for me gives me it as the second result). I ran that a few times, rebooted my computer when it prompted me to and so far the extensions have not come back.

Try it out and let me know what happens!
 

If anyone has anything else to add let us know

hope it helps!



#5 Don s 939

Posted 03 January 2015 - 02:44 AM

Haven't been any programs to remove, and each of those two anti malwares found nothing. Doing a manual look through c: drive now.

#6 Hybrid_XYZ

Posted 03 January 2015 - 02:49 AM

Let me know what you find in the c drives. I had some folders that were the same names as the extensions and some that were a bunch of letters and numbers and when I opened them had sub folders that were the same names as the extensions.



#7 Don s 939

Posted 03 January 2015 - 06:09 AM

Nope, not a thing in there.
I also noticed I open Chrome with only one tab and actually have 6 chrome processes running in tskmgr.

Edited by Don s 939, 03 January 2015 - 06:10 AM.


#8 Don s 939

Posted 03 January 2015 - 10:17 AM

Ok, FIXED!!!!!!!!!!!!!!!

 

It is an internal chrome extension after all.

 

Run your anti malwares clean, then open up Chrome.

 

Go to the extensions tab under settings. Delete ALL of them. Every single one. Then check the Developer Mode box and do the same. Uncheck the enable, and then delete ALL.

 

Now close Chrome, and then re-open, and check settings and extensions page again. There should be one that will have re-started itself. Mine was named UniSaale or something similar.

 

Beside the permissions button, there should be another to show its location in your computer. With Chrome still open, click it, and it will take you to the folder location, most likely something titled in jargon words under Program Data. Go back one folder level and delete the entire folder this file is in (the jargon words folder NOT the Program Data). Then again, disable and delete the extension in Chrome, check Developer Mode and do the same. Close Chrome. Re-open and voila. It's gone for good.
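
Added example, not part of any post in this thread: a read-only Python check for the symptom described above, an extension whose files sit outside the Chrome profile (for instance under Program Data). The JSON field names (`extensions.settings`, `path`, `state`, `manifest.name`), the profile path, the extension IDs and the folder name are assumptions or constructed sample values, not taken from an infected machine.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample of the "extensions.settings" section of a Chrome profile's
# Preferences file. Field names are an assumption about Chrome's layout.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaabbbbccccddddeeeeffffgggghhhh": {      # constructed ID: store install
        "path": "aaaabbbbccccddddeeeeffffgggghhhh\\1.2.0_0",
        "state": 1, "manifest": {"name": "Example Notes"}},
    "ppppoooonnnnmmmmllllkkkkjjjjiiii": {      # constructed ID: side-loaded
        "path": "C:\\ProgramData\\xkqzvbnt\\ext",
        "state": 0, "manifest": {"name": "uniisaales"}},
}}})

# Hypothetical profile location used only for this example.
PROFILE = r"C:\Users\example\AppData\Local\Google\Chrome\User Data\Default"


def audit_extensions(prefs_text, profile_dir=PROFILE):
    """List extensions whose files live outside <profile>\\Extensions."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    ext_root = PureWindowsPath(profile_dir) / "Extensions"
    findings = []
    for ext_id, entry in sorted(settings.items()):
        raw = entry.get("path")
        if not raw:
            continue                            # no on-disk location recorded
        path = PureWindowsPath(raw)
        if not path.is_absolute():
            path = ext_root / path              # relative paths are profile-local
        if ext_root in path.parents:            # Windows paths compare case-insensitively
            continue
        findings.append({
            "id": ext_id,
            "name": entry.get("manifest", {}).get("name", "(unknown)"),
            "path": str(path),
            "enabled": entry.get("state") == 1,
        })
    return findings


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFS):
        print(f"{f['name']} ({f['id']}): {f['path']} enabled={f['enabled']}")
```

Entries it reports are candidates for review, not verdicts: Chrome's own built-in components can also record absolute paths. An entry that shows as disabled but keeps returning after removal matches the behaviour described in this thread.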



#9 JoPCWoes

Posted 05 January 2015 - 06:51 PM

Don s 939! I have created this account just to share my thanks! Your method worked and was quick and easy even with my severe lack of computer knowledge!

 

Now, I was meant to take a photo of my extensions, but forgot in my excitement. Is there an easy way to get them back...? The non-malicious ones, I mean! I can't remember them all..!

 

Anyway, thanks again (all of you) and yes, I will be more careful from now on.



#10 anonomus01

Posted 05 January 2015 - 10:19 PM

Thank you so much Don. I finally got rid of it after a week of tearing my hair out.

 

Scans are coming back clean now.



#11 Don s 939

Posted 05 January 2015 - 10:46 PM

Very welcome guys, pleasure to help and share.

I wouldn't worry too much about the other extensions Jo. Most of them, at least what I had, were all but useless anyway, and just another option for possible infection, even when they were all turned off.

I say this because interestingly this unisaale one I had was not only partly disabled the whole time anyway, but had been on my chrome for years with no problem. I'm not even sure it was the problem, or if this infection was just hiding in any old random extension, which is why you have to get rid of them all to be sure.

Edited by Don s 939, 05 January 2015 - 10:47 PM.


#12 Don s 939

Posted 05 January 2015 - 10:50 PM

Ps. If you simply must have the others back, try checking the other folders in the program data. There may be traces left but I cannot be sure.
Probably worth mentioning that you should screenshot before the mass extension deletes. I'm not big on extensions for the obvious reasons so I only had 3.
As said, I think anything that has possible browser privileges and permissions is a bad idea.

Edited by Don s 939, 05 January 2015 - 10:53 PM.


#13 1sam1

Posted 27 June 2015 - 08:51 PM

Don S 939,

This worked. That thing was on my computer for months. Every other site said a bunch of BS just trying to sell software. Thanks so much for taking the time to post the solution. I also found a bunch of other numeric folders in there that I deleted. So far nothing has gone wrong so I don't think I deleted anything worth having.

Thanks again





