Jump to content

Metallica

Staff
  • Posts

    2,876
  • Joined

  • Last visited

Reputation

24 Excellent

5 Followers

About Metallica

  • Birthday 05/19/1963

Contact Methods

  • Website URL
    https://www.malwarebytes.com

Profile Information

  • Location
    Netherlands

Recent Profile Visitors

199,761 profile views
  1. Too much praise, but thank you.
  2. Hi, Both the detection profiles have been set to hidden. It may take a few minutes before they become unavailable, and you may have to clear your cache if you keep seeing them. Take care
  3. The script is hosted on a site that is known to be involved in Tech Support Scams. So at the moment you can expect fake warnings about your computer security, but the hijackers can change the script at any moment.
  4. What is Key Tag? The Malwarebytes research team has determined that Key Tag is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search provider. How do I know if my computer is affected by Key Tag? You may see this entry in your list of installed Chrome extensions: and this setting: You may have noticed these warnings during install: How did Key Tag get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Key Tag? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Key Tag? No, Malwarebytes removes Key Tag completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Key Tag hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://www.keysearchs.com/search.php?src=ktgg&type=ds&q={searchTerms} CHR DefaultSearchKeyword: Default -> key CHR DefaultSuggestURL: Default -> hxxps://www.keysearchs.com/suggest.php?q={searchTerms} CHR Extension: (Key Tag) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eoddhgjaoadhpdlfaepfnbalbhbkicpb [2022-02-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eoddhgjaoadhpdlfaepfnbalbhbkicpb\1.3.1_0 Adds the file bg.js"="12/15/2021 11:07 PM, 1183 bytes, A Adds the file manifest.json"="2/11/2022 1:02 PM, 1441 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eoddhgjaoadhpdlfaepfnbalbhbkicpb\1.3.1_0\_metadata Adds the file computed_hashes.json"="2/11/2022 1:02 PM, 128 bytes, A Adds the file verified_contents.json"="1/19/2022 10:14 PM, 1640 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eoddhgjaoadhpdlfaepfnbalbhbkicpb\1.3.1_0\icons Adds the file image128.png"="2/11/2022 1:02 PM, 3469 bytes, A Adds the file image16.png"="2/11/2022 1:02 PM, 412 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "eoddhgjaoadhpdlfaepfnbalbhbkicpb"="REG_SZ", "EF49889A4BFF3398968D680355469D4E81AC2A4983DC42E680C88E777C1EDB4D" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/15/22 Scan Time: 9:23 AM Log File: 82493662-8e38-11ec-b9bb-080027235d76.json -Software Information- Version: 4.5.4.168 Components Version: 1.0.1599 Update Package Version: 1.0.51145 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 239409 Threats Detected: 5 Threats Quarantined: 5 Time Elapsed: 1 min, 33 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|eoddhgjaoadhpdlfaepfnbalbhbkicpb, Quarantined, 15734, 1018877, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EODDHGJAOADHPDLFAEPFNBALBHBKICPB, Quarantined, 15734, 1018877, 1.0.51145, , ame, , , File: 3 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15734, 1018877, , , , , 3C22B844FC36E83CF36B1C2881FFC294, F6F0FE2E7BD98A83709A893BE476C634863C47F9A6BD638C190CFA156830F268 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15734, 1018877, , , , , DFC8FEBDE62600979DBD07571ACDD08A, 610680AFDA4DAF317A1066F704427FF4DEE88F215D073A5D846FCC604D5219EC Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EODDHGJAOADHPDLFAEPFNBALBHBKICPB\1.3.1_0\BG.JS, Quarantined, 15734, 1018877, 1.0.51145, , ame, , 694DC1146BF786367CBAB261D684BF35, A57D0D213B1B4A960E06C98379E6558BD006B151D37EDB1C280FEF18867FA7B4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Security Suite? The Malwarebytes research team has determined that Security Suite is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one redirects your searches to a different search provider. How do I know if my computer is affected by Security Suite? You may see this entry in your list of installed Chrome extensions: and this new menu bar drop-down: You may have noticed these warnings during install: How did Security Suite get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Security Suite? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Security Suite? No, Malwarebytes removes Security Suite completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Security Suite hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Extension: (Security Suite) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci [2022-01-21] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci\1.0.0_0 Adds the file background.bundle.js"="12/23/2021 2:10 AM, 48459 bytes, A Adds the file browserAction.bundle.js"="12/23/2021 2:10 AM, 15321 bytes, A Adds the file browserAction.html"="12/23/2021 2:10 AM, 11629 bytes, A Adds the file content.bundle.js"="12/23/2021 2:10 AM, 6109 bytes, A Adds the file manifest.json"="1/21/2022 10:45 AM, 1627 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci\1.0.0_0\_locales\de Adds the file messages.json"="1/21/2022 10:45 AM, 2289 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci\1.0.0_0\_locales\en Adds the file messages.json"="1/21/2022 10:45 AM, 2148 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci\1.0.0_0\_locales\es Adds the file messages.json"="1/21/2022 10:45 AM, 2295 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci\1.0.0_0\_locales\fr Adds the file messages.json"="1/21/2022 10:45 AM, 2307 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci\1.0.0_0\_locales\it Adds the file messages.json"="1/21/2022 10:45 AM, 2321 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci\1.0.0_0\_locales\nl Adds the file messages.json"="1/21/2022 10:45 AM, 2351 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci\1.0.0_0\_locales\pt_PT Adds the file messages.json"="1/21/2022 10:45 AM, 2276 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci\1.0.0_0\_metadata Adds the file computed_hashes.json"="1/21/2022 10:45 AM, 2262 bytes, A Adds the file verified_contents.json"="12/23/2021 2:10 AM, 4188 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci\1.0.0_0\icons\default Adds the file Logo_128x128.png"="1/21/2022 10:45 AM, 3208 bytes, A Adds the file Logo_16x16.png"="1/21/2022 10:45 AM, 512 bytes, A Adds the file Logo_300x300.png"="12/23/2021 2:10 AM, 7468 bytes, A Adds the file Logo_32x32.png"="1/21/2022 10:45 AM, 921 bytes, A Adds the file Logo_48x48.png"="1/21/2022 10:45 AM, 1359 bytes, A Adds the file Logo_48x48_disabled.png"="12/23/2021 2:10 AM, 1344 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnplmdfcbmjbmifhkchinnhbbpognci\1.0.0_0\icons\ratings Adds the file A.png"="12/23/2021 2:10 AM, 1434 bytes, A Adds the file B.png"="12/23/2021 2:10 AM, 1490 bytes, A Adds the file C.png"="12/23/2021 2:10 AM, 1422 bytes, A Adds the file D.png"="12/23/2021 2:10 AM, 1410 bytes, A Adds the file E.png"="12/23/2021 2:10 AM, 1409 bytes, A Adds the file F.png"="12/23/2021 2:10 AM, 1379 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fgnplmdfcbmjbmifhkchinnhbbpognci Adds the file 000003.log"="1/21/2022 10:45 AM, 7868 bytes, A Adds the file CURRENT"="1/21/2022 10:45 AM, 16 bytes, A Adds the file LOCK"="1/21/2022 10:45 AM, 0 bytes, A Adds the file LOG"="1/21/2022 10:45 AM, 371 bytes, A Adds the file MANIFEST-000001"="1/21/2022 10:45 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fgnplmdfcbmjbmifhkchinnhbbpognci"="REG_SZ", "10DAAE9BA4D7944CEB3CBF4D1F93E05C5426378A6C159309D815CACA411B8BA2" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/21/22 Scan Time: 10:58 AM Log File: b7951fda-7aa0-11ec-8736-080027235d76.json -Software Information- Version: 4.5.2.157 Components Version: 1.0.1562 Update Package Version: 1.0.50089 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 240473 Threats Detected: 10 Threats Quarantined: 10 Time Elapsed: 1 min, 9 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SecuritySuite, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fgnplmdfcbmjbmifhkchinnhbbpognci, Quarantined, 2231, 1018014, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SecuritySuite, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\fgnplmdfcbmjbmifhkchinnhbbpognci, Quarantined, 2231, 1018014, , , , , , Adware.SecuritySuite, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\fgnplmdfcbmjbmifhkchinnhbbpognci, Quarantined, 2231, 1018014, 1.0.50089, , ame, , , File: 7 Adware.SecuritySuite, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 2231, 1018014, , , , , 84ECF2E6ADEB29C1639560F08559C008, 57E5149FE54A9F2AEB37B323331F526E4F90836EC1DD00A8D5DBD6DFB262E4BA Adware.SecuritySuite, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 2231, 1018014, , , , , 9FB64464C3102C7372A35D8EE34A8212, 196C699D241128600CAD2DF4A4D12141BF72D85278133705D983BB1A3E6D233C Adware.SecuritySuite, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fgnplmdfcbmjbmifhkchinnhbbpognci\000003.log, Quarantined, 2231, 1018014, , , , , F4376DD4A6BD43CD8222B4140457F716, 9811CA4E6A84B064023DF2AED386E450ED1EBF108E11979326E5911B8435DB3C Adware.SecuritySuite, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fgnplmdfcbmjbmifhkchinnhbbpognci\CURRENT, Quarantined, 2231, 1018014, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SecuritySuite, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fgnplmdfcbmjbmifhkchinnhbbpognci\LOCK, Quarantined, 2231, 1018014, , , , , , Adware.SecuritySuite, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fgnplmdfcbmjbmifhkchinnhbbpognci\LOG, Quarantined, 2231, 1018014, , , , , 86DFE0E50C7E1A4EA121665359CC07F6, 6C3E004CA518D36BD3EFF11E141337B02500E55C2FF55E9090F764C5451EF0A1 Adware.SecuritySuite, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fgnplmdfcbmjbmifhkchinnhbbpognci\MANIFEST-000001, Quarantined, 2231, 1018014, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Click Togo? The Malwarebytes research team has determined that Click Togo is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine. How do I know if my computer is affected by Click Togo? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did Click Togo get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Click Togo? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Click Togo? No, Malwarebytes removes Click Togo completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Click Togo hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://www.togosearching.com/webs?src=clktgg&type=ds&q={searchTerms} CHR DefaultSearchKeyword: Default -> Togo CHR DefaultSuggestURL: Default -> hxxps://www.togosearching.com/suggest?q={searchTerms} CHR Extension: (Click Togo) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\calcdbkiedkohechhbpbjnhibiaacooh [2022-01-03] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\calcdbkiedkohechhbpbjnhibiaacooh\1.3.22_0 Adds the file bg.js"="12/10/2021 3:23 PM, 2365 bytes, A Adds the file manifest.json"="1/3/2022 11:40 AM, 1803 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\calcdbkiedkohechhbpbjnhibiaacooh\1.3.22_0\_metadata Adds the file computed_hashes.json"="1/3/2022 11:40 AM, 128 bytes, A Adds the file verified_contents.json"="12/23/2021 10:58 PM, 1641 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\calcdbkiedkohechhbpbjnhibiaacooh\1.3.22_0\icons Adds the file image128.png"="1/3/2022 11:40 AM, 3061 bytes, A Adds the file image16.png"="1/3/2022 11:40 AM, 339 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "calcdbkiedkohechhbpbjnhibiaacooh"="REG_SZ", "0774A708AB7CB36021100C6D2FC45D78A578C2C5CA3033E26A4DE07C176107EC" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/6/22 Scan Time: 10:38 AM Log File: 73f565c8-6ed4-11ec-a052-080027235d76.json -Software Information- Version: 4.5.0.152 Components Version: 1.0.1538 Update Package Version: 1.0.49488 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 241273 Threats Detected: 4 Threats Quarantined: 4 Time Elapsed: 1 min, 42 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchHijacker, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|calcdbkiedkohechhbpbjnhibiaacooh, Quarantined, 361, 1013276, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 Adware.SearchHijacker, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\calcdbkiedkohechhbpbjnhibiaacooh, Quarantined, 361, 1013276, 1.0.49488, , ame, , , File: 2 Adware.SearchHijacker, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 361, 1013276, , , , , 52EBCC26D2CC01E6A8AB03FF661D9011, 9430F76861AF749264E9B74E230D5CD3C2826898E431E584B7F89ABA9D9431F0 Adware.SearchHijacker, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 361, 1013276, , , , , C707C417C8725EBE1A3C5FF3D71C8E2E, 257183645ACAB7DD895C131548743FAAC485245810FF634CB23E5543E267FAF4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is Best-Converter?The Malwarebytes research team has determined that Best-Converter is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one changes your default search provider.How do I know if my computer is affected by Best-Converter?You may see this entry in your list of installed Chrome extensions:and this changed setting:You may have noticed these warnings during install:How did Best-Converter get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Best-Converter?Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Best-Converter? No, Malwarebytes removes Best-Converter completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Best-Converter hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.best-converter.com/?q={searchTerms}&publisher=best-converter&barcodeid=594720000000000 CHR DefaultSearchKeyword: Default -> Best-Converter CHR DefaultSuggestURL: Default -> hxxps://api.best-converter.com/suggest/get?q={searchTerms} CHR Extension: (Best-Converter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\falafkefhfgmcdaclmghpdimoohebecg [2021-12-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\falafkefhfgmcdaclmghpdimoohebecg\1.0.2_0 Adds the file background.js"="8/16/2021 3:33 PM, 9828 bytes, A Adds the file content-script.js"="7/14/2021 10:54 AM, 77 bytes, A Adds the file manifest.json"="12/15/2021 11:33 AM, 1845 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\falafkefhfgmcdaclmghpdimoohebecg\1.0.2_0\_metadata Adds the file computed_hashes.json"="12/15/2021 11:33 AM, 341 bytes, A Adds the file verified_contents.json"="8/18/2021 12:00 PM, 1904 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\falafkefhfgmcdaclmghpdimoohebecg\1.0.2_0\images\icons Adds the file 128x128.png"="12/15/2021 11:33 AM, 4101 bytes, A Adds the file 16x16.png"="12/15/2021 11:33 AM, 469 bytes, A Adds the file 64x64.png"="12/15/2021 11:33 AM, 1911 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\falafkefhfgmcdaclmghpdimoohebecg Adds the file 000003.log"="12/15/2021 11:33 AM, 525 bytes, A Adds the file CURRENT"="12/15/2021 11:33 AM, 16 bytes, A Adds the file LOCK"="12/15/2021 11:33 AM, 0 bytes, A Adds the file LOG"="12/15/2021 11:33 AM, 369 bytes, A Adds the file MANIFEST-000001"="12/15/2021 11:33 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "falafkefhfgmcdaclmghpdimoohebecg"="REG_SZ", "5C0D917B02DE8B40270310582C77660435F97A68F9773BA77F940F093EFD778B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/15/21 Scan Time: 11:43 AM Log File: d034d708-5d93-11ec-884a-080027235d76.json -Software Information- Version: 4.5.0.152 Components Version: 1.0.1538 Update Package Version: 1.0.48630 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 242106 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 1 min, 16 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|falafkefhfgmcdaclmghpdimoohebecg, Quarantined, 15729, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\falafkefhfgmcdaclmghpdimoohebecg, Quarantined, 15729, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FALAFKEFHFGMCDACLMGHPDIMOOHEBECG, Quarantined, 15729, 799722, 1.0.48630, , ame, , , File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15729, 799722, , , , , 0CDE36A0A89B6E0F260A966A2E04AD75, BDB961CCDF5AD5043BC30CBF132B228EDF4E36DB56D2A24EDC0FC4C35BF34A2B Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15729, 799722, , , , , 6F660D8D0FF90B732C2B248FECD18F4B, 9F1E555A510F9286B61CEA604FF88EC9B649F66B8135D8F2234310D3C6579A32 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\falafkefhfgmcdaclmghpdimoohebecg\000003.log, Quarantined, 15729, 799722, , , , , 2C992068EAF8E515460CDD77D286FE2A, E7902417FED1BE7EC789023E38AE3F5431E0485A4504457F0D9267B105345574 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\falafkefhfgmcdaclmghpdimoohebecg\CURRENT, Quarantined, 15729, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\falafkefhfgmcdaclmghpdimoohebecg\LOCK, Quarantined, 15729, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\falafkefhfgmcdaclmghpdimoohebecg\LOG, Quarantined, 15729, 799722, , , , , 65BF91BF394206DBCF311EE0BA161D1F, D3F83593E0EED9491BE7A517A9A6F0431CD5A7FF74947EBEA2D4E227557D9763 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\falafkefhfgmcdaclmghpdimoohebecg\MANIFEST-000001, Quarantined, 15729, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FALAFKEFHFGMCDACLMGHPDIMOOHEBECG\1.0.2_0\MANIFEST.JSON, Quarantined, 15729, 799722, 1.0.48630, , ame, , 09B19B9BF2C70560FAF1A1B34F9A42AC, 792BC79934A649F687DB7D523C6AB8D232BE9FD88796E6AA5DB01B822F6A0D76 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Domain Trust Checker? The Malwarebytes research team has determined that Domain Trust Checker is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by Domain Trust Checker? You may see this entry in your list of installed Chrome extensions: and these warnings during install: How did Domain Trust Checker get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was promoted using fake alert sites. After a few redirects we ended up in the webstore. and is being promoted on their website: How do I remove Domain Trust Checker? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Domain Trust Checker? No, Malwarebytes removes Domain Trust Checker completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Domain Trust Checker hijacker. It would have blocked the domains redirecting you to the webstore: Technical details for experts Possible signs in FRST logs: CHR Extension: (Domain Trust Checker) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\acpeimiplhoapnlpldgapfbhgfnblgdp [2021-11-29] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\acpeimiplhoapnlpldgapfbhgfnblgdp\1.0_0 Adds the file krakFianim.js"="9/24/2021 3:41 AM, 9254 bytes, A Adds the file manifest.json"="11/29/2021 12:58 PM, 994 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\acpeimiplhoapnlpldgapfbhgfnblgdp\1.0_0\_metadata Adds the file computed_hashes.json"="11/29/2021 12:58 PM, 230 bytes, A Adds the file verified_contents.json"="9/24/2021 3:21 AM, 1885 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\acpeimiplhoapnlpldgapfbhgfnblgdp\1.0_0\gotHas Adds the file image128.png"="11/29/2021 12:58 PM, 6713 bytes, A Adds the file image16.png"="11/29/2021 12:58 PM, 723 bytes, A Adds the file image32.png"="11/29/2021 12:58 PM, 1687 bytes, A Adds the file image64.png"="11/29/2021 12:58 PM, 3587 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acpeimiplhoapnlpldgapfbhgfnblgdp Adds the file 000003.log"="11/29/2021 1:00 PM, 385 bytes, A Adds the file CURRENT"="11/29/2021 12:58 PM, 16 bytes, A Adds the file LOCK"="11/29/2021 12:58 PM, 0 bytes, A Adds the file LOG"="11/29/2021 12:58 PM, 371 bytes, A Adds the file MANIFEST-000001"="11/29/2021 12:58 PM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "acpeimiplhoapnlpldgapfbhgfnblgdp"="REG_SZ", "D6082339746C7BF48534C47330FAB3067C47F68BDAABEA8129B9FCCF70508E15" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/29/21 Scan Time: 1:08 PM Log File: 01eac764-510d-11ec-8c73-080027235d76.json -Software Information- Version: 4.4.11.149 Components Version: 1.0.1513 Update Package Version: 1.0.47866 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 242865 Threats Detected: 10 Threats Quarantined: 10 Time Elapsed: 1 min, 56 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ForcedExtension, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|acpeimiplhoapnlpldgapfbhgfnblgdp, Quarantined, 289, 1001449, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\acpeimiplhoapnlpldgapfbhgfnblgdp, Quarantined, 289, 1001449, , , , , , PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\acpeimiplhoapnlpldgapfbhgfnblgdp, Quarantined, 289, 1001449, 1.0.47866, , ame, , , File: 7 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 289, 1001449, , , , , EBF61DB459A8C3448E3EE40D792C4968, EF7943B7E7D1FEDBABA2DD4079920C12AA0D86350F87E58626E91DBB13DEDB20 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 289, 1001449, , , , , 7422C33110DC853FDEFC2C9713541ED4, C4B0BAD9517DD4D8BB8F67D15B122341D719FD1D33579EC49CC4EB5D71189B02 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acpeimiplhoapnlpldgapfbhgfnblgdp\000003.log, Quarantined, 289, 1001449, , , , , EC3EAF184A10597C994518D791E5164C, C068D90251E31A17385073D885B371684E1479423EC285AADC0F6D0781EB8457 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acpeimiplhoapnlpldgapfbhgfnblgdp\CURRENT, Quarantined, 289, 1001449, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acpeimiplhoapnlpldgapfbhgfnblgdp\LOCK, Quarantined, 289, 1001449, , , , , , PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acpeimiplhoapnlpldgapfbhgfnblgdp\LOG, Quarantined, 289, 1001449, , , , , 05470A1CFED9B73F3D0DE9C52F95D612, ADAFB2592060835F1A96CE4839A8533F293C6E8934A430A71D3D5013CC1EB63F PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acpeimiplhoapnlpldgapfbhgfnblgdp\MANIFEST-000001, Quarantined, 289, 1001449, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is Ad Avenger? The Malwarebytes research team has determined that Ad Avenger is a browser hijacker and forced Chrome extension. How do I know if my computer is affected by Ad Avenger? You may see these warnings during install: And this entry in your list of installed extensions: How did Ad Avenger get on my computer? Forced extensions use typical methods for distributing themselves. This particular one was promoted by a site mimicking a BSOD: and the extension was available in the webstore. How do I remove Ad Avenger? Our program Malwarebytes can detect and remove this unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Ad Avenger? No, Malwarebytes removes Ad Avenger completely. How would the full version of Malwarebytes help protect me? We protect our customers from these extensions by blocking the domains that spread them: Technical details for experts Possible signs in FRST logs: CHR Extension: (Ad Avenger) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp [2021-11-23] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0 Adds the file 52e286516679b6c2d008.svg"="9/21/2021 1:45 AM, 4463 bytes, A Adds the file 9dfe622de6dc7a5cdc2e.svg"="9/21/2021 1:45 AM, 2941 bytes, A Adds the file background.bundle.js"="9/24/2021 3:39 AM, 25398 bytes, A Adds the file db58c24b4bfbd18676af.svg"="9/21/2021 1:45 AM, 502 bytes, A Adds the file e3c2c7bee71bc670f6a5.svg"="9/21/2021 1:45 AM, 2804 bytes, A Adds the file e9879ccc8df45d3edffe.svg"="9/21/2021 1:45 AM, 502 bytes, A Adds the file f4e52e839adc286566c4.svg"="9/21/2021 1:45 AM, 7834 bytes, A Adds the file firstAdBlockedPopup.bundle.js"="9/22/2021 6:11 AM, 29717 bytes, A Adds the file manifest.json"="11/23/2021 10:43 AM, 1604 bytes, A Adds the file popup.bundle.js"="9/24/2021 3:39 AM, 3282 bytes, A Adds the file popup.css"="9/22/2021 6:11 AM, 2186 bytes, A Adds the file popup.html"="9/22/2021 6:11 AM, 3282 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\de Adds the file messages.json"="11/23/2021 10:43 AM, 1748 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\en Adds the file messages.json"="11/23/2021 10:43 AM, 1632 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\es Adds the file messages.json"="11/23/2021 10:43 AM, 1782 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\fr Adds the file messages.json"="11/23/2021 10:43 AM, 1866 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\it Adds the file messages.json"="11/23/2021 10:43 AM, 1753 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\nl Adds the file messages.json"="11/23/2021 10:43 AM, 1738 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\pt_PT Adds the file messages.json"="11/23/2021 10:43 AM, 1799 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_metadata Adds the file computed_hashes.json"="11/23/2021 10:43 AM, 39269 bytes, A Adds the file verified_contents.json"="9/21/2021 1:45 AM, 6553 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\adguard Adds the file adguard-api.js"="9/21/2021 3:00 AM, 1432010 bytes, A Adds the file adguard-assistant.js"="9/21/2021 1:45 AM, 9951 bytes, A Adds the file adguard-content.js"="9/21/2021 1:45 AM, 235507 bytes, A Adds the file filters.json"="9/21/2021 1:45 AM, 52213 bytes, A Adds the file filters_i18n.json"="9/21/2021 1:45 AM, 786872 bytes, A Adds the file redirects.yml"="9/21/2021 1:45 AM, 69056 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\adguard\assistant Adds the file assistant.js"="9/22/2021 6:11 AM, 476881 bytes, A Adds the file assistant.js.LICENSE.txt"="9/22/2021 6:11 AM, 66 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\icons Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\icons\disabled Adds the file 128x128.png"="9/21/2021 1:45 AM, 2082 bytes, A Adds the file 16x16.png"="9/21/2021 1:45 AM, 386 bytes, A Adds the file 24x24.png"="9/21/2021 1:45 AM, 1320 bytes, A Adds the file 32x32.png"="9/21/2021 1:45 AM, 617 bytes, A Adds the file 48x48.png"="9/21/2021 1:45 AM, 910 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\icons\enabled Adds the file 128x128.png"="11/23/2021 10:43 AM, 2279 bytes, A Adds the file 16x16.png"="11/23/2021 10:43 AM, 394 bytes, A Adds the file 24x24.png"="11/23/2021 10:43 AM, 978 bytes, A Adds the file 300x300.png"="9/21/2021 1:45 AM, 5342 bytes, A Adds the file 32x32.png"="11/23/2021 10:43 AM, 657 bytes, A Adds the file 48x48.png"="11/23/2021 10:43 AM, 967 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\icons\paused Adds the file 128x128.png"="9/21/2021 1:45 AM, 2106 bytes, A Adds the file 16x16.png"="9/21/2021 1:45 AM, 411 bytes, A Adds the file 24x24.png"="9/21/2021 1:45 AM, 1514 bytes, A Adds the file 32x32.png"="9/21/2021 1:45 AM, 630 bytes, A Adds the file 48x48.png"="9/21/2021 1:45 AM, 915 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp Adds the file 000004.log"="11/23/2021 10:43 AM, 47 bytes, A Adds the file 000005.ldb"="11/23/2021 10:43 AM, 3187284 bytes, A Adds the file CURRENT"="11/23/2021 10:43 AM, 16 bytes, A Adds the file LOCK"="11/23/2021 10:43 AM, 0 bytes, A Adds the file LOG"="11/23/2021 10:43 AM, 528 bytes, A Adds the file MANIFEST-000001"="11/23/2021 10:43 AM, 106 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "aabcnnmihfbpfblmeflmggaccdjlpfpp"="REG_SZ", "9BE250A1FB13FF810B53080319E2E28A2F7753C1BA7B85E32602EC3C6CD4D30B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/23/21 Scan Time: 10:51 AM Log File: fcf03380-4c42-11ec-a06d-080027235d76.json -Software Information- Version: 4.4.11.149 Components Version: 1.0.1513 Update Package Version: 1.0.47539 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 243147 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 0 min, 57 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ForcedExtension, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|aabcnnmihfbpfblmeflmggaccdjlpfpp, Quarantined, 290, 999753, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp, Quarantined, 290, 999753, , , , , , PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\aabcnnmihfbpfblmeflmggaccdjlpfpp, Quarantined, 290, 999753, 1.0.47539, , ame, , , File: 8 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 290, 999753, , , , , F88F08FFCF4016B6F561F7BE6D69917D, 08F79CF373A3A0973CC3254B059DC7F442B4938B7EA054D320CA51D9974436F8 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 290, 999753, , , , , 5D97162A5404EFBFC1CB01305EDF7181, 51FB74C1F45AAFF2316DEFC3675851E30B2B7506C7CB30C0BC63D74DCE0564A3 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\000004.log, Quarantined, 290, 999753, , , , , 4282EA14DF01A55AB2687A81A9633D89, FED16FB5E294C1022BE4212041BA4CF5FCEEC73978B736EDD4ED4A4C312A0B66 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\000005.ldb, Quarantined, 290, 999753, , , , , 7F157FA006DDE4EB5AD43046E0C1753D, A0017BF6FC0B37A824E5AE19C379C60F50AB2D69DA09AF56B3994FD78BF263ED PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\CURRENT, Quarantined, 290, 999753, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\LOCK, Quarantined, 290, 999753, , , , , , PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\LOG, Quarantined, 290, 999753, , , , , D9241EA5893EBD1A0E7AA5D565570510, 4CA77E3B669897F7F41A89AAEA908E585000682B125E1733B1F7DBD6C4D4D6A5 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\MANIFEST-000001, Quarantined, 290, 999753, , , , , A44370B5654C26C5F182A43733452105, 3406A540A4195A9FAE333C4946B98D81F1B1792E97392A33400974592F490408 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is Browser Guard?The Malwarebytes research team has determined that Browser Guard is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This one uses the name of a legitimate extension to attrackt more users.How do I know if my computer is affected by Browser Guard?You may see this entry in your list of installed extensions:and these warnings during install:How did Browser Guard get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Browser Guard?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Browser Guard? No, Malwarebytes removes Browser Guard completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes as well as the real Browser would have protected you against the Browser Guard hijacker. It would have blocked their domain, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (Browser Guard) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn [2021-11-22] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn\1.0.10_0 Adds the file background.js"="9/20/2021 1:55 PM, 5226 bytes, A Adds the file content.js"="9/20/2021 1:06 PM, 2002 bytes, A Adds the file domain_list.js"="8/23/2021 1:11 PM, 560260 bytes, A Adds the file icon.png"="11/22/2021 2:18 PM, 3045 bytes, A Adds the file manifest.json"="11/22/2021 2:18 PM, 7818 bytes, A Adds the file protector.js"="9/20/2021 1:04 PM, 297 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn\1.0.10_0\_locales\de Adds the file messages.json"="11/22/2021 2:18 PM, 536 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn\1.0.10_0\_locales\en Adds the file messages.json"="11/22/2021 2:18 PM, 529 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn\1.0.10_0\_locales\es Adds the file messages.json"="11/22/2021 2:18 PM, 552 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn\1.0.10_0\_locales\fr Adds the file messages.json"="11/22/2021 2:18 PM, 555 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn\1.0.10_0\_locales\it Adds the file messages.json"="11/22/2021 2:18 PM, 526 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn\1.0.10_0\_locales\pt_BR Adds the file messages.json"="11/22/2021 2:18 PM, 543 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn\1.0.10_0\_metadata Adds the file computed_hashes.json"="11/22/2021 2:18 PM, 95677 bytes, A Adds the file verified_contents.json"="9/20/2021 1:22 PM, 3893 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn\1.0.10_0\_metadata\generated_indexed_rulesets Adds the file _ruleset1"="11/22/2021 2:18 PM, 357699 bytes, A Adds the file _ruleset2"="11/22/2021 2:18 PM, 360019 bytes, A Adds the file _ruleset3"="11/22/2021 2:18 PM, 359163 bytes, A Adds the file _ruleset4"="11/22/2021 2:18 PM, 357011 bytes, A Adds the file _ruleset5"="11/22/2021 2:18 PM, 358931 bytes, A Adds the file _ruleset6"="11/22/2021 2:18 PM, 360043 bytes, A Adds the file _ruleset7"="11/22/2021 2:18 PM, 359339 bytes, A Adds the file _ruleset8"="11/22/2021 2:18 PM, 272395 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn\1.0.10_0\rules Adds the file rules_1.json"="8/23/2021 1:11 PM, 985439 bytes, A Adds the file rules_2.json"="8/23/2021 1:11 PM, 988187 bytes, A Adds the file rules_3.json"="8/23/2021 1:11 PM, 987562 bytes, A Adds the file rules_4.json"="8/23/2021 1:11 PM, 987225 bytes, A Adds the file rules_5.json"="8/23/2021 1:11 PM, 990138 bytes, A Adds the file rules_6.json"="8/23/2021 1:11 PM, 991247 bytes, A Adds the file rules_7.json"="8/23/2021 1:11 PM, 990344 bytes, A Adds the file rules_8.json"="8/23/2021 1:11 PM, 721757 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eijenmglnpmjhinahemfkokpomhbpjjn\1.0.10_0\web Adds the file background.svg"="8/23/2021 1:11 PM, 1666 bytes, A Adds the file block.html"="8/23/2021 1:11 PM, 1510 bytes, A Adds the file script.js"="8/23/2021 1:11 PM, 806 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eijenmglnpmjhinahemfkokpomhbpjjn Adds the file 000003.log"="11/22/2021 2:20 PM, 122 bytes, A Adds the file CURRENT"="11/22/2021 2:18 PM, 16 bytes, A Adds the file LOCK"="11/22/2021 2:18 PM, 0 bytes, A Adds the file LOG"="11/22/2021 2:18 PM, 371 bytes, A Adds the file MANIFEST-000001"="11/22/2021 2:18 PM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "eijenmglnpmjhinahemfkokpomhbpjjn"="REG_SZ", "BD32B9AC1E4CF87ACEE56CA822046B94522D61CF21DF00773D7D582C53648CA7" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/22/21 Scan Time: 2:27 PM Log File: f2c10246-4b97-11ec-a4c6-080027235d76.json -Software Information- Version: 4.4.10.144 Components Version: 1.0.1499 Update Package Version: 1.0.47505 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 243090 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 2 min, 1 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Cardinaldata, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|eijenmglnpmjhinahemfkokpomhbpjjn, Quarantined, 15730, 635567, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Cardinaldata, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\eijenmglnpmjhinahemfkokpomhbpjjn, Quarantined, 15730, 635567, , , , , , PUP.Optional.Cardinaldata, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EIJENMGLNPMJHINAHEMFKOKPOMHBPJJN, Quarantined, 15730, 635567, 1.0.47505, , ame, , , File: 8 PUP.Optional.Cardinaldata, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15730, 635567, , , , , 81F50C28EC7EE70E65BDFE1D3353829E, 5A1D28154A96A774AE053E9A83692AAEFDD75F6AFA42242A066F28AE4D5D8293 PUP.Optional.Cardinaldata, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15730, 635567, , , , , AC42984995712BF29C561F5F9DE90418, 13B857F0720A158546786F78A3417D053AB05A33FAB1284A5C51FD430BE46EFA PUP.Optional.Cardinaldata, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eijenmglnpmjhinahemfkokpomhbpjjn\000003.log, Quarantined, 15730, 635567, , , , , 2F23D9B1A95BC7E77A09E4474AD0634E, 05984D9F1F10326B725733D6A71B39CB0EDFF73FF43F60F3ED6B1D89457E9892 PUP.Optional.Cardinaldata, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eijenmglnpmjhinahemfkokpomhbpjjn\CURRENT, Quarantined, 15730, 635567, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.Cardinaldata, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eijenmglnpmjhinahemfkokpomhbpjjn\LOCK, Quarantined, 15730, 635567, , , , , , PUP.Optional.Cardinaldata, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eijenmglnpmjhinahemfkokpomhbpjjn\LOG, Quarantined, 15730, 635567, , , , , 84707930E55536E2751D9B0847FD9C67, 5FC9BB3B6D1D43FD78A73A93769A72483140170A16137B05AA6B7DA905601147 PUP.Optional.Cardinaldata, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eijenmglnpmjhinahemfkokpomhbpjjn\MANIFEST-000001, Quarantined, 15730, 635567, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.Cardinaldata, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EIJENMGLNPMJHINAHEMFKOKPOMHBPJJN\1.0.10_0\DOMAIN_LIST.JS, Quarantined, 15730, 635567, 1.0.47505, , ame, , BBE86324A14A1D61A59B803A5A72CE65, E7FDC839D4043AD9562312A9C358C506E6B748D7221C8FF0A5DCA35BF4CCE0E0 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is GoCouponSearch? The Malwarebytes research team has determined that GoCouponSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and also uses browser push notifications. How do I know if my computer is affected by GoCouponSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did GoCouponSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove GoCouponSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of GoCouponSearch? No, Malwarebytes removes GoCouponSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the GoCouponSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.gocouponsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.gocouponsearch.com/?q={searchTerms}&publisher=gocouponsearch&barcodeid=598040000000000 CHR DefaultSearchKeyword: Default -> GoCouponSearch CHR DefaultSuggestURL: Default -> hxxps://api.gocouponsearch.com/suggest/get?q={searchTerms} CHR Extension: (GoCouponSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bidpobjoffokopphiihehcdnbkgnhcek [2021-11-10] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bidpobjoffokopphiihehcdnbkgnhcek\1.0.0_0 Adds the file background.js"="11/2/2021 10:13 AM, 9855 bytes, A Adds the file content-script.js"="7/19/2021 2:11 PM, 77 bytes, A Adds the file manifest.json"="11/10/2021 3:33 PM, 1844 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bidpobjoffokopphiihehcdnbkgnhcek\1.0.0_0\_metadata Adds the file computed_hashes.json"="11/10/2021 3:33 PM, 461 bytes, A Adds the file verified_contents.json"="11/2/2021 10:13 AM, 2032 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bidpobjoffokopphiihehcdnbkgnhcek\1.0.0_0\images Adds the file logo-white-text.png"="11/2/2021 10:13 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bidpobjoffokopphiihehcdnbkgnhcek\1.0.0_0\images\icons Adds the file 128x128.png"="11/10/2021 3:33 PM, 3547 bytes, A Adds the file 16x16.png"="11/10/2021 3:33 PM, 658 bytes, A Adds the file 64x64.png"="11/10/2021 3:33 PM, 1934 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek Adds the file 000003.log"="11/10/2021 3:33 PM, 1183 bytes, A Adds the file CURRENT"="11/10/2021 3:33 PM, 16 bytes, A Adds the file LOCK"="11/10/2021 3:33 PM, 0 bytes, A Adds the file LOG"="11/10/2021 3:33 PM, 369 bytes, A Adds the file MANIFEST-000001"="11/10/2021 3:33 PM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bidpobjoffokopphiihehcdnbkgnhcek"="REG_SZ", "E43FE9FF9178C51B17B4E21C8DEB26A9E9122203DE321B8449916E684B8E3508" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/10/21 Scan Time: 3:43 PM Log File: 969b04ec-4234-11ec-9765-080027235d76.json -Software Information- Version: 4.4.10.144 Components Version: 1.0.1499 Update Package Version: 1.0.47046 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 247044 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 1 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bidpobjoffokopphiihehcdnbkgnhcek, Quarantined, 16027, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek, Quarantined, 16027, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BIDPOBJOFFOKOPPHIIHEHCDNBKGNHCEK, Quarantined, 16027, 799722, 1.0.47046, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16027, 799722, , , , , 32449F51B81CFF1B7D736C3917F219BE, 9AD86B9D378C3F96E8D6729D7DBA4FCF2D9315CB1944D4DF99F41278316C21D7 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16027, 799722, , , , , 7DBC88CE3AB2D33ADCA9CD338EA82551, C07DE02416B82045EFE3CFDD79375A8E32B53CF2394201DBCDEEE247BC4E8D02 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek\000003.log, Quarantined, 16027, 799722, , , , , CDB167F2FC2ABF221A10AF4980B4797B, 63D51C1DE6174655DB46F8740AD931DDE6F5B2FE1C3224C1C543E0AE719B3E71 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek\CURRENT, Quarantined, 16027, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek\LOCK, Quarantined, 16027, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek\LOG, Quarantined, 16027, 799722, , , , , 343A04C118092FC11253CFFD269896F0, B3F6E8181E4FE14A6F074F013AE8381DDFE8EDF72FE04A516440B68AC181EA84 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek\MANIFEST-000001, Quarantined, 16027, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BIDPOBJOFFOKOPPHIIHEHCDNBKGNHCEK\1.0.0_0\MANIFEST.JSON, Quarantined, 16027, 799722, 1.0.47046, , ame, , 3D033C530C0968CEE232BBFDD81E96B7, 35A2B69A80A96D6A350F2E604EDDA49CF89E0BA4D81D8505BFC9A72A6A7948F8 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 197, 832955, 1.0.47046, , ame, , 7DBC88CE3AB2D33ADCA9CD338EA82551, C07DE02416B82045EFE3CFDD79375A8E32B53CF2394201DBCDEEE247BC4E8D02 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is Anywhere Search? The Malwarebytes research team has determined that Anywhere Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is also a browser NewTab. How do I know if my computer is affected by Anywhere Search? You may see this entry in your list of installed Chrome extensions: these changed settings: You may have noticed these warnings during install: How did Anywhere Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: How do I remove Anywhere Search? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Anywhere Search? No, Malwarebytes removes Anywhere Search completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. Technical details for experts Possible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://hboldpniicbdhlfcejjlkdgnbppiaajn/my.html" CHR DefaultSearchURL: Default -> hxxps://anywheresearch.com/?id=26&keyword={searchTerms} CHR DefaultSearchKeyword: Default -> Anywhere Search CHR Extension: (Anywhere Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hboldpniicbdhlfcejjlkdgnbppiaajn [2021-11-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hboldpniicbdhlfcejjlkdgnbppiaajn\1.0.7_0 Adds the file code.js"="4/30/2021 6:43 PM, 51 bytes, A Adds the file manifest.json"="11/8/2021 12:48 PM, 1516 bytes, A Adds the file my.html"="4/30/2021 6:43 PM, 174 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hboldpniicbdhlfcejjlkdgnbppiaajn\1.0.7_0\_metadata Adds the file computed_hashes.json"="11/8/2021 12:48 PM, 918 bytes, A Adds the file verified_contents.json"="7/14/2021 8:47 PM, 2173 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hboldpniicbdhlfcejjlkdgnbppiaajn\1.0.7_0\image Adds the file 128.png"="11/8/2021 12:48 PM, 1121 bytes, A Adds the file 16.png"="11/8/2021 12:48 PM, 270 bytes, A Adds the file 32.png"="11/8/2021 12:48 PM, 488 bytes, A Adds the file 48.png"="11/8/2021 12:48 PM, 837 bytes, A Adds the file 64.png"="11/8/2021 12:48 PM, 913 bytes, A Adds the file Thumbs.db"="3/14/2021 12:26 AM, 7168 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hboldpniicbdhlfcejjlkdgnbppiaajn"="REG_SZ", "6C7DAF8E4E4BDD906F7FD4D631CBE2D8A268517B32591ECEEF707A15EC8F82A5" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/8/21 Scan Time: 12:58 PM Log File: 25c0309e-408b-11ec-919d-080027235d76.json -Software Information- Version: 4.4.10.144 Components Version: 1.0.1499 Update Package Version: 1.0.46966 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 246956 Threats Detected: 5 Threats Quarantined: 5 Time Elapsed: 1 min, 17 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hboldpniicbdhlfcejjlkdgnbppiaajn, Quarantined, 332, 995470, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HBOLDPNIICBDHLFCEJJLKDGNBPPIAAJN, Quarantined, 332, 995470, 1.0.46966, , ame, , , File: 3 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 332, 995470, , , , , CC5D7431C68DDF152F02C9FADA5FECCE, BE4F69166992EF75FD2E7A1B6B7E9BF6399DDB538E916C9D3B21F9B83BB95498 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 332, 995470, , , , , E1CBD9E419132BB8B32D36F5C2441FEF, F622574A998ABAF11FA196E8BC03FF15D0651839502180CF3C680E7BECE063B4 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HBOLDPNIICBDHLFCEJJLKDGNBPPIAAJN\1.0.7_0\MANIFEST.JSON, Quarantined, 332, 995470, 1.0.46966, , ame, , BAF2CA3429120FE175C1A3184C14FFF1, 92A0242553775B2A6FD93D950116805915A90DC26849FDBFA4BACA6456015677 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is Speed Check? The Malwarebytes research team has determined that Speed Check is a browser hijacker and forced Edge extension. This extension was available for Chrome and Firefox according tho their website, but those have been removed from the webstores. How do I know if my computer is affected by Speed Check? You may see these warnings during install: You may see this entry in your list of installed Edge extensions: and this icon in the browser's menu-bar: How did Speed Check get on my computer? Forced extensions use a typical method for distributing themselves. This particular one was also available in the webstore. and is being promoted on their website: How do I remove Speed Check? Our program Malwarebytes can detect and remove this unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Speed Check? No, Malwarebytes removes Speed Check completely. Technical details for experts Possible signs in FRST logs: Edge Extension: (Speed Check) - C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\kncjaipolcjphijglhbalgdpigdeldll [2021-11-04] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\kncjaipolcjphijglhbalgdpigdeldll\1.0_0 Adds the file manifest.json"="11/4/2021 11:21 AM, 987 bytes, A Adds the file ttrag.js"="9/9/2021 5:17 PM, 8869 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\kncjaipolcjphijglhbalgdpigdeldll\1.0_0\__MACOSX Adds the file ._ics"="9/9/2021 3:37 PM, 211 bytes, A Adds the file ._manifest.json"="9/9/2021 3:37 PM, 211 bytes, A Adds the file ._ttrag.js"="9/9/2021 5:17 PM, 211 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\kncjaipolcjphijglhbalgdpigdeldll\1.0_0\__MACOSX\ics Adds the file ._image128.png"="9/9/2021 3:37 PM, 211 bytes, A Adds the file ._image16.png"="9/9/2021 3:37 PM, 211 bytes, A Adds the file ._image32.png"="9/9/2021 3:37 PM, 211 bytes, A Adds the file ._image64.png"="9/9/2021 3:37 PM, 211 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\kncjaipolcjphijglhbalgdpigdeldll\1.0_0\_metadata Adds the file computed_hashes.json"="11/4/2021 11:21 AM, 1045 bytes, A Adds the file verified_contents.json"="9/13/2021 11:54 AM, 2960 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\kncjaipolcjphijglhbalgdpigdeldll\1.0_0\ics Adds the file image128.png"="11/4/2021 11:21 AM, 8193 bytes, A Adds the file image16.png"="11/4/2021 11:21 AM, 818 bytes, A Adds the file image32.png"="11/4/2021 11:21 AM, 1934 bytes, A Adds the file image64.png"="11/4/2021 11:21 AM, 3940 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\kncjaipolcjphijglhbalgdpigdeldll Adds the file 000003.log"="11/4/2021 11:21 AM, 317 bytes, A Adds the file CURRENT"="11/4/2021 11:21 AM, 16 bytes, A Adds the file LOCK"="11/4/2021 11:21 AM, 0 bytes, A Adds the file LOG"="11/4/2021 11:21 AM, 371 bytes, A Adds the file MANIFEST-000001"="11/4/2021 11:21 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings] "kncjaipolcjphijglhbalgdpigdeldll"="REG_SZ", "A89589C024F1C7CAC3B15D3C54D86230006D5604BC18FE9E533C5BAC1769E25B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/4/21 Scan Time: 11:31 AM Log File: 53ebb40e-3d5a-11ec-9ba9-080027235d76.json -Software Information- Version: 4.4.9.142 Components Version: 1.0.1486 Update Package Version: 1.0.46768 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 259693 Threats Detected: 9 Threats Quarantined: 9 Time Elapsed: 2 min, 15 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ForcedExtension, HKCU\SOFTWARE\MICROSOFT\EDGE\PREFERENCEMACS\Default\extensions.settings|kncjaipolcjphijglhbalgdpigdeldll, Quarantined, 298, 994286, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\Local Extension Settings\kncjaipolcjphijglhbalgdpigdeldll, Quarantined, 298, 994286, , , , , , PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\EXTENSIONS\kncjaipolcjphijglhbalgdpigdeldll, Quarantined, 298, 994286, 1.0.46768, , ame, , , File: 6 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\Secure Preferences, Replaced, 298, 994286, , , , , 184C32B404CEF12D2EB4B502A4DACEF2, F5861FF291C9F1E30C06C9A89910FCDF1ED5995F3BCCAF561EE77C44389B9CC2 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\kncjaipolcjphijglhbalgdpigdeldll\000003.log, Quarantined, 298, 994286, , , , , 92BFC1ADD9549F52AF3C696DCC36A681, D0662BBB6AB0A62566195D19F7688E9CB51838899ECDF08ADC3D62F4FDE1EBEA PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\kncjaipolcjphijglhbalgdpigdeldll\CURRENT, Quarantined, 298, 994286, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\kncjaipolcjphijglhbalgdpigdeldll\LOCK, Quarantined, 298, 994286, , , , , , PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\kncjaipolcjphijglhbalgdpigdeldll\LOG, Quarantined, 298, 994286, , , , , BD55481E29F5E906466345224A6E8F9A, 45F3940977E658510C3DF1D39D5C52F5172957B5A586FB6FE11337C960C0282C PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\kncjaipolcjphijglhbalgdpigdeldll\MANIFEST-000001, Quarantined, 298, 994286, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is Domain Quality? The Malwarebytes research team has determined that Domain Quality is a browser hijacker and forced Edge extension. This extension was available for Chrome and Firefox according tho their website, but those have been removed from the webstores. How do I know if my computer is affected by Domain Quality? You may see these warnings during install: You may see this entry in your list of installed Edge extensions: How did Domain Quality get on my computer? Forced extensions use a typical method for distributing themselves. This particular one was also available in the webstore. and is being promoted on their website: How do I remove Domain Quality? Our program Malwarebytes can detect and remove this unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Domain Quality? No, Malwarebytes removes Domain Quality completely. Technical details for experts Possible signs in FRST logs: Edge Extension: (Domain Quality) - C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\mibdbcmijlhpfbghdpgecafbaimbihll [2021-11-03] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\mibdbcmijlhpfbghdpgecafbaimbihll\1.0_0 Adds the file fundPas.js"="9/3/2021 12:34 PM, 8682 bytes, A Adds the file manifest.json"="11/3/2021 10:54 AM, 1013 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\mibdbcmijlhpfbghdpgecafbaimbihll\1.0_0\_metadata Adds the file computed_hashes.json"="11/3/2021 10:54 AM, 227 bytes, A Adds the file verified_contents.json"="9/3/2021 3:29 PM, 2109 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\mibdbcmijlhpfbghdpgecafbaimbihll\1.0_0\conesF Adds the file image128.png"="11/3/2021 10:54 AM, 6078 bytes, A Adds the file image16.png"="11/3/2021 10:54 AM, 727 bytes, A Adds the file image32.png"="11/3/2021 10:54 AM, 1611 bytes, A Adds the file image64.png"="11/3/2021 10:54 AM, 2842 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings] "mibdbcmijlhpfbghdpgecafbaimbihll"="REG_SZ", "C7DFADA31CA78AA91900A543871A060BDA90795836EECC8A86933D15E3C86A03" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/3/21 Scan Time: 11:14 AM Log File: e297b5f8-3c8e-11ec-beef-080027235d76.json -Software Information- Version: 4.4.9.142 Components Version: 1.0.1486 Update Package Version: 1.0.46718 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 259683 Threats Detected: 10 Threats Quarantined: 10 Time Elapsed: 2 min, 7 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ForcedExtension, HKCU\SOFTWARE\MICROSOFT\EDGE\PREFERENCEMACS\Default\extensions.settings|mibdbcmijlhpfbghdpgecafbaimbihll, Quarantined, 298, 980942, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\Local Extension Settings\mibdbcmijlhpfbghdpgecafbaimbihll, Quarantined, 298, 980942, , , , , , PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\DEFAULT\EXTENSIONS\MIBDBCMIJLHPFBGHDPGECAFBAIMBIHLL, Quarantined, 298, 980942, 1.0.46718, , ame, , , File: 7 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\Secure Preferences, Replaced, 298, 980942, , , , , 89A9F853B5164E3CC514B36F1AD2CC4C, 17056E84BC27F3F42D8A8F432D59A452D2C66C1E80A349CA021C22589784C139 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\mibdbcmijlhpfbghdpgecafbaimbihll\000003.log, Quarantined, 298, 980942, , , , , 04745E4090E6D2D6FCC2DD53D80F8CFD, 8D7DB095B372D95503CABD522A82B49EEE66678C2F13D5EE16CC678836B2D103 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\mibdbcmijlhpfbghdpgecafbaimbihll\CURRENT, Quarantined, 298, 980942, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\mibdbcmijlhpfbghdpgecafbaimbihll\LOCK, Quarantined, 298, 980942, , , , , , PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\mibdbcmijlhpfbghdpgecafbaimbihll\LOG, Quarantined, 298, 980942, , , , , 33033261C3A3EBB2DD072A322D6033EE, B749B33F8434E616F021485E5665F2FE4E518883CD9A02134BD4F35699DBC7E1 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\mibdbcmijlhpfbghdpgecafbaimbihll\MANIFEST-000001, Quarantined, 298, 980942, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\DEFAULT\EXTENSIONS\MIBDBCMIJLHPFBGHDPGECAFBAIMBIHLL\1.0_0\FUNDPAS.JS, Quarantined, 298, 980942, 1.0.46718, , ame, , 1A123AD0900F3197034142AE00887421, C1759C6FC33983A3C021FE36636A812EF9D9A394DE94736833DB624C9BE6686D Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is Search-Streamly? The Malwarebytes research team has determined that Search-Streamly is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular changes the default search engine to their own and pushes notifications. How do I know if my computer is affected by Search-Streamly? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did Search-Streamly get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Search-Streamly? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Search-Streamly? No, Malwarebytes removes Search-Streamly completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Search-Streamly hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps//feed.search-streamly.com/?q={searchTerms}&publisher=search-streamly&barcodeid=579280000000000 CHR DefaultSearchKeyword: Default -> Search-Streamly CHR DefaultSuggestURL: Default -> hxxps//api.search-streamly.com/suggest/get?q={searchTerms} CHR Extension: (Search-Streamly) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid [2021-10-26] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid\1.1.0_0 Adds the file manifest.json"="10/26/2021 2:36 PM, 2120 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid\1.1.0_0\_metadata Adds the file computed_hashes.json"="10/26/2021 2:36 PM, 6255 bytes, A Adds the file verified_contents.json"="8/6/2020 1:56 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid\1.1.0_0\images Adds the file logo-white-text.png"="8/6/2020 1:56 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid\1.1.0_0\images\icons Adds the file 128x128.png"="10/26/2021 2:36 PM, 4496 bytes, A Adds the file 16x16.png"="10/26/2021 2:36 PM, 515 bytes, A Adds the file 64x64.png"="10/26/2021 2:36 PM, 2196 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid\1.1.0_0\scripts Adds the file background.js"="8/6/2020 1:56 PM, 514520 bytes, A Adds the file sitecontent.js"="8/6/2020 1:56 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid Adds the file 000003.log"="10/26/2021 2:38 PM, 788 bytes, A Adds the file CURRENT"="10/26/2021 2:36 PM, 16 bytes, A Adds the file LOCK"="10/26/2021 2:36 PM, 0 bytes, A Adds the file LOG"="10/26/2021 2:36 PM, 367 bytes, A Adds the file MANIFEST-000001"="10/26/2021 2:36 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bkkgimecfbbbcgaalhpfgjappihanfid Adds the file Search-Streamly.ico"="10/26/2021 2:36 PM, 176434 bytes, A Adds the file Search-Streamly.ico.md5"="10/26/2021 2:36 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bkkgimecfbbbcgaalhpfgjappihanfid"="REG_SZ", "48773173CF76D75BA80335A7D39E1210203D388CB68F8431F250307D2EE43071" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/26/21 Scan Time: 4:12 PM Log File: b214b8aa-3666-11ec-819a-080027235d76.json -Software Information- Version: 4.4.9.142 Components Version: 1.0.1486 Update Package Version: 1.0.46402 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 259583 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bkkgimecfbbbcgaalhpfgjappihanfid, Quarantined, 17004, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid, Quarantined, 17004, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BKKGIMECFBBBCGAALHPFGJAPPIHANFID, Quarantined, 17004, 799722, 1.0.46402, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 17004, 799722, , , , , 9F2FFA09BD1B52ABDC2908FB887D15FB, 5014C31E43414FE0B273660B2FF27F4634EAF592B2182C16A26CD6713EEB1E9D Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 17004, 799722, , , , , 9957C864E6F6D49863794ED9847FDDB3, 940E2DC3C43819E1A7B20D95C590B8405656ED352DAEF6DA3AA35359B2FB5F20 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid\000003.log, Quarantined, 17004, 799722, , , , , 3304073DFEF2BCD3F98519F129E5386D, 46ED7ED6B8CB0E8ABB6F44C279505D0C5A893C1A5F68C4E16A9101BFD68EA5D2 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid\CURRENT, Quarantined, 17004, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid\LOCK, Quarantined, 17004, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid\LOG, Quarantined, 17004, 799722, , , , , 95E1CD941E558255782414987CA9D9D8, D2E630676E4C121D2F0003F1CE9F7D4F682D928505841DF5E6E7B466EF5B5E58 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid\MANIFEST-000001, Quarantined, 17004, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BKKGIMECFBBBCGAALHPFGJAPPIHANFID\1.1.0_0\MANIFEST.JSON, Quarantined, 17004, 799722, 1.0.46402, , ame, , B40D207A04049A901B1EF9CC3358A407, B257CAB973493C61D5BFACBB27D209208E6D1E4632061137F1E89465668BC0E7 PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 839078, 1.0.46402, , ame, , 9957C864E6F6D49863794ED9847FDDB3, 940E2DC3C43819E1A7B20D95C590B8405656ED352DAEF6DA3AA35359B2FB5F20 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.