Metallica

Staff
  • Content Count: 2,624
5 Followers

About Metallica

  • Rank
    Master of PUPs
  • Birthday 05/19/1963

Profile Information

  • Location
    Netherlands

  1. What is Serp App?
The Malwarebytes research team has determined that Serp App is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Serp App?
You may see this entry in your list of installed Chrome extensions:
and you may have noticed these warnings during install:
and this new search page:
Note the extra o in the address.

How did Serp App get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove Serp App?
Our program Malwarebytes can detect and remove this potentially unwanted program.
  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished, click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Serp App?
No, Malwarebytes removes Serp App completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, Malwarebytes Browser Guard and the full version of Malwarebytes would have protected you against the Serp App hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts
Possible signs in FRST logs:
CHR Extension: (Serp App) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmdaigicalbbnbafdmlnolgjoebkhgao [2020-07-03]

Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmdaigicalbbnbafdmlnolgjoebkhgao\1.4_0
Adds the file background.js"="6/19/2020 4:37 AM, 4614 bytes, A
Adds the file manifest.json"="7/3/2020 9:00 AM, 1223 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmdaigicalbbnbafdmlnolgjoebkhgao\1.4_0\_metadata
Adds the file computed_hashes.json"="7/3/2020 9:00 AM, 183 bytes, A
Adds the file verified_contents.json"="6/19/2020 4:39 AM, 2237 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmdaigicalbbnbafdmlnolgjoebkhgao\1.4_0\assets\icons\app_icons
Adds the file icon128.png"="7/3/2020 9:00 AM, 12346 bytes, A
Adds the file icon16.png"="7/3/2020 9:00 AM, 520 bytes, A
Adds the file icon48.png"="7/3/2020 9:00 AM, 3091 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmdaigicalbbnbafdmlnolgjoebkhgao\1.4_0\assets\icons\ba_icons
Adds the file icon128.png"="7/3/2020 9:00 AM, 1228 bytes, A
Adds the file icon16.png"="7/3/2020 9:00 AM, 167 bytes, A
Adds the file icon48.png"="7/3/2020 9:00 AM, 483 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fmdaigicalbbnbafdmlnolgjoebkhgao
Adds the file 000003.log"="7/3/2020 9:00 AM, 51 bytes, A
Adds the file CURRENT"="7/3/2020 9:00 AM, 16 bytes, A
Adds the file LOCK"="7/3/2020 9:00 AM, 0 bytes, A
Adds the file LOG"="7/3/2020 9:15 AM, 184 bytes, A
Adds the file MANIFEST-000001"="7/3/2020 9:00 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"fmdaigicalbbnbafdmlnolgjoebkhgao"="REG_SZ", "F8DE46E2DC7E985223575406B2F0297596E3BD73C6F6CD2C683A2C651D89C295"

Malwarebytes log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/3/20
Scan Time: 9:21 AM
Log File: d2781aa8-bcfd-11ea-8321-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.972
Update Package Version: 1.0.26337
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232259
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 5 min, 33 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fmdaigicalbbnbafdmlnolgjoebkhgao, Quarantined, 15214, 832194, , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\fmdaigicalbbnbafdmlnolgjoebkhgao, Quarantined, 15214, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FMDAIGICALBBNBAFDMLNOLGJOEBKHGAO, Quarantined, 15214, 832194, 1.0.26337, , ame,

File: 8
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15214, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15214, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fmdaigicalbbnbafdmlnolgjoebkhgao\000003.log, Quarantined, 15214, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fmdaigicalbbnbafdmlnolgjoebkhgao\CURRENT, Quarantined, 15214, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fmdaigicalbbnbafdmlnolgjoebkhgao\LOCK, Quarantined, 15214, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fmdaigicalbbnbafdmlnolgjoebkhgao\LOG, Quarantined, 15214, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fmdaigicalbbnbafdmlnolgjoebkhgao\MANIFEST-000001, Quarantined, 15214, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FMDAIGICALBBNBAFDMLNOLGJOEBKHGAO\1.4_0\MANIFEST.JSON, Quarantined, 15214, 832194, 1.0.26337, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
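Added example (editor's addition, not part of the post above and not Malwarebytes code): the indicator in the FRST line is an extension folder, so this Python check walks a Chrome profile's Extensions directory the same way, reads each manifest.json, and flags both the documented Serp App ID and any extension that declares chrome_settings_overrides, the manifest key an extension needs in order to replace the default search provider or start page. The profile tree it scans is built in a temporary folder for the demo; only the extension ID, the name Serp App and the 1.4_0 version folder come from the post, while the manifest contents, the search URL and the second, benign extension are constructed.

```python
"""List installed Chrome extensions from a profile folder and flag suspicious ones.

Added example, not part of the original post. It walks the same on-disk layout
the FRST line above points at:
    <User Data>\\Default\\Extensions\\<32-char id>\\<version>_<n>\\manifest.json
and reports two things per extension: whether its ID is on a watch-list, and
whether the manifest declares chrome_settings_overrides, the key an extension
needs to replace the default search provider or start page.
"""
import json
import os
import re
import tempfile

# Extension ID documented in the post above (Serp App). Extend with your own IDs.
WATCHLIST = {
    "fmdaigicalbbnbafdmlnolgjoebkhgao": "Serp App (search hijacker)",
}

# Chrome extension IDs are 32 lowercase letters in the range a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def list_extensions(user_data_dir, profile="Default"):
    """Return one record per installed extension version found under the profile."""
    ext_root = os.path.join(user_data_dir, profile, "Extensions")
    records = []
    if not os.path.isdir(ext_root):
        return records
    for ext_id in sorted(os.listdir(ext_root)):
        if not EXT_ID_RE.match(ext_id):
            continue  # not an extension folder
        id_dir = os.path.join(ext_root, ext_id)
        for version_dir in sorted(os.listdir(id_dir)):
            manifest_path = os.path.join(id_dir, version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8-sig") as fh:
                manifest = json.load(fh)
            records.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "version": manifest.get("version", version_dir),
                "permissions": manifest.get("permissions", []),
                "search_override": "chrome_settings_overrides" in manifest,
                "flagged": WATCHLIST.get(ext_id),
            })
    return records


def suspicious(records):
    """Extensions that are watch-listed or that override browser search settings."""
    return [r for r in records if r["flagged"] or r["search_override"]]


def build_demo_profile():
    """Create a throw-away 'User Data' tree for the demo. All contents are constructed."""
    root = tempfile.mkdtemp(prefix="chrome-user-data-")

    def write(ext_id, version_dir, manifest):
        folder = os.path.join(root, "Default", "Extensions", ext_id, version_dir)
        os.makedirs(folder)
        with open(os.path.join(folder, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)

    # Same ID and version folder as the FRST log above; the manifest body is made up.
    write("fmdaigicalbbnbafdmlnolgjoebkhgao", "1.4_0", {
        "manifest_version": 2, "name": "Serp App", "version": "1.4",
        "permissions": ["tabs", "webNavigation"],
        "chrome_settings_overrides": {"search_provider": {
            "name": "Serp App", "keyword": "serp", "encoding": "UTF-8",
            "search_url": "https://example.invalid/search?q={searchTerms}",
            "is_default": True}},
    })
    # A benign placeholder extension (made-up ID) for contrast.
    write("abcdefghijklmnopabcdefghijklmnop", "2.0_0", {
        "manifest_version": 2, "name": "Harmless Notes", "version": "2.0",
        "permissions": ["storage"],
    })
    return root


if __name__ == "__main__":
    for rec in list_extensions(build_demo_profile()):
        why = rec["flagged"] or ("overrides search settings" if rec["search_override"] else "")
        print(f"{rec['id']}  {rec['name']} {rec['version']}  {why}")
```

On a live system, point list_extensions at %LOCALAPPDATA%\Google\Chrome\User Data. A watch-list hit is conclusive; a chrome_settings_overrides hit only says the extension is able to change the search provider, so it calls for a look at the manifest and at the Secure Preferences file that the log above shows being replaced.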
  2. What is PC Reviver?
PC Reviver is a system optimizer that triggers our PUP detection rules. By doing so we offer users a choice to consider whether they want to use this software. More information can be found on our Malwarebytes Labs blog.

How do I know if I am affected by PC Reviver?
This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar, your start menu, and on your desktop:
and see these windows during install:
and these types of screens during operation:
You may see this entry in your list of installed programs:
and this task in your list of Scheduled Tasks:

How did PC Reviver get on my computer?
These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:

How do I remove PC Reviver?
Our program Malwarebytes can detect and remove this PUP, but it is advisable to use the built-in uninstaller first.
You can use a Malwarebytes scan to check if everything was removed.
  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished, click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of PC Reviver?
No, Malwarebytes removes PC Reviver completely.
This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

What if I want to keep PC Reviver?
Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.
  • Open Malwarebytes for Windows.
  • Click Detection History.
  • Click Allow List.
  • To add an item to the Allow List, click Add.
  • Select the exclusion type Allow a file or folder and use the Select a folder button to select the main folder for the software that you wish to keep.
  • Repeat this for any secondary files or folder(s) that belong to the software.
  • If you want to allow the program to connect to the Internet, for example to fetch updates, also add an exclusion of the type Allow an application to connect to the internet and use the Browse button to select the file you wish to grant access.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you in dealing with this system optimizer.
As you can see below, the full version of Malwarebytes would have warned you against the PC Reviver installer.

Technical details for experts
You may see these entries in FRST logs:
(Corel Corporation -> Corel Corporation) C:\Program Files\ReviverSoft\PC Reviver\PC Reviver.exe
(Corel Corporation -> Corel Corporation) C:\Program Files\ReviverSoft\Smart Monitor\ReviverSoft Smart Monitor Service.exe
(Corel Corporation -> Corel Corporation) C:\Program Files\ReviverSoft\Smart Monitor\ReviverSoftSmartMonitor.exe
Task: {04EF5175-9FA0-4994-BD25-DCA724CD1538} - System32\Tasks\Start PC Reviver Schedule => C:\Program Files\ReviverSoft\PC Reviver\PC Reviver.exe [12460360 2020-02-04] (Corel Corporation -> Corel Corporation)
Task: {6F9517D6-101D-431D-BB2F-CD4BD838D4A8} - System32\Tasks\Start PC Reviver for {computername}@{username}(logon) => C:\Program Files\ReviverSoft\PC Reviver\PC Reviver.exe [12460360 2020-02-04] (Corel Corporation -> Corel Corporation)
Task: {D8971EF3-4824-4B7E-99D6-5B1320DDE99A} - System32\Tasks\Start PC Reviver Update => C:\Program Files\ReviverSoft\PC Reviver\PC Reviver.exe [12460360 2020-02-04] (Corel Corporation -> Corel Corporation)
R2 ReviverSoft Smart Monitor Service; C:\Program Files\ReviverSoft\Smart Monitor\ReviverSoft Smart Monitor Service.exe [1463112 2020-04-15] (Corel Corporation -> Corel Corporation)
C:\Windows\system32\Tasks\Start PC Reviver Schedule
C:\Windows\system32\Tasks\Start PC Reviver Update
C:\Windows\system32\Tasks\Start PC Reviver for {computername}@{username}(logon)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ReviverSoft
C:\Users\Public\Desktop\PC Reviver.lnk
C:\ProgramData\Desktop\PC Reviver.lnk
C:\ProgramData\ReviverSoft
C:\Program Files\ReviverSoft
PC Reviver (HKLM\...\PC Reviver) (Version: 3.9.0.24 - Corel Corporation)
ContextMenuHandlers1: [PC Reviver] -> {D59EA345-8611-4433-A2B6-302339608B90} => C:\Program Files\ReviverSoft\PC Reviver\windowscontextmenuhandler-vc141-mt.dll [2020-02-04] (Corel Corporation -> Corel Corporation)
ContextMenuHandlers2: [PC Reviver] -> {D59EA345-8611-4433-A2B6-302339608B90} => C:\Program Files\ReviverSoft\PC Reviver\windowscontextmenuhandler-vc141-mt.dll [2020-02-04] (Corel Corporation -> Corel Corporation)
ContextMenuHandlers4: [PC Reviver] -> {D59EA345-8611-4433-A2B6-302339608B90} => C:\Program Files\ReviverSoft\PC Reviver\windowscontextmenuhandler-vc141-mt.dll [2020-02-04] (Corel Corporation -> Corel Corporation)

Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\ReviverSoft\PC Reviver
Adds the file 7za.exe"="7/2/2020 9:05 AM, 591176 bytes, A
Adds the file api-ms-win-core-console-l1-1-0.dll"="11/18/2019 11:42 AM, 19136 bytes, A
Adds the file api-ms-win-core-datetime-l1-1-0.dll"="11/18/2019 11:42 AM, 18624 bytes, A
Adds the file api-ms-win-core-debug-l1-1-0.dll"="11/18/2019 11:42 AM, 18624 bytes, A
Adds the file api-ms-win-core-errorhandling-l1-1-0.dll"="11/18/2019 11:42 AM, 18624 bytes, A
Adds the file api-ms-win-core-file-l1-1-0.dll"="11/18/2019 11:42 AM, 22208 bytes, A
Adds the file api-ms-win-core-file-l1-2-0.dll"="11/18/2019 11:42 AM, 18624 bytes, A
Adds the file api-ms-win-core-file-l2-1-0.dll"="11/18/2019 11:42 AM, 18624 bytes, A
Adds the file api-ms-win-core-handle-l1-1-0.dll"="11/18/2019 11:42 AM, 18624 bytes, A
Adds the file api-ms-win-core-heap-l1-1-0.dll"="11/18/2019 11:42 AM, 19136 bytes, A
Adds the file api-ms-win-core-interlocked-l1-1-0.dll"="11/18/2019 11:42 AM, 18624 bytes, A
Adds the file api-ms-win-core-libraryloader-l1-1-0.dll"="11/18/2019 11:42 AM, 19136 bytes, A
Adds the file api-ms-win-core-localization-l1-2-0.dll"="11/18/2019 11:42 AM, 21184 bytes, A
Adds the file api-ms-win-core-memory-l1-1-0.dll"="11/18/2019 11:42 AM, 19136 bytes, A
Adds the file api-ms-win-core-namedpipe-l1-1-0.dll"="11/18/2019 11:42 AM, 18624 bytes, A
Adds the file api-ms-win-core-processenvironment-l1-1-0.dll"="11/18/2019 11:42 AM, 19648 bytes, A
Adds the file api-ms-win-core-processthreads-l1-1-0.dll"="11/18/2019 11:42 AM, 20672 bytes, A
Adds the file api-ms-win-core-processthreads-l1-1-1.dll"="11/18/2019 11:42 AM, 19136 bytes, A
Adds the file api-ms-win-core-profile-l1-1-0.dll"="11/18/2019 11:42 AM, 18112 bytes, A
Adds the file api-ms-win-core-rtlsupport-l1-1-0.dll"="11/18/2019 11:42 AM, 19136 bytes, A
Adds the file api-ms-win-core-string-l1-1-0.dll"="11/18/2019 11:42 AM, 18624 bytes, A
Adds the file api-ms-win-core-synch-l1-1-0.dll"="11/18/2019 11:42 AM, 20672 bytes, A
Adds the file api-ms-win-core-synch-l1-2-0.dll"="11/18/2019 11:42 AM, 19136 bytes, A
Adds the file api-ms-win-core-sysinfo-l1-1-0.dll"="11/18/2019 11:42 AM, 19648 bytes, A
Adds the file api-ms-win-core-timezone-l1-1-0.dll"="11/18/2019 11:42 AM, 18624 bytes, A
Adds the file api-ms-win-core-util-l1-1-0.dll"="11/18/2019 11:42 AM, 18624 bytes, A
Adds the file api-ms-win-crt-conio-l1-1-0.dll"="11/18/2019 11:42 AM, 19648 bytes, A
Adds the file api-ms-win-crt-convert-l1-1-0.dll"="11/18/2019 11:42 AM, 22720 bytes, A
Adds the file api-ms-win-crt-environment-l1-1-0.dll"="11/18/2019 11:42 AM, 19136 bytes, A
Adds the file api-ms-win-crt-filesystem-l1-1-0.dll"="11/18/2019 11:42 AM, 20672 bytes, A
Adds the file api-ms-win-crt-heap-l1-1-0.dll"="11/18/2019 11:42 AM, 19648 bytes, A
Adds the file api-ms-win-crt-locale-l1-1-0.dll"="11/18/2019 11:42 AM, 19136 bytes, A
Adds the file api-ms-win-crt-math-l1-1-0.dll"="11/18/2019 11:42 AM, 27840 bytes, A
Adds the file api-ms-win-crt-multibyte-l1-1-0.dll"="11/18/2019 11:42 AM, 26816 bytes, A
Adds the file api-ms-win-crt-private-l1-1-0.dll"="11/18/2019 11:42 AM, 70848 bytes, A
Adds the file api-ms-win-crt-process-l1-1-0.dll"="11/18/2019 11:42 AM, 19648 bytes, A
Adds the file api-ms-win-crt-runtime-l1-1-0.dll"="11/18/2019 11:42 AM, 23232 bytes, A
Adds the file api-ms-win-crt-stdio-l1-1-0.dll"="11/18/2019 11:42 AM, 24768 bytes, A
Adds the file api-ms-win-crt-string-l1-1-0.dll"="11/18/2019 11:42 AM, 24768 bytes, A
Adds the file api-ms-win-crt-time-l1-1-0.dll"="11/18/2019 11:42 AM, 21184 bytes, A
Adds the file api-ms-win-crt-utility-l1-1-0.dll"="11/18/2019 11:42 AM, 19136 bytes, A
Adds the file concrt140.dll"="11/18/2019 11:42 AM, 333632 bytes, A
Adds the file CrashHelper.mab"="2/4/2020 12:52 PM, 143535 bytes, A
Adds the file disk_explorer-vc141-mt.dll"="2/4/2020 12:52 PM, 3827016 bytes, A
Adds the file DiskCleaner.mab"="2/4/2020 12:52 PM, 291716 bytes, A
Adds the file DiskTools.mab"="2/4/2020 12:52 PM, 285747 bytes, A
Adds the file DriverUpdater.mab"="2/4/2020 12:52 PM, 944456 bytes, A
Adds the file duplicates_finder_component-vc141-mt.dll"="2/4/2020 12:52 PM, 3767112 bytes, A
Adds the file FileExtensionManager.mab"="2/4/2020 12:52 PM, 173935 bytes, A
Adds the file FileExtensionManager-vc141-mt.dll"="2/4/2020 12:52 PM, 336712 bytes, A
Adds the file helper.exe"="2/4/2020 12:52 PM, 279368 bytes, A
Adds the file helper.st"="7/2/2020 9:05 AM, 362 bytes, A
Adds the file lci.lci"="7/2/2020 9:06 AM, 667 bytes, HA
Adds the file LGPL.txt"="11/18/2019 11:42 AM, 7853 bytes, A
Adds the file mass_file_renamer_component-vc141-mt.dll"="2/4/2020 12:52 PM, 2821960 bytes, A
Adds the file msvcp140.dll"="11/18/2019 11:42 AM, 633152 bytes, A
Adds the file OpenSSL_License.txt"="5/8/2018 2:41 PM, 6281 bytes, A
Adds the file PC Reviver.exe"="2/4/2020 12:52 PM, 12460360 bytes, A
Adds the file PC Reviver.mab"="2/4/2020 12:52 PM, 1896277 bytes, A
Adds the file PCRNotifier.exe"="2/4/2020 12:52 PM, 2366280 bytes, A
Adds the file PCRNotifier.mab"="2/4/2020 12:52 PM, 803269 bytes, A
Adds the file PCRNotifierTray.exe"="2/4/2020 12:52 PM, 689992 bytes, A
Adds the file PCRNotifierTray.mab"="2/4/2020 12:52 PM, 150627 bytes, A
Adds the file ProcessLibrary.mab"="2/4/2020 12:52 PM, 143778 bytes, A
Adds the file Qt5Core.dll"="2/4/2020 12:52 PM, 5637960 bytes, A
Adds the file Qt5Gui.dll"="2/4/2020 12:52 PM, 5827912 bytes, A
Adds the file Qt5PrintSupport.dll"="2/4/2020 12:52 PM, 320840 bytes, A
Adds the file Qt5Widgets.dll"="2/4/2020 12:52 PM, 5511496 bytes, A
Adds the file Qt5WinExtras.dll"="2/4/2020 12:52 PM, 287048 bytes, A
Adds the file RegistryDefrag.mab"="2/4/2020 12:52 PM, 286519 bytes, A
Adds the file RegistryOptimizer.mab"="2/4/2020 12:52 PM, 632330 bytes, A
Adds the file StartupManager.mab"="2/4/2020 12:52 PM, 237166 bytes, A
Adds the file system_exclusions"="11/18/2019 1:12 PM, 11957 bytes, A
Adds the file SystemDetails.mab"="2/4/2020 12:52 PM, 229481 bytes, A
Adds the file SystemInfo-vc141-mt.dll"="2/4/2020 12:52 PM, 2157384 bytes, A
Adds the file SystemInfo-vc141-mt.mab"="2/4/2020 12:52 PM, 889761 bytes, A
Adds the file ucrtbase.dll"="11/18/2019 11:42 AM, 982720 bytes, A
Adds the file uninst.exe"="2/4/2020 12:52 PM, 199856 bytes, A
Adds the file Uninstaller.mab"="2/4/2020 12:52 PM, 696931 bytes, A
Adds the file vccorlib140.dll"="11/18/2019 11:42 AM, 395592 bytes, A
Adds the file vcruntime140.dll"="11/18/2019 11:42 AM, 87888 bytes, A
Adds the file windowscontextmenuhandler-vc141-mt.dll"="2/4/2020 12:52 PM, 392008 bytes, A
Adds the file windowscontextmenuhandler-vc141-mt.mab"="2/4/2020 12:52 PM, 102173 bytes, A
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\apps
Adds the file C_apps"="2/4/2020 12:27 PM, 640 bytes, A
Adds the file MJ_apps"="2/4/2020 12:27 PM, 4912 bytes, A
Adds the file P_apps"="2/4/2020 12:27 PM, 1360 bytes, A
Adds the file RS_apps"="2/4/2020 12:27 PM, 4544 bytes, A
Adds the file SS_apps"="2/4/2020 12:27 PM, 3024 bytes, A
Adds the file WZ_apps"="2/4/2020 12:27 PM, 3328 bytes, A
Adds the file WZC_apps"="2/4/2020 12:27 PM, 384 bytes, A
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\imageformats
Adds the file qdds.dll"="2/4/2020 12:52 PM, 55624 bytes, A
Adds the file qgif.dll"="2/4/2020 12:52 PM, 35656 bytes, A
Adds the file qicns.dll"="2/4/2020 12:52 PM, 43336 bytes, A
Adds the file qico.dll"="2/4/2020 12:52 PM, 37704 bytes, A
Adds the file qjpeg.dll"="2/4/2020 12:52 PM, 243528 bytes, A
Adds the file qsvg.dll"="2/4/2020 12:52 PM, 29512 bytes, A
Adds the file qtga.dll"="2/4/2020 12:52 PM, 29000 bytes, A
Adds the file qtiff.dll"="2/4/2020 12:52 PM, 360776 bytes, A
Adds the file qwbmp.dll"="2/4/2020 12:52 PM, 27464 bytes, A
Adds the file qwebp.dll"="2/4/2020 12:52 PM, 439112 bytes, A
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\languages\wcmh
Adds the file Brazilian.xml"="11/18/2019 3:42 PM, 431 bytes, A
Adds the file Danish.xml"="11/18/2019 3:42 PM, 389 bytes, A
Adds the file Dutch.xml"="11/18/2019 3:42 PM, 404 bytes, A
Adds the file English.xml"="11/18/2019 3:42 PM, 357 bytes, A
Adds the file Finnish.xml"="11/18/2019 3:42 PM, 386 bytes, A
Adds the file French.xml"="11/18/2019 3:42 PM, 425 bytes, A
Adds the file German.xml"="11/18/2019 3:42 PM, 438 bytes, A
Adds the file Italian.xml"="11/18/2019 3:42 PM, 414 bytes, A
Adds the file Japanese.xml"="11/18/2019 3:42 PM, 416 bytes, A
Adds the file Norwegian.xml"="11/18/2019 3:42 PM, 398 bytes, A
Adds the file Russian.xml"="11/18/2019 3:42 PM, 557 bytes, A
Adds the file Spanish.xml"="11/18/2019 3:42 PM, 400 bytes, A
Adds the file Swedish.xml"="11/18/2019 3:42 PM, 415 bytes, A
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\PC Reviver
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\platforms
Adds the file qwindows.dll"="2/4/2020 12:52 PM, 1222472 bytes, A
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins
Adds the file CrashHelper.dll"="2/4/2020 12:52 PM, 584008 bytes, A
Adds the file DiskCleaner.dll"="2/4/2020 12:52 PM, 966984 bytes, A
Adds the file DiskTools.dll"="2/4/2020 12:52 PM, 1018184 bytes, A
Adds the file DriverUpdater.dll"="2/4/2020 12:52 PM, 10716488 bytes, A
Adds the file FileExtensionManager.dll"="2/4/2020 12:52 PM, 648520 bytes, A
Adds the file ProcessLibrary.dll"="2/4/2020 12:52 PM, 585032 bytes, A
Adds the file RegistryDefrag.dll"="2/4/2020 12:52 PM, 1649480 bytes, A
Adds the file RegistryOptimizer.dll"="2/4/2020 12:52 PM, 5604680 bytes, A
Adds the file StartupManager.dll"="2/4/2020 12:52 PM, 956744 bytes, A
Adds the file SystemDetails.dll"="2/4/2020 12:52 PM, 761160 bytes, A
Adds the file Uninstaller.dll"="2/4/2020 12:52 PM, 2113352 bytes, A
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins\CrashHelper
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins\DiskCleaner
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins\DiskTools
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins\DriverUpdater
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins\FileExtensionManager
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins\ProcessLibrary
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins\RegistryDefrag
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins\RegistryOptimizer
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins\StartupManager
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins\SystemDetails
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\plugins\Uninstaller
Adds the folder C:\Program Files\ReviverSoft\PC Reviver\printsupport
Adds the file windowsprintersupport.dll"="2/4/2020 12:52 PM, 46920 bytes, A
Adds the folder C:\Program Files\ReviverSoft\Smart Monitor
Adds the file apps"="4/15/2020 3:08 PM, 4544 bytes, A
Adds the file ReviverSoft Smart Monitor Service.exe"="4/15/2020 3:40 PM, 1463112 bytes, A
Adds the file ReviverSoft Smart Monitor Service.mab"="4/15/2020 3:40 PM, 416624 bytes, A
Adds the file ReviverSoftSmartMonitor.exe"="4/15/2020 3:40 PM, 5490504 bytes, A
Adds the file ReviverSoftSmartMonitor.mab"="4/15/2020 3:40 PM, 1066640 bytes, A
Adds the file Settings.exe"="4/15/2020 3:40 PM, 1084232 bytes, A
Adds the file Settings.mab"="4/15/2020 3:40 PM, 303456 bytes, A
Adds the file Uninstall.exe"="4/15/2020 3:40 PM, 186032 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ReviverSoft\PC Reviver
Adds the file PC Reviver.lnk"="7/2/2020 9:05 AM, 1012 bytes, A
Adds the file Uninstall.lnk"="7/2/2020 9:05 AM, 990 bytes, A
Adds the folder C:\ProgramData\ReviverSoft\PC Reviver
Adds the file PCReviver.ini"="7/2/2020 9:05 AM, 75 bytes, A
Adds the folder C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}
Adds the file du_statistic"="7/2/2020 9:07 AM, 32768 bytes, A
Adds the file PCReviver.ini"="7/2/2020 9:07 AM, 491 bytes, A
Adds the file ro_statistic"="7/2/2020 9:07 AM, 28672 bytes, A
Adds the folder C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Disk Cleaner
Adds the file scanStatisticInfo"="7/2/2020 9:07 AM, 133 bytes, A
Adds the folder C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Driver Updater
Adds the file Exclusions.xml"="7/2/2020 9:05 AM, 391 bytes, A
Adds the file Request.xml"="7/2/2020 9:07 AM, 27989 bytes, A
Adds the file Response.xml"="7/2/2020 9:07 AM, 975 bytes, A
Adds the file scanStatisticInfo"="7/2/2020 9:07 AM, 120 bytes, A
Adds the folder C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Driver Updater\backups
Adds the file BackupInfo.xml"="7/2/2020 9:05 AM, 399 bytes, A
Adds the folder C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\logs\Driver Updater
Adds the file DR_manager.log"="7/2/2020 9:07 AM, 776 bytes, A
Adds the folder C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\logs\Registry Cleaner
Adds the file logRegScan.log"="7/2/2020 9:07 AM, 16024 bytes, A
Adds the folder C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Registry Cleaner
Adds the file scan.ini"="7/2/2020 9:07 AM, 120 bytes, A
Adds the file Settings.ini"="7/2/2020 9:05 AM, 52 bytes, A
Adds the folder C:\ProgramData\ReviverSoft\PC Reviver\Uninstall Manager\3.9.0.24\plugins
Adds the file ToolbarPlugin64.dll"="2/4/2020 12:52 PM, 647496 bytes, A
Adds the file UninstallManagerPlugin64.dll"="2/4/2020 12:52 PM, 137544 bytes, A
Adds the folder C:\ProgramData\ReviverSoft\Smart Monitor\{admin identifier}
Adds the file settings.data"="7/2/2020 9:06 AM, 676 bytes, A
Adds the file smsettings"="7/2/2020 9:06 AM, 44 bytes, A
In the existing folder C:\Users\Public\Desktop
Adds the file PC Reviver.lnk"="7/2/2020 9:05 AM, 988 bytes, A
In the existing folder C:\Windows\System32\Tasks
Adds the file Start PC Reviver for {computername}@{username}(logon)"="7/2/2020 9:05 AM, 3104 bytes, A
Adds the file Start PC Reviver Schedule"="7/2/2020 9:05 AM, 3438 bytes, A
Adds the file Start PC Reviver Update"="7/2/2020 9:05 AM, 3370 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PC Reviver]
"(Default)"="REG_SZ", "{D59EA345-8611-4433-A2B6-302339608B90}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\.exe]
"AppID"="REG_SZ", "{72FDEF43-1464-4451-9DC0-28CA990841F8}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2A2423AE-1AD9-4B60-A021-BBD75766C2FD}]
"(Default)"="REG_SZ", "ReviverSoft Smart Monitor Service"
"LocalService"="REG_SZ", "ReviverSoft Smart Monitor Service"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\ReviverSoftSmartMonitor.exe]
"IsHostApp"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D59EA345-8611-4433-A2B6-302339608B90}\InProcServer32]
"(Default)"="REG_SZ", "C:\Program Files\ReviverSoft\PC Reviver\windowscontextmenuhandler-vc141-mt.dll"
"ThreadingModel"="REG_SZ", "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF12FA28-28F0-4A9D-B9B7-ECEF6F82AAFC}\LocalServer32]
"(Default)"="REG_SZ", ""C:\Program Files\ReviverSoft\Smart Monitor\Settings.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PC Reviver]
"(Default)"="REG_SZ", "{D59EA345-8611-4433-A2B6-302339608B90}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{57518937-293A-46FC-A749-DE2AED21AE23}]
"(Default)"="REG_SZ", "ISMSettings"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C214F44-DEE2-4F73-86CC-7427C4CAA32C}]
"(Default)"="REG_SZ", "ISMSettings2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ReviverSoft.SMSettings]
"(Default)"="REG_SZ", "SMSettings Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A520B992-6390-4231-9C89-F06B3587AB80}]
"(Default)"="REG_SZ", "SMSettings"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D59EA345-8611-4433-A2B6-302339608B90}"="REG_SZ", "PC Reviver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Reviver]
"BID"="REG_SZ", "0"
"DisplayIcon"="REG_SZ", "C:\Program Files\ReviverSoft\PC Reviver\PC Reviver.exe"
"DisplayName"="REG_SZ", "PC Reviver"
"DisplayVersion"="REG_SZ", "3.9.0.24"
"EstimatedSize"="REG_DWORD", 86786
"InstallLocation"="REG_SZ", "C:\Program Files\ReviverSoft\PC Reviver"
"InstallPath"="REG_SZ", "C:\Program Files\ReviverSoft\PC Reviver"
"MajorVersion"="REG_DWORD", 3
"MinorVersion"="REG_DWORD", 9
"OSOURCE"="REG_SZ", ""
"Publisher"="REG_SZ", "Corel Corporation"
"TID"="REG_SZ", ""
"UninstallString"="REG_SZ", "C:\Program Files\ReviverSoft\PC Reviver\uninst.exe"
"URLInfoAbout"="REG_SZ", "https://www.reviversoft.com/support/pc-reviver"
"VersionMajor"="REG_DWORD", 3
"VersionMinor"="REG_DWORD", 9
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ReviverSoft Smart Monitor Service]
"DependOnService"="REG_MULTI_SZ, "RPCSS "
"Description"="REG_SZ", "ReviverSoft Smart Monitor Service"
"DisplayName"="REG_SZ", "ReviverSoft Smart Monitor Service"
"ErrorControl"="REG_DWORD", 1
"FailureActions"="REG_BINARY, ......................
"ImagePath"="REG_EXPAND_SZ, ""C:\Program Files\ReviverSoft\Smart Monitor\ReviverSoft Smart Monitor Service.exe""
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16

Malwarebytes log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/2/20
Scan Time: 9:18 AM
Log File: 39241632-bc34-11ea-ac19-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.972
Update Package Version: 1.0.26289
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232406
Threats Detected: 66
Threats Quarantined: 65
Time Elapsed: 6 min, 51 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
PUP.Optional.PCReviver, C:\PROGRAM FILES\REVIVERSOFT\PC REVIVER\PC REVIVER.EXE, Quarantined, 3308, 469266, , , ,

Module: 7
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\Uninstall Manager\3.9.0.24\plugins\ToolbarPlugin64.dll, Quarantined, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\Uninstall Manager\3.9.0.24\plugins\UninstallManagerPlugin64.dll, Quarantined, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\PROGRAM FILES\REVIVERSOFT\PC REVIVER\PC REVIVER.EXE, Quarantined, 3308, 469266, , , ,
PUP.Optional.PCReviver, C:\PROGRAM FILES\REVIVERSOFT\PC REVIVER\PLUGINS\REGISTRYOPTIMIZER.DLL, Quarantined, 3308, 469266, , , ,
PUP.Optional.PCReviver, C:\PROGRAM FILES\REVIVERSOFT\PC REVIVER\FILEEXTENSIONMANAGER-VC141-MT.DLL, Quarantined, 3308, 469266, , , ,
PUP.Optional.PCReviver, C:\PROGRAM FILES\REVIVERSOFT\PC REVIVER\PLUGINS\DRIVERUPDATER.DLL, Quarantined, 3308, 469266, , , ,
PUP.Optional.PCReviver, C:\PROGRAM FILES\REVIVERSOFT\PC REVIVER\WINDOWSCONTEXTMENUHANDLER-VC141-MT.DLL, Quarantined, 3308, 469266, , , ,

Registry Key: 12
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Start PC Reviver for {computername}@{username}(logon), Quarantined, 3308, 383077, , , ,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6F9517D6-101D-431D-BB2F-CD4BD838D4A8}, Quarantined, 3308, 383077, , , ,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{6F9517D6-101D-431D-BB2F-CD4BD838D4A8}, Quarantined, 3308, 383077, , , ,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Start PC Reviver Schedule, Quarantined, 3308, 383077, , , ,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{04EF5175-9FA0-4994-BD25-DCA724CD1538}, Quarantined, 3308, 383077, , , ,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{04EF5175-9FA0-4994-BD25-DCA724CD1538}, Quarantined, 3308, 383077, , , ,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Start PC Reviver Update, Quarantined, 3308, 383077, , , ,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{D8971EF3-4824-4B7E-99D6-5B1320DDE99A}, Quarantined, 3308, 383077, , , ,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{D8971EF3-4824-4B7E-99D6-5B1320DDE99A}, Quarantined, 3308, 383077, , , ,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PC Reviver, Quarantined, 3308, 480851, 1.0.26289, , ame,
PUP.Optional.PCReviver, HKLM\SOFTWARE\CLASSES\CLSID\{D59EA345-8611-4433-A2B6-302339608B90}, Quarantined, 3308, 469266, , , ,
PUP.Optional.PCReviver, HKLM\SOFTWARE\CLASSES\CLSID\{D59EA345-8611-4433-A2B6-302339608B90}\InprocServer32, Quarantined, 3308, 469266, , , ,

Registry Value: 5
PUP.Optional.PCReviver, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|PC REVIVER.EXE, Quarantined, 3308, 483623, 1.0.26289, , ame,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{04EF5175-9FA0-4994-BD25-DCA724CD1538}|PATH, Quarantined, 3308, 383080, 1.0.26289, , ame,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6F9517D6-101D-431D-BB2F-CD4BD838D4A8}|PATH, Quarantined, 3308, 383080, 1.0.26289, , ame,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{D8971EF3-4824-4B7E-99D6-5B1320DDE99A}|PATH, Quarantined, 3308, 383080, 1.0.26289, , ame,
PUP.Optional.PCReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\APPROVED|{D59EA345-8611-4433-A2B6-302339608B90}, Quarantined, 3308, 469266, , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 13
PUP.Optional.PCReviver, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\REVIVERSOFT\PC REVIVER, Quarantined, 3308, 336928, 1.0.26289, , ame,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Driver Updater\backups, Quarantined, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\logs\Registry Cleaner, Quarantined, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\logs\Driver Updater, Quarantined, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Registry Cleaner, Quarantined, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Driver Updater, Quarantined, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Disk Cleaner, Quarantined, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\logs, Quarantined, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}, Delete-on-Reboot, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\Uninstall Manager\3.9.0.24\plugins, Delete-on-Reboot, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\Uninstall Manager\3.9.0.24, Delete-on-Reboot, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\Uninstall Manager, Delete-on-Reboot, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\PROGRAMDATA\REVIVERSOFT\PC REVIVER, Delete-on-Reboot, 3308, 336927, 1.0.26289, , ame,

File: 28
PUP.Optional.PCReviver, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\REVIVERSOFT\PC REVIVER\PC REVIVER.LNK, Quarantined, 3308, 336928, 1.0.26289, , ame,
PUP.Optional.PCReviver, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ReviverSoft\PC Reviver\Uninstall.lnk, Quarantined, 3308, 336928, , , ,
PUP.Optional.PCReviver, C:\WINDOWS\SYSTEM32\TASKS\Start PC Reviver for {computername}@{username}(logon), Quarantined, 3308, 383077, 1.0.26289, , ame,
PUP.Optional.PCReviver, C:\WINDOWS\SYSTEM32\TASKS\Start PC Reviver Schedule, Quarantined, 3308, 383077, 1.0.26289, , ame,
PUP.Optional.PCReviver, C:\WINDOWS\SYSTEM32\TASKS\Start PC Reviver Update, Quarantined, 3308, 383077, 1.0.26289, , ame,
PUP.Optional.PCReviver, C:\USERS\PUBLIC\DESKTOP\PC REVIVER.LNK, Quarantined, 3308, 336929, 1.0.26289, , ame,
PUP.Optional.PCReviver, C:\PROGRAMDATA\REVIVERSOFT\PC REVIVER\{admin identifier}\PCREVIVER.INI, Quarantined, 3308, 336927, 1.0.26289, , ame,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Disk Cleaner\scanStatisticInfo, Quarantined, 3308, 336927, , , ,
PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC
Reviver\{admin identifier}\Driver Updater\backups\BackupInfo.xml, Quarantined, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Driver Updater\Exclusions.xml, Quarantined, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Driver Updater\Request.xml, Quarantined, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Driver Updater\Response.xml, Quarantined, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Driver Updater\scanStatisticInfo, Quarantined, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\logs\Driver Updater\DR_manager.log, Quarantined, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\logs\Registry Cleaner\logRegScan.log, Quarantined, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Registry Cleaner\scan.ini, Quarantined, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\Registry Cleaner\Settings.ini, Quarantined, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\du_statistic, Delete-on-Reboot, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\{admin identifier}\ro_statistic, Delete-on-Reboot, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\Uninstall Manager\3.9.0.24\plugins\ToolbarPlugin64.dll, Delete-on-Reboot, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\Uninstall Manager\3.9.0.24\plugins\UninstallManagerPlugin64.dll, Delete-on-Reboot, 3308, 336927, , , , PUP.Optional.PCReviver, C:\ProgramData\ReviverSoft\PC Reviver\PCReviver.ini, Quarantined, 3308, 336927, , , , PUP.Optional.PCReviver, C:\DOCUMENTS 
AND SETTINGS\PUBLIC\Desktop\PC Reviver.lnk, Removal Failed, 3308, 469266, , , , PUP.Optional.PCReviver, C:\PROGRAM FILES\REVIVERSOFT\PC REVIVER\PC REVIVER.EXE, Delete-on-Reboot, 3308, 469266, 1.0.26289, , ame, PUP.Optional.PCReviver, C:\PROGRAM FILES\REVIVERSOFT\PC REVIVER\PLUGINS\REGISTRYOPTIMIZER.DLL, Delete-on-Reboot, 3308, 469266, 1.0.26289, , ame, PUP.Optional.PCReviver, C:\PROGRAM FILES\REVIVERSOFT\PC REVIVER\FILEEXTENSIONMANAGER-VC141-MT.DLL, Delete-on-Reboot, 3308, 469266, 1.0.26289, , ame, PUP.Optional.PCReviver, C:\PROGRAM FILES\REVIVERSOFT\PC REVIVER\PLUGINS\DRIVERUPDATER.DLL, Delete-on-Reboot, 3308, 469266, 1.0.26289, , ame, PUP.Optional.PCReviver, C:\PROGRAM FILES\REVIVERSOFT\PC REVIVER\WINDOWSCONTEXTMENUHANDLER-VC141-MT.DLL, Delete-on-Reboot, 3308, 469266, 1.0.26289, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is FileSendSuite?
The Malwarebytes research team has determined that FileSendSuite is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by FileSendSuite?
You may see this browser extension:
these warnings during install:
this new startpage:
and this new setting:

How did FileSendSuite get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove FileSendSuite?
Our program Malwarebytes can detect and remove this potentially unwanted program.
[Mindspark only] You can use their own uninstall instructions first, but I would advise to follow the steps below anyway.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of FileSendSuite?
No, Malwarebytes' Anti-Malware removes FileSendSuite completely.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the FileSendSuite hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR NewTab: Default -> Active:"chrome-extension://jdlnhgjcehghpjmemkjbkhgpeblojiaj/ntp1.html"
CHR Extension: (FileSendSuite) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj [2020-07-01]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0
   Adds the file manifest.json"="7/1/2020 9:34 AM, 2561 bytes, A
   Adds the file ntp1.html"="6/2/2020 7:21 PM, 1348 bytes, A
   Adds the file ntp2.html"="6/2/2020 7:21 PM, 1282 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\ar
   Adds the file messages.json"="7/1/2020 9:34 AM, 260 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\de
   Adds the file messages.json"="7/1/2020 9:34 AM, 182 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\en
   Adds the file messages.json"="7/1/2020 9:34 AM, 247 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\es
   Adds the file messages.json"="7/1/2020 9:34 AM, 178 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\es_419
   Adds the file messages.json"="7/1/2020 9:34 AM, 178 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\fr
   Adds the file messages.json"="7/1/2020 9:34 AM, 191 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\it
   Adds the file messages.json"="7/1/2020 9:34 AM, 173 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\ja
   Adds the file messages.json"="7/1/2020 9:34 AM, 210 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\ko
   Adds the file messages.json"="7/1/2020 9:34 AM, 211 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\nl
   Adds the file messages.json"="7/1/2020 9:34 AM, 211 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\pt_BR
   Adds the file messages.json"="7/1/2020 9:34 AM, 180 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_locales\pt_PT
   Adds the file messages.json"="7/1/2020 9:34 AM, 180 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\_metadata
   Adds the file computed_hashes.json"="7/1/2020 9:34 AM, 8008 bytes, A
   Adds the file verified_contents.json"="6/2/2020 7:21 PM, 9283 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\config
   Adds the file config.json"="6/2/2020 7:21 PM, 2205 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\icons
   Adds the file icon128.png"="7/1/2020 9:34 AM, 6360 bytes, A
   Adds the file icon16.png"="7/1/2020 9:34 AM, 700 bytes, A
   Adds the file icon19disabled.png"="6/2/2020 7:21 PM, 1659 bytes, A
   Adds the file icon19on.png"="7/1/2020 9:34 AM, 848 bytes, A
   Adds the file icon48.png"="7/1/2020 9:34 AM, 2399 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdlnhgjcehghpjmemkjbkhgpeblojiaj\13.931.18.8162_0\js
   Adds the file ajax.js"="6/2/2020 7:21 PM, 3263 bytes, A
   Adds the file B2BService.js"="6/2/2020 7:21 PM, 11729 bytes, A
   Adds the file babAPI.js"="6/2/2020 7:21 PM, 5950 bytes, A
   Adds the file babClickHandler.js"="6/2/2020 7:21 PM, 3485 bytes, A
   Adds the file babContentScript.js"="6/2/2020 7:21 PM, 10509 bytes, A
   Adds the file babContentScriptAPI.js"="6/2/2020 7:21 PM, 13191 bytes, A
   Adds the file babRemoteConfigProcessor.js"="6/2/2020 7:21 PM, 4311 bytes, A
   Adds the file babTypeFactory.js"="6/2/2020 7:21 PM, 1999 bytes, A
   Adds the file babTypeInjectionEmbededPage.js"="6/2/2020 7:21 PM, 3383 bytes, A
   Adds the file babTypeInjectionIframe.js"="6/2/2020 7:21 PM, 2114 bytes, A
   Adds the file babTypeInjectionIframeAPIProxy.js"="6/2/2020 7:21 PM, 3160 bytes, A
   Adds the file babTypeInjectionScript.js"="6/2/2020 7:21 PM, 4111 bytes, A
   Adds the file background.js"="6/2/2020 7:21 PM, 26477 bytes, A
   Adds the file browserUtils.js"="6/2/2020 7:21 PM, 1896 bytes, A
   Adds the file chrome.js"="6/2/2020 7:21 PM, 146 bytes, A
   Adds the file contentScriptConnectionManager.js"="6/2/2020 7:21 PM, 23601 bytes, A
   Adds the file dateTimeUtils.js"="6/2/2020 7:21 PM, 1213 bytes, A
   Adds the file dlp.js"="6/2/2020 7:21 PM, 5852 bytes, A
   Adds the file dlpHelper.js"="6/2/2020 7:21 PM, 1835 bytes, A
   Adds the file extensionDetect.js"="6/2/2020 7:21 PM, 4357 bytes, A
   Adds the file index.js"="6/2/2020 7:21 PM, 49 bytes, A
   Adds the file localStorageContentScript.js"="6/2/2020 7:21 PM, 2237 bytes, A
   Adds the file logger.js"="6/2/2020 7:21 PM, 531 bytes, A
   Adds the file loggingLevelUtils.js"="6/2/2020 7:21 PM, 1976 bytes, A
   Adds the file meta.js"="6/2/2020 7:21 PM, 3300 bytes, A
   Adds the file newTabPageRedirectHandler.js"="6/2/2020 7:21 PM, 2902 bytes, A
   Adds the file notificationService.js"="6/2/2020 7:21 PM, 15360 bytes, A
   Adds the file offerService.js"="6/2/2020 7:21 PM, 17241 bytes, A
   Adds the file pageUtils.js"="6/2/2020 7:21 PM, 2967 bytes, A
   Adds the file PartnerId.js"="6/2/2020 7:21 PM, 16402 bytes, A
   Adds the file polyfill.js"="6/2/2020 7:21 PM, 875 bytes, A
   Adds the file product.js"="6/2/2020 7:21 PM, 8248 bytes, A
   Adds the file pTagService.js"="6/2/2020 7:21 PM, 7125 bytes, A
   Adds the file remoteConfigLoader.js"="6/2/2020 7:21 PM, 6179 bytes, A
   Adds the file scheduler.js"="6/2/2020 7:21 PM, 4130 bytes, A
   Adds the file splashPageRedirectHandler.js"="6/2/2020 7:21 PM, 2944 bytes, A
   Adds the file storageUtils.js"="6/2/2020 7:21 PM, 1718 bytes, A
   Adds the file surveyService.js"="6/2/2020 7:21 PM, 5401 bytes, A
   Adds the file templateParser.js"="6/2/2020 7:21 PM, 3153 bytes, A
   Adds the file ul.js"="6/2/2020 7:21 PM, 5856 bytes, A
   Adds the file urlFragmentActions.js"="6/2/2020 7:21 PM, 2453 bytes, A
   Adds the file urlUtils.js"="6/2/2020 7:21 PM, 6382 bytes, A
   Adds the file util.js"="6/2/2020 7:21 PM, 5693 bytes, A
   Adds the file watchExtensionsHandler.js"="6/2/2020 7:21 PM, 10297 bytes, A
   Adds the file webtooltabAPI.js"="6/2/2020 7:21 PM, 9786 bytes, A
   Adds the file webTooltabAPIProxy.js"="6/2/2020 7:21 PM, 8782 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jdlnhgjcehghpjmemkjbkhgpeblojiaj
   Adds the file 000003.log"="7/1/2020 9:34 AM, 4780 bytes, A
   Adds the file CURRENT"="7/1/2020 9:34 AM, 16 bytes, A
   Adds the file LOCK"="7/1/2020 9:34 AM, 0 bytes, A
   Adds the file LOG"="7/1/2020 9:37 AM, 184 bytes, A
   Adds the file MANIFEST-000001"="7/1/2020 9:34 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"jdlnhgjcehghpjmemkjbkhgpeblojiaj"="REG_SZ", "FF287A2B359DC873C300DFBCF0CA067C7CA5AC154F3223BEC69EC167983C05DF"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/1/20
Scan Time: 10:30 AM
Log File: 10ceb49a-bb75-11ea-bf8f-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26233
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232374
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 2 min, 22 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jdlnhgjcehghpjmemkjbkhgpeblojiaj, Quarantined, 1817, 443121, , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\jdlnhgjcehghpjmemkjbkhgpeblojiaj, Quarantined, 1817, 443121, , , ,
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JDLNHGJCEHGHPJMEMKJBKHGPEBLOJIAJ, Quarantined, 1817, 443121, 1.0.26233, , ame,

File: 9
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1817, 443121, , , ,
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1817, 443121, , , ,
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jdlnhgjcehghpjmemkjbkhgpeblojiaj\000003.log, Quarantined, 1817, 443121, , , ,
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jdlnhgjcehghpjmemkjbkhgpeblojiaj\CURRENT, Quarantined, 1817, 443121, , , ,
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jdlnhgjcehghpjmemkjbkhgpeblojiaj\LOCK, Quarantined, 1817, 443121, , , ,
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jdlnhgjcehghpjmemkjbkhgpeblojiaj\LOG, Quarantined, 1817, 443121, , , ,
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jdlnhgjcehghpjmemkjbkhgpeblojiaj\MANIFEST-000001, Quarantined, 1817, 443121, , , ,
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JDLNHGJCEHGHPJMEMKJBKHGPEBLOJIAJ\13.931.18.8162_0\MANIFEST.JSON, Quarantined, 1817, 443121, 1.0.26233, , ame,
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JDLNHGJCEHGHPJMEMKJBKHGPEBLOJIAJ\13.931.18.8162_0\CONFIG\CONFIG.JSON, Quarantined, 1817, 456842, 1.0.26233, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  4. What is MySearch Search?
The Malwarebytes research team has determined that MySearch Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one redirects your search queries through their own domain.

How do I know if my computer is affected by MySearch Search?
You may see this entry in your list of installed Chrome extensions:
and you may have noticed these warnings during install:

How did MySearch Search get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove MySearch Search?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of MySearch Search?
No, Malwarebytes removes MySearch Search completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the MySearch Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR Extension: (MySearch Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\doomfigiikcpinpmdgkmlahjickpggng [2020-06-30]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\doomfigiikcpinpmdgkmlahjickpggng\6.1_0
   Adds the file manifest.json"="6/30/2020 9:04 AM, 1066 bytes, A
   Adds the file sr.js"="5/12/2020 6:05 AM, 7306 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\doomfigiikcpinpmdgkmlahjickpggng\6.1_0\_metadata
   Adds the file computed_hashes.json"="6/30/2020 9:04 AM, 285 bytes, A
   Adds the file verified_contents.json"="5/12/2020 6:03 AM, 1635 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\doomfigiikcpinpmdgkmlahjickpggng\6.1_0\icons
   Adds the file icon128.png"="6/30/2020 9:04 AM, 13013 bytes, A
   Adds the file icon48.png"="6/30/2020 9:04 AM, 253 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\doomfigiikcpinpmdgkmlahjickpggng
   Adds the file 000003.log"="6/30/2020 9:09 AM, 454 bytes, A
   Adds the file CURRENT"="6/30/2020 9:04 AM, 16 bytes, A
   Adds the file LOCK"="6/30/2020 9:04 AM, 0 bytes, A
   Adds the file LOG"="6/30/2020 9:09 AM, 183 bytes, A
   Adds the file MANIFEST-000001"="6/30/2020 9:04 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"doomfigiikcpinpmdgkmlahjickpggng"="REG_SZ", "8D3BA394FAD14D7C0904942F03CEB0328915F9B302CA9EEFCCF56CE9008BEEF4"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/30/20
Scan Time: 11:39 AM
Log File: 8bf476a2-bab5-11ea-bfa5-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26189
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232031
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 1 min, 22 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|doomfigiikcpinpmdgkmlahjickpggng, Quarantined, 15200, 836150, , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\doomfigiikcpinpmdgkmlahjickpggng, Quarantined, 15200, 836150, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DOOMFIGIIKCPINPMDGKMLAHJICKPGGNG, Quarantined, 15200, 836150, 1.0.26189, , ame,

File: 8
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15200, 836150, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15200, 836150, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\doomfigiikcpinpmdgkmlahjickpggng\000003.log, Quarantined, 15200, 836150, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\doomfigiikcpinpmdgkmlahjickpggng\CURRENT, Quarantined, 15200, 836150, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\doomfigiikcpinpmdgkmlahjickpggng\LOCK, Quarantined, 15200, 836150, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\doomfigiikcpinpmdgkmlahjickpggng\LOG, Quarantined, 15200, 836150, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\doomfigiikcpinpmdgkmlahjickpggng\MANIFEST-000001, Quarantined, 15200, 836150, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DOOMFIGIIKCPINPMDGKMLAHJICKPGGNG\6.1_0\MANIFEST.JSON, Quarantined, 15200, 836150, 1.0.26189, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  5. What is SportStreamSearch?
The Malwarebytes research team has determined that SportStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by SportStreamSearch?
You may see this entry in your list of installed Chrome extensions:
this icon in the Chrome menu-bar:
this changed setting:
You may have noticed these warnings during install:

How did SportStreamSearch get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove SportStreamSearch?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of SportStreamSearch?
No, Malwarebytes removes SportStreamSearch completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SportStreamSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://feed.sportstream-search.com/?q={searchTerms}&publisher=sportstreamsearch&barcodeid=573450000000000
CHR DefaultSearchKeyword: Default -> SportStreamSearch
CHR DefaultSuggestURL: Default -> hxxps://api.sportstream-search.com/suggest/get?q={searchTerms}
CHR Extension: (SportStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec [2020-06-29]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec\1.1.0_0
   Adds the file manifest.json"="6/29/2020 9:09 AM, 2150 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="6/29/2020 9:09 AM, 6255 bytes, A
   Adds the file verified_contents.json"="5/26/2020 11:26 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec\1.1.0_0\images
   Adds the file logo-white-text.png"="5/26/2020 11:26 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec\1.1.0_0\images\icons
   Adds the file 128x128.png"="6/29/2020 9:09 AM, 12561 bytes, A
   Adds the file 16x16.png"="6/29/2020 9:09 AM, 787 bytes, A
   Adds the file 64x64.png"="6/29/2020 9:09 AM, 5203 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec\1.1.0_0\scripts
   Adds the file background.js"="5/26/2020 11:26 AM, 514659 bytes, A
   Adds the file sitecontent.js"="5/26/2020 11:26 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec
   Adds the file 000003.log"="6/29/2020 9:14 AM, 810 bytes, A
   Adds the file CURRENT"="6/29/2020 9:09 AM, 16 bytes, A
   Adds the file LOCK"="6/29/2020 9:09 AM, 0 bytes, A
   Adds the file LOG"="6/29/2020 9:14 AM, 184 bytes, A
   Adds the file MANIFEST-000001"="6/29/2020 9:09 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_dbabcdmajmpfkohmeemhchocmnfakeec
   Adds the file SportStreamSearch.ico"="6/29/2020 9:09 AM, 207021 bytes, A
   Adds the file SportStreamSearch.ico.md5"="6/29/2020 9:09 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"dbabcdmajmpfkohmeemhchocmnfakeec"="REG_SZ", "CFA503536A97EB96F62C8989F6354811CE8CEB4926A5434D566CAC49C6027F1B"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/29/20
Scan Time: 9:23 AM
Log File: 6063713c-b9d9-11ea-b35c-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26141
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232059
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 1 min, 46 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dbabcdmajmpfkohmeemhchocmnfakeec, Quarantined, 15189, 799722, , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec, Quarantined, 15189, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DBABCDMAJMPFKOHMEEMHCHOCMNFAKEEC, Quarantined, 15189, 799722, 1.0.26141, , ame,

File: 8
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15189, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15189, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec\000003.log, Quarantined, 15189, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec\CURRENT, Quarantined, 15189, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec\LOCK, Quarantined, 15189, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec\LOG, Quarantined, 15189, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec\MANIFEST-000001, Quarantined, 15189, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DBABCDMAJMPFKOHMEEMHCHOCMNFAKEEC\1.1.0_0\MANIFEST.JSON, Quarantined, 15189, 799722, 1.0.26141, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  6. What is Kalox APP?
The Malwarebytes research team has determined that Kalox APP is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Kalox APP?
You may see this browser extension:
these warnings during install:
You may see this nameless and invisible icon in your browser's menu-bar:
this new page when you open a new tab:
Note the extra o in the address

How did Kalox APP get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove Kalox APP?
Our program Malwarebytes can detect and remove this potentially unwanted program.
You can use their own uninstall instructions first, but I would advise following the steps below anyway.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Kalox APP?
No, Malwarebytes' Anti-Malware removes Kalox APP completely.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Kalox APP hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR Extension: (Kalox APP) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgmoidaocldligppdkaimfdenjfhahlf [2020-06-26]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgmoidaocldligppdkaimfdenjfhahlf\2.2_0
Adds the file background.js"="6/24/2020 10:40 AM, 1261 bytes, A
Adds the file manifest.json"="6/26/2020 8:54 AM, 1313 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgmoidaocldligppdkaimfdenjfhahlf\2.2_0\_metadata
Adds the file computed_hashes.json"="6/26/2020 8:54 AM, 1287 bytes, A
Adds the file verified_contents.json"="6/24/2020 10:56 AM, 2361 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgmoidaocldligppdkaimfdenjfhahlf\2.2_0\assets\icons\app_icons
Adds the file icon128.png"="6/26/2020 8:54 AM, 12346 bytes, A
Adds the file icon16.png"="6/26/2020 8:54 AM, 520 bytes, A
Adds the file icon48.png"="6/26/2020 8:54 AM, 3091 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgmoidaocldligppdkaimfdenjfhahlf\2.2_0\assets\icons\ba_icons
Adds the file icon128.png"="6/26/2020 8:54 AM, 1228 bytes, A
Adds the file icon16.png"="6/26/2020 8:54 AM, 167 bytes, A
Adds the file icon48.png"="6/26/2020 8:54 AM, 483 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgmoidaocldligppdkaimfdenjfhahlf\2.2_0\lib
Adds the file jquery-3.5.1.min.js"="6/24/2020 10:56 AM, 92195 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pgmoidaocldligppdkaimfdenjfhahlf
Adds the file 000003.log"="6/26/2020 8:54 AM, 51 bytes, A
Adds the file CURRENT"="6/26/2020 8:54 AM, 16 bytes, A
Adds the file LOCK"="6/26/2020 8:54 AM, 0 bytes, A
Adds the file LOG"="6/26/2020 9:00 AM, 183 bytes, A
Adds the file MANIFEST-000001"="6/26/2020 8:54 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"pgmoidaocldligppdkaimfdenjfhahlf"="REG_SZ", "491B0E3251552A64571455289CABCD63AF1970841996537C454D68BC4BA23544"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/26/20
Scan Time: 9:06 AM
Log File: 85f65c76-b77b-11ea-ad40-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26037
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232137
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 2 min, 6 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pgmoidaocldligppdkaimfdenjfhahlf, Quarantined, 15195, 832194, , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pgmoidaocldligppdkaimfdenjfhahlf, Quarantined, 15195, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PGMOIDAOCLDLIGPPDKAIMFDENJFHAHLF, Quarantined, 15195, 832194, 1.0.26037, , ame,

File: 8
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15195, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15195, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pgmoidaocldligppdkaimfdenjfhahlf\000003.log, Quarantined, 15195, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pgmoidaocldligppdkaimfdenjfhahlf\CURRENT, Quarantined, 15195, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pgmoidaocldligppdkaimfdenjfhahlf\LOCK, Quarantined, 15195, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pgmoidaocldligppdkaimfdenjfhahlf\LOG, Quarantined, 15195, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pgmoidaocldligppdkaimfdenjfhahlf\MANIFEST-000001, Quarantined, 15195, 832194, , , ,
PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PGMOIDAOCLDLIGPPDKAIMFDENJFHAHLF\2.2_0\MANIFEST.JSON, Quarantined, 15195, 832194, 1.0.26037, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  7. What is File Conversion Now?
The Malwarebytes research team has determined that File Conversion Now is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications.

How do I know if my computer is affected by File Conversion Now?
You may see this browser extension:
this warning during install:
You may see this icon in your browser's menu-bar:
this new startpage:
and these new settings:

How did File Conversion Now get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove File Conversion Now?
Our program Malwarebytes can detect and remove this potentially unwanted program.
You can use their own uninstall instructions first, but I would advise following the steps below anyway.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of File Conversion Now?
No, Malwarebytes' Anti-Malware removes File Conversion Now completely.
If you have allowed the notifications, you can read here how to disable them.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the File Conversion Now hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://hp.hfileconversionnow.com; hxxps://pdfconverterguru.com
CHR NewTab: Default -> Active:"chrome-extension://ocemooeilogfefcknbhnjlofcfnhohcb/newtabhtml/newtabpage.html"
CHR Extension: (File Conversion Now) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb [2020-06-25]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0
Adds the file central.js"="4/14/2020 1:50 PM, 2344 bytes, A
Adds the file icon.png"="6/25/2020 8:50 AM, 3456 bytes, A
Adds the file manifest.json"="6/25/2020 8:50 AM, 1333 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0\_locales\en
Adds the file messages.json"="6/25/2020 8:50 AM, 210 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0\_metadata
Adds the file computed_hashes.json"="6/25/2020 8:50 AM, 1350 bytes, A
Adds the file verified_contents.json"="4/14/2020 1:50 PM, 2912 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0\html\bAction
Adds the file about.html"="4/14/2020 1:50 PM, 3742 bytes, A
Adds the file newtabpage.html"="4/14/2020 1:50 PM, 214 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0\js
Adds the file browseraction.js"="4/14/2020 1:50 PM, 1004 bytes, A
Adds the file config.js"="4/14/2020 1:50 PM, 1018 bytes, A
Adds the file dailyFeature.js"="4/14/2020 1:50 PM, 3487 bytes, A
Adds the file log.js"="4/14/2020 1:50 PM, 896 bytes, A
Adds the file newTab.js"="4/14/2020 1:50 PM, 1523 bytes, A
Adds the file search.js"="4/14/2020 1:50 PM, 1027 bytes, A
Adds the file store.js"="4/14/2020 1:50 PM, 235 bytes, A
Adds the file utility.js"="4/14/2020 1:50 PM, 2546 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0\newtabhtml
Adds the file newtabpage.html"="4/14/2020 1:50 PM, 207 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb
Adds the file 000003.log"="6/25/2020 8:50 AM, 488 bytes, A
Adds the file CURRENT"="6/25/2020 8:50 AM, 16 bytes, A
Adds the file LOCK"="6/25/2020 8:50 AM, 0 bytes, A
Adds the file LOG"="6/25/2020 9:07 AM, 183 bytes, A
Adds the file MANIFEST-000001"="6/25/2020 8:50 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"ocemooeilogfefcknbhnjlofcfnhohcb"="REG_SZ", "F0884C4E76A1BBDCF08F189A10AD3EE0B891E4C36E135C5510A80D0CC7D6D3A4"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/25/20
Scan Time: 9:18 AM
Log File: 1ea2335a-b6b4-11ea-9d88-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.25999
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232200
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 2 min, 10 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ocemooeilogfefcknbhnjlofcfnhohcb, Quarantined, 200, 752296, , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb, Quarantined, 200, 752296, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb, Quarantined, 200, 752296, , , ,

File: 9
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 200, 752296, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 200, 752296, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb\000003.log, Quarantined, 200, 752296, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb\CURRENT, Quarantined, 200, 752296, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb\LOCK, Quarantined, 200, 752296, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb\LOG, Quarantined, 200, 752296, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb\MANIFEST-000001, Quarantined, 200, 752296, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OCEMOOEILOGFEFCKNBHNJLOFCFNHOHCB\2.0_0\JS\DAILYFEATURE.JS, Quarantined, 200, 752296, 1.0.25999, , ame,
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 834481, 1.0.25999, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  8. What is UpdateSearch?
The Malwarebytes research team has determined that UpdateSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by UpdateSearch?
You may see this entry in your list of installed Chrome extensions:
this icon in the Chrome menu-bar:
this changed setting:
You may have noticed these warnings during install:

How did UpdateSearch get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove UpdateSearch?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of UpdateSearch?
No, Malwarebytes removes UpdateSearch completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes, as well as Malwarebytes Browser Guard, would have protected you against the UpdateSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://feed.update-search.com/?q={searchTerms}&publisher=updatesearch&barcodeid=572640000000000
CHR DefaultSearchKeyword: Default -> UpdateSearch
CHR DefaultSuggestURL: Default -> hxxps://api.update-search.com/suggest/get?q={searchTerms}
CHR Extension: (UpdateSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd [2020-06-24]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd\1.1.0_0
Adds the file manifest.json"="6/24/2020 8:52 AM, 2090 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd\1.1.0_0\_metadata
Adds the file computed_hashes.json"="6/24/2020 8:52 AM, 6255 bytes, A
Adds the file verified_contents.json"="4/30/2020 8:38 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd\1.1.0_0\images
Adds the file logo-white-text.png"="4/30/2020 8:38 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd\1.1.0_0\images\icons
Adds the file 128x128.png"="6/24/2020 8:52 AM, 6275 bytes, A
Adds the file 16x16.png"="6/24/2020 8:52 AM, 598 bytes, A
Adds the file 64x64.png"="6/24/2020 8:52 AM, 2557 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd\1.1.0_0\scripts
Adds the file background.js"="4/30/2020 8:38 AM, 514579 bytes, A
Adds the file sitecontent.js"="4/30/2020 8:38 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd
Adds the file 000003.log"="6/24/2020 8:56 AM, 768 bytes, A
Adds the file CURRENT"="6/24/2020 8:52 AM, 16 bytes, A
Adds the file LOCK"="6/24/2020 8:52 AM, 0 bytes, A
Adds the file LOG"="6/24/2020 8:58 AM, 183 bytes, A
Adds the file MANIFEST-000001"="6/24/2020 8:52 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ipbebdplhinkhgodhhmbabjoemclmhjd
Adds the file UpdateSearch.ico"="6/24/2020 8:52 AM, 186152 bytes, A
Adds the file UpdateSearch.ico.md5"="6/24/2020 8:52 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"ipbebdplhinkhgodhhmbabjoemclmhjd"="REG_SZ", "70888CD0A83F56D1109DC3E61C67A4F37ACD2ADE4C0C39E251C96CBC0A4DCC0F"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/24/20
Scan Time: 9:05 AM
Log File: 1657944a-b5e9-11ea-9243-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.25943
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232209
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 2 min, 15 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ipbebdplhinkhgodhhmbabjoemclmhjd, Quarantined, 15192, 799722, , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd, Quarantined, 15192, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPBEBDPLHINKHGODHHMBABJOEMCLMHJD, Quarantined, 15192, 799722, 1.0.25943, , ame,

File: 8
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15192, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15192, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd\000003.log, Quarantined, 15192, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd\CURRENT, Quarantined, 15192, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd\LOCK, Quarantined, 15192, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd\LOG, Quarantined, 15192, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd\MANIFEST-000001, Quarantined, 15192, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPBEBDPLHINKHGODHHMBABJOEMCLMHJD\1.1.0_0\MANIFEST.JSON, Quarantined, 15192, 799722, 1.0.25943, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
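The "Possible signs in FRST logs" lines in the Serp App, File Conversion Now and UpdateSearch posts above all share one `CHR <key>: <profile> -> <value>` layout, with extension entries as a second shape. As an added example (not FRST's, Malwarebytes' or the author's code), this Python classifier parses such lines and flags the indicator kinds seen on this page: search and suggest providers pointing at the listed feed hosts, new tab pages overridden by the listed extension IDs, notification permissions for the listed hosts, and the extension entries themselves. The expected-search-host allowlist, the sample excerpt and the benign extension name and ID in it are constructed for the example.

```python
"""Classify the CHR lines of an FRST log for the hijack indicator types quoted on this page."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Extension IDs and feed/notification hosts quoted in the posts above.
KNOWN_HIJACKER_EXTENSIONS = {
    "dbabcdmajmpfkohmeemhchocmnfakeec": "Serp App / SportStreamSearch",
    "pgmoidaocldligppdkaimfdenjfhahlf": "Kalox APP",
    "ocemooeilogfefcknbhnjlofcfnhohcb": "File Conversion Now",
    "ipbebdplhinkhgodhhmbabjoemclmhjd": "UpdateSearch",
    "ijjbaliojphgfiakfehndobhialecmpl": "DownloadManagerNow",
}
KNOWN_HIJACKER_HOSTS = {"feed.sportstream-search.com", "api.sportstream-search.com",
                        "hp.hfileconversionnow.com", "pdfconverterguru.com",
                        "feed.update-search.com", "api.update-search.com"}
# Constructed allowlist (an assumption): hosts a default search provider is expected to use.
EXPECTED_SEARCH_HOSTS = {"google.com", "bing.com", "duckduckgo.com", "yahoo.com"}

LINE_RE = re.compile(r"^CHR (?P<key>\w+): (?P<profile>\S+) -> (?P<value>.*)$")
EXT_RE = re.compile(r"^CHR Extension: \((?P<name>[^)]*)\) - .*\\(?P<id>[a-p]{32}) \[[^\]]+\]$")
EXT_ID_RE = re.compile(r"chrome-extension://([a-p]{32})")


@dataclass
class Finding:
    kind: str  # search_url, suggest_url, keyword, newtab, notifications, extension
    value: str
    suspicious: bool
    reason: str
    extension_id: Optional[str] = None


def host_of(defanged_url: str) -> str:
    """FRST posts defang URLs as hxxp(s); restore the scheme, then take the host."""
    url = re.sub(r"^hxxp", "http", defanged_url.strip(), flags=re.IGNORECASE)
    return (urlparse(url).hostname or "").lower()


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for one CHR line, or None for line types this parser does not handle."""
    ext = EXT_RE.match(line)
    if ext:
        ext_id, name = ext.group("id"), ext.group("name")
        if ext_id in KNOWN_HIJACKER_EXTENSIONS:
            return Finding("extension", name, True,
                           f"known hijacker extension ({KNOWN_HIJACKER_EXTENSIONS[ext_id]})", ext_id)
        return Finding("extension", name, False, "extension not in the indicator set", ext_id)
    m = LINE_RE.match(line)
    if not m:
        return None
    key, value = m.group("key"), m.group("value")
    if key in ("DefaultSearchURL", "DefaultSuggestURL"):
        kind = "search_url" if key == "DefaultSearchURL" else "suggest_url"
        host = host_of(value)
        if host in KNOWN_HIJACKER_HOSTS:
            return Finding(kind, host, True, "search provider points at a known hijacker host")
        if not any(host == h or host.endswith("." + h) for h in EXPECTED_SEARCH_HOSTS):
            return Finding(kind, host, True, "search provider is not an expected search engine")
        return Finding(kind, host, False, "expected search provider")
    if key == "DefaultSearchKeyword":
        return Finding("keyword", value, False, "informational; judge together with DefaultSearchURL")
    if key == "NewTab":
        ids = EXT_ID_RE.findall(value)
        if not ids:
            return Finding("newtab", value, False, "new tab page not overridden by an extension")
        known = ids[0] in KNOWN_HIJACKER_EXTENSIONS
        return Finding("newtab", value, known, "new tab overridden by a known hijacker extension"
                       if known else "new tab overridden by an extension; review it", ids[0])
    if key == "Notifications":
        hosts = [host_of(u) for u in value.split(";") if u.strip()]
        bad = [h for h in hosts if h in KNOWN_HIJACKER_HOSTS]
        return Finding("notifications", ", ".join(hosts), bool(bad),
                       f"notification permission granted to known hijacker host(s): {', '.join(bad)}"
                       if bad else "notification permissions granted; review these hosts")
    return None


def analyze(frst_text: str) -> List[Finding]:
    return [f for f in map(classify_line, frst_text.splitlines()) if f is not None]


def suspicious_extension_ids(findings: List[Finding]) -> List[str]:
    """Distinct extension IDs implicated by a suspicious finding, in log order."""
    ids: List[str] = []
    for f in findings:
        if f.suspicious and f.extension_id and f.extension_id not in ids:
            ids.append(f.extension_id)
    return ids


# Constructed FRST excerpt: indicator lines quoted in the posts above, one benign extension
# line with a constructed name and ID, and one line type the parser deliberately skips.
SAMPLE_FRST = r"""CHR DefaultSearchURL: Default -> hxxps://feed.sportstream-search.com/?q={searchTerms}&publisher=sportstreamsearch&barcodeid=573450000000000
CHR DefaultSearchKeyword: Default -> SportStreamSearch
CHR DefaultSuggestURL: Default -> hxxps://api.sportstream-search.com/suggest/get?q={searchTerms}
CHR Extension: (SportStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec [2020-06-29]
CHR Notifications: Default -> hxxps://hp.hfileconversionnow.com; hxxps://pdfconverterguru.com
CHR NewTab: Default -> Active:"chrome-extension://ocemooeilogfefcknbhnjlofcfnhohcb/newtabhtml/newtabpage.html"
CHR Extension: (Example Benign Extension) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop [2020-06-01]
CHR Profile: Default [2020-06-29]
"""
```

Running `analyze(SAMPLE_FRST)` yields seven findings, five of them suspicious; `suspicious_extension_ids` then narrows the excerpt to the two extension IDs a responder would remove first.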
  9. What is DownloadManagerNow?
The Malwarebytes research team has determined that DownloadManagerNow is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by DownloadManagerNow?
You may see this browser extension:
these warnings during install:
You may see this icon in your browser's menu-bar:
this new startpage:
and this new setting:

How did DownloadManagerNow get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove DownloadManagerNow?
Our program Malwarebytes can detect and remove this potentially unwanted program.
You can use their own uninstall instructions first, but I would advise following the steps below anyway.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of DownloadManagerNow?
No, Malwarebytes' Anti-Malware removes DownloadManagerNow completely.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes, as well as Malwarebytes Browser Guard, would have protected you against the DownloadManagerNow hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR NewTab: Default -> Active:"chrome-extension://ijjbaliojphgfiakfehndobhialecmpl/ntp1.html"
CHR Extension: (DownloadManagerNow) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjbaliojphgfiakfehndobhialecmpl [2020-06-23]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjbaliojphgfiakfehndobhialecmpl\13.931.18.7871_0
Adds the file manifest.json"="6/23/2020 10:42 AM, 2576 bytes, A
Adds the file ntp1.html"="6/2/2020 7:06 PM, 1348 bytes, A
Adds the file ntp2.html"="6/2/2020 7:06 PM, 1282 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjbaliojphgfiakfehndobhialecmpl\13.931.18.7871_0\_locales
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjbaliojphgfiakfehndobhialecmpl\13.931.18.7871_0\_metadata
Adds the file computed_hashes.json"="6/23/2020 10:42 AM, 8008 bytes, A
Adds the file verified_contents.json"="6/2/2020 7:06 PM, 9283 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjbaliojphgfiakfehndobhialecmpl\13.931.18.7871_0\config
Adds the file config.json"="6/2/2020 7:06 PM, 2265 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjbaliojphgfiakfehndobhialecmpl\13.931.18.7871_0\icons
Adds the file icon128.png"="6/23/2020 10:42 AM, 10183 bytes, A
Adds the file icon16.png"="6/23/2020 10:42 AM, 546 bytes, A
Adds the file icon19disabled.png"="6/2/2020 7:06 PM, 1460 bytes, A
Adds the file icon19on.png"="6/23/2020 10:42 AM, 692 bytes, A
Adds the file icon48.png"="6/23/2020 10:42 AM, 2418 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjbaliojphgfiakfehndobhialecmpl\13.931.18.7871_0\js
Adds the file ajax.js"="6/2/2020 7:06 PM, 3263 bytes, A
Adds the file B2BService.js"="6/2/2020 7:06 PM, 11729 bytes, A
Adds the file babAPI.js"="6/2/2020 7:06 PM, 5950 bytes, A
Adds the file babClickHandler.js"="6/2/2020 7:06 PM, 3485 bytes, A
Adds the file babContentScript.js"="6/2/2020 7:06 PM, 10509 bytes, A
Adds the file babContentScriptAPI.js"="6/2/2020 7:06 PM, 13191 bytes, A
Adds the file babRemoteConfigProcessor.js"="6/2/2020 7:06 PM, 4311 bytes, A
Adds the file babTypeFactory.js"="6/2/2020 7:06 PM, 1999 bytes, A
Adds the file babTypeInjectionEmbededPage.js"="6/2/2020 7:06 PM, 3383 bytes, A
Adds the file babTypeInjectionIframe.js"="6/2/2020 7:06 PM, 2114 bytes, A
Adds the file babTypeInjectionIframeAPIProxy.js"="6/2/2020 7:06 PM, 3160 bytes, A
Adds the file babTypeInjectionScript.js"="6/2/2020 7:06 PM, 4111 bytes, A
Adds the file background.js"="6/2/2020 7:06 PM, 26477 bytes, A
Adds the file browserUtils.js"="6/2/2020 7:06 PM, 1896 bytes, A
Adds the file chrome.js"="6/2/2020 7:06 PM, 146 bytes, A
Adds the file contentScriptConnectionManager.js"="6/2/2020 7:06 PM, 23601 bytes, A
Adds the file dateTimeUtils.js"="6/2/2020 7:06 PM, 1213 bytes, A
Adds the file dlp.js"="6/2/2020 7:06 PM, 5852 bytes, A
Adds the file dlpHelper.js"="6/2/2020 7:06 PM, 1835 bytes, A
Adds the file extensionDetect.js"="6/2/2020 7:06 PM, 4357 bytes, A
Adds the file index.js"="6/2/2020 7:06 PM, 49 bytes, A
Adds the file localStorageContentScript.js"="6/2/2020 7:06 PM, 2237 bytes, A
Adds the file logger.js"="6/2/2020 7:06 PM, 531 bytes, A
Adds the file loggingLevelUtils.js"="6/2/2020 7:06 PM, 1976 bytes, A
Adds the file meta.js"="6/2/2020 7:06 PM, 3300 bytes, A
Adds the file newTabPageRedirectHandler.js"="6/2/2020 7:06 PM, 2902 bytes, A
Adds the file notificationService.js"="6/2/2020 7:06 PM, 15360 bytes, A
Adds the file offerService.js"="6/2/2020 7:06 PM, 17241 bytes, A
Adds the file pageUtils.js"="6/2/2020 7:06 PM, 2967 bytes, A
Adds the file PartnerId.js"="6/2/2020 7:06 PM, 16402 bytes, A
Adds the file polyfill.js"="6/2/2020 7:06 PM, 875 bytes, A
Adds the file product.js"="6/2/2020 7:06 PM, 8248 bytes, A
Adds the file pTagService.js"="6/2/2020 7:06 PM, 7125 bytes, A
Adds the file remoteConfigLoader.js"="6/2/2020 7:06 PM, 6179 bytes, A
Adds the file scheduler.js"="6/2/2020 7:06 PM, 4130 bytes, A
Adds the file splashPageRedirectHandler.js"="6/2/2020 7:06 PM, 2944 bytes, A
Adds the file storageUtils.js"="6/2/2020 7:06 PM, 1718 bytes, A
Adds the file surveyService.js"="6/2/2020 7:06 PM, 5401 bytes, A
Adds the file templateParser.js"="6/2/2020 7:06 PM, 3153 bytes, A
Adds the file ul.js"="6/2/2020 7:06 PM, 5856 bytes, A
Adds the file urlFragmentActions.js"="6/2/2020 7:06 PM, 2453 bytes, A
Adds the file urlUtils.js"="6/2/2020 7:06 PM, 6382 bytes, A
Adds the file util.js"="6/2/2020 7:06 PM, 5693 bytes, A
Adds the file watchExtensionsHandler.js"="6/2/2020 7:06 PM, 10297 bytes, A
Adds the file webtooltabAPI.js"="6/2/2020 7:06 PM, 9786 bytes, A
Adds the file webTooltabAPIProxy.js"="6/2/2020 7:06 PM, 8782 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijjbaliojphgfiakfehndobhialecmpl
Adds the file 000003.log"="6/23/2020 10:42 AM, 4827 bytes, A
Adds the file CURRENT"="6/23/2020 10:42 AM, 16 bytes, A
Adds the file LOCK"="6/23/2020 10:42 AM, 0 bytes, A
Adds the file LOG"="6/23/2020 10:46 AM, 184 bytes, A
Adds the file MANIFEST-000001"="6/23/2020 10:42 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"ijjbaliojphgfiakfehndobhialecmpl"="REG_SZ", "E2D436A20B6C0AF690CECB6F4AAAA7700DFDF53C67A910EDD865D0592A0AE4ED"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/23/20
Scan Time: 10:53 AM
Log File: 0546f8f4-b52f-11ea-8270-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.25901
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231529
Threats Detected: 13
Threats Quarantined: 13
Time Elapsed: 1 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ijjbaliojphgfiakfehndobhialecmpl, Quarantined, 1817, 456842, , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\ijjbaliojphgfiakfehndobhialecmpl, Quarantined, 1817, 456842, , , ,
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\ijjbaliojphgfiakfehndobhialecmpl, Quarantined, 1817, 456842, , , ,

File: 10
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1817, 456842, , , ,
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1817, 456842, , , ,
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijjbaliojphgfiakfehndobhialecmpl\000003.log, Quarantined, 1817, 456842, , , ,
PUP.Optional.MindSpark.Generic,
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijjbaliojphgfiakfehndobhialecmpl\CURRENT, Quarantined, 1817, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijjbaliojphgfiakfehndobhialecmpl\LOCK, Quarantined, 1817, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijjbaliojphgfiakfehndobhialecmpl\LOG, Quarantined, 1817, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijjbaliojphgfiakfehndobhialecmpl\LOG.old, Quarantined, 1817, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijjbaliojphgfiakfehndobhialecmpl\MANIFEST-000001, Quarantined, 1817, 456842, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IJJBALIOJPHGFIAKFEHNDOBHIALECMPL\13.931.18.7871_0\CONFIG\CONFIG.JSON, Quarantined, 1817, 456842, 1.0.25901, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IJJBALIOJPHGFIAKFEHNDOBHIALECMPL\13.931.18.7871_0\MANIFEST.JSON, Quarantined, 1817, 443121, 1.0.25901, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
10. What is PDFSearches?

The Malwarebytes research team has determined that PDFSearches is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications.

How do I know if my computer is affected by PDFSearches?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You will see this icon in your Chrome menu-bar:
and this changed setting:

How did PDFSearches get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove PDFSearches?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of PDFSearches?

No, Malwarebytes removes PDFSearches completely. If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the PDFSearches hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:

CHR DefaultSearchURL: Default -> hxxps://feed.pdf-searches.com/?q={searchTerms}&publisher=pdfsearches&barcodeid=573210000000000
CHR DefaultSearchKeyword: Default -> PDFSearches
CHR DefaultSuggestURL: Default -> hxxps://api.pdf-searches.com/suggest/get?q={searchTerms}
CHR Extension: (PDFSearches) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga [2020-06-22]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga\1.1.0_0
Adds the file manifest.json"="6/22/2020 8:56 AM, 2079 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga\1.1.0_0\_metadata
Adds the file computed_hashes.json"="6/22/2020 8:56 AM, 6255 bytes, A
Adds the file verified_contents.json"="6/2/2020 12:31 PM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga\1.1.0_0\images
Adds the file logo-white-text.png"="6/2/2020 12:31 PM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga\1.1.0_0\images\icons
Adds the file 128x128.png"="6/22/2020 8:56 AM, 5636 bytes, A
Adds the file 16x16.png"="6/22/2020 8:56 AM, 586 bytes, A
Adds the file 64x64.png"="6/22/2020 8:56 AM, 2679 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga\1.1.0_0\scripts
Adds the file background.js"="6/2/2020 12:31 PM, 514563 bytes, A
Adds the file sitecontent.js"="6/2/2020 12:31 PM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga
Adds the file 000003.log"="6/22/2020 9:01 AM, 811 bytes, A
Adds the file CURRENT"="6/22/2020 8:56 AM, 16 bytes, A
Adds the file LOCK"="6/22/2020 8:56 AM, 0 bytes, A
Adds the file LOG"="6/22/2020 9:01 AM, 183 bytes, A
Adds the file MANIFEST-000001"="6/22/2020 8:56 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pcobomgbaidijbidjaolnbnpdkjoijga
Adds the file PDFSearches.ico"="6/22/2020 8:56 AM, 183585 bytes, A
Adds the file PDFSearches.ico.md5"="6/22/2020 8:56 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"pcobomgbaidijbidjaolnbnpdkjoijga"="REG_SZ", "D9DD58C67FD675514C55010336AE17D400628D7FCD4DAC5C9A30B4974C3BA554"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/22/20
Scan Time: 9:14 AM
Log File: 0752051c-b458-11ea-ace4-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.931
Update Package Version: 1.0.25853
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231500
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 3 min, 39 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pcobomgbaidijbidjaolnbnpdkjoijga, Quarantined, 15193, 799722, , , ,

Registry Data: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)

Folder: 2
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga, Quarantined, 15193, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PCOBOMGBAIDIJBIDJAOLNBNPDKJOIJGA, Quarantined, 15193, 799722, 1.0.25853, , ame,

File: 8
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15193, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15193, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga\000003.log, Quarantined, 15193, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga\CURRENT, Quarantined, 15193, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga\LOCK, Quarantined, 15193, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga\LOG, Quarantined, 15193, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga\MANIFEST-000001, Quarantined, 15193, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PCOBOMGBAIDIJBIDJAOLNBNPDKJOIJGA\1.1.0_0\MANIFEST.JSON, Quarantined, 15193, 799722, 1.0.25853, , ame,

Physical Sector: 0 (No malicious items detected)
WMI: 0 (No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
11. What is SearchConverterz?

The Malwarebytes research team has determined that SearchConverterz is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by SearchConverterz?

You may see this entry in your list of installed Chrome extensions:
this icon in the Chrome menu-bar:
this changed setting:
You may have noticed these warnings during install:

How did SearchConverterz get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove SearchConverterz?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of SearchConverterz?

No, Malwarebytes removes SearchConverterz completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchConverterz hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:

CHR DefaultSearchURL: Default -> hxxps://feed.searchconverterz.com/?q={searchTerms}&publisher=searchconverterz&barcodeid=574940000000000
CHR DefaultSearchKeyword: Default -> SearchConverterz
CHR DefaultSuggestURL: Default -> hxxps://api.searchconverterz.com/suggest/get?q={searchTerms}
CHR Extension: (SearchConverterz) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo [2020-06-18]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0
Adds the file manifest.json"="6/18/2020 8:52 AM, 2132 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\_metadata
Adds the file computed_hashes.json"="6/18/2020 8:52 AM, 6255 bytes, A
Adds the file verified_contents.json"="6/9/2020 9:05 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\images
Adds the file logo-white-text.png"="6/9/2020 9:05 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\images\icons
Adds the file 128x128.png"="6/18/2020 8:52 AM, 9377 bytes, A
Adds the file 16x16.png"="6/18/2020 8:52 AM, 593 bytes, A
Adds the file 64x64.png"="6/18/2020 8:52 AM, 4016 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\scripts
Adds the file background.js"="6/9/2020 9:05 AM, 514642 bytes, A
Adds the file sitecontent.js"="6/9/2020 9:05 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo
Adds the file 000003.log"="6/18/2020 8:54 AM, 768 bytes, A
Adds the file CURRENT"="6/18/2020 8:52 AM, 16 bytes, A
Adds the file LOCK"="6/18/2020 8:52 AM, 0 bytes, A
Adds the file LOG"="6/18/2020 8:55 AM, 184 bytes, A
Adds the file MANIFEST-000001"="6/18/2020 8:52 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bcffpojcmpdmhnaeolghbpcebkaccbmo
Adds the file SearchConverterz.ico"="6/18/2020 8:52 AM, 194854 bytes, A
Adds the file SearchConverterz.ico.md5"="6/18/2020 8:52 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"bcffpojcmpdmhnaeolghbpcebkaccbmo"="REG_SZ", "366D152B09925B61272A21CDD0F80F94D56309BDB27FBF014556C136D97779C1"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/18/20
Scan Time: 9:00 AM
Log File: 71bea88a-b131-11ea-8e15-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.931
Update Package Version: 1.0.25676
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231803
Threats Detected: 13
Threats Quarantined: 13
Time Elapsed: 2 min, 58 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bcffpojcmpdmhnaeolghbpcebkaccbmo, Quarantined, 15202, 799722, , , ,

Registry Data: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)

Folder: 2
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo, Quarantined, 15202, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BCFFPOJCMPDMHNAEOLGHBPCEBKACCBMO, Quarantined, 15202, 799722, 1.0.25676, , ame,

File: 10
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15202, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15202, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\000003.log, Quarantined, 15202, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\CURRENT, Quarantined, 15202, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\LOCK, Quarantined, 15202, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\LOG, Quarantined, 15202, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\MANIFEST-000001, Quarantined, 15202, 799722, , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BCFFPOJCMPDMHNAEOLGHBPCEBKACCBMO\1.1.0_0\MANIFEST.JSON, Quarantined, 15202, 799722, 1.0.25676, , ame,
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 832188, 1.0.25676, , ame,
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 832188, 1.0.25676, , ame,

Physical Sector: 0 (No malicious items detected)
WMI: 0 (No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
12. What is Search Power?

The Malwarebytes research team has determined that Search Power is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Search Power?

You may see this entry in your list of installed Chrome extensions:
this empty and nameless icon in the Chrome menu-bar:
this changed setting:
You may have noticed these warnings during install:

How did Search Power get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove Search Power?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Search Power?

No, Malwarebytes removes Search Power completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Search Power hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:

CHR DefaultSearchURL: Default -> hxxps://searchpowerapp.com/results.php?p=9134&v=400&q={searchTerms}&source=default
CHR DefaultSearchKeyword: Default -> spa
CHR DefaultSuggestURL: Default -> hxxps://searchpowerapp.com/gjson.php?q={searchTerms}
CHR Extension: (Secure) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olbmkjjbhgnpkkgihoofenekfiagbick [2020-06-17]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olbmkjjbhgnpkkgihoofenekfiagbick\9.9.6_0
Adds the file background.js"="6/16/2020 1:57 PM, 14412 bytes, A
Adds the file manifest.json"="6/17/2020 8:58 AM, 1629 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olbmkjjbhgnpkkgihoofenekfiagbick\9.9.6_0\_metadata
Adds the file computed_hashes.json"="6/17/2020 8:58 AM, 388 bytes, A
Adds the file verified_contents.json"="6/16/2020 1:56 PM, 1648 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olbmkjjbhgnpkkgihoofenekfiagbick\9.9.6_0\icons
Adds the file icon128.png"="6/17/2020 8:58 AM, 2188 bytes, A
Adds the file icon48.png"="6/17/2020 8:58 AM, 88 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olbmkjjbhgnpkkgihoofenekfiagbick
Adds the file 000003.log"="6/17/2020 8:58 AM, 0 bytes, A
Adds the file CURRENT"="6/17/2020 8:58 AM, 16 bytes, A
Adds the file LOCK"="6/17/2020 8:58 AM, 0 bytes, A
Adds the file LOG"="6/17/2020 8:58 AM, 0 bytes, A
Adds the file MANIFEST-000001"="6/17/2020 8:58 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_olbmkjjbhgnpkkgihoofenekfiagbick
Adds the file Search Power.ico"="6/17/2020 8:58 AM, 162813 bytes, A
Adds the file Search Power.ico.md5"="6/17/2020 8:58 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"olbmkjjbhgnpkkgihoofenekfiagbick"="REG_SZ", "BAB8417DE55929F87A0A6F548617687AE399F99496F0840799663028D0B32BB4"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/17/20
Scan Time: 9:12 AM
Log File: d6b96ad6-b069-11ea-a79a-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.931
Update Package Version: 1.0.25628
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231817
Threats Detected: 18
Threats Quarantined: 18
Time Elapsed: 2 min, 13 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)

Registry Value: 1
PUP.Optional.SearchPowerApp.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|olbmkjjbhgnpkkgihoofenekfiagbick, Quarantined, 15145, 770853, , , ,

Registry Data: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)

Folder: 2
PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\olbmkjjbhgnpkkgihoofenekfiagbick, Quarantined, 15145, 770853, , , ,
PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OLBMKJJBHGNPKKGIHOOFENEKFIAGBICK, Quarantined, 15145, 770853, 1.0.25628, , ame,

File: 15
PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15145, 770853, , , ,
PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15145, 770853, , , ,
PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olbmkjjbhgnpkkgihoofenekfiagbick\000003.log, Quarantined, 15145, 770853, , , ,
PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olbmkjjbhgnpkkgihoofenekfiagbick\CURRENT, Quarantined, 15145, 770853, , , ,
PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olbmkjjbhgnpkkgihoofenekfiagbick\LOCK, Quarantined, 15145, 770853, , , ,
PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olbmkjjbhgnpkkgihoofenekfiagbick\LOG, Quarantined, 15145, 770853, , , ,
PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olbmkjjbhgnpkkgihoofenekfiagbick\MANIFEST-000001, Quarantined, 15145, 770853, , , ,
PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OLBMKJJBHGNPKKGIHOOFENEKFIAGBICK\9.9.6_0\BACKGROUND.JS, Quarantined, 15145, 770853, 1.0.25628, , ame,
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 407, 460701, 1.0.25628, , ame,
PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 233, 763703, 1.0.25628, , ame,
PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 233, 763703, 1.0.25628, , ame,
PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 233, 763703, 1.0.25628, , ame,
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 407, 460701, 1.0.25628, , ame,
PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 233, 763703, 1.0.25628, , ame,
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 407, 460701, 1.0.25628, , ame,

Physical Sector: 0 (No malicious items detected)
WMI: 0 (No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
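A small checker for the "Possible signs in FRST logs" lines quoted in the Serp App, PDFSearches, SearchConverterz and Search Power posts above, added here as an example; it is not part of the original posts and not Malwarebytes' or FRST's own tooling. It parses the CHR DefaultSearchURL, DefaultSuggestURL, DefaultSearchKeyword, NewTab and Extension lines, flags a search or suggest provider whose host is outside an assumed allowlist (EXPECTED_SEARCH_HOSTS is an assumption to replace with your own baseline), and matches extension IDs against the four IDs quoted in those posts. The sample log lines are constructed from the posts; the 32 x "a" extension ID is a constructed stand-in for an arbitrary benign extension.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Extension IDs quoted in the "CHR Extension:" lines of the posts above, keyed to
# the PUP each post describes (the display name Chrome shows may differ).
KNOWN_HIJACKER_EXTENSIONS = {
    "ijjbaliojphgfiakfehndobhialecmpl": "Serp App (shown as DownloadManagerNow)",
    "pcobomgbaidijbidjaolnbnpdkjoijga": "PDFSearches",
    "bcffpojcmpdmhnaeolghbpcebkaccbmo": "SearchConverterz",
    "olbmkjjbhgnpkkgihoofenekfiagbick": "Search Power (shown as Secure)",
}

# Assumption for this example: the only hosts a clean profile is expected to use
# as search/suggest provider. Set this to your own baseline.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

CHR_LINE = re.compile(r"^CHR (?P<key>[A-Za-z]+): (?P<rest>.*)$")
# "(Display name) - <profile path>\Extensions\<32-letter id> [YYYY-MM-DD]"
EXT_LINE = re.compile(
    r"^\((?P<name>[^)]*)\) - .*?\\Extensions\\(?P<id>[a-p]{32})(?: \[(?P<date>[0-9-]+)\])?\s*$"
)
EXT_ID_IN_URL = re.compile(r"chrome-extension://(?P<id>[a-p]{32})/")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "info"
    kind: str      # the FRST key (DefaultSearchURL, Extension, ...) that produced it
    detail: str


def _refang(url: str) -> str:
    """Forum posts write hxxp(s):// so links are not clickable; undo that for parsing."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)


def _value(rest: str) -> str:
    """FRST writes 'Default -> <value>'; return only the value."""
    return rest.split("->", 1)[1].strip() if "->" in rest else rest.strip()


def analyze_frst(text: str) -> list[Finding]:
    """Return findings for every CHR line in an FRST excerpt; other lines are ignored."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = CHR_LINE.match(raw.strip())
        if not m:
            continue
        key, rest = m.group("key"), m.group("rest")
        if key in ("DefaultSearchURL", "DefaultSuggestURL"):
            host = urlsplit(_refang(_value(rest))).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(Finding("high", key, f"{key} points at {host}"))
        elif key == "DefaultSearchKeyword":
            findings.append(Finding("info", key, f"search keyword is {_value(rest)!r}"))
        elif key == "NewTab":
            ext = EXT_ID_IN_URL.search(rest)
            if ext:
                eid = ext.group("id")
                who = KNOWN_HIJACKER_EXTENSIONS.get(eid, "unknown extension")
                findings.append(Finding("high", key, f"new tab page served by extension {eid} ({who})"))
        elif key == "Extension":
            em = EXT_LINE.match(rest)
            if not em:
                continue
            eid, name = em.group("id"), em.group("name")
            if eid in KNOWN_HIJACKER_EXTENSIONS:
                findings.append(Finding("high", key,
                                        f"extension {eid} shown as {name!r} is {KNOWN_HIJACKER_EXTENSIONS[eid]}"))
            else:
                findings.append(Finding("info", key, f"extension {eid} shown as {name!r}"))
    return findings


# Constructed sample: the Search Power and Serp App lines from the posts above plus
# one benign extension with a placeholder ID (not a real extension).
SAMPLE_FRST = r"""
CHR DefaultSearchURL: Default -> hxxps://searchpowerapp.com/results.php?p=9134&v=400&q={searchTerms}&source=default
CHR DefaultSearchKeyword: Default -> spa
CHR DefaultSuggestURL: Default -> hxxps://searchpowerapp.com/gjson.php?q={searchTerms}
CHR Extension: (Secure) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olbmkjjbhgnpkkgihoofenekfiagbick [2020-06-17]
CHR NewTab: Default -> Active:"chrome-extension://ijjbaliojphgfiakfehndobhialecmpl/ntp1.html"
CHR Extension: (Example benign extension) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [2020-06-01]
"""

if __name__ == "__main__":
    for f in analyze_frst(SAMPLE_FRST):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```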
13. What is Perfect Optimizer?

The Malwarebytes research team has determined that Perfect Optimizer is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with Perfect Optimizer?

This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar, your startmenu, and on your desktop:
and see these warnings during install:
and this type of screens during "operations":
You may see this entry in your list of installed programs:

How did Perfect Optimizer get on my computer?

These so-called system optimizers use different methods of getting installed. This particular one was installed by a bundler.

How do I remove Perfect Optimizer?

Our program Malwarebytes can detect and remove this potentially unwanted application.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Perfect Optimizer?

No, Malwarebytes removes Perfect Optimizer completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this system optimizer. As you can see below the full version of Malwarebytes would have protected you against the Perfect Optimizer installer.
It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

You may see these entries in FRST logs:

(WeiSiTianYu Software Develop Service Center -> Miracle Technologies) C:\Program Files (x86)\Perfect Optimizer\PerfectOptimizer.exe
Task: C:\Windows\Tasks\PerfectOptimizer_Home.Job => C:\Program Files (x86)\Perfect Optimizer\PerfectOptimizer.exe
C:\Program Files (x86)\Perfect Optimizer
C:\Users\{username}\Desktop\Perfect Optimizer.lnk
C:\Windows\Tasks\PerfectOptimizer_Home.Job
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Perfect Optimizer
(Weskysoft Inc. ) C:\Program Files\perfect-optimizer-5.2.6.63.exe

Alterations made by the installer:

File system details
---------------------------------------------
Adds the folder C:\Program Files (x86)\Perfect Optimizer
   Adds the file aamd532.dll"="1/25/2011 10:56 AM, 10752 bytes, A
   Adds the file ActiveX.dat"="1/25/2011 10:56 AM, 69294 bytes, A
   Adds the file Apps.dat"="1/25/2011 10:56 AM, 15448 bytes, A
   Adds the file Components.dat"="1/25/2011 10:56 AM, 1279 bytes, A
   Adds the file Config.db"="6/16/2020 9:11 AM, 58368 bytes, A
   Adds the file FreeUse.dll"="1/25/2011 10:56 AM, 246272 bytes, A
   Adds the file InstallDll.dll"="1/25/2011 10:56 AM, 32768 bytes, A
   Adds the file License.dll"="1/25/2011 10:56 AM, 99328 bytes, A
   Adds the file MiracleLib.dll"="1/25/2011 10:56 AM, 311296 bytes, A
   Adds the file PerfectOptimizer.exe"="1/25/2011 10:57 AM, 6376120 bytes, A
   Adds the file PerfectOptimizer.ini"="6/16/2020 9:12 AM, 712 bytes, A
   Adds the file SEClean.DLL"="1/25/2011 10:56 AM, 139264 bytes, A
   Adds the file SERes.DLL"="1/25/2011 10:56 AM, 4473344 bytes, A
   Adds the file sqlite3.dll"="1/25/2011 10:56 AM, 504293 bytes, A
   Adds the file unins000.dat"="6/16/2020 9:10 AM, 7316 bytes, A
   Adds the file unins000.exe"="6/16/2020 9:09 AM, 734490 bytes, A
   Adds the file Update.exe"="1/25/2011 10:56 AM, 1042944 bytes, A
   Adds the file website.url"="1/25/2011 10:56 AM, 164 bytes, A
   Adds the file WinUpdate.exe"="1/25/2011 10:56 AM, 1330688 bytes, A
Adds the folder C:\Program Files (x86)\Perfect Optimizer\Backup\Application
Adds the folder C:\Program Files (x86)\Perfect Optimizer\Backup\Registry\FirstBackup
Adds the folder C:\Program Files (x86)\Perfect Optimizer\Backup\Registry\FullBackup
Adds the folder C:\Program Files (x86)\Perfect Optimizer\Backup\Service
Adds the folder C:\Program Files (x86)\Perfect Optimizer\config
   Adds the file about.bmp"="1/25/2011 10:56 AM, 154544 bytes, A
   Adds the file head.bmp"="1/25/2011 10:56 AM, 149554 bytes, A
   Adds the file Lng2Const.xml"="1/25/2011 10:56 AM, 170704 bytes, A
   Adds the file logo.ico"="1/25/2011 10:56 AM, 34494 bytes, A
   Adds the file Menu.xml"="1/25/2011 10:56 AM, 7179 bytes, A
   Adds the file PerfectOptimzer.chm"="1/25/2011 10:56 AM, 0 bytes, A
   Adds the file register.jpg"="1/25/2011 10:56 AM, 37033 bytes, A
   Adds the file SmallLogo.bmp"="1/25/2011 10:56 AM, 3128 bytes, A
   Adds the file splash.jpg"="1/25/2011 10:56 AM, 103629 bytes, A
   Adds the file website.url"="1/25/2011 10:56 AM, 164 bytes, A
Adds the folder C:\Program Files (x86)\Perfect Optimizer\Data\Service
   Adds the file campus_model.bat"="1/25/2011 10:56 AM, 2217 bytes, A
   Adds the file default_model.bat"="1/25/2011 10:56 AM, 2192 bytes, A
   Adds the file home_model.bat"="1/25/2011 10:56 AM, 2202 bytes, A
   Adds the file interner_model.bat"="1/25/2011 10:56 AM, 2255 bytes, A
   Adds the file notebook_model.bat"="1/25/2011 10:56 AM, 2215 bytes, A
   Adds the file office_model.bat"="1/25/2011 10:56 AM, 2252 bytes, A
Adds the folder C:\Program Files (x86)\Perfect Optimizer\Temp
Adds the folder C:\Program Files (x86)\Perfect Optimizer\Update
Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Perfect Optimizer
   Adds the file Perfect Optimizer.lnk"="6/16/2020 9:10 AM, 2058 bytes, A
   Adds the file Uninstall.lnk"="6/16/2020 9:10 AM, 2018 bytes, A
   Adds the file Website.lnk"="6/16/2020 9:10 AM, 1099 bytes, A
In the existing folder C:\Users\{username}\Desktop
   Adds the file Perfect Optimizer.lnk"="6/16/2020 9:10 AM, 1110 bytes, A
In the existing folder C:\Windows\Tasks
   Adds the file PerfectOptimizer_Home.Job"="6/16/2020 9:10 AM, 382 bytes, A

Registry details
------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pox]
"(Default)"="REG_SZ", "pofile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pofile]
"(Default)"="REG_SZ", "Perfect Optimizer License"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pofile\DefaultIcon]
"(Default)"="REG_SZ", "C:\Program Files (x86)\Perfect Optimizer\PerfectOptimizer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pofile\Shell\Open\Command]
"(Default)"="REG_SZ", "C:\Program Files (x86)\Perfect Optimizer\PerfectOptimizer.exe "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A14A8608-CF1C-4010-A348-7EA220C70305}_is1]
"DisplayName"="REG_SZ", "Perfect Optimizer 5.2"
"HelpLink"="REG_SZ", "http://www.perfectoptimizer5.com"
"Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Perfect Optimizer"
"Inno Setup: Deselected Tasks"="REG_SZ", "quicklaunchicon"
"Inno Setup: Icon Group"="REG_SZ", "Perfect Optimizer"
"Inno Setup: Selected Tasks"="REG_SZ", "desktopicon"
"Inno Setup: Setup Version"="REG_SZ", "5.3.4 (a)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20200616"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\Perfect Optimizer\"
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "Weskysoft Inc."
"QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Perfect Optimizer\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files (x86)\Perfect Optimizer\unins000.exe""
"URLInfoAbout"="REG_SZ", "http://www.perfectoptimizer5.com"
"URLUpdateInfo"="REG_SZ", "http://www.perfectoptimizer5.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Weskysoft\Perfect Optimizer\5.2\EvidenceCleaner]
"Errors"="REG_SZ", "12"
"Fixes"="REG_SZ", "12"
"LastCleanDate"="REG_SZ", "Tuesday June 16, 2020 - 09:11 AM"
"LastCleanTime"="REG_SZ", "2020-06-16 9:11:53 AM"
"LastScanDate"="REG_SZ", "Tuesday June 16, 2020 - 09:11 AM"
"LastScanTime"="REG_SZ", "2020-06-16 9:11:24 AM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Weskysoft\Perfect Optimizer\5.2\JunkFileCleaner]
"FullScan"="REG_SZ", "1"
"LastCleanDate"="REG_SZ", "Tuesday June 16, 2020 - 09:11 AM"
"LastCleanTime"="REG_SZ", "2020-06-16 9:11:53 AM"
"LastScanDate"="REG_SZ", "Tuesday June 16, 2020 - 09:11 AM"
"LastScanTime"="REG_SZ", "2020-06-16 9:11:24 AM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Weskysoft\Perfect Optimizer\5.2\RegistryCleaner]
"Errors"="REG_SZ", "447"
"Fixes"="REG_SZ", "0"
"FullScan"="REG_SZ", "1"
"LastCleanDate"="REG_SZ", "Tuesday June 16, 2020 - 09:11 AM"
"LastCleanTime"="REG_SZ", "2020-06-16 9:11:53 AM"
"LastScanDate"="REG_SZ", "Tuesday June 16, 2020 - 09:11 AM"
"LastScanTime"="REG_SZ", "2020-06-16 9:11:24 AM"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Weskysoft\PerfectOptimizer]
"ProductID"="REG_SZ", "WS001"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Weskysoft\PerfectOptimizer\5.2.6]
"ImagePath"="REG_SZ", "C:\Program Files (x86)\Perfect Optimizer\PerfectOptimizer.exe"
"Registered"="REG_SZ", "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Weskysoft\PerfectOptimizer\6.0]
"Registered"="REG_SZ", "0"
[HKEY_CURRENT_USER\Software\undefined]
"perfect-optimizer-5.2.6.63.exe"="REG_SZ", "1592291383508,http://pf.benjaminstrahs.com/s/1592291208/en/8/1/81220-665092-perfect-optimizer.exe"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/16/20
Scan Time: 9:28 AM
Log File: ec98d52a-afa2-11ea-a362-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.931
Update Package Version: 1.0.25564
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231814
Threats Detected: 66
Threats Quarantined: 66
Time Elapsed: 2 min, 26 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\PerfectOptimizer.exe, Quarantined, 3269, 171126, , , , 

Module: 5
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\InstallDll.dll, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\MiracleLib.dll, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\PerfectOptimizer.exe, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\SEClean.DLL, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\sqlite3.dll, Quarantined, 3269, 171126, , , , 

Registry Key: 5
PUP.Optional.PerfectOptimizer, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{A14A8608-CF1C-4010-A348-7EA220C70305}_is1, Quarantined, 3269, 171126, , , , 
Rogue.FixTool, HKLM\SOFTWARE\CLASSES\.pox, Quarantined, 4470, 208014, 1.0.25564, , ame, 
Rogue.FixTool, HKLM\SOFTWARE\CLASSES\pofile, Quarantined, 4470, 208449, 1.0.25564, , ame, 
PUP.Optional.PerfectOptimizer, HKLM\SOFTWARE\WOW6432NODE\WESKYSOFT\Perfect Optimizer, Quarantined, 3269, 646011, 1.0.25564, , ame, 
PUP.Optional.PerfectOptimizer, HKLM\SOFTWARE\WOW6432NODE\WESKYSOFT\PerfectOptimizer, Quarantined, 3269, 646011, 1.0.25564, , ame, 

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 13
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Backup\Registry\FirstBackup, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Backup\Registry\FullBackup, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Backup\Application, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Backup\Registry, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Backup\Service, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Data\Service, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Backup, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\config, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Update, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Data, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Temp, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\PROGRAM FILES (X86)\PERFECT OPTIMIZER, Quarantined, 3269, 171126, 1.0.25564, , ame, 
PUP.Optional.PerfectOptimizer, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PERFECT OPTIMIZER, Quarantined, 3269, 171806, 1.0.25564, , ame, 

File: 42
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\config\about.bmp, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\config\head.bmp, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\config\Lng2Const.xml, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\config\logo.ico, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\config\Menu.xml, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\config\PerfectOptimzer.chm, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\config\register.jpg, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\config\SmallLogo.bmp, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\config\splash.jpg, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\config\website.url, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Data\Service\campus_model.bat, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Data\Service\default_model.bat, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Data\Service\home_model.bat, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Data\Service\interner_model.bat, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Data\Service\notebook_model.bat, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Data\Service\office_model.bat, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\aamd532.dll, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\ActiveX.dat, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Apps.dat, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Components.dat, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Config.db, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\FreeUse.dll, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\InstallDll.dll, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\License.dll, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\MiracleLib.dll, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\PerfectOptimizer.exe, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\PerfectOptimizer.ini, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\SEClean.DLL, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\SERes.DLL, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\sqlite3.dll, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\unins000.dat, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\unins000.exe, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\Update.exe, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\website.url, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\WinUpdate.exe, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\USERS\{username}\Desktop\Perfect Optimizer.lnk, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Perfect Optimizer\Perfect Optimizer.lnk, Quarantined, 3269, 171806, , , , 
PUP.Optional.PerfectOptimizer, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Perfect Optimizer\Uninstall.lnk, Quarantined, 3269, 171806, , , , 
PUP.Optional.PerfectOptimizer, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Perfect Optimizer\Website.lnk, Quarantined, 3269, 171806, , , , 
PUP.Optional.PerfectOptimizer, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\LOCALCOPY\{D9C1C7A5-2BBD-4082-8686-7C56416E2F95}-9688579CF3BF6B5D5B97C41786AEF46C44713EE0C0BFDFF924DC679E5086A7C4, Quarantined, 3269, 646008, 1.0.25564, , ame, 
PUP.Optional.PerfectOptimizer, C:\PROGRAM FILES\PERFECT-OPTIMIZER-5.2.6.63.EXE, Quarantined, 3269, 294560, 1.0.25564, , ame, 
PUP.Optional.PerfectOptimizer, C:\USERS\{username}\DESKTOP\DLLSUITE.EXE, Quarantined, 3269, 831629, 1.0.25564, , ame, 

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
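The scan log above is a flat text format that is easy to mine once you have a stack of them from several machines. The Python below is an added example of mine, not Malwarebytes' code, that parses the -Scan Details- block into records, tallies detections by section, name and action, cross-checks the count against the "Threats Detected" line, separates the files that were cleaned in place ("Replaced") from those quarantined, and flags any entry that is itself a persistence mechanism (a scheduled task or Run key). The sample log is constructed and modelled on the Perfect Optimizer log; the field layout (detection name, path, action, two numeric ids, package version, engine) is my reading of the lines above and is an assumption. Run on that sample it finds no scheduled-task entry at all, which is the practical reason the post tells you to check Scheduled Tasks separately after the scan.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt modelled on the Malwarebytes 4.x scan log shown above (not a real capture).
SAMPLE_LOG = r"""-Scan Summary-
Scan Type: Threat Scan
Threats Detected: 8
Threats Quarantined: 8

-Scan Details-
Process: 1
PUP.Optional.PerfectOptimizer, C:\Program Files (x86)\Perfect Optimizer\PerfectOptimizer.exe, Quarantined, 3269, 171126, , , , 
Module: 0
(No malicious items detected)
Registry Key: 3
PUP.Optional.PerfectOptimizer, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{A14A8608-CF1C-4010-A348-7EA220C70305}_is1, Quarantined, 3269, 171126, , , , 
Rogue.FixTool, HKLM\SOFTWARE\CLASSES\.pox, Quarantined, 4470, 208014, 1.0.25564, , ame, 
Rogue.FixTool, HKLM\SOFTWARE\CLASSES\pofile, Quarantined, 4470, 208449, 1.0.25564, , ame, 
Folder: 1
PUP.Optional.PerfectOptimizer, C:\PROGRAM FILES (X86)\PERFECT OPTIMIZER, Quarantined, 3269, 171126, 1.0.25564, , ame, 
File: 3
PUP.Optional.PerfectOptimizer, C:\USERS\{username}\Desktop\Perfect Optimizer.lnk, Quarantined, 3269, 171126, , , , 
PUP.Optional.PerfectOptimizer, C:\PROGRAM FILES\PERFECT-OPTIMIZER-5.2.6.63.EXE, Quarantined, 3269, 294560, 1.0.25564, , ame, 
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 233, 763703, 1.0.25628, , ame, 
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
"""


@dataclass
class Detection:
    section: str       # "Process", "Registry Key", "File", ...
    name: str          # detection name, e.g. PUP.Optional.PerfectOptimizer
    path: str          # file, folder or registry path
    action: str        # Quarantined, Replaced, ...
    rule_id: str
    detection_id: str


DECLARED_RE = re.compile(r"^Threats Detected: (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
# name, path, action, then two numeric ids; the remaining fields are optional (assumed layout)
DETAIL_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<path>.+?), (?P<action>[A-Za-z][A-Za-z -]*), (?P<rule>\d+), (?P<det>\d+),"
)


def parse_scan_log(text):
    """Return (declared_threat_count, [Detection, ...]) from the -Scan Details- block."""
    declared, detections, section, in_details = None, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = DECLARED_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        if line == "-Scan Details-":
            in_details = True          # section headers only count after this marker
            continue
        if not in_details or not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETAIL_RE.match(line)
        if m and section:
            detections.append(Detection(section, m["name"], m["path"], m["action"], m["rule"], m["det"]))
    return declared, detections


def summarize(detections):
    return {
        "by_section": Counter(d.section for d in detections),
        "by_name": Counter(d.name for d in detections),
        "by_action": Counter(d.action for d in detections),
    }


def consistency_check(declared, detections):
    """True when the parsed entries match the count the scanner declared (a truncated log fails this)."""
    return declared is not None and declared == len(detections)


def replaced_in_place(detections):
    """Paths cleaned in place rather than quarantined; typically browser preference stores."""
    return [d.path for d in detections if d.action == "Replaced"]


# Substrings (lower-cased) that mark an entry as a persistence mechanism in its own right.
PERSISTENCE_HINTS = ("\\windows\\tasks\\", "\\schedule\\taskcache\\", "\\currentversion\\run")


def persistence_items(detections):
    return [d.path for d in detections if any(h in d.path.lower() for h in PERSISTENCE_HINTS)]


if __name__ == "__main__":
    declared, found = parse_scan_log(SAMPLE_LOG)
    print("declared/parsed:", declared, len(found), "consistent:", consistency_check(declared, found))
    print(summarize(found))
    print("replaced in place:", replaced_in_place(found))
    print("persistence entries in log:", persistence_items(found) or "none (check Scheduled Tasks by hand)")
```

An empty result from `persistence_items` does not mean the machine is clean: it means the scanner's log gives you no evidence either way about `C:\Windows\Tasks\PerfectOptimizer_Home.Job` and the task cache, so that check has to be done on the host.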
14. What is Vista Search?

The Malwarebytes research team has determined that Vista Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications.

How do I know if my computer is affected by Vista Search?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You will see this icon in your Chrome menu-bar:
and this changed setting:

How did Vista Search get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove Vista Search?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Vista Search?

No, Malwarebytes removes Vista Search completely.
If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Vista Search hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:

CHR Notifications: Default -> hxxps://install.vista-search.com
CHR DefaultSearchURL: Default -> hxxps://feed.vista-search.com/?q={searchTerms}&publisher=vistasearch&barcodeid=568590000000000
CHR DefaultSearchKeyword: Default -> VistaSearch
CHR DefaultSuggestURL: Default -> hxxps://api.vista-search.com/suggest/get?q={searchTerms}
CHR Extension: (VistaSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaggjnlkeofmlmbhdbblcblillgnonfn [2020-06-15]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaggjnlkeofmlmbhdbblcblillgnonfn\1.1.0_0
   Adds the file manifest.json"="6/15/2020 10:26 AM, 2070 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaggjnlkeofmlmbhdbblcblillgnonfn\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="6/15/2020 10:26 AM, 11681 bytes, A
   Adds the file verified_contents.json"="2/25/2020 3:12 PM, 1921 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaggjnlkeofmlmbhdbblcblillgnonfn\1.1.0_0\images\icons
   Adds the file 128x128.png"="6/15/2020 10:26 AM, 7368 bytes, A
   Adds the file 16x16.png"="6/15/2020 10:26 AM, 626 bytes, A
   Adds the file 64x64.png"="6/15/2020 10:26 AM, 3223 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaggjnlkeofmlmbhdbblcblillgnonfn\1.1.0_0\scripts
   Adds the file background.js"="2/25/2020 3:12 PM, 998819 bytes, A
   Adds the file sitecontent.js"="2/25/2020 3:12 PM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn
   Adds the file 000003.log"="6/15/2020 10:30 AM, 806 bytes, A
   Adds the file CURRENT"="6/15/2020 10:26 AM, 16 bytes, A
   Adds the file LOCK"="6/15/2020 10:26 AM, 0 bytes, A
   Adds the file LOG"="6/15/2020 10:31 AM, 184 bytes, A
   Adds the file MANIFEST-000001"="6/15/2020 10:26 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_gaggjnlkeofmlmbhdbblcblillgnonfn
   Adds the file Vista Search.ico"="6/15/2020 10:27 AM, 195930 bytes, A
   Adds the file Vista Search.ico.md5"="6/15/2020 10:27 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"gaggjnlkeofmlmbhdbblcblillgnonfn"="REG_SZ", "C769C89FC23760C2A1A7821AE220875425D662AFD9F5D42110E66A3F7E6C92F8"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/15/20
Scan Time: 10:36 AM
Log File: 4b53b65e-aee3-11ea-bd53-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.931
Update Package Version: 1.0.25510
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231974
Threats Detected: 14
Threats Quarantined: 14
Time Elapsed: 3 min, 39 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.VistaSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gaggjnlkeofmlmbhdbblcblillgnonfn, Quarantined, 15225, 790795, , , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.VistaSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn, Quarantined, 15225, 790795, , , , 
PUP.Optional.VistaSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GAGGJNLKEOFMLMBHDBBLCBLILLGNONFN, Quarantined, 15225, 790795, 1.0.25510, , ame, 

File: 11
PUP.Optional.VistaSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15225, 790795, , , , 
PUP.Optional.VistaSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15225, 790795, , , , 
PUP.Optional.VistaSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn\000003.log, Quarantined, 15225, 790795, , , , 
PUP.Optional.VistaSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn\CURRENT, Quarantined, 15225, 790795, , , , 
PUP.Optional.VistaSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn\LOCK, Quarantined, 15225, 790795, , , , 
PUP.Optional.VistaSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn\LOG, Quarantined, 15225, 790795, , , , 
PUP.Optional.VistaSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn\MANIFEST-000001, Quarantined, 15225, 790795, , , , 
PUP.Optional.VistaSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GAGGJNLKEOFMLMBHDBBLCBLILLGNONFN\1.1.0_0\MANIFEST.JSON, Quarantined, 15225, 790795, 1.0.25510, , ame, 
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 789484, 1.0.25510, , ame, 
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 789484, 1.0.25510, , ame, 
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 789484, 1.0.25510, , ame, 

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
15. What is SearchZone?

The Malwarebytes research team has determined that SearchZone is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by SearchZone?

You may see this entry in your list of installed Chrome extensions:
this icon in the Chrome menu-bar:
this changed setting:
You may have noticed these warnings during install:

How did SearchZone get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove SearchZone?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of SearchZone?

No, Malwarebytes removes SearchZone completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchZone hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:

CHR DefaultSearchURL: Default -> hxxps://feed.search-zone.com/?q={searchTerms}&publisher=searchzone&barcodeid=571400000000000
CHR DefaultSearchKeyword: Default -> SearchZone
CHR DefaultSuggestURL: Default -> hxxps://api.search-zone.com/suggest/get?q={searchTerms}
CHR Extension: (SearchZone) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca [2020-06-11]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0
   Adds the file manifest.json"="6/11/2020 8:55 AM, 2066 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="6/11/2020 8:55 AM, 6255 bytes, A
   Adds the file verified_contents.json"="3/30/2020 10:59 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\images
   Adds the file logo-white-text.png"="3/30/2020 10:59 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\images\icons
   Adds the file 128x128.png"="6/11/2020 8:55 AM, 9964 bytes, A
   Adds the file 16x16.png"="6/11/2020 8:55 AM, 638 bytes, A
   Adds the file 64x64.png"="6/11/2020 8:55 AM, 3951 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\scripts
   Adds the file background.js"="3/30/2020 10:59 AM, 514547 bytes, A
   Adds the file sitecontent.js"="3/30/2020 10:59 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca
   Adds the file 000003.log"="6/11/2020 8:58 AM, 507 bytes, A
   Adds the file CURRENT"="6/11/2020 8:55 AM, 16 bytes, A
   Adds the file LOCK"="6/11/2020 8:55 AM, 0 bytes, A
   Adds the file LOG"="6/11/2020 8:59 AM, 184 bytes, A
   Adds the file MANIFEST-000001"="6/11/2020 8:55 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pffnooppclkbdcgfimcnlejkomocahca
   Adds the file SearchZone.ico"="6/11/2020 8:55 AM, 194220 bytes, A
   Adds the file SearchZone.ico.md5"="6/11/2020 8:55 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"pffnooppclkbdcgfimcnlejkomocahca"="REG_SZ", "BC732C83AA4E5896DA1D1719B9C521E69C1839D4E0674486609F0E6F99DEEF1B"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/11/20
Scan Time: 9:12 AM
Log File: f2e8fb74-abb2-11ea-aee9-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.931
Update Package Version: 1.0.25354
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232127
Threats Detected: 14
Threats Quarantined: 14
Time Elapsed: 2 min, 16 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pffnooppclkbdcgfimcnlejkomocahca, Quarantined, 15185, 799722, , , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca, Quarantined, 15185, 799722, , , , 
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PFFNOOPPCLKBDCGFIMCNLEJKOMOCAHCA, Quarantined, 15185, 799722, 1.0.25354, , ame, 

File: 11
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15185, 799722, , , , 
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15185, 799722, , , , 
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\000003.log, Quarantined, 15185, 799722, , , , 
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\CURRENT, Quarantined, 15185, 799722, , , , 
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\LOCK, Quarantined, 15185, 799722, , , , 
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\LOG, Quarantined, 15185, 799722, , , , 
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\LOG.old, Quarantined, 15185, 799722, , , , 
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\MANIFEST-000001, Quarantined, 15185, 799722, , , , 
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PFFNOOPPCLKBDCGFIMCNLEJKOMOCAHCA\1.1.0_0\MANIFEST.JSON, Quarantined, 15185, 799722, 1.0.25354, , ame, 
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813373, 1.0.25354, , ame, 
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813373, 1.0.25354, , ame, 

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
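The Vista Search (14) and SearchZone (15) posts above show the same three Chrome artefacts in FRST form: a replaced default search provider whose URL carries publisher and barcodeid tracking parameters, a notification permission granted to the hijacker's install site, and a Web Store extension whose manifest sets that search provider. The Python below is an added example of mine, not code from Malwarebytes or from FRST, that pulls those three facts out of a Chrome profile's Preferences JSON so the check can be scripted across many profiles. The sample Preferences document is constructed and modelled on the Vista Search entries; the key layout it relies on (default_search_provider_data.template_url_data, profile.content_settings.exceptions.notifications with setting 1 meaning allow, extensions.settings.<id>.manifest) is my reading of Chrome's format and is an assumption, as is the extension ID of the harmless second extension.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed excerpt of a Chrome profile's "Preferences" JSON (not a real profile).
# Key layout is assumed from Chrome's format; values are modelled on the FRST lines in post 14.
SEARCH_URL = "https://feed.vista-search.com/?q={searchTerms}&publisher=vistasearch&barcodeid=568590000000000"
SUGGEST_URL = "https://api.vista-search.com/suggest/get?q={searchTerms}"
SAMPLE_PREFERENCES = json.dumps({
    "default_search_provider_data": {"template_url_data": {
        "keyword": "VistaSearch", "short_name": "VistaSearch",
        "url": SEARCH_URL, "suggestions_url": SUGGEST_URL}},
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://install.vista-search.com:443,*": {"setting": 1},   # 1 = allow (assumption)
        "https://mail.example.org:443,*": {"setting": 2}}}}},       # 2 = block (assumption)
    "extensions": {"settings": {
        "gaggjnlkeofmlmbhdbblcblillgnonfn": {
            "state": 1, "from_webstore": True, "path": "gaggjnlkeofmlmbhdbblcblillgnonfn\\1.1.0_0",
            "manifest": {"name": "VistaSearch", "version": "1.1.0",
                         "chrome_settings_overrides": {"search_provider": {
                             "keyword": "VistaSearch", "search_url": SEARCH_URL,
                             "suggest_url": SUGGEST_URL, "is_default": True}}}},
        "abcdefghijklmnopabcdefghijklmnop": {          # constructed, harmless extension for contrast
            "state": 1, "from_webstore": True,
            "manifest": {"name": "Example Extension", "version": "2.0"}}}},
})

KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}
CONTENT_SETTING_ALLOW = 1


def load_prefs(text):
    return json.loads(text)


def default_search(prefs):
    """(keyword, host, url) of the profile's default search provider, empty strings if unset."""
    data = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    url = data.get("url", "")
    return data.get("keyword", ""), urlsplit(url).hostname or "", url


def is_search_hijacked(prefs, allowlist=KNOWN_SEARCH_HOSTS):
    _, host, _ = default_search(prefs)
    return bool(host) and host not in allowlist


def tracking_params(url):
    """Every query parameter except the search term: for these hijackers the publisher/barcodeid
    affiliate tracking, which is what ties a victim back to the distribution campaign."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items() if k != "q"}


def notification_allowances(prefs):
    """Origins allowed to push web notifications (the FRST 'CHR Notifications' line)."""
    exc = (prefs.get("profile", {}).get("content_settings", {})
           .get("exceptions", {}).get("notifications", {}))
    return sorted(pattern.split(",")[0] for pattern, v in exc.items()
                  if v.get("setting") == CONTENT_SETTING_ALLOW)


def extensions_overriding_search(prefs):
    """(id, name, search host) for every installed extension that declares a search_provider override."""
    out = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        sp = ext.get("manifest", {}).get("chrome_settings_overrides", {}).get("search_provider")
        if sp:
            host = urlsplit(sp.get("search_url", "")).hostname or ""
            out.append((ext_id, ext["manifest"].get("name", ""), host))
    return out


def is_valid_extension_id(ext_id):
    """Chrome extension IDs are 32 characters drawn from a..p (the hex digits of a SHA-256 shifted by 'a')."""
    return len(ext_id) == 32 and all("a" <= c <= "p" for c in ext_id)


def report(prefs):
    keyword, host, url = default_search(prefs)
    return {
        "search_keyword": keyword,
        "search_host": host,
        "search_hijacked": is_search_hijacked(prefs),
        "tracking": tracking_params(url),
        "notification_allowed": notification_allowances(prefs),
        "search_overriding_extensions": extensions_overriding_search(prefs),
    }


if __name__ == "__main__":
    print(json.dumps(report(load_prefs(SAMPLE_PREFERENCES)), indent=2))
```

Read the file, do not write it: Chrome keeps HMAC-protected copies of the search provider and extension settings in Secure Preferences (and, on Windows, the per-key MACs under HKCU\Software\Google\Chrome\PreferenceMACs), which is why the logs above show Secure Preferences being "Replaced" and the PreferenceMACs value quarantined rather than a simple file delete. Hand-editing Preferences without those MACs being updated makes Chrome treat the keys as tampered and reset them.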