Jump to content

Metallica

Staff
  • Content Count

    2,535
  • Joined

  • Last visited

5 Followers

About Metallica

  • Rank
    Master of PUPs
  • Birthday 05/19/1963

Profile Information

  • Location
    Netherlands

Recent Profile Visitors

171,652 profile views
  1. What is 101Sweets Search?The Malwarebytes research team has determined that 101Sweets Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by 101Sweets Search?You may see this entry in your list of installed Chrome extensions:this icon in the Chrome menu-bar:this changed setting:and these warnings during install:How did 101Sweets Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove 101Sweets Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of 101Sweets Search? No, Malwarebytes removes 101Sweets Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the 101Sweets Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://services.101sweets-svc.com/search/{searchTerms} CHR DefaultSearchKeyword: Default -> {searchTerms} CHR DefaultSuggestURL: Default -> hxxps://sug.101sweets-svc.com/sug/?s={searchTerms} CHR Extension: (101Sweets) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh [2020-02-21] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0 Adds the file manifest.json"="2/21/2020 8:48 AM, 2122 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\_metadata Adds the file computed_hashes.json"="2/21/2020 8:48 AM, 2709 bytes, A Adds the file verified_contents.json"="9/17/2019 3:26 PM, 4028 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\background Adds the file contextMenus.js"="9/17/2019 3:26 PM, 634 bytes, A Adds the file ext.js"="9/17/2019 3:26 PM, 4653 bytes, A Adds the file index.html"="9/17/2019 3:26 PM, 534 bytes, A Adds the file listeners.js"="9/17/2019 3:26 PM, 1130 bytes, A Adds the file omni.js"="9/17/2019 3:26 PM, 788 bytes, A Adds the file search.js"="9/17/2019 3:26 PM, 847 bytes, A Adds the file settings.js"="9/17/2019 3:26 PM, 305 bytes, A Adds the file startup.js"="9/17/2019 3:26 PM, 2707 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\icons Adds the file 128.png"="2/21/2020 8:48 AM, 14237 bytes, A Adds the file 16.png"="2/21/2020 8:48 AM, 653 bytes, A Adds the file 32.png"="2/21/2020 8:48 AM, 1728 bytes, A Adds the file 48.png"="2/21/2020 8:48 AM, 3759 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\options Adds the file options.css"="9/17/2019 3:26 PM, 170 bytes, A Adds the file options.html"="9/17/2019 3:26 PM, 486 bytes, A Adds the file options.js"="9/17/2019 3:26 PM, 134 bytes, A Adds the file tabContent.js"="9/17/2019 3:26 PM, 1770 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\popup Adds the file popup.css"="9/17/2019 3:26 PM, 309 bytes, A Adds the file popup.html"="9/17/2019 3:26 PM, 644 bytes, A Adds the file popup.js"="9/17/2019 3:26 PM, 297 bytes, A Adds the file tabContent.js"="9/17/2019 3:26 PM, 1427 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\prompt Adds the file green-up-arrow.png"="9/17/2019 3:26 PM, 18156 bytes, A Adds the file ok-green-square.png"="9/17/2019 3:26 PM, 28442 bytes, A Adds the file prompt.js"="9/17/2019 3:26 PM, 3327 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh Adds the file 000003.log"="2/21/2020 8:48 AM, 801 bytes, A Adds the file CURRENT"="2/21/2020 8:48 AM, 16 bytes, A Adds the file LOCK"="2/21/2020 8:48 AM, 0 bytes, A Adds the file LOG"="2/21/2020 8:51 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/21/2020 8:48 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh Adds the file 000003.log"="2/21/2020 8:48 AM, 83 bytes, A Adds the file CURRENT"="2/21/2020 8:48 AM, 16 bytes, A Adds the file LOCK"="2/21/2020 8:48 AM, 0 bytes, A Adds the file LOG"="2/21/2020 8:51 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/21/2020 8:48 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bhbnogofnebnbocodmijnbmobmeakcdh"="REG_SZ", "15DC3F633D7F423DA767B2F951C1591AC6D70CD8A0F9FD87039C40B492BEF22C" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/21/20 Scan Time: 8:57 AM Log File: d560ec7c-547f-11ea-af09-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19536 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235977 Threats Detected: 17 Threats Quarantined: 17 Time Elapsed: 37 min, 57 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.TightRopeInteractive.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bhbnogofnebnbocodmijnbmobmeakcdh, Quarantined, 15100, 792704, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BHBNOGOFNEBNBOCODMIJNBMOBMEAKCDH, Quarantined, 15100, 792704, 1.0.19536, , ame, File: 13 PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\000003.log, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\CURRENT, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\LOCK, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\LOG, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\MANIFEST-000001, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\000003.log, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\CURRENT, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\LOCK, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\LOG, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\MANIFEST-000001, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BHBNOGOFNEBNBOCODMIJNBMOBMEAKCDH\1.1.19.916_0\MANIFEST.JSON, Quarantined, 15100, 792704, 1.0.19536, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is TinyChill? The Malwarebytes research team has determined that TinyChill is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by TinyChill? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: and if you have allowed notifications you may see popups like this one: How did TinyChill get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove TinyChill? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of TinyChill? No, Malwarebytes removes TinyChill completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Browser Guard, as well as the full version of Malwarebytes would have protected you against the TinyChill hijacker. They would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.tinychill.com CHR DefaultSearchURL: Default -> hxxps://feed.tinychill.com/?q={searchTerms}&publisher=tinychill&barcodeid=568620000000000 CHR DefaultSearchKeyword: Default -> TinyChill CHR DefaultSuggestURL: Default -> hxxps://api.tinychill.com/suggest/get?q={searchTerms} CHR Extension: (TinyChill) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac [2020-02-20] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0 Adds the file manifest.json"="2/20/2020 9:13 AM, 2038 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/20/2020 9:13 AM, 6135 bytes, A Adds the file verified_contents.json"="1/21/2020 10:49 AM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0\images\icons Adds the file 128x128.png"="2/20/2020 9:13 AM, 9616 bytes, A Adds the file 16x16.png"="2/20/2020 9:13 AM, 703 bytes, A Adds the file 64x64.png"="2/20/2020 9:13 AM, 4415 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0\scripts Adds the file background.js"="1/21/2020 10:49 AM, 513868 bytes, A Adds the file sitecontent.js"="1/21/2020 10:49 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_djlopnkmcpkkdnhgpffbnllnpinagcac Adds the file TinyChill.ico"="2/20/2020 9:13 AM, 202567 bytes, A Adds the file TinyChill.ico.md5"="2/20/2020 9:13 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "djlopnkmcpkkdnhgpffbnllnpinagcac"="REG_SZ", "FB8C6BEA0FCE4428CA8080CAF7ED4521D682EFDAA84AA0DA090D197E99C2F880" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/20/20 Scan Time: 9:26 AM Log File: a4494b36-53ba-11ea-be46-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19482 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235874 Threats Detected: 8 Threats Quarantined: 8 Time Elapsed: 30 min, 51 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.TinyChill, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|djlopnkmcpkkdnhgpffbnllnpinagcac, Quarantined, 15071, 790797, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DJLOPNKMCPKKDNHGPFFBNLLNPINAGCAC, Quarantined, 15071, 790797, 1.0.19482, , ame, File: 6 PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15071, 790797, , , , PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15071, 790797, , , , PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DJLOPNKMCPKKDNHGPFFBNLLNPINAGCAC\1.0.0_0\MANIFEST.JSON, Quarantined, 15071, 790797, 1.0.19482, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789477, 1.0.19482, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789477, 1.0.19482, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 217, 789477, 1.0.19482, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is SearchYA? The Malwarebytes research team has determined that SearchYA is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by SearchYA? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did SearchYA get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchYA? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchYA? No, Malwarebytes removes SearchYA completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Browser Guard, as well as the full version of Malwarebytes would have protected you against the SearchYA hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.search-ya.com CHR DefaultSearchURL: Default -> hxxps://feed.search-ya.com/?q={searchTerms}&publisher=searchya&barcodeid=568630000000000 CHR DefaultSearchKeyword: Default -> SearchYA CHR DefaultSuggestURL: Default -> hxxps://api.search-ya.com/suggest/get?q={searchTerms} CHR Extension: (SearchYA) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd [2020-02-19] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0 Adds the file manifest.json"="2/19/2020 8:59 AM, 2032 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/19/2020 8:59 AM, 6135 bytes, A Adds the file verified_contents.json"="1/20/2020 10:15 AM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0\images\icons Adds the file 128x128.png"="2/19/2020 8:59 AM, 4365 bytes, A Adds the file 16x16.png"="2/19/2020 8:59 AM, 544 bytes, A Adds the file 64x64.png"="2/19/2020 8:59 AM, 2224 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0\scripts Adds the file background.js"="1/20/2020 10:15 AM, 513853 bytes, A Adds the file sitecontent.js"="1/20/2020 10:15 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hleencoclkeflkjlikhldjhafcpdgjjd Adds the file SearchYA.ico"="2/19/2020 8:59 AM, 178477 bytes, A Adds the file SearchYA.ico.md5"="2/19/2020 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hleencoclkeflkjlikhldjhafcpdgjjd"="REG_SZ", "0DD3C99E34CC2F160E4CD8AE8CF7CA1EF12BD63E355675C19850F799320FDE5B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/19/20 Scan Time: 9:09 AM Log File: 1e3656fe-52ef-11ea-9658-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19438 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235896 Threats Detected: 8 Threats Quarantined: 8 Time Elapsed: 3 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchYa, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hleencoclkeflkjlikhldjhafcpdgjjd, Quarantined, 411, 791984, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLEENCOCLKEFLKJLIKHLDJHAFCPDGJJD, Quarantined, 411, 791984, 1.0.19438, , ame, File: 6 PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 411, 791984, , , , PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 411, 791984, , , , PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLEENCOCLKEFLKJLIKHLDJHAFCPDGJJD\1.0.0_0\MANIFEST.JSON, Quarantined, 411, 791984, 1.0.19438, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789466, 1.0.19438, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789466, 1.0.19438, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 217, 789466, 1.0.19438, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is Email Search Tools? The Malwarebytes research team has determined that Email Search Tools is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by Email Search Tools? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: and these warnings during install: How did Email Search Tools get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Email Search Tools? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Email Search Tools? No, Malwarebytes removes Email Search Tools completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Email Search Tools hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://search.emailsearchtools.com/s?query={searchTerms} CHR DefaultSearchKeyword: Default -> qs CHR Extension: (EmailSearchTools) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb [2020-02-18] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.3_0 Adds the file background.js"="9/18/2019 1:42 PM, 14032 bytes, A Adds the file icon.png"="2/18/2020 9:27 AM, 5491 bytes, A Adds the file manifest.json"="2/18/2020 9:27 AM, 1540 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.3_0\_locales\en Adds the file messages.json"="2/18/2020 9:27 AM, 266 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.3_0\_metadata Adds the file computed_hashes.json"="2/18/2020 9:27 AM, 630 bytes, A Adds the file verified_contents.json"="1/8/2020 4:17 PM, 1893 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.3_0\css Adds the file description.css"="5/3/2018 4:42 PM, 1008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.3_0\html\popup Adds the file description.html"="9/5/2019 2:07 PM, 240 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb Adds the file 000003.log"="2/18/2020 9:27 AM, 141 bytes, A Adds the file CURRENT"="2/18/2020 9:27 AM, 16 bytes, A Adds the file LOCK"="2/18/2020 9:27 AM, 0 bytes, A Adds the file LOG"="2/18/2020 9:30 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/18/2020 9:27 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jghejomglpmejfcphjbfeplpdndfccbb"="REG_SZ", "97E0F3A7AB704677C53A02393F770EDAD534C32F242AD71AAE6161493AF5A4A7" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/18/20 Scan Time: 9:49 AM Log File: a112250e-522b-11ea-b7ee-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19396 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235882 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 33 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jghejomglpmejfcphjbfeplpdndfccbb, Quarantined, 205, 774169, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JGHEJOMGLPMEJFCPHJBFEPLPDNDFCCBB, Quarantined, 205, 774169, 1.0.19396, , ame, File: 9 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\000003.log, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\CURRENT, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\LOCK, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\LOG, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\MANIFEST-000001, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JGHEJOMGLPMEJFCPHJBFEPLPDNDFCCBB\1.3_0\BACKGROUND.JS, Quarantined, 205, 774169, 1.0.19396, , ame, PUP.Optional.Spigot.PN, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 220, 786325, 1.0.19396, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Search Pulse?The Malwarebytes research team has determined that Search Pulse is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one also changes the newtab page.How do I know if my computer is affected by Search Pulse?You may see this entry in your list of installed Chrome extensions:this icon in the Chrome menu-bar:these changed settings:and these warnings during install:How did Search Pulse get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website.How do I remove Search Pulse?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Search Pulse? No, Malwarebytes removes Search Pulse completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Search Pulse hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://iifkpdclgffdnbijholnpbojbgpblhil/newtab/newtab.html" CHR DefaultSearchURL: Default -> hxxp://search.searchpulse.net/search?q={searchTerms} CHR DefaultSearchKeyword: Default -> Search Pulse CHR Extension: (Search Pulse) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil [2020-02-17] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0 Adds the file manifest.json"="2/17/2020 8:46 AM, 1785 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0\_metadata Adds the file computed_hashes.json"="2/17/2020 8:46 AM, 1058 bytes, A Adds the file verified_contents.json"="12/6/2016 3:27 PM, 2005 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0\html Adds the file modal.css"="12/1/2016 4:25 PM, 2230 bytes, A Adds the file modal.html"="12/6/2016 3:27 PM, 141 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0\images Adds the file icon48.png"="2/17/2020 8:46 AM, 1175 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0\newtab Adds the file newtab.html"="12/6/2016 3:27 PM, 267 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0\scripts Adds the file background.js"="12/6/2016 3:27 PM, 25711 bytes, A Adds the file foreground.js"="12/6/2016 3:27 PM, 17886 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil Adds the file 000003.log"="2/17/2020 8:52 AM, 865 bytes, A Adds the file CURRENT"="2/17/2020 8:46 AM, 16 bytes, A Adds the file LOCK"="2/17/2020 8:46 AM, 0 bytes, A Adds the file LOG"="2/17/2020 8:52 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/17/2020 8:46 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "iifkpdclgffdnbijholnpbojbgpblhil"="REG_SZ", "ED9C51F6282C4009FF7E79F3DC4BBC0BB4BFE7135FF8C71EC67C5083E5294B60" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/17/20 Scan Time: 9:02 AM Log File: e8e64304-515b-11ea-bc79-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19332 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235898 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 10 min, 47 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchPulse, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|iifkpdclgffdnbijholnpbojbgpblhil, Quarantined, 279, 790802, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IIFKPDCLGFFDNBIJHOLNPBOJBGPBLHIL, Quarantined, 279, 790802, 1.0.19332, , ame, File: 9 PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 279, 790802, , , , PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 279, 790802, , , , PUP.Optional.SearchPulse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil\000003.log, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil\CURRENT, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil\LOCK, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil\LOG, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil\MANIFEST-000001, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IIFKPDCLGFFDNBIJHOLNPBOJBGPBLHIL\1.7_0\MANIFEST.JSON, Quarantined, 279, 790802, 1.0.19332, , ame, PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 279, 790803, 1.0.19332, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Encrypted Search? The Malwarebytes research team has determined that Encrypted Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by Encrypted Search? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: and these warnings during install: How did Encrypted Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Encrypted Search? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Encrypted Search? No, Malwarebytes removes Encrypted Search completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Encrypted Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://www.encryptedsearch.org/encsearch?q={searchTerms} CHR DefaultSearchKeyword: Default -> ens CHR DefaultSuggestURL: Default -> hxxps://www.encryptedsearch.org/encsuggest?q={searchTerms} CHR Extension: (Encrypted Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad [2020-02-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad\3.6.2.4_0 Adds the file background.html"="7/1/2019 1:13 PM, 160 bytes, A Adds the file manifest.json"="2/14/2020 8:56 AM, 2266 bytes, A Adds the file panel.html"="7/1/2019 1:13 PM, 2090 bytes, A Adds the file settings.html"="7/1/2019 1:13 PM, 11545 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad\3.6.2.4_0\_metadata Adds the file computed_hashes.json"="2/14/2020 8:56 AM, 8205 bytes, A Adds the file verified_contents.json"="7/1/2019 1:13 PM, 3067 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad\3.6.2.4_0\css Adds the file tooltip.css"="7/1/2019 1:13 PM, 1300 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad\3.6.2.4_0\img\ens Adds the file icon128.png"="2/14/2020 8:56 AM, 6316 bytes, A Adds the file icon16.png"="2/14/2020 8:56 AM, 499 bytes, A Adds the file icon16_disabled.png"="2/14/2020 8:56 AM, 499 bytes, A Adds the file icon48.png"="2/14/2020 8:56 AM, 1825 bytes, A Adds the file input-checked.png"="7/1/2019 1:13 PM, 318 bytes, A Adds the file input-unchecked.png"="7/1/2019 1:13 PM, 154 bytes, A Adds the file si-logo.png"="7/1/2019 1:13 PM, 18589 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad\3.6.2.4_0\lib Adds the file bg.js"="7/1/2019 1:13 PM, 391577 bytes, A Adds the file page-protection.js"="7/1/2019 1:13 PM, 70172 bytes, A Adds the file panel.js"="7/1/2019 1:13 PM, 58322 bytes, A Adds the file savesettings.js"="7/1/2019 1:13 PM, 65834 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad Adds the file 000003.log"="2/14/2020 8:56 AM, 0 bytes, A Adds the file CURRENT"="2/14/2020 8:56 AM, 16 bytes, A Adds the file LOCK"="2/14/2020 8:56 AM, 0 bytes, A Adds the file LOG"="2/14/2020 8:56 AM, 0 bytes, A Adds the file MANIFEST-000001"="2/14/2020 8:56 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad Adds the file 000003.log"="2/14/2020 8:56 AM, 0 bytes, A Adds the file CURRENT"="2/14/2020 8:56 AM, 16 bytes, A Adds the file LOCK"="2/14/2020 8:56 AM, 0 bytes, A Adds the file LOG"="2/14/2020 8:56 AM, 0 bytes, A Adds the file MANIFEST-000001"="2/14/2020 8:56 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "iobcdcioiildgbfeojoadlcicdnadpad"="REG_SZ", "D123F8CFEFB53CC496BE4BA4BEAC7D15B29C24B934D823B74E59C4B8CF889167" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/14/20 Scan Time: 9:07 AM Log File: 0807a1f4-4f01-11ea-a0ef-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19198 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236120 Threats Detected: 18 Threats Quarantined: 18 Time Elapsed: 9 min, 32 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.EncryptedSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|iobcdcioiildgbfeojoadlcicdnadpad, Quarantined, 259, 733511, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\iobcdcioiildgbfeojoadlcicdnadpad, Quarantined, 259, 733511, 1.0.19198, , ame, File: 14 PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\000003.log, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\CURRENT, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\LOCK, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\LOG, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\MANIFEST-000001, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\000003.log, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\CURRENT, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\LOCK, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\LOG, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\MANIFEST-000001, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 259, 733510, 1.0.19198, , ame, PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 259, 733510, 1.0.19198, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is MyPrintScreen? The Malwarebytes research team has determined that MyPrintScreen is a potentially unwanted program that behaves like a trojan. It downloads other threats to the affected system. How do I know if my computer is affected by MyPrintScreen? You may see this warning during install: this control on your desktop: this entry in your start menu: and this entry in your list of installed Programs and Features: You will see this menu when you make a screenshot: How did MyPrintScreen get on my computer? Adware applications use different methods for distributing themselves. This particular one was downloaded from their website: How do I remove MyPrintScreen? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of MyPrintScreen? You can uninstall MyPrintScreen after the reboot if you no longer wish to use it. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this potentially unwanted program. As you can see below the full version of Malwarebytes would have protected you against the MyPrintScreen PUP. It would have blocked the installer before it became too late. and both Malwarebytes Premium and Browser Guard would have blocked their domain: Technical details for experts Possible signs in FRST logs: (GenericTools Company) [File not signed] C:\Users\{username}\AppData\Local\GenericTools\GenericTools.exe (АЙ СI СI, ТОВ -> MyPrintScreen Company) C:\Users\{username}\AppData\Local\MyPrintScreen\MyPrintScreen.exe HKCU\...\Run: [MyPrintScreen] => C:\Users\{username}\AppData\Local\MyPrintScreen\MyPrintScreen.exe [442512 2018-01-19] (АЙ СI СI, ТОВ -> MyPrintScreen Company) HKCU\...\Run: [GenericTools] => C:\Users\{username}\AppData\Local\GenericTools\GenericTools.exe [233984 2020-02-04] (GenericTools Company) [File not signed] HKCU\...\Run: [SiSoft] => C:\Users\{username}\AppData\Local\GenericTools\SiSoft.exe [184832 2020-01-08] (SiSoft LTD) [File not signed] C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPrintScreen C:\Users\{username}\AppData\Local\MyPrintScreen C:\Users\{username}\AppData\Local\GenericTools MyPrintScreen (HKCU\...\MyPrintScreen_is1) (Version: 3.3.1.0 - MyPrintScreen Company) Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\GenericTools Adds the file GenericTools.exe"="2/4/2020 4:15 PM, 233984 bytes, A Adds the file libcurl.dll"="11/28/2017 4:27 PM, 318976 bytes, A Adds the file libeay32.dll"="11/21/2017 10:00 AM, 1178112 bytes, A Adds the file msvcp100.dll"="6/11/2011 2:58 AM, 421200 bytes, A Adds the file msvcr100.dll"="6/11/2011 2:58 AM, 773968 bytes, A Adds the file QtCore4.dll"="8/7/2013 5:32 PM, 2598912 bytes, A Adds the file QtGui4.dll"="6/27/2013 12:16 PM, 8581632 bytes, A Adds the file QtNetwork4.dll"="6/27/2013 12:10 PM, 1053696 bytes, A Adds the file QtScript4.dll"="6/27/2013 11:23 AM, 1341440 bytes, A Adds the file QtWebKit4.dll"="6/27/2013 12:29 PM, 13112320 bytes, A Adds the file SiSoft.exe"="1/8/2020 3:23 PM, 184832 bytes, A Adds the file ssleay32.dll"="5/10/2012 10:10 PM, 265216 bytes, A Adds the file ws"="2/13/2020 10:37 AM, 7876 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MyPrintScreen Adds the file msvcp100.dll"="6/11/2011 2:58 AM, 421200 bytes, A Adds the file msvcr100.dll"="6/11/2011 2:58 AM, 773968 bytes, A Adds the file MyPrintScreen.exe"="1/19/2018 5:42 PM, 442512 bytes, A Adds the file QtCore4.dll"="8/7/2013 5:32 PM, 2598912 bytes, A Adds the file QtGui4.dll"="6/27/2013 12:16 PM, 8581632 bytes, A Adds the file QtNetwork4.dll"="6/27/2013 12:10 PM, 1053696 bytes, A Adds the file unins000.dat"="2/13/2020 10:37 AM, 16128 bytes, A Adds the file unins000.exe"="2/13/2020 10:36 AM, 1287881 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MyPrintScreen\imageformats Adds the file qgif4.dll"="11/26/2012 12:31 PM, 26624 bytes, A Adds the file qico4.dll"="11/26/2012 12:31 PM, 28672 bytes, A Adds the file qjpeg4.dll"="11/26/2012 12:31 PM, 201216 bytes, A Adds the file qmng4.dll"="11/26/2012 12:31 PM, 222208 bytes, A Adds the file qsvg4.dll"="11/26/2012 12:31 PM, 21504 bytes, A Adds the file qtga4.dll"="11/26/2012 12:32 PM, 19968 bytes, A Adds the file qtiff4.dll"="11/26/2012 12:31 PM, 287232 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPrintScreen Adds the file How to use MyPrintScreen.url"="2/13/2020 10:37 AM, 54 bytes, A Adds the file MyPrintScreen.lnk"="2/13/2020 10:37 AM, 1142 bytes, A Adds the file Uninstall MyPrintScreen.lnk"="2/13/2020 10:37 AM, 1117 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\GenericTools] "insterra"="REG_SZ", "191112" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "GenericTools"="REG_SZ", "C:\Users\{username}\AppData\Local\GenericTools\GenericTools.exe" "MyPrintScreen"="REG_SZ", "C:\Users\{username}\AppData\Local\MyPrintScreen\MyPrintScreen.exe" "SiSoft"="REG_SZ", "C:\Users\{username}\AppData\Local\GenericTools\SiSoft.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyPrintScreen_is1] "DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Local\MyPrintScreen\MyPrintScreen.exe" "DisplayName"="REG_SZ", "MyPrintScreen" "DisplayVersion"="REG_SZ", "3.3.1.0" "EstimatedSize"="REG_DWORD", 44930 "Inno Setup: App Path"="REG_SZ", "C:\Users\{username}\AppData\Local\MyPrintScreen" "Inno Setup: Icon Group"="REG_SZ", "MyPrintScreen" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.3 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20200213" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Local\MyPrintScreen\" "MajorVersion"="REG_DWORD", 3 "MinorVersion"="REG_DWORD", 3 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "MyPrintScreen Company" "QuietUninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Local\MyPrintScreen\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Local\MyPrintScreen\unins000.exe"" [HKEY_CURRENT_USER\Software\myprintscreen.com\MyPrintScreen] "first"="REG_SZ", "false" "Language"="REG_SZ", "en" "Show snap button"="REG_SZ", "true" [HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\{username}\AppData\Local\MyPrintScreen\imageformats] "qgif4.dll"="REG_MULTI_SZ, "2012-11-26T12:31:46 gif " "qico4.dll"="REG_MULTI_SZ, "2012-11-26T12:31:58 ico " "qjpeg4.dll"="REG_MULTI_SZ, "2012-11-26T12:31:44 jpeg jpg " "qmng4.dll"="REG_MULTI_SZ, "2012-11-26T12:31:50 mng " "qtga4.dll"="REG_MULTI_SZ, "2012-11-26T12:32:00 tga " "qtiff4.dll"="REG_MULTI_SZ, "2012-11-26T12:31:56 tiff tif " [HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\{username}\AppData\Local\MyPrintScreen\imageformats] "qgif4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:46 " "qico4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:58 " "qjpeg4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:44 " "qmng4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:50 " "qsvg4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:52 " "qtga4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:32:00 " "qtiff4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:56 " Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/13/20 Scan Time: 12:17 PM Log File: 63d4d3bc-4e52-11ea-8df3-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19150 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236126 Threats Detected: 33 Threats Quarantined: 32 Time Elapsed: 14 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 RiskWare.Redirector, C:\USERS\{username}\APPDATA\LOCAL\GENERICTOOLS\GENERICTOOLS.EXE, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\SiSoft.exe, Quarantined, 4849, 467517, , , , Module: 15 RiskWare.Redirector, C:\USERS\{username}\APPDATA\LOCAL\GENERICTOOLS\GENERICTOOLS.EXE, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\libcurl.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\libeay32.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\libeay32.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtCore4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtCore4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtGui4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtGui4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtNetwork4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtNetwork4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtScript4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtWebKit4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\SiSoft.exe, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\ssleay32.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\ssleay32.dll, Quarantined, 4849, 467517, , , , Registry Key: 0 (No malicious items detected) Registry Value: 2 RiskWare.Redirector, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|GenericTools, Quarantined, 4849, 467517, , , , RiskWare.Redirector, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SiSoft, Quarantined, 4849, 467517, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 RiskWare.Redirector, C:\USERS\{username}\APPDATA\LOCAL\GENERICTOOLS, whitelisted, 4849, 467517, 1.0.19150, 0C000076D500000028AD977C, dds, File: 13 RiskWare.Redirector, C:\USERS\{username}\APPDATA\LOCAL\GENERICTOOLS\GENERICTOOLS.EXE, Quarantined, 4849, 467517, 1.0.19150, 0C000076D500000028AD977C, dds, 00588077 RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\libcurl.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\libeay32.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtCore4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtGui4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtNetwork4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtScript4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtWebKit4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\SiSoft.exe, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\ssleay32.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\ws, Quarantined, 4849, 467517, , , , PUP.Optional.SoundFrost, C:\USERS\{username}\DESKTOP\WEBSOFT.EXE, Quarantined, 161, 789932, 1.0.19150, , ame, PUP.Optional.SoundFrost, C:\USERS\{username}\DESKTOP\MYPRINTSCREEN.EXE, Quarantined, 161, 788387, 1.0.19150, 5BF1AFA902506587052E1825, dds, 00588077 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Access Gov Docs Tab? The Malwarebytes research team has determined that Access Gov Docs Tab is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications. How do I know if my computer is affected by Access Gov Docs Tab? You may see this browser extension: these warnings during install: You may see this new startpage: and this new setting: How did Access Gov Docs Tab get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website. How do I remove Access Gov Docs Tab? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Access Gov Docs Tab? No, Malwarebytes' Anti-Malware removes Access Gov Docs Tab completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard, would have protected you against the Access Gov Docs Tab hijacker. It blocks their domains: Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://accessgovdocs.net CHR NewTab: Default -> Active:"chrome-extension://pkcbnkckeahemigpmionfaiclhdeellf/newtabhtml/newtabpage.html" CHR Extension: (Access Gov Docs Tab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf [2020-02-12] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0 Adds the file central.js"="11/4/2019 4:54 PM, 2612 bytes, A Adds the file icon.png"="2/12/2020 8:57 AM, 5222 bytes, A Adds the file manifest.json"="2/12/2020 8:57 AM, 1363 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0\_locales\en Adds the file messages.json"="2/12/2020 8:57 AM, 206 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0\_metadata Adds the file computed_hashes.json"="2/12/2020 8:57 AM, 1609 bytes, A Adds the file verified_contents.json"="11/4/2019 4:54 PM, 3027 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0\html\bAction Adds the file about.html"="11/4/2019 4:54 PM, 4050 bytes, A Adds the file newtabpage.html"="11/4/2019 4:54 PM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0\js Adds the file browseraction.js"="11/4/2019 4:54 PM, 992 bytes, A Adds the file config.js"="11/4/2019 4:54 PM, 1014 bytes, A Adds the file dailyFeature.js"="11/4/2019 4:54 PM, 3479 bytes, A Adds the file diagnostic.js"="11/4/2019 4:54 PM, 874 bytes, A Adds the file log.js"="11/4/2019 4:54 PM, 880 bytes, A Adds the file newTab.js"="11/4/2019 4:54 PM, 2418 bytes, A Adds the file search.js"="11/4/2019 4:54 PM, 857 bytes, A Adds the file store.js"="11/4/2019 4:54 PM, 235 bytes, A Adds the file utility.js"="11/4/2019 4:54 PM, 2534 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0\newtabhtml Adds the file newtabpage.html"="11/4/2019 4:54 PM, 207 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf Adds the file 000003.log"="2/12/2020 8:57 AM, 436 bytes, A Adds the file CURRENT"="2/12/2020 8:57 AM, 16 bytes, A Adds the file LOCK"="2/12/2020 8:57 AM, 0 bytes, A Adds the file LOG"="2/12/2020 9:03 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/12/2020 8:57 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pkcbnkckeahemigpmionfaiclhdeellf"="REG_SZ", "1EC6E39BCCAD8954D53C75484C0712E68018C6906F0131AD4AEEA10CD5CC19FC" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/12/20 Scan Time: 9:08 AM Log File: e61a4dbe-4d6e-11ea-9609-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19088 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235857 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 11 min, 31 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pkcbnkckeahemigpmionfaiclhdeellf, Quarantined, 205, 752296, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf, Quarantined, 205, 752296, , , , File: 8 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf\000003.log, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf\CURRENT, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf\LOCK, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf\LOG, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf\MANIFEST-000001, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PKCBNKCKEAHEMIGPMIONFAICLHDEELLF\1.0_0\JS\DAILYFEATURE.JS, Quarantined, 205, 752296, 1.0.19088, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is Searchsio? The Malwarebytes research team has determined that Searchsio is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by Searchsio? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: and these warnings during install: How did Searchsio get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Searchsio? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Searchsio? No, Malwarebytes removes Searchsio completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Searchsio hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.searchsio.com/?q={searchTerms}&publisher=searchsio&barcodeid=568580000000000 CHR DefaultSearchKeyword: Default -> Searchsio CHR DefaultSuggestURL: Default -> hxxps://api.searchsio.com/suggest/get?q={searchTerms} CHR Extension: (Searchsio) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bolckdodmilglagkpefcempiidghfbgj [2020-02-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bolckdodmilglagkpefcempiidghfbgj\1.0.0_0 Adds the file manifest.json"="2/11/2020 8:56 AM, 2038 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bolckdodmilglagkpefcempiidghfbgj\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/11/2020 8:56 AM, 6135 bytes, A Adds the file verified_contents.json"="1/19/2020 12:43 PM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bolckdodmilglagkpefcempiidghfbgj\1.0.0_0\images\icons Adds the file 128x128.png"="2/11/2020 8:56 AM, 10948 bytes, A Adds the file 16x16.png"="2/11/2020 8:56 AM, 747 bytes, A Adds the file 64x64.png"="2/11/2020 8:56 AM, 4478 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bolckdodmilglagkpefcempiidghfbgj\1.0.0_0\scripts Adds the file background.js"="1/19/2020 12:43 PM, 513868 bytes, A Adds the file sitecontent.js"="1/19/2020 12:43 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bolckdodmilglagkpefcempiidghfbgj Adds the file Searchsio.ico"="2/11/2020 8:56 AM, 204420 bytes, A Adds the file Searchsio.ico.md5"="2/11/2020 8:56 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bolckdodmilglagkpefcempiidghfbgj"="REG_SZ", "967457670AE6AA3FA28F271A327F7B20F3610E5515640159CB153281AF11517A" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/11/20 Scan Time: 9:09 AM Log File: da61f928-4ca5-11ea-96bc-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.810 Update Package Version: 1.0.19028 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235809 Threats Detected: 4 Threats Quarantined: 4 Time Elapsed: 12 min, 39 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Searchsio, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bolckdodmilglagkpefcempiidghfbgj, Quarantined, 2197, 789280, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.Searchsio, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\bolckdodmilglagkpefcempiidghfbgj, Quarantined, 2197, 789280, 1.0.19028, , ame, File: 2 PUP.Optional.Searchsio, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 2197, 789280, , , , PUP.Optional.Searchsio, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 2197, 789280, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is FreeTemplateFinder? The Malwarebytes research team has determined that FreeTemplateFinder is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. FreeTemplateFinder is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by FreeTemplateFinder? You may see these browser extensions/add-ons: these warnings during install: You may see this entry in your list of installed software: and this new homepage in the affected browsers: How did FreeTemplateFinder get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website. and the Chrome extension was also available in the webstore: How do I remove FreeTemplateFinder? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of FreeTemplateFinder? No, Malwarebytes' Anti-Malware removes FreeTemplateFinder completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the FreeTemplateFinder hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://hp.myway.com/FreeTemplateFinder/t{tab}/index.html?n={n}&p2={p2}{tab}&ptb={ptb}&coid={coid} FF Homepage: Mozilla\Firefox\Profiles\{profile}.default -> moz-extension://b64f0546-a727-453a-96f5-8565da717b6d/dynamicHomePage.html FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _psMembersttab03_@www.freetemplatefinder.com FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _psMembersttab03_@www.freetemplatefinder.com FF Extension: (FreeTemplateFinder) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_psMembersttab03_@www.freetemplatefinder.com.xpi [2020-02-10] [UpdateUrl:hxxps://updates.tb.ask.com/updateXpi.json?id=237229520&version=8.937.17.22630&track=TTAB03&trackRevision=1&fromId=_psMembersttab03_%40www.freetemplatefinder.com&isBridgeExtension=false] CHR NewTab: Default -> Active:"chrome-extension://jinolcibcadgfapgambehioklcionlpg/ntp1.html" CHR Extension: (FreeTemplateFinder) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg [2020-02-10] C:\Users\{username}\AppData\Local\FreeTemplateFinderTooltab (Mindspark Interactive Network, Inc.) C:\Users\{username}\Desktop\freetemplatefinder.exe FreeTemplateFinder Internet Explorer Homepage and New Tab (HKCU\...\FreeTemplateFinderTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: Monitored program FreeTemplateFinder Setup 2.8.1.1000 Monitored on 2/10/2020 9:11:50 AM Monitored program path File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\FreeTemplateFinderTooltab Adds the file TooltabExtension.dll"="12/7/2019 12:25 AM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0 Adds the file manifest.json"="2/10/2020 9:09 AM, 2537 bytes, A Adds the file ntp1.html"="1/13/2020 4:34 PM, 1434 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0\_metadata Adds the file computed_hashes.json"="2/10/2020 9:09 AM, 5628 bytes, A Adds the file verified_contents.json"="1/13/2020 4:34 PM, 7160 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0\config Adds the file config.json"="1/13/2020 4:34 PM, 1463 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0\icons Adds the file icon128.png"="2/10/2020 9:09 AM, 6251 bytes, A Adds the file icon16.png"="1/13/2020 4:34 PM, 1540 bytes, A Adds the file icon19disabled.png"="1/13/2020 4:34 PM, 1562 bytes, A Adds the file icon19on.png"="2/10/2020 9:09 AM, 701 bytes, A Adds the file icon48.png"="2/10/2020 9:09 AM, 2440 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0\js Adds the file ajax.js"="1/13/2020 4:34 PM, 3263 bytes, A Adds the file babAPI.js"="1/13/2020 4:34 PM, 5703 bytes, A Adds the file babClickHandler.js"="1/13/2020 4:34 PM, 11589 bytes, A Adds the file babContentScript.js"="1/13/2020 4:34 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="1/13/2020 4:34 PM, 9842 bytes, A Adds the file background.js"="1/13/2020 4:34 PM, 18898 bytes, A Adds the file browserUtils.js"="1/13/2020 4:34 PM, 1892 bytes, A Adds the file chrome.js"="1/13/2020 4:34 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="1/13/2020 4:34 PM, 22964 bytes, A Adds the file dateTimeUtils.js"="1/13/2020 4:34 PM, 1213 bytes, A Adds the file dlp.js"="1/13/2020 4:34 PM, 5783 bytes, A Adds the file dlpHelper.js"="1/13/2020 4:34 PM, 1835 bytes, A Adds the file extensionDetect.js"="1/13/2020 4:34 PM, 4354 bytes, A Adds the file index.js"="1/13/2020 4:34 PM, 49 bytes, A Adds the file localStorageContentScript.js"="1/13/2020 4:34 PM, 2236 bytes, A Adds the file logger.js"="1/13/2020 4:34 PM, 531 bytes, A Adds the file meta.js"="1/13/2020 4:34 PM, 1660 bytes, A Adds the file offerService.js"="1/13/2020 4:34 PM, 16953 bytes, A Adds the file pageUtils.js"="1/13/2020 4:34 PM, 2905 bytes, A Adds the file PartnerId.js"="1/13/2020 4:34 PM, 16402 bytes, A Adds the file polyfill.js"="1/13/2020 4:34 PM, 875 bytes, A Adds the file product.js"="1/13/2020 4:34 PM, 7830 bytes, A Adds the file remoteConfigLoader.js"="1/13/2020 4:34 PM, 5053 bytes, A Adds the file searchBoxFocusSetterEdge.js"="1/13/2020 4:34 PM, 1648 bytes, A Adds the file splashPageRedirectHandler.js"="1/13/2020 4:34 PM, 2821 bytes, A Adds the file storageUtils.js"="1/13/2020 4:34 PM, 1718 bytes, A Adds the file TemplateParser.js"="1/13/2020 4:34 PM, 3153 bytes, A Adds the file ul.js"="1/13/2020 4:34 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="1/13/2020 4:34 PM, 2453 bytes, A Adds the file urlUtils.js"="1/13/2020 4:34 PM, 5906 bytes, A Adds the file util.js"="1/13/2020 4:34 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="1/13/2020 4:34 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="1/13/2020 4:34 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg Adds the file 000003.log"="2/10/2020 9:09 AM, 4661 bytes, A Adds the file CURRENT"="2/10/2020 9:09 AM, 16 bytes, A Adds the file LOCK"="2/10/2020 9:09 AM, 0 bytes, A Adds the file LOG"="2/10/2020 9:11 AM, 185 bytes, A Adds the file MANIFEST-000001"="2/10/2020 9:09 AM, 41 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _psMembersttab03_@www.freetemplatefinder.com.xpi"="2/10/2020 9:05 AM, 271344 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\FreeTemplateFinder] "Start Page"="REG_SZ", "https://hp.myway.com/FreeTemplateFinder/t{tab}/index.html?n={n}&p2={p2}{tab}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={ptb}&ptb={p2}{tab}" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jinolcibcadgfapgambehioklcionlpg"="REG_SZ", "24B7D5F9475527EED993E75CDD7750E8174B2D8BB72858E8529ED92D9A004E67" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "https://hp.myway.com/FreeTemplateFinder/t{tab}/index.html?n={n}&p2={p2}{tab}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreeTemplateFinderTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "FreeTemplateFinder Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\FreeTemplateFinderTooltab\TooltabExtension.dll" U uninstall:FreeTemplateFinder" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/10/20 Scan Time: 9:19 AM Log File: 1db22c34-4bde-11ea-a4d0-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.810 Update Package Version: 1.0.18978 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235811 Threats Detected: 23 Threats Quarantined: 23 Time Elapsed: 11 min, 43 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FreeTemplateFinderTooltab\TooltabExtension.dll, Quarantined, 1799, 356944, , , , Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FreeTemplateFinderTooltab Uninstall Internet Explorer, Quarantined, 1799, 356944, , , , PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\FreeTemplateFinder, Quarantined, 1799, 444113, 1.0.18978, , ame, Registry Value: 4 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\FreeTemplateFinder|START PAGE, Quarantined, 1799, 444113, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\FreeTemplateFinder|UNINSTALLSURVEYURL, Quarantined, 1799, 769449, 1.0.18978, , ame, PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FreeTemplateFinderTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, 696, 352442, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jinolcibcadgfapgambehioklcionlpg, Quarantined, 1799, 443121, , , , Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, 696, 293497, 1.0.18978, , ame, Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FreeTemplateFinderTooltab, Quarantined, 1799, 356944, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JINOLCIBCADGFAPGAMBEHIOKLCIONLPG, Quarantined, 1799, 443121, 1.0.18978, , ame, File: 12 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FreeTemplateFinderTooltab\TooltabExtension.dll, Quarantined, 1799, 356944, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_psMembersttab03_@www.freetemplatefinder.com.xpi, Quarantined, 1799, 782571, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg\000003.log, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg\CURRENT, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg\LOCK, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg\LOG, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg\MANIFEST-000001, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JINOLCIBCADGFAPGAMBEHIOKLCIONLPG\13.921.17.10811_0\MANIFEST.JSON, Quarantined, 1799, 443121, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JINOLCIBCADGFAPGAMBEHIOKLCIONLPG\13.921.17.10811_0\CONFIG\CONFIG.JSON, Quarantined, 1799, 456842, 1.0.18978, , ame, PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\FREETEMPLATEFINDER.EXE, Quarantined, 696, 365288, 1.0.18978, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Adware.Adposhel? The Malwarebytes research team has determined that Adware.Adposhel is adware. These adware applications display advertisements not originating from the sites you are browsing. This particular one changes Chrome policies to allow their own web push notifications. How do I know if my computer is affected by Adware.Adposhel? You may see this warnings after install: the installer runs Chrome with a new tab pointing to one of their sites and you may see these changed settings: with this text if you hover over one of the icons: How did Adware.Adposhel get on my computer? Adware applications use different methods for distributing themselves. This particular one was installed by a bundler. How do I remove Adware.Adposhel? Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Adware.Adposhel? No, Malwarebytes removes Adware.Adposhel completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the Adware.Adposhel adware. It would have blocked the installer before it became too late. Installers of this type can be detected as Adware.Adpohel if the detection is based on file recognition: or as Virus.Agent if the detection is done heuristically: Technical details for experts Possible signs in FRST logs: CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION Significant changes made by the installer: Registry details ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] "DefaultNotificationsSetting"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls] "1"="REG_SZ", "https://[*.]aclassigned.info" "2"="REG_SZ", "https://[*.]insupposity.info" "3"="REG_SZ", "https://[*.]enclosely.info" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/3/20 Scan Time: 3:59 PM Log File: bfcb66f0-4695-11ea-bafa-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.18646 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235809 Threats Detected: 6 Threats Quarantined: 6 Time Elapsed: 30 min, 44 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\POLICIES\GOOGLE\CHROME, Quarantined, 7033, -1, 0.0.0, , action, Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\CHROME, Quarantined, 7033, -1, 0.0.0, , action, Registry Value: 2 Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\CHROME\NOTIFICATIONSALLOWEDFORURLS|2, Quarantined, 7033, 786861, 1.0.18646, , ame, Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\POLICIES\GOOGLE\CHROME\NOTIFICATIONSALLOWEDFORURLS|2, Quarantined, 7033, 786861, 1.0.18646, , ame, Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Adware.Adposhel, C:\USERS\{username}\DOWNLOADS\ADPOSHEL.EXE, Quarantined, 535, 508655, 1.0.18646, 1AE8D283FBBFE5398D87D6EB, dds, 00573913 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is Finding Forms Pro? The Malwarebytes research team has determined that Finding Forms Pro is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications. How do I know if my computer is affected by Finding Forms Pro? You may see this browser extension: these warnings during install: this new startpage: and these new settings: How did Finding Forms Pro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Finding Forms Pro? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Finding Forms Pro? No, Malwarebytes' Anti-Malware removes Finding Forms Pro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard would have protected you against the Finding Forms Pro hijacker. It blocks some of their domains: Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://hp.hformshere.com CHR NewTab: Default -> Active:"chrome-extension://dlefdpnpkfggdjonedjkccpfdclfgegg/newtabhtml/newtabpage.html" CHR Extension: (Finding Forms Pro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg [2020-02-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0 Adds the file central.js"="1/24/2020 3:54 PM, 2344 bytes, A Adds the file icon.png"="2/6/2020 10:56 AM, 5222 bytes, A Adds the file manifest.json"="2/6/2020 10:56 AM, 1325 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0\_locales\en Adds the file messages.json"="2/6/2020 10:56 AM, 204 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0\_metadata Adds the file computed_hashes.json"="2/6/2020 10:56 AM, 1499 bytes, A Adds the file verified_contents.json"="1/29/2020 11:17 AM, 2912 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0\html\bAction Adds the file about.html"="1/24/2020 3:54 PM, 3726 bytes, A Adds the file newtabpage.html"="1/24/2020 3:54 PM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0\js Adds the file browseraction.js"="1/24/2020 3:54 PM, 988 bytes, A Adds the file config.js"="1/24/2020 3:54 PM, 1014 bytes, A Adds the file dailyFeature.js"="1/24/2020 3:54 PM, 3475 bytes, A Adds the file log.js"="1/24/2020 3:54 PM, 872 bytes, A Adds the file newTab.js"="1/24/2020 3:54 PM, 1507 bytes, A Adds the file search.js"="1/24/2020 3:54 PM, 1033 bytes, A Adds the file store.js"="1/24/2020 3:54 PM, 235 bytes, A Adds the file utility.js"="1/24/2020 3:54 PM, 2522 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0\newtabhtml Adds the file newtabpage.html"="1/24/2020 3:54 PM, 207 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg Adds the file 000003.log"="2/6/2020 10:56 AM, 447 bytes, A Adds the file CURRENT"="2/6/2020 10:56 AM, 16 bytes, A Adds the file LOCK"="2/6/2020 10:56 AM, 0 bytes, A Adds the file LOG"="2/6/2020 11:00 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/6/2020 10:56 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dlefdpnpkfggdjonedjkccpfdclfgegg"="REG_SZ", "2A8D7CDFC553DD0C308830FDFAD3332E59991F14F3C52A4FAFAA9D68DC9F7F00" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/6/20 Scan Time: 11:05 AM Log File: 3da51bf0-48c8-11ea-9dcc-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.810 Update Package Version: 1.0.18788 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235813 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 20 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dlefdpnpkfggdjonedjkccpfdclfgegg, Quarantined, 205, 752296, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg, Quarantined, 205, 752296, , , , File: 9 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg\000003.log, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg\CURRENT, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg\LOCK, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg\LOG, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg\MANIFEST-000001, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DLEFDPNPKFGGDJONEDJKCCPFDCLFGEGG\1.2_0\JS\DAILYFEATURE.JS, Quarantined, 205, 752296, 1.0.18788, , ame, PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 156, 787624, 1.0.18788, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is Flight Tab Pro? The Malwarebytes research team has determined that Flight Tab Pro is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications. How do I know if my computer is affected by Flight Tab Pro? You may see this browser extension: these warnings during install: You may see this icon in your browsers menu-bar: this new startpage: and these new settings: How did Flight Tab Pro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Flight Tab Pro? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Flight Tab Pro? No, Malwarebytes' Anti-Malware removes Flight Tab Pro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Flight Tab Pro hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://flighttabpro.com CHR NewTab: Default -> Active:"chrome-extension://feokompmcbjpdcgbagmmgeflalabmkeh/html/index.html" CHR Extension: (Flight Tab Pro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh [2020-02-05] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh\1.0.0.3_0 Adds the file background.js"="10/9/2019 10:10 AM, 9541 bytes, A Adds the file contentScript.js"="10/9/2019 10:10 AM, 5018 bytes, A Adds the file manifest.json"="2/5/2020 8:10 AM, 1573 bytes, A Adds the file misc.js"="10/9/2019 10:10 AM, 1733 bytes, A Adds the file util.js"="10/9/2019 10:10 AM, 5815 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh\1.0.0.3_0\_metadata Adds the file computed_hashes.json"="2/5/2020 8:10 AM, 1425 bytes, A Adds the file verified_contents.json"="10/9/2019 10:10 AM, 2435 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh\1.0.0.3_0\distJs Adds the file constants.js"="10/9/2019 10:10 AM, 4762 bytes, A Adds the file distribution.js"="10/9/2019 10:10 AM, 1744 bytes, A Adds the file helper.js"="10/9/2019 10:10 AM, 18598 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh\1.0.0.3_0\html Adds the file index.html"="10/9/2019 10:10 AM, 156 bytes, A Adds the file init.js"="10/9/2019 10:10 AM, 1372 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh\1.0.0.3_0\icons Adds the file icon128.png"="2/5/2020 8:10 AM, 4011 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "feokompmcbjpdcgbagmmgeflalabmkeh"="REG_SZ", "D636DAB31DE24573A9C40029C5A070C78818040A1EC43C2EFE0B881647553EC2" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/5/20 Scan Time: 8:23 AM Log File: 7676f858-47e8-11ea-96c9-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.810 Update Package Version: 1.0.18728 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235802 Threats Detected: 6 Threats Quarantined: 6 Time Elapsed: 27 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.FlightTabPro, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|feokompmcbjpdcgbagmmgeflalabmkeh, Quarantined, 338, 787172, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.FlightTabPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FEOKOMPMCBJPDCGBAGMMGEFLALABMKEH, Quarantined, 338, 787172, 1.0.18728, , ame, File: 4 PUP.Optional.FlightTabPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 338, 787172, , , , PUP.Optional.FlightTabPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 338, 787172, , , , PUP.Optional.FlightTabPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FEOKOMPMCBJPDCGBAGMMGEFLALABMKEH\1.0.0.3_0\MANIFEST.JSON, Quarantined, 338, 787172, 1.0.18728, , ame, PUP.Optional.FlightTabPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 338, 787228, 1.0.18728, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is Max Uninstaller?The Malwarebytes research team has determined that Max Uninstaller is a "system tool". These so-called "system tools" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.How do I know if I am infected with Max Uninstaller?This is how the main screen of the system tool looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and these types of screens during "operations":You may see this entry in your list of installed programs:How did Max Uninstaller get on my computer?These so-called system tools use different methods of getting installed. This particular one was downloaded from their website:How do I remove Max Uninstaller?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Max Uninstaller? No, Malwarebytes removes Max Uninstaller completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Max Uninstaller installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Ideakee Inc -> ) C:\Program Files (x86)\Max Uninstaller\MU.exe C:\Users\Public\Desktop\Max Uninstaller.lnk C:\ProgramData\Desktop\Max Uninstaller.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Uninstaller C:\Program Files (x86)\Max Uninstaller (hxxps://www.maxuninstaller.com/ ) C:\Users\{username}\Desktop\MaxUninstaller_Setup.exe Max Uninstaller version 3.8 (HKLM-x32\...\{C7022C9B-4DE0-4A57-B395-ED3BFDB78D73}_is1) (Version: 3.8 - hxxps://www.maxuninstaller.com/) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Max Uninstaller Adds the file ALMU.exe"="12/7/2016 11:03 AM, 849608 bytes, A Adds the file installedsoftware.txt"="2/4/2020 9:01 AM, 919 bytes, A Adds the file j_fixcs.dll"="4/8/2014 2:42 PM, 1937608 bytes, A Adds the file License.txt"="12/7/2016 11:13 AM, 6381 bytes, A Adds the file MU.exe"="5/9/2017 10:37 AM, 5458632 bytes, A Adds the file MU_UCC.exe"="12/7/2016 11:03 AM, 3222720 bytes, A Adds the file MU_Update.exe"="12/7/2016 11:04 AM, 2013896 bytes, A Adds the file s_fixcs.dll"="3/31/2014 4:14 PM, 3829960 bytes, A Adds the file sqlite3.dll"="3/31/2014 4:14 PM, 651936 bytes, A Adds the file unins000.dat"="2/4/2020 9:01 AM, 9055 bytes, A Adds the file unins000.exe"="2/4/2020 9:00 AM, 1190896 bytes, A Adds the file unins000.msg"="2/4/2020 9:01 AM, 22701 bytes, A Adds the file Uninstall.ico"="11/18/2011 3:35 PM, 17542 bytes, A Adds the file UnZip.dll"="3/3/2014 3:16 PM, 1223368 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Uninstaller Adds the file Max Uninstaller.lnk"="2/4/2020 9:01 AM, 1050 bytes, A Adds the file Uninstall Max Uninstaller.lnk"="2/4/2020 9:01 AM, 1174 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch Adds the file Max Uninstaller.lnk"="2/4/2020 9:01 AM, 1056 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Max Uninstaller.lnk"="2/4/2020 9:01 AM, 1032 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C7022C9B-4DE0-4A57-B395-ED3BFDB78D73}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Max Uninstaller\Uninstall.ico" "DisplayName"="REG_SZ", "Max Uninstaller version 3.8" "DisplayVersion"="REG_SZ", "3.8" "EstimatedSize"="REG_DWORD", 20754 "HelpLink"="REG_SZ", "https://www.maxuninstaller.com/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Max Uninstaller" "Inno Setup: Deselected Tasks"="REG_SZ", "" "Inno Setup: Icon Group"="REG_SZ", "Max Uninstaller" "Inno Setup: Language"="REG_SZ", "default" "Inno Setup: Selected Tasks"="REG_SZ", "desktopicon,quicklaunchicon" "Inno Setup: Setup Version"="REG_SZ", "5.5.5 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20200204" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Max Uninstaller\" "MajorVersion"="REG_DWORD", 3 "MinorVersion"="REG_DWORD", 8 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "https://www.maxuninstaller.com/" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Max Uninstaller\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Max Uninstaller\unins000.exe"" "URLInfoAbout"="REG_SZ", "https://www.maxuninstaller.com/" "URLUpdateInfo"="REG_SZ", "https://www.maxuninstaller.com/" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MU_FROM] "Id"="REG_EXPAND_SZ, "all" "LastUn"="REG_EXPAND_SZ, "no" "Site"="REG_EXPAND_SZ, "maxuninstaller.com" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/4/20 Scan Time: 9:11 AM Log File: e9422a74-4725-11ea-81d2-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.810 Update Package Version: 1.0.18684 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235914 Threats Detected: 34 Threats Quarantined: 34 Time Elapsed: 18 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\MU.exe, Quarantined, 3170, 786750, , , , Module: 1 PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\MU.exe, Quarantined, 3170, 786750, , , , Registry Key: 2 PUP.Optional.MaxUninstaller, HKLM\SOFTWARE\WOW6432NODE\MU_FROM, Quarantined, 6959, 786754, 1.0.18684, , ame, PUP.Optional.MaxUnInstaller, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{C7022C9B-4DE0-4A57-B395-ED3BFDB78D73}_is1, Quarantined, 3170, 786750, , , , Registry Value: 1 PUP.Optional.MaxUninstaller, HKLM\SOFTWARE\WOW6432NODE\MU_FROM|SITE, Quarantined, 6959, 786754, 1.0.18684, , ame, Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.MaxUnInstaller, C:\PROGRAM FILES (X86)\MAX UNINSTALLER, Quarantined, 3170, 786750, 1.0.18684, , ame, PUP.Optional.MaxUnInstaller, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MAX UNINSTALLER, Quarantined, 3170, 786751, 1.0.18684, , ame, File: 27 PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\ALMU.exe, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\installedsoftware.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\j_fixcs.dll, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\License.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\MU.exe, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\MU_UCC.exe, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\MU_Update.exe, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\RAConfig.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\SIConfig.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\SLF_FI.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\SLF_FL.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\SLF_RG.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\sqlite3.dll, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\s_fixcs.dll, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\unins000.dat, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\unins000.exe, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\unins000.msg, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\Uninstall.ico, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\uninstalledsoftware.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\UnZip.dll, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Max Uninstaller.lnk, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Internet Explorer\Quick Launch\Max Uninstaller.lnk, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\USERS\PUBLIC\Desktop\Max Uninstaller.lnk, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Uninstaller\Max Uninstaller.lnk, Quarantined, 3170, 786751, , , , PUP.Optional.MaxUnInstaller, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Uninstaller\Uninstall Max Uninstaller.lnk, Quarantined, 3170, 786751, , , , PUP.Optional.MaxUnInstaller, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\LOCALCOPY\{435EC95C-BD80-49EA-BF45-9949E3ED7A71}-MAXUNINSTALLER_SETUP.EXE, Quarantined, 3170, 786767, 1.0.18684, , ame, PUP.Optional.MaxUnInstaller, C:\USERS\{username}\DESKTOP\MAXUNINSTALLER_SETUP.EXE, Quarantined, 3170, 786767, 1.0.18684, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is TotalRecipeSearch?The Malwarebytes research team has determined that TotalRecipeSearch is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.TotalRecipeSearch is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by TotalRecipeSearch?You may see this browser extension:these warnings during install:You may see this entry in your list of installed software:this new setting:and this new homepage in the affected browsers:How did TotalRecipeSearch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.and the Chrome extension was also available in the webstore:How do I remove TotalRecipeSearch?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of TotalRecipeSearch? No, Malwarebytes' Anti-Malware removes TotalRecipeSearch completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the TotalRecipeSearch hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and Malwarebytes Premium as well as Browser Guard block traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://hp.myway.com/totalrecipesearch/ttab02/index.html?n={n}&p2={p2}{tab}02&ptb={ptb}&coid={coid} CHR NewTab: Default -> Active:"chrome-extension://hlibgmpcgdamndobbdakjacfkachfgoi/ntp1.html" CHR Extension: (TotalRecipeSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi [2020-02-03] C:\Users\{username}\AppData\Local\TotalRecipeSearchTooltab (Mindspark Interactive Network, Inc.) C:\Users\{username}\Desktop\TotalRecipeSearch.exe TotalRecipeSearch Internet Explorer Homepage and New Tab (HKCU\...\TotalRecipeSearchTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0 Adds the file manifest.json"="2/3/2020 9:02 AM, 2537 bytes, A Adds the file ntp1.html"="1/13/2020 5:51 PM, 1434 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_metadata Adds the file computed_hashes.json"="2/3/2020 9:02 AM, 5628 bytes, A Adds the file verified_contents.json"="1/13/2020 5:51 PM, 7160 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\config Adds the file config.json"="1/13/2020 5:51 PM, 1457 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons Adds the file icon128.png"="2/3/2020 9:02 AM, 17561 bytes, A Adds the file icon16.png"="1/13/2020 5:51 PM, 1662 bytes, A Adds the file icon19disabled.png"="1/13/2020 5:51 PM, 1490 bytes, A Adds the file icon19on.png"="2/3/2020 9:02 AM, 809 bytes, A Adds the file icon48.png"="2/3/2020 9:02 AM, 4062 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js Adds the file ajax.js"="1/13/2020 5:51 PM, 3263 bytes, A Adds the file babAPI.js"="1/13/2020 5:51 PM, 5703 bytes, A Adds the file babClickHandler.js"="1/13/2020 5:51 PM, 11589 bytes, A Adds the file babContentScript.js"="1/13/2020 5:51 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="1/13/2020 5:51 PM, 9842 bytes, A Adds the file background.js"="1/13/2020 5:51 PM, 18898 bytes, A Adds the file browserUtils.js"="1/13/2020 5:51 PM, 1892 bytes, A Adds the file chrome.js"="1/13/2020 5:51 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="1/13/2020 5:51 PM, 22964 bytes, A Adds the file dateTimeUtils.js"="1/13/2020 5:51 PM, 1213 bytes, A Adds the file dlp.js"="1/13/2020 5:51 PM, 5783 bytes, A Adds the file dlpHelper.js"="1/13/2020 5:51 PM, 1835 bytes, A Adds the file extensionDetect.js"="1/13/2020 5:51 PM, 4354 bytes, A Adds the file index.js"="1/13/2020 5:51 PM, 49 bytes, A Adds the file localStorageContentScript.js"="1/13/2020 5:51 PM, 2236 bytes, A Adds the file logger.js"="1/13/2020 5:51 PM, 531 bytes, A Adds the file meta.js"="1/13/2020 5:51 PM, 1660 bytes, A Adds the file offerService.js"="1/13/2020 5:51 PM, 16953 bytes, A Adds the file pageUtils.js"="1/13/2020 5:51 PM, 2905 bytes, A Adds the file PartnerId.js"="1/13/2020 5:51 PM, 16402 bytes, A Adds the file polyfill.js"="1/13/2020 5:51 PM, 875 bytes, A Adds the file product.js"="1/13/2020 5:51 PM, 7830 bytes, A Adds the file remoteConfigLoader.js"="1/13/2020 5:51 PM, 5053 bytes, A Adds the file searchBoxFocusSetterEdge.js"="1/13/2020 5:51 PM, 1648 bytes, A Adds the file splashPageRedirectHandler.js"="1/13/2020 5:51 PM, 2821 bytes, A Adds the file storageUtils.js"="1/13/2020 5:51 PM, 1718 bytes, A Adds the file TemplateParser.js"="1/13/2020 5:51 PM, 3153 bytes, A Adds the file ul.js"="1/13/2020 5:51 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="1/13/2020 5:51 PM, 2453 bytes, A Adds the file urlUtils.js"="1/13/2020 5:51 PM, 5906 bytes, A Adds the file util.js"="1/13/2020 5:51 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="1/13/2020 5:51 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="1/13/2020 5:51 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi Adds the file 000003.log"="2/3/2020 9:02 AM, 4583 bytes, A Adds the file CURRENT"="2/3/2020 9:02 AM, 16 bytes, A Adds the file LOCK"="2/3/2020 9:02 AM, 0 bytes, A Adds the file LOG"="2/3/2020 9:04 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/3/2020 9:02 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\TotalRecipeSearchTooltab Adds the file TooltabExtension.dll"="11/27/2019 8:45 PM, 273008 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hlibgmpcgdamndobbdakjacfkachfgoi"="REG_SZ", "6A08FA3902E5605314C09378C194E229DC78D6C3767B242DB6CC87A7781D8D11" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "https://hp.myway.com/totalrecipesearch/ttab02/index.html?n={n}&p2={p2}{tab}02&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\TotalRecipeSearchTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "TotalRecipeSearch Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\TotalRecipeSearchTooltab\TooltabExtension.dll" U uninstall:TotalRecipeSearch" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\TotalRecipeSearch] "Start Page"="REG_SZ", "https://hp.myway.com/totalrecipesearch/ttab02/index.html?n={n}&p2={p2}{tab}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={ptb}&ptb={p2}{tab}" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/3/20 Scan Time: 9:11 AM Log File: c261019c-465c-11ea-864b-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.18624 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235928 Threats Detected: 87 Threats Quarantined: 87 Time Elapsed: 18 min, 23 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\TotalRecipeSearchTooltab\TooltabExtension.dll, Quarantined, 694, 766239, , , , Registry Key: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TotalRecipeSearchTooltab Uninstall Internet Explorer, Quarantined, 694, 766239, , , , PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\TotalRecipeSearch, Quarantined, 1802, 444113, 1.0.18624, , ame, Registry Value: 4 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\TotalRecipeSearch|START PAGE, Quarantined, 1802, 444113, 1.0.18624, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\TotalRecipeSearch|UNINSTALLSURVEYURL, Quarantined, 1802, 769449, 1.0.18624, , ame, PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TotalRecipeSearchTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, 694, 352442, 1.0.18624, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hlibgmpcgdamndobbdakjacfkachfgoi, Quarantined, 1802, 456842, , , , Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, 694, 293497, 1.0.18624, , ame, Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\TOTALRECIPESEARCHTOOLTAB, Quarantined, 694, 766239, 1.0.18624, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\es_419, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\pt_BR, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\pt_PT, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\de, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\en, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\es, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\fr, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\it, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\ja, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_metadata, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\config, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLIBGMPCGDAMNDOBBDAKJACFKACHFGOI\13.921.17.11608_0, Quarantined, 1802, 456842, 1.0.18624, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLIBGMPCGDAMNDOBBDAKJACFKACHFGOI, Quarantined, 1802, 443121, 1.0.18624, , ame, File: 61 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\TotalRecipeSearchTooltab\TooltabExtension.dll, Quarantined, 694, 766239, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi\000003.log, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi\CURRENT, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi\LOCK, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi\LOG, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi\MANIFEST-000001, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLIBGMPCGDAMNDOBBDAKJACFKACHFGOI\13.921.17.11608_0\CONFIG\CONFIG.JSON, Quarantined, 1802, 456842, 1.0.18624, , ame, PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons\icon128.png, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons\icon16.png, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons\icon19disabled.png, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons\icon19on.png, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons\icon48.png, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\ajax.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\babAPI.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\babClickHandler.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\babContentScript.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\babContentScriptAPI.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\background.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\browserUtils.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\chrome.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\contentScriptConnectionManager.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\dateTimeUtils.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\dlp.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\dlpHelper.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\extensionDetect.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\index.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\localStorageContentScript.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\logger.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\meta.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\offerService.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\pageUtils.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\PartnerId.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\polyfill.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\product.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\remoteConfigLoader.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\searchBoxFocusSetterEdge.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\splashPageRedirectHandler.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\storageUtils.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\TemplateParser.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\ul.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\urlFragmentActions.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\urlUtils.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\util.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\webtooltabAPI.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\webTooltabAPIProxy.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\de\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\en\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\es\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\es_419\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\fr\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\it\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\ja\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\pt_BR\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\pt_PT\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_metadata\computed_hashes.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_metadata\verified_contents.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\ntp1.html, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLIBGMPCGDAMNDOBBDAKJACFKACHFGOI\13.921.17.11608_0\MANIFEST.JSON, Quarantined, 1802, 443121, 1.0.18624, , ame, PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\TOTALRECIPESEARCH.EXE, Quarantined, 694, 365288, 1.0.18624, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.