
Removal instructions for Browser Checkup for Chrome by Doctor



What is Browser Checkup for Chrome by Doctor?

The Malwarebytes research team has determined that Browser Checkup for Chrome by Doctor is a browser hijacker. This particular one uses web push notifications.
It may also give users a false sense of security.

How do I know if my computer is affected by Browser Checkup for Chrome by Doctor?

You may see this browser extension:

main.png

these warnings during install:

warning1.png

warning2.png

and these screens during operations:

warning3.png

warning5.png

How did Browser Checkup for Chrome by Doctor get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:

webstore.png

after a redirect from their website:

website.png

How do I remove Browser Checkup for Chrome by Doctor?

Our program Malwarebytes can detect and remove this potentially unwanted program.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished, click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Browser Checkup for Chrome by Doctor?

  • No, Malwarebytes' Anti-Malware removes Browser Checkup for Chrome by Doctor completely.
  • If you have allowed the notifications, you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes would have protected you against the Browser Checkup for Chrome by Doctor hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it was too late.

protection1.png

Technical details for experts

Possible signs in FRST logs:

CHR Extension: (Browser Checkup for Chrome by Doctor) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\okjdbeegldeilceaflghgfdemobmfhbd [2021-02-18]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\okjdbeegldeilceaflghgfdemobmfhbd\1.1.9.63_0
       Adds the file 11eabca2251325cfc5589c9c6fb57b46.ttf"="12/27/2020 11:01 AM, 171272 bytes, A
       Adds the file bb20bd82505e606d2271e1aa308d62f2.otf"="12/27/2020 11:01 AM, 43024 bytes, A
       Adds the file doctor.js"="12/27/2020 11:01 AM, 133801 bytes, A
       Adds the file index.html"="12/27/2020 11:01 AM, 292 bytes, A
       Adds the file index.js"="12/27/2020 11:01 AM, 406601 bytes, A
       Adds the file manifest.json"="2/18/2021 8:48 AM, 1355 bytes, A
       Adds the file style.css"="12/27/2020 11:01 AM, 90776 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\okjdbeegldeilceaflghgfdemobmfhbd\1.1.9.63_0\_metadata
       Adds the file computed_hashes.json"="2/18/2021 8:48 AM, 10289 bytes, A
       Adds the file verified_contents.json"="12/27/2020 2:36 PM, 2344 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\okjdbeegldeilceaflghgfdemobmfhbd\1.1.9.63_0\icons
       Adds the file 128.png"="2/18/2021 8:48 AM, 14638 bytes, A
       Adds the file 16.png"="2/18/2021 8:48 AM, 937 bytes, A
       Adds the file 48.png"="2/18/2021 8:48 AM, 4228 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd
       Adds the file 000003.log"="2/18/2021 8:48 AM, 0 bytes, A
       Adds the file CURRENT"="2/18/2021 8:48 AM, 16 bytes, A
       Adds the file LOCK"="2/18/2021 8:48 AM, 0 bytes, A
       Adds the file LOG"="2/18/2021 8:48 AM, 0 bytes, A
       Adds the file MANIFEST-000001"="2/18/2021 8:48 AM, 41 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd
       Adds the file 000003.log"="2/18/2021 8:48 AM, 0 bytes, A
       Adds the file CURRENT"="2/18/2021 8:48 AM, 16 bytes, A
       Adds the file LOCK"="2/18/2021 8:48 AM, 0 bytes, A
       Adds the file LOG"="2/18/2021 8:48 AM, 0 bytes, A
       Adds the file MANIFEST-000001"="2/18/2021 8:48 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "okjdbeegldeilceaflghgfdemobmfhbd"="REG_SZ", "8EDF3CA2D1CDF7B4C6FE4153E9C347733168B0B490E1357CF25B81DDB33B02C6"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/18/21
Scan Time: 8:55 AM
Log File: bb4af140-71be-11eb-ac72-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37251
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 233218
Threats Detected: 16
Threats Quarantined: 16
Time Elapsed: 2 min, 24 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.PushNotifications, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|okjdbeegldeilceaflghgfdemobmfhbd, Quarantined, 14952, 909426, , , , , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 3
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd, Quarantined, 14952, 909426, , , , , , 
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd, Quarantined, 14952, 909426, , , , , , 
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\okjdbeegldeilceaflghgfdemobmfhbd, Quarantined, 14952, 909426, 1.0.37251, , ame, , , 

File: 12
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 14952, 909426, , , , , C0C5AE2E8EF88CAF8AFC316D166F28C6, 40E2F80853F65AFC68A784C0A42D580D85F0A299DDBC47C4FB4EDD985935BC23
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 14952, 909426, , , , , BDB58078307E32DB3FBC075D7E714622, 7DC3260265AD0A47FF07D3288CE5FB736ADC8AD2F3DDB19C1F4A8D9A905E6467
PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd\000003.log, Quarantined, 14952, 909426, , , , , C200AA6EF85C072E48CDC579DD93D116, A30EC27E693304C9D62B80E7D6635EA425778CC32124991B458786CB6E1B28FF
PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd\CURRENT, Quarantined, 14952, 909426, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd\LOCK, Quarantined, 14952, 909426, , , , , , 
PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd\LOG, Quarantined, 14952, 909426, , , , , ADE422FE8F73F3761612F9F86E261CC4, 4D8DF8172CBEA9B918724F3164FB1C51D4ACE1ECA68279B8C118B1A71117FD0B
PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd\MANIFEST-000001, Quarantined, 14952, 909426, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd\000003.log, Quarantined, 14952, 909426, , , , , 528D256930B32BD45C9413B94A22BDAE, E4DF5514FA61302CEFDC0A2DC338B80677353F9DCE3F6A711067A6E0897D57B6
PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd\CURRENT, Quarantined, 14952, 909426, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd\LOCK, Quarantined, 14952, 909426, , , , , , 
PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd\LOG, Quarantined, 14952, 909426, , , , , AACDC0AB59A0D8F5368CBBE87A636EA1, 1F2620C233369DC798868E5CF2F6CAC7125C8B2283BCB82EAF45E5D07D9EB16F
PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd\MANIFEST-000001, Quarantined, 14952, 909426, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
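
The folders listed under "File system details" above can also be checked for directly on an endpoint. The following is an added example, not part of the original post and not Malwarebytes tooling: it looks for the extension ID from this page in every Chrome profile under a User Data directory, which goes beyond the single Default profile shown in the log. The function names, and the use of a Preferences file to recognise a profile folder, are assumptions of this example.

```python
import os
import re
from pathlib import Path

# Extension ID taken from the FRST line and file system details on this page.
EXT_ID = "okjdbeegldeilceaflghgfdemobmfhbd"
# Per-profile folders the page lists as added by the installer.
ARTIFACT_DIRS = ("Extensions", "Local Extension Settings", "Sync Extension Settings")
# Chrome extension IDs are 32 characters drawn from the letters a-p.
ID_RE = re.compile(r"^[a-p]{32}$")


def find_extension_artifacts(user_data_dir, ext_id=EXT_ID):
    """Return {profile name: [artifact folders]} for each profile holding ext_id."""
    if not ID_RE.match(ext_id):
        raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    root = Path(user_data_dir)
    hits = {}
    if not root.is_dir():
        return hits
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        # Assumption: a profile folder ("Default", "Profile 1", ...) is
        # recognised by its Preferences file; other folders are skipped.
        if not (profile / "Preferences").is_file():
            continue
        found = [profile / d / ext_id for d in ARTIFACT_DIRS
                 if (profile / d / ext_id).is_dir()]
        if found:
            hits[profile.name] = found
    return hits


def installed_versions(profile_dir, ext_id=EXT_ID):
    """List version folders (such as 1.1.9.63_0) that contain a manifest.json."""
    ext_root = Path(profile_dir) / "Extensions" / ext_id
    if not ext_root.is_dir():
        return []
    return sorted(v.name for v in ext_root.iterdir()
                  if v.is_dir() and (v / "manifest.json").is_file())


if __name__ == "__main__":
    # Default Chrome location on Windows for the current user.
    base = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data"
    for name, paths in find_extension_artifacts(base).items():
        print(name, installed_versions(base / name))
        for path in paths:
            print("   ", path)
```

A profile that reports only the two settings folders and no Extensions folder points to leftovers from an earlier install rather than an active extension.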
