Metallica

What is Quick App? The Malwarebytes research team has determined that Quick App is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one chnages your default search engine. How do I know if my computer is affected by Quick App? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did Quick App get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Quick App? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Quick App? No, Malwarebytes removes Quick App completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Quick App hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://www.quicknewtab.com/results.php?type=ds&src=extv2&e=google&q={searchTerms} CHR DefaultSearchKeyword: Default -> Quick CHR Extension: (Quick) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eehgikplhckpjnmmeofabmggefoipnog [2021-04-07] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eehgikplhckpjnmmeofabmggefoipnog\21.3.17_0 Adds the file background.js"="3/28/2021 10:49 PM, 1394 bytes, A Adds the file index.html"="3/28/2021 10:19 PM, 9849 bytes, A Adds the file manifest.json"="4/7/2021 8:53 AM, 1542 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eehgikplhckpjnmmeofabmggefoipnog\21.3.17_0\_metadata Adds the file computed_hashes.json"="4/7/2021 8:53 AM, 3292 bytes, A Adds the file verified_contents.json"="3/28/2021 10:36 PM, 2303 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eehgikplhckpjnmmeofabmggefoipnog\21.3.17_0\css Adds the file s.css"="12/7/2019 11:42 PM, 17942 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eehgikplhckpjnmmeofabmggefoipnog\21.3.17_0\icons Adds the file button.png"="4/7/2021 8:53 AM, 941 bytes, A Adds the file icon128.png"="4/7/2021 8:53 AM, 16644 bytes, A Adds the file icon48.png"="4/7/2021 8:53 AM, 286 bytes, A Adds the file icon64.png"="4/7/2021 8:53 AM, 6589 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eehgikplhckpjnmmeofabmggefoipnog\21.3.17_0\s Adds the file jquery.js"="12/6/2019 3:52 PM, 97166 bytes, A Adds the file s.js"="3/28/2021 10:35 PM, 61693 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "eehgikplhckpjnmmeofabmggefoipnog"="REG_SZ", "7146279A05E43C16ABADD0DFFA9726D5243BE3C481A3A5ECC436F2E85A71A9AE" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/7/21 Scan Time: 2:12 PM Log File: 7f3371a8-979a-11eb-9e15-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1249 Update Package Version: 1.0.39187 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233755 Threats Detected: 4 Threats Quarantined: 4 Time Elapsed: 2 min, 24 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|eehgikplhckpjnmmeofabmggefoipnog, Quarantined, 336, 928822, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\Google\Chrome\USER DATA\Default\EXTENSIONS\eehgikplhckpjnmmeofabmggefoipnog, Quarantined, 336, 928822, 1.0.39187, , ame, , , File: 2 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 336, 928822, , , , , 226666EA8717F009882A6BC253BACE9D, B002AA0C13F06729EB1FD6ED8F5443433B278EBCB651657B1980315A75AD06AD PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 336, 928822, , , , , FC912CFF12CECA69A8B4CE3B5E48B395, C7E0FB9473C836732379C7FCCA258918CCB85B2372E476B3574A698E73ADF008 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Color page? The Malwarebytes research team has determined that Color page is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one closes your search tab and opens a new one with their own search engine. How do I know if my computer is affected by Color page? You may see this entry in your list of installed Chrome extensions: You may have noticed these warnings during install: How did Color page get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Color page? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Color page? No, Malwarebytes removes Color page completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Color page hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Extension: (Color page) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\coamdeaenpoheelhimdnhlbfkaoajfog [2021-04-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\coamdeaenpoheelhimdnhlbfkaoajfog\1.1_0 Adds the file background.js"="3/24/2021 7:36 PM, 44168 bytes, A Adds the file content.js"="3/22/2021 8:17 PM, 2651 bytes, A Adds the file icon.png"="4/6/2021 10:56 AM, 3643 bytes, A Adds the file jquery-3.2.1.js"="6/26/2017 10:50 AM, 268039 bytes, A Adds the file manifest.json"="4/6/2021 10:56 AM, 953 bytes, A Adds the file popup.css"="6/29/2017 11:55 AM, 790 bytes, A Adds the file popup.html"="6/29/2017 11:54 AM, 1429 bytes, A Adds the file popup.js"="3/22/2021 8:16 PM, 4641 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\coamdeaenpoheelhimdnhlbfkaoajfog\1.1_0\_metadata Adds the file computed_hashes.json"="4/6/2021 10:56 AM, 4230 bytes, A Adds the file verified_contents.json"="3/24/2021 7:40 PM, 2055 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\coamdeaenpoheelhimdnhlbfkaoajfog Adds the file 000003.log"="4/6/2021 10:57 AM, 0 bytes, A Adds the file CURRENT"="4/6/2021 10:57 AM, 16 bytes, A Adds the file LOCK"="4/6/2021 10:57 AM, 0 bytes, A Adds the file LOG"="4/6/2021 10:57 AM, 185 bytes, A Adds the file MANIFEST-000001"="4/6/2021 10:57 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "coamdeaenpoheelhimdnhlbfkaoajfog"="REG_SZ", "D8ADD679600197724B54C73266CC3763541938858AADD3A1DDE002F255F69354" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/6/21 Scan Time: 12:52 PM Log File: 22c16698-96c6-11eb-8203-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1249 Update Package Version: 1.0.39149 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233716 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 2 min, 10 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|coamdeaenpoheelhimdnhlbfkaoajfog, Quarantined, 336, 928503, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\coamdeaenpoheelhimdnhlbfkaoajfog, Quarantined, 336, 928503, , , , , , PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\Google\Chrome\USER DATA\Default\EXTENSIONS\coamdeaenpoheelhimdnhlbfkaoajfog, Quarantined, 336, 928503, 1.0.39149, , ame, , , File: 8 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 336, 928503, , , , , 371906A6A0E099443741EAD24E3FD97B, 26945309E04F482623D05A0C1C85C83E9E698371FC846B8E33741B1E333DC284 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 336, 928503, , , , , 1E6A6B597A6C9440C2A219A898DCA94F, F221B53FFF23E3E5B6FD5B07945CCA3A43F6A31FA799F864DAB18556CAE4DD53 PUP.Optional.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\coamdeaenpoheelhimdnhlbfkaoajfog\000003.log, Quarantined, 336, 928503, , , , , , PUP.Optional.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\coamdeaenpoheelhimdnhlbfkaoajfog\CURRENT, Quarantined, 336, 928503, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\coamdeaenpoheelhimdnhlbfkaoajfog\LOCK, Quarantined, 336, 928503, , , , , , PUP.Optional.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\coamdeaenpoheelhimdnhlbfkaoajfog\LOG, Quarantined, 336, 928503, , , , , 46E88B6DF53F640D823C700C77F6AF88, 01679614B1D590740984E5D40C366883373A58930F724B519FFB54226BBCD6B8 PUP.Optional.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\coamdeaenpoheelhimdnhlbfkaoajfog\LOG.old, Quarantined, 336, 928503, , , , , 23A216C0F68D92B38863C591DEB03B42, 2C2B4AF0794A0943FED0B98F60369B289B79A773FD334A0409B739DC1CE33788 PUP.Optional.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\coamdeaenpoheelhimdnhlbfkaoajfog\MANIFEST-000001, Quarantined, 336, 928503, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is FlashSearch?The Malwarebytes research team has determined that FlashSearch is adware. These adware applications display advertisements not originating from the sites you are browsing.How do I know if my computer is affected by FlashSearch?You may see this entry in your list of installed Chrome extensions:You may have noticed these warnings during install:How did FlashSearch get on my computer?Adware applications use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove FlashSearch?Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of FlashSearch? No, Malwarebytes removes FlashSearch completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Name of the rogue hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (FlashSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncpimaccodlljbbloinhafphklmgjoeg [2021-04-01] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncpimaccodlljbbloinhafphklmgjoeg\1.0_0 Adds the file manifest.json"="4/1/2021 9:02 AM, 1210 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncpimaccodlljbbloinhafphklmgjoeg\1.0_0\_metadata Adds the file computed_hashes.json"="4/1/2021 9:02 AM, 1491 bytes, A Adds the file verified_contents.json"="2/17/2021 8:12 PM, 2383 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncpimaccodlljbbloinhafphklmgjoeg\1.0_0\common Adds the file contentscript.js"="2/17/2021 8:12 PM, 347 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncpimaccodlljbbloinhafphklmgjoeg\1.0_0\img Adds the file logo.png"="2/17/2021 8:12 PM, 5273 bytes, A Adds the file logo_128x.png"="4/1/2021 9:02 AM, 5102 bytes, A Adds the file logo_16x.png"="2/17/2021 8:12 PM, 442 bytes, A Adds the file logo_48x.png"="4/1/2021 9:02 AM, 1125 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncpimaccodlljbbloinhafphklmgjoeg\1.0_0\pages Adds the file popup.html"="2/17/2021 8:12 PM, 236 bytes, A Adds the file popupstyle.css"="2/17/2021 8:12 PM, 108 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncpimaccodlljbbloinhafphklmgjoeg\1.0_0\release Adds the file browseraction_release.js"="2/17/2021 8:12 PM, 36949 bytes, A Adds the file enhancer_release.js"="2/17/2021 8:12 PM, 17350 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ncpimaccodlljbbloinhafphklmgjoeg Adds the file 000003.log"="4/1/2021 9:02 AM, 1189 bytes, A Adds the file CURRENT"="4/1/2021 9:02 AM, 16 bytes, A Adds the file LOCK"="4/1/2021 9:02 AM, 0 bytes, A Adds the file LOG"="4/1/2021 9:02 AM, 185 bytes, A Adds the file MANIFEST-000001"="4/1/2021 9:02 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ncpimaccodlljbbloinhafphklmgjoeg"="REG_SZ", "86DE6F5BF4538767ECCF6A42C4403E4412FA1D0F3E313AE42D521BCB248E795C" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/1/21 Scan Time: 5:04 PM Log File: 86c526f8-92fb-11eb-b2c9-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1236 Update Package Version: 1.0.38976 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233697 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.FlashSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ncpimaccodlljbbloinhafphklmgjoeg, Quarantined, 16181, 927175, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.FlashSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\ncpimaccodlljbbloinhafphklmgjoeg, Quarantined, 16181, 927175, , , , , , PUP.Optional.FlashSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NCPIMACCODLLJBBLOINHAFPHKLMGJOEG, Quarantined, 16181, 927175, 1.0.38976, , ame, , , File: 9 PUP.Optional.FlashSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16181, 927175, , , , , 8977B6842678DC0D0B292133EC6ADD5D, F6EEE6BA507D549BB5CB49C1A2E029A9D4007CFDCED607BFF8D0F7A7CCE5FBEF PUP.Optional.FlashSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16181, 927175, , , , , 3D8E29AECA518B2861A1C50F30EFA55A, 05949EAC8D7EDDEF59F0EFBBD2E5E85C1A8203B69BDB914D1DE3563ED3B9C263 PUP.Optional.FlashSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ncpimaccodlljbbloinhafphklmgjoeg\000003.log, Quarantined, 16181, 927175, , , , , 39F493FC7301CD30AF4F6F44930C2C67, 4E4680E1E6D7558409C6089B7F265143C446FD2C467616FB1C8277B1803E86F0 PUP.Optional.FlashSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ncpimaccodlljbbloinhafphklmgjoeg\CURRENT, Quarantined, 16181, 927175, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.FlashSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ncpimaccodlljbbloinhafphklmgjoeg\LOCK, Quarantined, 16181, 927175, , , , , , PUP.Optional.FlashSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ncpimaccodlljbbloinhafphklmgjoeg\LOG, Quarantined, 16181, 927175, , , , , 8D5B442BF904780FF1880345425A29AE, 3CF2C08384E1C6B4386E6FBE2BF91A1D70C8C0C97974487A965499B727D9D2F1 PUP.Optional.FlashSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ncpimaccodlljbbloinhafphklmgjoeg\LOG.old, Quarantined, 16181, 927175, , , , , 8471201DA06DEE6BC5262D8AF7DB3D74, FD874EBBA226A2259C7272144644A87D3408BAAC32C5158CF2B7ABDEF554FFB1 PUP.Optional.FlashSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ncpimaccodlljbbloinhafphklmgjoeg\MANIFEST-000001, Quarantined, 16181, 927175, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.FlashSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NCPIMACCODLLJBBLOINHAFPHKLMGJOEG\1.0_0\MANIFEST.JSON, Quarantined, 16181, 927175, 1.0.38976, , ame, , ECD4859144D851D3B374024610D36831, AEC70238BAE46E2D55B7C871331044DEA98BF7C55C68C75385E2664C04351FD8 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Tag Search? The Malwarebytes research team has determined that Tag Search is adware. These adware applications display advertisements not originating from the sites you are browsing. How do I know if my computer is affected by Tag Search? You may see this entry in your list of installed Chrome extensions: these warnings during install: and this new context menu when you select text on a website: How did Tag Search get on my computer? Adware applications use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Tag Search? Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Tag Search? No, Malwarebytes removes Tag Search completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below, Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Tag Search adware. It would have blocked the installer before it became too late. Technical details for experts Possible signs in FRST logs: CHR Extension: (Tag Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdeljicacjfkikakemhlhmnnepbinpgf [2021-03-31] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdeljicacjfkikakemhlhmnnepbinpgf\2.0_0 Adds the file manifest.json"="3/31/2021 8:55 AM, 1115 bytes, A Adds the file methods.js"="12/29/2020 2:40 PM, 3980 bytes, A Adds the file tag.js"="12/29/2020 1:53 PM, 5252 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdeljicacjfkikakemhlhmnnepbinpgf\2.0_0\_metadata Adds the file computed_hashes.json"="3/31/2021 8:55 AM, 1377 bytes, A Adds the file verified_contents.json"="12/29/2020 2:40 PM, 2151 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdeljicacjfkikakemhlhmnnepbinpgf\2.0_0\image Adds the file 128magnifying-glass.png"="3/31/2021 8:55 AM, 8302 bytes, A Adds the file 16magnifying-glass.png"="3/31/2021 8:55 AM, 811 bytes, A Adds the file 32magnifying-glass.png"="3/31/2021 8:55 AM, 1783 bytes, A Adds the file 64magnifying-glass.png"="3/31/2021 8:55 AM, 3846 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdeljicacjfkikakemhlhmnnepbinpgf\2.0_0\js_lib Adds the file jquery.js"="11/26/2020 6:48 PM, 86670 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf Adds the file 000003.log"="3/31/2021 8:55 AM, 224 bytes, A Adds the file CURRENT"="3/31/2021 8:55 AM, 16 bytes, A Adds the file LOCK"="3/31/2021 8:55 AM, 0 bytes, A Adds the file LOG"="3/31/2021 8:55 AM, 185 bytes, A Adds the file MANIFEST-000001"="3/31/2021 8:55 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gdeljicacjfkikakemhlhmnnepbinpgf"="REG_SZ", "77BBD7C4E03E9B3360EDDE091ADDE5672DD007FAEF693ED2DAB73D6596F3E5E0" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/31/21 Scan Time: 1:56 PM Log File: 21bacf12-9218-11eb-9207-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1236 Update Package Version: 1.0.38934 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233730 Threats Detected: 10 Threats Quarantined: 10 Time Elapsed: 2 min, 1 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ForcedExtension, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gdeljicacjfkikakemhlhmnnepbinpgf, Quarantined, 298, 926811, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf, Quarantined, 298, 926811, , , , , , PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\Google\Chrome\USER DATA\Default\EXTENSIONS\gdeljicacjfkikakemhlhmnnepbinpgf, Quarantined, 298, 926811, 1.0.38934, , ame, , , File: 7 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 298, 926811, , , , , F3153FE17CB442FF8037EBD2CE56E025, FA2554B1E9807019B15795668A7400C1B98760323549E23784FE9F557FDC125F PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 298, 926811, , , , , B65DCAF86E01EDC9EA6B5E53056973BE, ACBE02E782A9C7E6C8023A973292D903A842CA7962CA6DB900B3F024D920F5A6 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf\000003.log, Quarantined, 298, 926811, , , , , BDD4E6E04A4397AF7BC83417945C8D9F, 58D42CDCE1DFA83D87E7F20945ACF4379CC9F046160E764C794C51894B83BD1F PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf\CURRENT, Quarantined, 298, 926811, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf\LOCK, Quarantined, 298, 926811, , , , , , PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf\LOG, Quarantined, 298, 926811, , , , , 7F612FDA0225E1D800BC5A5D4167EF19, 99DEF1E21088FB0CDA60930C8BD468BA1F5A3E8B0D54CE3B1EABEA1684207607 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf\MANIFEST-000001, Quarantined, 298, 926811, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is GifsGalore?The Malwarebytes research team has determined that GifsGalore is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by GifsGalore?You may see this browser extension:these warnings during install:this new startpage:and this new setting:How did GifsGalore get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove GifsGalore?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of GifsGalore? No, Malwarebytes' Anti-Malware removes GifsGalore completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes, as well as Browser Guard, would have protected you against the GifsGalore hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://igdakanpfjlfgekpjeoipnejchlfdelk/ntp1.html" CHR Extension: (GifsGalore) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igdakanpfjlfgekpjeoipnejchlfdelk [2021-03-30] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igdakanpfjlfgekpjeoipnejchlfdelk\13.962.19.39170_0 Adds the file manifest.json"="3/30/2021 9:08 AM, 2658 bytes, A Adds the file ntp1.html"="12/23/2020 3:25 PM, 1348 bytes, A Adds the file ntp2.html"="12/23/2020 3:25 PM, 1282 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igdakanpfjlfgekpjeoipnejchlfdelk\13.962.19.39170_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igdakanpfjlfgekpjeoipnejchlfdelk\13.962.19.39170_0\_metadata Adds the file computed_hashes.json"="3/30/2021 9:08 AM, 8698 bytes, A Adds the file verified_contents.json"="12/23/2020 3:25 PM, 9289 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igdakanpfjlfgekpjeoipnejchlfdelk\13.962.19.39170_0\config Adds the file config.json"="12/23/2020 3:25 PM, 3001 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igdakanpfjlfgekpjeoipnejchlfdelk\13.962.19.39170_0\icons Adds the file icon128.png"="3/30/2021 9:08 AM, 5711 bytes, A Adds the file icon16.png"="3/30/2021 9:08 AM, 586 bytes, A Adds the file icon19disabled.png"="12/23/2020 3:25 PM, 1528 bytes, A Adds the file icon19on.png"="3/30/2021 9:08 AM, 681 bytes, A Adds the file icon48.png"="3/30/2021 9:08 AM, 2191 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igdakanpfjlfgekpjeoipnejchlfdelk\13.962.19.39170_0\js Adds the file ajax.js"="12/23/2020 3:25 PM, 3263 bytes, A Adds the file B2BService.js"="12/23/2020 3:25 PM, 11775 bytes, A Adds the file babAPI.js"="12/23/2020 3:25 PM, 5950 bytes, A Adds the file babClickHandler.js"="12/23/2020 3:25 PM, 3485 bytes, A Adds the file babContentScript.js"="12/23/2020 3:25 PM, 10509 bytes, A Adds the file babContentScriptAPI.js"="12/23/2020 3:25 PM, 13191 bytes, A Adds the file babRemoteConfigProcessor.js"="12/23/2020 3:25 PM, 4311 bytes, A Adds the file babTypeFactory.js"="12/23/2020 3:25 PM, 1999 bytes, A Adds the file babTypeInjectionEmbededPage.js"="12/23/2020 3:25 PM, 3383 bytes, A Adds the file babTypeInjectionIframe.js"="12/23/2020 3:25 PM, 2114 bytes, A Adds the file babTypeInjectionIframeAPIProxy.js"="12/23/2020 3:25 PM, 3160 bytes, A Adds the file babTypeInjectionScript.js"="12/23/2020 3:25 PM, 4111 bytes, A Adds the file background.js"="12/23/2020 3:25 PM, 31627 bytes, A Adds the file browserUtils.js"="12/23/2020 3:25 PM, 1896 bytes, A Adds the file chrome.js"="12/23/2020 3:25 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="12/23/2020 3:25 PM, 23601 bytes, A Adds the file dailyContentService.js"="12/23/2020 3:25 PM, 11632 bytes, A Adds the file dateTimeUtils.js"="12/23/2020 3:25 PM, 1213 bytes, A Adds the file dlp.js"="12/23/2020 3:25 PM, 15732 bytes, A Adds the file dlpHelper.js"="12/23/2020 3:25 PM, 1717 bytes, A Adds the file extensionDetect.js"="12/23/2020 3:25 PM, 4357 bytes, A Adds the file extensionDetectWithHash.js"="12/23/2020 3:25 PM, 3986 bytes, A Adds the file globalConfigService.js"="12/23/2020 3:25 PM, 1319 bytes, A Adds the file index.js"="12/23/2020 3:25 PM, 49 bytes, A Adds the file localStorageContentScript.js"="12/23/2020 3:25 PM, 2237 bytes, A Adds the file logger.js"="12/23/2020 3:25 PM, 531 bytes, A Adds the file loggingLevelUtils.js"="12/23/2020 3:25 PM, 1976 bytes, A Adds the file meta.js"="12/23/2020 3:25 PM, 3300 bytes, A Adds the file newTabPageRedirectHandler.js"="12/23/2020 3:25 PM, 2902 bytes, A Adds the file notificationService.js"="12/23/2020 3:25 PM, 15360 bytes, A Adds the file offerService.js"="12/23/2020 3:25 PM, 17241 bytes, A Adds the file pageUtils.js"="12/23/2020 3:25 PM, 4197 bytes, A Adds the file PartnerId.js"="12/23/2020 3:25 PM, 16402 bytes, A Adds the file polyfill.js"="12/23/2020 3:25 PM, 875 bytes, A Adds the file product.js"="12/23/2020 3:25 PM, 8337 bytes, A Adds the file pTagService.js"="12/23/2020 3:25 PM, 7300 bytes, A Adds the file remoteConfigLoader.js"="12/23/2020 3:25 PM, 6653 bytes, A Adds the file scheduler.js"="12/23/2020 3:25 PM, 4419 bytes, A Adds the file splashPageRedirectHandler.js"="12/23/2020 3:25 PM, 3762 bytes, A Adds the file storageUtils.js"="12/23/2020 3:25 PM, 1718 bytes, A Adds the file surveyService.js"="12/23/2020 3:25 PM, 5401 bytes, A Adds the file templateParser.js"="12/23/2020 3:25 PM, 3153 bytes, A Adds the file ul.js"="12/23/2020 3:25 PM, 7044 bytes, A Adds the file urlFragmentActions.js"="12/23/2020 3:25 PM, 2453 bytes, A Adds the file urlUtils.js"="12/23/2020 3:25 PM, 6382 bytes, A Adds the file util.js"="12/23/2020 3:25 PM, 6714 bytes, A Adds the file watchExtensionsHandler.js"="12/23/2020 3:25 PM, 10297 bytes, A Adds the file webtooltabAPI.js"="12/23/2020 3:25 PM, 12619 bytes, A Adds the file webTooltabAPIProxy.js"="12/23/2020 3:25 PM, 8782 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk Adds the file 000003.log"="3/30/2021 9:08 AM, 10009 bytes, A Adds the file CURRENT"="3/30/2021 9:08 AM, 16 bytes, A Adds the file LOCK"="3/30/2021 9:08 AM, 0 bytes, A Adds the file LOG"="3/30/2021 9:08 AM, 184 bytes, A Adds the file MANIFEST-000001"="3/30/2021 9:08 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk Adds the file 000003.log"="3/30/2021 9:08 AM, 1396 bytes, A Adds the file CURRENT"="3/30/2021 9:08 AM, 16 bytes, A Adds the file LOCK"="3/30/2021 9:08 AM, 0 bytes, A Adds the file LOG"="3/30/2021 9:08 AM, 183 bytes, A Adds the file MANIFEST-000001"="3/30/2021 9:08 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "igdakanpfjlfgekpjeoipnejchlfdelk"="REG_SZ", "D341832317990F8AF11DE36AE114A9354A33B44D79F0B67A89774A56ACB5FB68" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/30/21 Scan Time: 9:23 AM Log File: d869adc8-9128-11eb-b44c-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1236 Update Package Version: 1.0.38884 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233667 Threats Detected: 17 Threats Quarantined: 17 Time Elapsed: 2 min, 48 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|igdakanpfjlfgekpjeoipnejchlfdelk, Quarantined, 1868, 867816, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk, Quarantined, 1868, 867816, , , , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk, Quarantined, 1868, 867816, , , , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IGDAKANPFJLFGEKPJEOIPNEJCHLFDELK, Quarantined, 1868, 867816, 1.0.38884, , ame, , , File: 13 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1868, 867816, , , , , 1FF46D65AC56731F4CC9FDE88572E02E, 9074AD673F201AC293499FCB06F4D90A35039FEB47BC7D07B96A0BA37FAE5C3C PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1868, 867816, , , , , 967A8C1E733EFB9D11EAB36C3F9BB114, 3CDE287D99DCCF2449350C27A1062E6A398EB87717F54AF8F65A465F0FA2431A PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk\000003.log, Quarantined, 1868, 867816, , , , , C4BF13DFDC2A2147123924821167FD26, 342E7B2FA356D0A5A98ACC53BFAEC64C1C4665743DD186483D4396611E821694 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk\CURRENT, Quarantined, 1868, 867816, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk\LOCK, Quarantined, 1868, 867816, , , , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk\LOG, Quarantined, 1868, 867816, , , , , 5473979E2704F65773F90C956027D6C9, AA2C8ABA407D37DE3528E6FEC7053AE97A72240CB89792D0C124F1248F9EC3C1 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk\MANIFEST-000001, Quarantined, 1868, 867816, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk\000003.log, Quarantined, 1868, 867816, , , , , F79799266BDBF54CDD8F97DB392E62FB, 5D134056F72446369472046280345CB83755CBA5C7BCD848FE3E7A748A1197DD PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk\CURRENT, Quarantined, 1868, 867816, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk\LOCK, Quarantined, 1868, 867816, , , , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk\LOG, Quarantined, 1868, 867816, , , , , B559EE124E1F73DE5D2C927B1C6E7C72, B1A869E0DED56B13F1F45F8A83DAB616540CED254C733788ED02173AC46D5225 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igdakanpfjlfgekpjeoipnejchlfdelk\MANIFEST-000001, Quarantined, 1868, 867816, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IGDAKANPFJLFGEKPJEOIPNEJCHLFDELK\13.962.19.39170_0\MANIFEST.JSON, Quarantined, 1868, 867816, 1.0.38884, , ame, , F1D2ABD724AD30845C70F886E1B1C48A, 6ED53582147D11FA22585C994216338D6C301C710546F758BC6757350A0F638A Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is 365Scores - Live Scores and Sports News?The Malwarebytes research team has determined that 365Scores - Live Scores and Sports News is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a newtab hijacker and uses web push notifications. It also adds recommended searches to the search results generated from the newtab page.How do I know if my computer is affected by 365Scores - Live Scores and Sports News?You may see this browser extension:these warnings during install:this new startpage:and this new setting:How did 365Scores - Live Scores and Sports News get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove 365Scores - Live Scores and Sports News?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of 365Scores - Live Scores and Sports News? No, Malwarebytes' Anti-Malware removes 365Scores - Live Scores and Sports News completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the 365Scores - Live Scores and Sports News hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://nmpppefjehmjbiplimkfjeamnohldmko/new-tab/index.html" CHR Extension: (365Scores - Live Scores and Sports News) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko [2021-03-29] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0 Adds the file background.html"="10/18/2020 3:58 AM, 839 bytes, A Adds the file manifest.json"="3/29/2021 1:12 PM, 1656 bytes, A Adds the file popup.html"="11/3/2020 7:36 AM, 1645 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\_metadata Adds the file computed_hashes.json"="3/29/2021 1:12 PM, 76910 bytes, A Adds the file verified_contents.json"="3/21/2021 7:18 AM, 41312 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\Images Adds the file 365.png"="10/18/2020 3:58 AM, 251 bytes, A Adds the file 365_128.png"="10/18/2020 3:58 AM, 21930 bytes, A Adds the file 365_19.png"="10/18/2020 3:58 AM, 2018 bytes, A Adds the file 365_24.png"="10/18/2020 3:58 AM, 1522 bytes, A Adds the file 365_48.png"="10/18/2020 3:58 AM, 4674 bytes, A Adds the file 365_64.png"="10/18/2020 3:58 AM, 16195 bytes, A Adds the file 365_video.png"="10/18/2020 3:58 AM, 4054 bytes, A Adds the file logo-128.png"="3/29/2021 1:12 PM, 12946 bytes, A Adds the file logo-16.png"="3/29/2021 1:12 PM, 1535 bytes, A Adds the file logo-48.png"="3/29/2021 1:12 PM, 4607 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\js Adds the file background.js"="11/11/2020 11:15 PM, 12787 bytes, A Adds the file DAL.js"="10/18/2020 3:58 AM, 24602 bytes, A Adds the file DataMgr.js"="11/3/2020 7:36 AM, 64703 bytes, A Adds the file date.js"="10/18/2020 3:58 AM, 26299 bytes, A Adds the file DateFormat.js"="10/18/2020 3:58 AM, 4087 bytes, A Adds the file Event.js"="10/18/2020 3:58 AM, 962 bytes, A Adds the file general.js"="10/18/2020 3:58 AM, 11602 bytes, A Adds the file HashList.js"="10/18/2020 3:58 AM, 2315 bytes, A Adds the file PerfMgr.js"="11/3/2020 7:36 AM, 6460 bytes, A Adds the file popup.js"="11/3/2020 7:36 AM, 79283 bytes, A Adds the file sportifier.js"="10/18/2020 3:58 AM, 1088 bytes, A Adds the file Statistics.js"="10/18/2020 3:58 AM, 16131 bytes, A Adds the file Time.js"="10/18/2020 3:58 AM, 4648 bytes, A Adds the file UIMgr.js"="3/21/2021 3:04 AM, 73382 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\js\jquery Adds the file jquery.blockUI.js"="10/18/2020 3:58 AM, 19307 bytes, A Adds the file jquery.jcarousel.js"="10/18/2020 3:58 AM, 36260 bytes, A Adds the file jquery.min.js"="10/18/2020 3:58 AM, 94843 bytes, A Adds the file jquery.tools.min.js"="10/18/2020 3:58 AM, 12925 bytes, A Adds the file jquery-mousewheel.js"="10/18/2020 3:58 AM, 2237 bytes, A Adds the file jquery-ui.js"="10/18/2020 3:58 AM, 205097 bytes, A Adds the file jScrollbar.jquery.js"="10/18/2020 3:58 AM, 2780 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\new-tab Adds the file aws-sdk-2.756.0.min.js"="11/8/2020 1:07 AM, 249327 bytes, A Adds the file index.html"="3/21/2021 7:18 AM, 114 bytes, A Adds the file new-tab.css"="3/21/2021 7:23 AM, 4231 bytes, A Adds the file new-tab.html"="3/21/2021 7:23 AM, 1583 bytes, A Adds the file new-tab-controller.js"="3/21/2021 6:53 AM, 24029 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\new-tab\images Adds the file 365-black-logo.jpg"="3/21/2021 1:11 AM, 7851 bytes, A Adds the file 365-black-logo.png"="3/21/2021 1:14 AM, 2789 bytes, A Adds the file 365-logo.png"="11/11/2020 11:15 PM, 29261 bytes, A Adds the file menu.png"="3/21/2021 1:17 AM, 251 bytes, A Adds the file search.png"="3/21/2021 5:14 AM, 568 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\notifications Adds the file BaseballRun.html"="10/18/2020 3:58 AM, 2079 bytes, A Adds the file DefaultScore.html"="10/18/2020 3:58 AM, 2080 bytes, A Adds the file DefaultWithScore.html"="10/18/2020 3:58 AM, 2049 bytes, A Adds the file NewVideo.html"="10/18/2020 3:58 AM, 2025 bytes, A Adds the file SoccerGoal.html"="10/18/2020 3:58 AM, 2118 bytes, A Adds the file SoccerRedCard.html"="10/18/2020 3:58 AM, 1773 bytes, A Adds the file SoccerScoreFixed.html"="10/18/2020 3:58 AM, 1832 bytes, A Adds the file SoccerYellowCard.html"="10/18/2020 3:58 AM, 1737 bytes, A Adds the file Status.html"="10/18/2020 3:58 AM, 2034 bytes, A Adds the file TennisBreak.html"="10/18/2020 3:58 AM, 1984 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\notifications\images Adds the file notice-bg.png"="10/18/2020 3:58 AM, 3796 bytes, A Adds the file Red-Card.png"="10/18/2020 3:58 AM, 6941 bytes, A Adds the file Video.png"="10/18/2020 3:58 AM, 12597 bytes, A Adds the file Yellow-Card.png"="10/18/2020 3:58 AM, 6934 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\notifications\js Adds the file BaseballRun.js"="10/18/2020 3:58 AM, 2049 bytes, A Adds the file DefaultScore.js"="10/18/2020 3:58 AM, 2086 bytes, A Adds the file DefaultWithScore.js"="10/18/2020 3:58 AM, 2018 bytes, A Adds the file NewVideo.js"="10/18/2020 3:58 AM, 1862 bytes, A Adds the file Notifications.js"="10/18/2020 3:58 AM, 9893 bytes, A Adds the file SoccerGoal.js"="10/18/2020 3:58 AM, 2134 bytes, A Adds the file SoccerRedCard.js"="10/18/2020 3:58 AM, 1647 bytes, A Adds the file SoccerScoreFixed.js"="10/18/2020 3:58 AM, 1180 bytes, A Adds the file SoccerYellowCard.js"="10/18/2020 3:58 AM, 1651 bytes, A Adds the file Status.js"="10/18/2020 3:58 AM, 1960 bytes, A Adds the file TennisBreak.js"="10/18/2020 3:58 AM, 2180 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\Sounds Adds the file camera.wav"="10/18/2020 3:58 AM, 112968 bytes, A Adds the file Crowd.wav"="10/18/2020 3:58 AM, 54380 bytes, A Adds the file Goal.mp3"="10/18/2020 3:58 AM, 19772 bytes, A Adds the file sound1.wav"="10/18/2020 3:58 AM, 11016 bytes, A Adds the file sound2.wav"="10/18/2020 3:58 AM, 23868 bytes, A Adds the file sound3.wav"="10/18/2020 3:58 AM, 11540 bytes, A Adds the file sound4.wav"="10/18/2020 3:58 AM, 29304 bytes, A Adds the file sound5.wav"="10/18/2020 3:58 AM, 22616 bytes, A Adds the file sound6.wav"="10/18/2020 3:58 AM, 12900 bytes, A Adds the file tennis.wav"="10/18/2020 3:58 AM, 21988 bytes, A Adds the file whistle.wav"="10/18/2020 3:58 AM, 13212 bytes, A Adds the file whistle-long.wav"="10/18/2020 3:58 AM, 19900 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\UI Adds the file betlines.html"="10/18/2020 3:58 AM, 1725 bytes, A Adds the file broadcast.html"="10/18/2020 3:58 AM, 1554 bytes, A Adds the file GameDetails.html"="10/18/2020 3:58 AM, 3071 bytes, A Adds the file KnockOutTemplate.html"="10/18/2020 3:58 AM, 3356 bytes, A Adds the file OpenMe.html"="10/18/2020 3:58 AM, 495 bytes, A Adds the file settings.html"="10/18/2020 3:58 AM, 49907 bytes, A Adds the file ShareTemplate.html"="10/18/2020 3:58 AM, 1631 bytes, A Adds the file stats.html"="10/18/2020 3:58 AM, 3119 bytes, A Adds the file Videos.html"="10/18/2020 3:58 AM, 2054 bytes, A Adds the file WelcomePage.html"="10/18/2020 3:58 AM, 1598 bytes, A Adds the file WelcomeTab.html"="10/18/2020 3:58 AM, 866 bytes, A Adds the file Wizard.html"="10/18/2020 3:58 AM, 3258 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\UI\css Adds the file 365scores-chrome.css"="11/3/2020 7:36 AM, 36698 bytes, A Adds the file betlines.css"="10/18/2020 3:58 AM, 5006 bytes, A Adds the file broadcast.css"="10/18/2020 3:58 AM, 3337 bytes, A Adds the file button.css"="10/18/2020 3:58 AM, 1206 bytes, A Adds the file GameDetails.css"="10/18/2020 3:58 AM, 10281 bytes, A Adds the file list.css"="10/18/2020 3:58 AM, 1790 bytes, A Adds the file OpenMe.css"="10/18/2020 3:58 AM, 390 bytes, A Adds the file settings.css"="10/18/2020 3:58 AM, 125 bytes, A Adds the file Sharestyle.css"="10/18/2020 3:58 AM, 58288 bytes, A Adds the file stats.css"="10/18/2020 3:58 AM, 6600 bytes, A Adds the file videos.css"="10/18/2020 3:58 AM, 7981 bytes, A Adds the file WelcomePage.css"="10/18/2020 3:58 AM, 3929 bytes, A Adds the file WelcomeTab.css"="10/18/2020 3:58 AM, 2427 bytes, A Adds the file Wizard.css"="11/3/2020 7:36 AM, 10438 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\UI\images Adds the file 365.png"="10/18/2020 3:58 AM, 251 bytes, A Adds the file 365_icon.png"="10/18/2020 3:58 AM, 4036 bytes, A Adds the file add-more-icon.png"="11/3/2020 7:36 AM, 2738 bytes, A Adds the file apple_icon.png"="10/18/2020 3:58 AM, 1331 bytes, A Adds the file arrow_up.png"="10/18/2020 3:58 AM, 1310 bytes, A Adds the file arrowLeft.png"="10/18/2020 3:58 AM, 171 bytes, A Adds the file arrow-left.png"="10/18/2020 3:58 AM, 2575 bytes, A Adds the file arrowRight.png"="10/18/2020 3:58 AM, 173 bytes, A Adds the file arrow-right.png"="10/18/2020 3:58 AM, 2573 bytes, A Adds the file ball.png"="10/18/2020 3:58 AM, 1640 bytes, A Adds the file bar.png"="10/18/2020 3:58 AM, 2955 bytes, A Adds the file bet.gif"="10/18/2020 3:58 AM, 845 bytes, A Adds the file bet.png"="10/18/2020 3:58 AM, 174 bytes, A Adds the file button.png"="10/18/2020 3:58 AM, 1437 bytes, A Adds the file buttons.png"="10/18/2020 3:58 AM, 7422 bytes, A Adds the file button-selected.png"="10/18/2020 3:58 AM, 1544 bytes, A Adds the file chart.png"="10/18/2020 3:58 AM, 3169 bytes, A Adds the file close.png"="10/18/2020 3:58 AM, 349 bytes, A Adds the file close-blue.png"="10/18/2020 3:58 AM, 626 bytes, A Adds the file club365_icon64.png"="10/18/2020 3:58 AM, 5252 bytes, A Adds the file comments.png"="10/18/2020 3:58 AM, 196 bytes, A Adds the file country-icon.png"="10/18/2020 3:58 AM, 1105 bytes, A Adds the file CustomX.png"="10/18/2020 3:58 AM, 642 bytes, A Adds the file detail-bg.png"="10/18/2020 3:58 AM, 12694 bytes, A Adds the file euro-bg.png"="10/18/2020 3:58 AM, 2497 bytes, A Adds the file fb-inner-bottom.png"="10/18/2020 3:58 AM, 4621 bytes, A Adds the file fb-inner-top.png"="10/18/2020 3:58 AM, 2027 bytes, A Adds the file feedback.png"="11/3/2020 7:36 AM, 773 bytes, A Adds the file flag.png"="10/18/2020 3:58 AM, 1205 bytes, A Adds the file free.png"="10/18/2020 3:58 AM, 6243 bytes, A Adds the file graph-icon.png"="10/18/2020 3:58 AM, 1458 bytes, A Adds the file green_bullet.gif"="10/18/2020 3:58 AM, 220 bytes, A Adds the file green-bullet.png"="10/18/2020 3:58 AM, 3626 bytes, A Adds the file green-button.png"="10/18/2020 3:58 AM, 4446 bytes, A Adds the file h2h.png"="10/18/2020 3:58 AM, 346 bytes, A Adds the file head-icon.png"="10/18/2020 3:58 AM, 1370 bytes, A Adds the file help.png"="10/18/2020 3:58 AM, 417 bytes, A Adds the file helpBg2.png"="10/18/2020 3:58 AM, 149951 bytes, A Adds the file helpico.png"="10/18/2020 3:58 AM, 672 bytes, A Adds the file helpIcon.png"="10/18/2020 3:58 AM, 24838 bytes, A Adds the file i.png"="10/18/2020 3:58 AM, 687 bytes, A Adds the file icon1.png"="10/18/2020 3:58 AM, 4094 bytes, A Adds the file icon-1x2.png"="10/18/2020 3:58 AM, 3935 bytes, A Adds the file icon-bc-live.png"="10/18/2020 3:58 AM, 3838 bytes, A Adds the file icon-bc-review.png"="10/18/2020 3:58 AM, 247 bytes, A Adds the file icon-bc-tv.png"="10/18/2020 3:58 AM, 1246 bytes, A Adds the file icon-cov.png"="10/18/2020 3:58 AM, 772 bytes, A Adds the file icon-live.png"="10/18/2020 3:58 AM, 4202 bytes, A Adds the file info.png"="10/18/2020 3:58 AM, 632 bytes, A Adds the file info-icon.png"="10/18/2020 3:58 AM, 1604 bytes, A Adds the file inner-bottom.png"="10/18/2020 3:58 AM, 5626 bytes, A Adds the file inner-center.png"="10/18/2020 3:58 AM, 2754 bytes, A Adds the file inner-team-bg.png"="10/18/2020 3:58 AM, 25859 bytes, A Adds the file inner-top.png"="10/18/2020 3:58 AM, 5951 bytes, A Adds the file left-looser.png"="10/18/2020 3:58 AM, 778 bytes, A Adds the file live.png"="10/18/2020 3:58 AM, 661 bytes, A Adds the file liveicon.png"="10/18/2020 3:58 AM, 3838 bytes, A Adds the file logo.png"="11/3/2020 7:36 AM, 12566 bytes, A Adds the file logo_.png"="10/18/2020 3:58 AM, 4304 bytes, A Adds the file logo-big.png"="10/18/2020 3:58 AM, 6257 bytes, A Adds the file main-bg-banner-bet.png"="10/18/2020 3:58 AM, 93934 bytes, A Adds the file main-bg-banner-head-to-head.png"="10/18/2020 3:58 AM, 95031 bytes, A Adds the file main-bg-banner-head-to-head-table.png"="10/18/2020 3:58 AM, 101320 bytes, A Adds the file main-bg-bet.png"="10/18/2020 3:58 AM, 93307 bytes, A Adds the file main-bg-custom - Copy.png"="10/18/2020 3:58 AM, 91992 bytes, A Adds the file main-bg-custom.png"="10/18/2020 3:58 AM, 91992 bytes, A Adds the file main-bg-head-to-head.png"="10/18/2020 3:58 AM, 94418 bytes, A Adds the file main-bg-head-to-head-table.png"="10/18/2020 3:58 AM, 100658 bytes, A Adds the file main-bg-league-table.png"="10/18/2020 3:58 AM, 97675 bytes, A Adds the file main-bg-wizard.png"="10/18/2020 3:58 AM, 6703 bytes, A Adds the file main-bg-wizard-intro.png"="10/18/2020 3:58 AM, 5260 bytes, A Adds the file main-bottom.png"="10/18/2020 3:58 AM, 905 bytes, A Adds the file main-center.png"="10/18/2020 3:58 AM, 252 bytes, A Adds the file MainLogo.png"="10/18/2020 3:58 AM, 1580 bytes, A Adds the file main-top.png"="10/18/2020 3:58 AM, 1721 bytes, A Adds the file main-top-no-header.png"="10/18/2020 3:58 AM, 3743 bytes, A Adds the file menu-left.png"="10/18/2020 3:58 AM, 378 bytes, A Adds the file menu-right.png"="10/18/2020 3:58 AM, 303 bytes, A Adds the file minimize.png"="10/18/2020 3:58 AM, 259 bytes, A Adds the file Mobile_Promotion.png"="10/18/2020 3:58 AM, 130833 bytes, A Adds the file new_logo_big.png"="10/18/2020 3:58 AM, 3881 bytes, A Adds the file new_logo_med.png"="10/18/2020 3:58 AM, 2704 bytes, A Adds the file NewIcon.png"="10/18/2020 3:58 AM, 6481 bytes, A Adds the file notice-ball.png"="10/18/2020 3:58 AM, 3700 bytes, A Adds the file notice-bg.png"="10/18/2020 3:58 AM, 3796 bytes, A Adds the file notice-flag.png"="10/18/2020 3:58 AM, 5404 bytes, A Adds the file notification-off.png"="11/3/2020 7:36 AM, 2019 bytes, A Adds the file notification-on.png"="11/3/2020 7:36 AM, 1412 bytes, A Adds the file ok.png"="10/18/2020 3:58 AM, 3291 bytes, A Adds the file play.png"="10/18/2020 3:58 AM, 577 bytes, A Adds the file play_button.png"="10/18/2020 3:58 AM, 740 bytes, A Adds the file play_icon.png"="10/18/2020 3:58 AM, 2926 bytes, A Adds the file PlayByPlay.png"="10/18/2020 3:58 AM, 280 bytes, A Adds the file preficon.png"="10/18/2020 3:58 AM, 694 bytes, A Adds the file preloader.gif"="10/18/2020 3:58 AM, 14157 bytes, A Adds the file preloader_big.gif"="10/18/2020 3:58 AM, 15209 bytes, A Adds the file right-looser.png"="10/18/2020 3:58 AM, 762 bytes, A Adds the file search-bg.png"="10/18/2020 3:58 AM, 46402 bytes, A Adds the file search-bg-rtl.png"="10/18/2020 3:58 AM, 923 bytes, A Adds the file search-button.png"="10/18/2020 3:58 AM, 3187 bytes, A Adds the file select-preferences-image.png"="10/18/2020 3:58 AM, 136500 bytes, A Adds the file select-preferences-image2.png"="10/18/2020 3:58 AM, 79721 bytes, A Adds the file set-preferences.png"="10/18/2020 3:58 AM, 7958 bytes, A Adds the file settings.png"="11/3/2020 7:36 AM, 3761 bytes, A Adds the file SettingsBanner.jpg"="10/18/2020 3:58 AM, 49478 bytes, A Adds the file SettingsLogo.png"="10/18/2020 3:58 AM, 3842 bytes, A Adds the file side-arrow-down.png"="11/3/2020 7:36 AM, 550 bytes, A Adds the file side-arrow-up.png"="11/3/2020 7:36 AM, 517 bytes, A Adds the file soocialButs.png"="10/18/2020 3:58 AM, 10800 bytes, A Adds the file spacer.png"="10/18/2020 3:58 AM, 922 bytes, A Adds the file star.png"="10/18/2020 3:58 AM, 468 bytes, A Adds the file status-bg.png"="10/18/2020 3:58 AM, 590 bytes, A Adds the file step1-msg-screenshot.png"="10/18/2020 3:58 AM, 39837 bytes, A Adds the file stripeBg.png"="10/18/2020 3:58 AM, 187 bytes, A Adds the file t.gif"="10/18/2020 3:58 AM, 1138 bytes, A Adds the file tab.png"="10/18/2020 3:58 AM, 723 bytes, A Adds the file tabs-arrow.png"="10/18/2020 3:58 AM, 190 bytes, A Adds the file tabs-arrow-rtl.png"="10/18/2020 3:58 AM, 194 bytes, A Adds the file tab-selected.png"="10/18/2020 3:58 AM, 3173 bytes, A Adds the file team-left.png"="10/18/2020 3:58 AM, 848 bytes, A Adds the file team-logo.png"="10/18/2020 3:58 AM, 2317 bytes, A Adds the file team-right.png"="10/18/2020 3:58 AM, 858 bytes, A Adds the file TellAFriend.png"="10/18/2020 3:58 AM, 458 bytes, A Adds the file time.png"="10/18/2020 3:58 AM, 1049 bytes, A Adds the file time-status-bg.png"="10/18/2020 3:58 AM, 3618 bytes, A Adds the file tv-icon.png"="10/18/2020 3:58 AM, 1355 bytes, A Adds the file video-team-shadow.png"="10/18/2020 3:58 AM, 1181 bytes, A Adds the file video-thumb-layer.png"="10/18/2020 3:58 AM, 2104 bytes, A Adds the file welcome01.jpg"="10/18/2020 3:58 AM, 27517 bytes, A Adds the file welcome01-rtl.jpg"="10/18/2020 3:58 AM, 27572 bytes, A Adds the file welcomeBar.png"="10/18/2020 3:58 AM, 1010 bytes, A Adds the file welcomeFB.png"="10/18/2020 3:58 AM, 6017 bytes, A Adds the file welcomeStartBut.png"="10/18/2020 3:58 AM, 2885 bytes, A Adds the file welcomeStartButArrow.png"="10/18/2020 3:58 AM, 2655 bytes, A Adds the file welcomeStartButArrow-rtl.png"="10/18/2020 3:58 AM, 2740 bytes, A Adds the file whowin.png"="10/18/2020 3:58 AM, 9542 bytes, A Adds the file window-top.png"="10/18/2020 3:58 AM, 4433 bytes, A Adds the file wizard-button.png"="10/18/2020 3:58 AM, 5168 bytes, A Adds the file wizard-button-arrow.png"="10/18/2020 3:58 AM, 1454 bytes, A Adds the file wizard-fade.png"="10/18/2020 3:58 AM, 1351 bytes, A Adds the file wizard-intro-button.png"="10/18/2020 3:58 AM, 3525 bytes, A Adds the file wizard-intro-button-arrow.png"="10/18/2020 3:58 AM, 1580 bytes, A Adds the file wizard-intro-content-bg.png"="10/18/2020 3:58 AM, 3182 bytes, A Adds the file wizard-intro-content-inner-box-bg.png"="10/18/2020 3:58 AM, 55078 bytes, A Adds the file wizard-intro-sidebar-bg.png"="10/18/2020 3:58 AM, 55170 bytes, A Adds the file wizard-intro-success-bar.png"="10/18/2020 3:58 AM, 1880 bytes, A Adds the file wizard-intro-toolbar-img.png"="10/18/2020 3:58 AM, 11936 bytes, A Adds the file wizard-label-bg-fix.png"="10/18/2020 3:58 AM, 957 bytes, A Adds the file wizard-remove-logo.png"="10/18/2020 3:58 AM, 1624 bytes, A Adds the file wizard-search-arrow.png"="10/18/2020 3:58 AM, 2877 bytes, A Adds the file wizard-search-arrow-rtl.png"="10/18/2020 3:58 AM, 998 bytes, A Adds the file wizard-search-x.png"="10/18/2020 3:58 AM, 1295 bytes, A Adds the file wizard-sound-off.png"="10/18/2020 3:58 AM, 474 bytes, A Adds the file wizard-sound-on.png"="10/18/2020 3:58 AM, 319 bytes, A Adds the file wizard-steps.png"="10/18/2020 3:58 AM, 50098 bytes, A Adds the file xsign-large.png"="10/18/2020 3:58 AM, 1802 bytes, A Adds the file xsign-small.png"="10/18/2020 3:58 AM, 1487 bytes, A Adds the file your-fav-button.png"="10/18/2020 3:58 AM, 5215 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\UI\images\flags Adds the file Flag_CZE.png"="10/18/2020 3:58 AM, 502 bytes, A Adds the file Flag_ENG.png"="10/18/2020 3:58 AM, 203 bytes, A Adds the file Flag_ESP.png"="10/18/2020 3:58 AM, 191 bytes, A Adds the file Flag_FRA.png"="10/18/2020 3:58 AM, 3594 bytes, A Adds the file Flag_GER.png"="10/18/2020 3:58 AM, 185 bytes, A Adds the file Flag_GRE.png"="10/18/2020 3:58 AM, 230 bytes, A Adds the file Flag_ITA.png"="10/18/2020 3:58 AM, 191 bytes, A Adds the file Flag_POR.png"="10/18/2020 3:58 AM, 698 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\UI\images\notif Adds the file 10L.png"="10/18/2020 3:58 AM, 5598 bytes, A Adds the file 11L.png"="10/18/2020 3:58 AM, 4839 bytes, A Adds the file 2L.png"="10/18/2020 3:58 AM, 2590 bytes, A Adds the file 3L.png"="10/18/2020 3:58 AM, 2136 bytes, A Adds the file 4L.png"="10/18/2020 3:58 AM, 1022 bytes, A Adds the file 5L.png"="10/18/2020 3:58 AM, 2438 bytes, A Adds the file 6L.png"="10/18/2020 3:58 AM, 2221 bytes, A Adds the file 7L.png"="10/18/2020 3:58 AM, 2280 bytes, A Adds the file 8L.png"="10/18/2020 3:58 AM, 2515 bytes, A Adds the file 9L.png"="10/18/2020 3:58 AM, 1388 bytes, A Adds the file ball.png"="10/18/2020 3:58 AM, 4853 bytes, A Adds the file Red-Card.png"="10/18/2020 3:58 AM, 4358 bytes, A Adds the file watchlive_icon.png"="10/18/2020 3:58 AM, 4335 bytes, A Adds the file watchlive_notification.png"="10/18/2020 3:58 AM, 98497 bytes, A Adds the file Yellow-Card.png"="10/18/2020 3:58 AM, 4258 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpppefjehmjbiplimkfjeamnohldmko\1.9.8_0\UI\js Adds the file betlines.js"="11/3/2020 7:36 AM, 14781 bytes, A Adds the file broadcast.js"="10/18/2020 3:58 AM, 6389 bytes, A Adds the file GameDetails.js"="11/3/2020 7:36 AM, 26975 bytes, A Adds the file OpenMe.js"="11/26/2020 4:13 AM, 388 bytes, A Adds the file settings.js"="11/8/2020 5:16 AM, 21013 bytes, A Adds the file ShareTemplate.js"="10/18/2020 3:58 AM, 3491 bytes, A Adds the file stats.js"="11/3/2020 7:36 AM, 26316 bytes, A Adds the file videos.js"="11/3/2020 7:36 AM, 21673 bytes, A Adds the file WelcomePage.js"="10/18/2020 3:58 AM, 6880 bytes, A Adds the file Wizard.js"="11/3/2020 7:36 AM, 56553 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "nmpppefjehmjbiplimkfjeamnohldmko"="REG_SZ", "03A0E5E94DAEEF99A813C4781A83A4B75E2620CC2F2C4C1A5D43BB999BC9471A" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/29/21 Scan Time: 2:08 PM Log File: 82191568-9087-11eb-8008-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1236 Update Package Version: 1.0.38857 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233630 Threats Detected: 4 Threats Quarantined: 4 Time Elapsed: 1 min, 36 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.NewTab, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|nmpppefjehmjbiplimkfjeamnohldmko, Quarantined, 334, 926062, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.NewTab, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\nmpppefjehmjbiplimkfjeamnohldmko, Quarantined, 334, 926062, 1.0.38857, , ame, , , File: 2 PUP.Optional.NewTab, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 334, 926062, , , , , 975DF49EADEEAD0FA152B3891B6DF181, 17DD60F36468606701CC9509D7A8A344E95860E42E1F152E9C3B3756E0632C40 PUP.Optional.NewTab, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 334, 926062, , , , , F51DD333B9657E4B3D3037E86B03CFF5, 26B21343F88DCC778670A6C8CFDC565761DD86A332112E8D97C3A20A25F181DE Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Conf Search? The Malwarebytes research team has determined that Conf Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine. How do I know if my computer is affected by Conf Search? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did Conf Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Conf Search? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Conf Search? No, Malwarebytes removes Conf Search completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Conf Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://conf-search.com/?q={searchTerms} CHR DefaultSearchKeyword: Default -> Conf Search CHR Extension: (Conf Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nffflpajbchhcnblnedgbdondpbbhald [2021-03-26] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nffflpajbchhcnblnedgbdondpbbhald\1.0.3_0 Adds the file manifest.json"="3/26/2021 10:56 AM, 1684 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nffflpajbchhcnblnedgbdondpbbhald\1.0.3_0\_metadata Adds the file computed_hashes.json"="3/26/2021 10:56 AM, 3279 bytes, A Adds the file verified_contents.json"="2/15/2021 10:09 AM, 2207 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nffflpajbchhcnblnedgbdondpbbhald\1.0.3_0\image Adds the file 128.png"="3/26/2021 10:56 AM, 7827 bytes, A Adds the file 16.png"="3/26/2021 10:56 AM, 737 bytes, A Adds the file 32.png"="3/26/2021 10:56 AM, 2464 bytes, A Adds the file 48.png"="3/26/2021 10:56 AM, 4279 bytes, A Adds the file 64.png"="3/26/2021 10:56 AM, 6099 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nffflpajbchhcnblnedgbdondpbbhald\1.0.3_0\js Adds the file background.js"="2/4/2021 2:14 PM, 3272 bytes, A Adds the file jquery-2.2.4.js"="3/27/2020 8:37 PM, 257286 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nffflpajbchhcnblnedgbdondpbbhald\1.0.3_0\options Adds the file options.html"="2/4/2021 2:18 PM, 2257 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nffflpajbchhcnblnedgbdondpbbhald Adds the file 000003.log"="3/26/2021 10:56 AM, 61 bytes, A Adds the file CURRENT"="3/26/2021 10:56 AM, 16 bytes, A Adds the file LOCK"="3/26/2021 10:56 AM, 0 bytes, A Adds the file LOG"="3/26/2021 10:59 AM, 409 bytes, A Adds the file LOG.old"="3/26/2021 10:58 AM, 409 bytes, A Adds the file MANIFEST-000001"="3/26/2021 10:56 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nffflpajbchhcnblnedgbdondpbbhald Adds the file 000003.log"="3/26/2021 10:56 AM, 50 bytes, A Adds the file CURRENT"="3/26/2021 10:56 AM, 16 bytes, A Adds the file LOCK"="3/26/2021 10:56 AM, 0 bytes, A Adds the file LOG"="3/26/2021 10:56 AM, 183 bytes, A Adds the file MANIFEST-000001"="3/26/2021 10:56 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "nffflpajbchhcnblnedgbdondpbbhald"="REG_SZ", "307022BFCE23A70E727351D4A900D1911751775102BC931EE8100618E34DF794" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/26/21 Scan Time: 11:09 AM Log File: 4f2b27d6-8e1b-11eb-a9be-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1217 Update Package Version: 1.0.38723 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233560 Threats Detected: 18 Threats Quarantined: 18 Time Elapsed: 2 min, 24 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchHijack.Generic.ChrPRST, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|nffflpajbchhcnblnedgbdondpbbhald, Quarantined, 16213, 828115, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\nffflpajbchhcnblnedgbdondpbbhald, Quarantined, 16213, 828115, , , , , , PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\nffflpajbchhcnblnedgbdondpbbhald, Quarantined, 16213, 828115, , , , , , PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NFFFLPAJBCHHCNBLNEDGBDONDPBBHALD, Quarantined, 16213, 828115, 1.0.38723, , ame, , , File: 14 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16213, 828115, , , , , 0C72F01BD8546323E95DDF56203156E5, 63A1CAEA35436804DA17C2C4A7718DB58E50ED504956C5FCBB90A247B25819A8 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16213, 828115, , , , , 8FDC94FC6F8694FA776DE91EB8015B10, D22231118FD05B55DA584F2362AB5733B032E651FF756B39639A3442AFE9CF4B PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nffflpajbchhcnblnedgbdondpbbhald\000003.log, Quarantined, 16213, 828115, , , , , 646D9C8D38B9AB8CE7E554CB56E7D463, F232664DA6B83F414E3816FE96BC60E00BA53AF5F1E3F97B19E70B4A937747E9 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nffflpajbchhcnblnedgbdondpbbhald\CURRENT, Quarantined, 16213, 828115, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nffflpajbchhcnblnedgbdondpbbhald\LOCK, Quarantined, 16213, 828115, , , , , , PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nffflpajbchhcnblnedgbdondpbbhald\LOG, Quarantined, 16213, 828115, , , , , 70849E7D40BB0B9850E2B734048D9782, 7967B8C1E3757194ADC99FF61F543DA62FFCBEE51DDDF15EC53EF866853AF78D PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nffflpajbchhcnblnedgbdondpbbhald\LOG.old, Quarantined, 16213, 828115, , , , , 9EB77B5B283B5A58FD605B476738908A, 11456962D8F263B04794B62BBAF49E7984B4271A6DC63C8B59E2227723EECCC0 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nffflpajbchhcnblnedgbdondpbbhald\MANIFEST-000001, Quarantined, 16213, 828115, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nffflpajbchhcnblnedgbdondpbbhald\000003.log, Quarantined, 16213, 828115, , , , , 188157BE4692F62927478C491E352750, 4EF43973EAC2559FA08924E1A220889F44E365E1BCF8192022E41FCFAC9AC862 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nffflpajbchhcnblnedgbdondpbbhald\CURRENT, Quarantined, 16213, 828115, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nffflpajbchhcnblnedgbdondpbbhald\LOCK, Quarantined, 16213, 828115, , , , , , PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nffflpajbchhcnblnedgbdondpbbhald\LOG, Quarantined, 16213, 828115, , , , , 9674A18DC424B9E4BC0796CBE59720D7, 088CC61D94808BC646AFE5C266054ED6C6D1BC8349F1B2F6EA750316B9650AB6 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nffflpajbchhcnblnedgbdondpbbhald\MANIFEST-000001, Quarantined, 16213, 828115, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NFFFLPAJBCHHCNBLNEDGBDONDPBBHALD\1.0.3_0\MANIFEST.JSON, Quarantined, 16213, 828115, 1.0.38723, , ame, , 2800E64E013A90DD7DAEAD4B11266356, FED1786AACBF28808819C3CCCF68B0D4C3FC4616C8386FB9826BA8777F1A7C7F Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Search Button? The Malwarebytes research team has determined that Search Button is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one closes your search tab and opens a new one with their own search engine. It also adds recommended searches to the search results. How do I know if my computer is affected by Search Button? You may see this entry in your list of installed Chrome extensions: You may have noticed these warnings during install: How did Search Button get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Search Button? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Search Button? No, Malwarebytes removes Search Button completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Search Button hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Extension: (Search Button) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\imomoaphompmapmhcdioafbdmgnmdagk [2021-03-24] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\imomoaphompmapmhcdioafbdmgnmdagk\2.2.6_0 Adds the file gainsay.js"="3/21/2021 8:57 AM, 9310 bytes, A Adds the file harmonised.html"="3/20/2021 11:40 AM, 1721 bytes, A Adds the file jquery-3.5.1.min.js.js"="3/19/2021 10:48 PM, 89502 bytes, A Adds the file manifest.json"="3/24/2021 4:08 PM, 1034 bytes, A Adds the file postpones.js"="3/19/2021 10:48 PM, 2296 bytes, A Adds the file recrystallized.css"="3/19/2021 10:48 PM, 2949 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\imomoaphompmapmhcdioafbdmgnmdagk\2.2.6_0\_metadata Adds the file computed_hashes.json"="3/24/2021 4:08 PM, 2303 bytes, A Adds the file verified_contents.json"="3/21/2021 8:56 AM, 2545 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\imomoaphompmapmhcdioafbdmgnmdagk\2.2.6_0\icons Adds the file camp.png"="3/19/2021 10:48 PM, 1910 bytes, A Adds the file gate.png"="3/24/2021 4:08 PM, 3253 bytes, A Adds the file happen.png"="3/24/2021 4:08 PM, 1300 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\imomoaphompmapmhcdioafbdmgnmdagk\2.2.6_0\img Adds the file fists.png"="3/19/2021 10:48 PM, 1310 bytes, A Adds the file pry.svg"="3/19/2021 10:48 PM, 298 bytes, A Adds the file search.svg"="3/19/2021 10:48 PM, 298 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "imomoaphompmapmhcdioafbdmgnmdagk"="REG_SZ", "BEC687613EEEBB2297178BE6DD85EF64FCCE284D2D22BD5FF37D174EA80CA3F5" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/25/21 Scan Time: 11:14 AM Log File: daac21b2-8d52-11eb-b800-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1217 Update Package Version: 1.0.38671 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233550 Threats Detected: 5 Threats Quarantined: 5 Time Elapsed: 2 min, 3 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|imomoaphompmapmhcdioafbdmgnmdagk, Quarantined, 336, 924465, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IMOMOAPHOMPMAPMHCDIOAFBDMGNMDAGK, Quarantined, 336, 924465, 1.0.38671, , ame, , , File: 3 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 336, 924465, , , , , F4F2AE6742A7D8C80D7F3EF2D07B4CBA, 43C75C105017B56B7496F10DD750088134A6C6F27F525D5C3F3A544D613246C3 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 336, 924465, , , , , A2B83484A45AC33AE42249E4266B743F, 61ADEB434A1EF8669FA325E562C2660C14DBFA3AB87CD07FE7E320BFB31D2994 PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IMOMOAPHOMPMAPMHCDIOAFBDMGNMDAGK\2.2.6_0\MANIFEST.JSON, Quarantined, 336, 924465, 1.0.38671, , ame, , CB9C0AA8BFDD23518B8C921009854FC8, 5BAA333D0F4B591E641C0C9E90EDC1B485394B47CE57C14E9542E4C1631FBBF4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Movieapp Search?The Malwarebytes research team has determined that Movieapp Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one redirects to their own search engine and adds Recommended Searches.How do I know if my computer is affected by Movieapp Search?You may see this entry in your list of installed Chrome extensions:and this changed setting:You may have noticed these warnings during install:How did Movieapp Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Movieapp Search?Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Movieapp Search? No, Malwarebytes removes Movieapp Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Movieapp Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://search.movieapp.net/search.php?src=mvasdr&type=ds&q={searchTerms} CHR DefaultSearchKeyword: Default -> Movieapp CHR DefaultSuggestURL: Default -> hxxps://search.movieapp.net/suggest.php?q={searchTerms} CHR Extension: (Movieapp) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mafjekgodphomngmogijlhnfingjgboh [2021-03-23] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mafjekgodphomngmogijlhnfingjgboh\3.0.20_0 Adds the file background.js"="10/29/2020 8:33 PM, 2158 bytes, A Adds the file manifest.json"="3/23/2021 8:56 AM, 1888 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mafjekgodphomngmogijlhnfingjgboh\3.0.20_0\_metadata Adds the file computed_hashes.json"="3/23/2021 8:56 AM, 404 bytes, A Adds the file verified_contents.json"="3/22/2021 3:43 PM, 1649 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mafjekgodphomngmogijlhnfingjgboh\3.0.20_0\icons Adds the file icon128.png"="3/23/2021 8:56 AM, 6279 bytes, A Adds the file icon16.png"="5/29/2020 1:53 PM, 610 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mafjekgodphomngmogijlhnfingjgboh"="REG_SZ", "C806E755B36C3D7DD6BBB7C11FB427F2371D96CAE137236BB5701FB317781A7B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/23/21 Scan Time: 4:05 PM Log File: 2fd024ce-8be9-11eb-a2ed-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1217 Update Package Version: 1.0.38581 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233534 Threats Detected: 5 Threats Quarantined: 5 Time Elapsed: 1 min, 49 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SosoInteractive, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|mafjekgodphomngmogijlhnfingjgboh, Quarantined, 16151, 923806, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.SosoInteractive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MAFJEKGODPHOMNGMOGIJLHNFINGJGBOH, Quarantined, 16151, 923806, 1.0.38581, , ame, , , File: 3 PUP.Optional.SosoInteractive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16151, 923806, , , , , B41A1F7A7BD87ED3908254A59E99B438, 281F71168DB128FD1BED4155DFFDA4DEEDC66A7DC4451C5E5ECE84555C21063B PUP.Optional.SosoInteractive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16151, 923806, , , , , D0C0FAAFB7437C5849EF55A22A85722F, 3606B1BB78F5871E4BFBCB3AE6F162C340DEF168C62C9B4FB80F3884B1595335 PUP.Optional.SosoInteractive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MAFJEKGODPHOMNGMOGIJLHNFINGJGBOH\3.0.20_0\BACKGROUND.JS, Quarantined, 16151, 923806, 1.0.38581, , ame, , 552006CFB20C0AFFD4F57F22A2DAE2ED, A06DB43A848EFD3D36825564BCC0BB46D329B1B039217F3E0CE8809740743508 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is InstaQuick? The Malwarebytes research team has determined that InstaQuick is adware. These adware applications display advertisements not originating from the sites you are browsing. How do I know if my computer is affected by InstaQuick? You may see these warnings during install: and this entry in your list of installed Programs and Features: How did InstaQuick get on my computer? Adware applications use different methods for distributing themselves. This particular one was downloaded from their website. How do I remove InstaQuick? Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of InstaQuick? No, Malwarebytes removes InstaQuick completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the InstaQuick adware. It would have blocked the installer before it became too late. and we would have blocked access to their domain. Technical details for experts Possible signs in FRST logs: (InstaQuick -> InstaQuick) [File not signed] C:\Users\{username}\AppData\Roaming\InstaQuick\InstaQuick.exe <6> HKLM-x32\...\Run: [InstaQuick] => C:\Users\{username}\AppData\Roaming\InstaQuick\InstaQuick.exe [5304992 2021-02-04] (InstaQuick -> InstaQuick) [File not signed] C:\Users\{username}\AppData\Local\InstaQuick C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\InstaQuick C:\Users\{username}\AppData\Roaming\InstaQuick (InstaQuick) C:\Users\{username}\Desktop\InstaQuick.17.2102.1acwk.exe InstaQuick - Instagram for Desktop (HKLM-x32\...\InstaQuick) (Version: 17.2102.1acwk - InstaQuick) () [File not signed] C:\Users\{username}\AppData\Roaming\InstaQuick\swiftshader\libegl.dll () [File not signed] C:\Users\{username}\AppData\Roaming\InstaQuick\swiftshader\libglesv2.dll (InstaQuick -> Microsoft Corporation) [File not signed] C:\Users\{username}\AppData\Roaming\InstaQuick\D3DCompiler_47.dll (InstaQuick -> The NW.js Community) [File not signed] C:\Users\{username}\AppData\Roaming\InstaQuick\node.dll (InstaQuick -> The NW.js Community) [File not signed] C:\Users\{username}\AppData\Roaming\InstaQuick\nw.dll (InstaQuick -> The NW.js Community) [File not signed] C:\Users\{username}\AppData\Roaming\InstaQuick\nw_elf.dll Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data Adds the file CrashpadMetrics-active.pma"="3/22/2021 8:40 AM, 1048576 bytes, A Adds the file First Run"="3/22/2021 8:40 AM, 0 bytes, A Adds the file Local State"="3/22/2021 8:41 AM, 3427 bytes, A Adds the file lockfile"="3/22/2021 8:40 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\BrowserMetrics Adds the file BrowserMetrics-605849D8-1384.pma"="3/22/2021 8:40 AM, 4194304 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Crashpad Adds the file metadata"="3/22/2021 8:40 AM, 0 bytes, A Adds the file settings.dat"="3/22/2021 8:40 AM, 40 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Crashpad\reports Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default Adds the file 000003.log"="3/22/2021 8:40 AM, 0 bytes, A Adds the file Cookies"="3/22/2021 8:41 AM, 20480 bytes, A Adds the file Cookies-journal"="3/22/2021 8:41 AM, 0 bytes, A Adds the file CURRENT"="3/22/2021 8:40 AM, 16 bytes, A Adds the file Favicons"="3/22/2021 8:40 AM, 20480 bytes, A Adds the file Favicons-journal"="3/22/2021 8:40 AM, 0 bytes, A Adds the file Google Profile.ico"="3/22/2021 8:40 AM, 151668 bytes, A Adds the file History"="3/22/2021 8:40 AM, 118784 bytes, A Adds the file History-journal"="3/22/2021 8:40 AM, 0 bytes, A Adds the file LOCK"="3/22/2021 8:40 AM, 0 bytes, A Adds the file LOG"="3/22/2021 8:40 AM, 0 bytes, A Adds the file Login Data"="3/22/2021 8:40 AM, 18432 bytes, A Adds the file Login Data-journal"="3/22/2021 8:40 AM, 0 bytes, A Adds the file MANIFEST-000002"="3/22/2021 8:40 AM, 50 bytes, A Adds the file Network Action Predictor"="3/22/2021 8:40 AM, 36864 bytes, A Adds the file Network Action Predictor-journal"="3/22/2021 8:40 AM, 0 bytes, A Adds the file Network Persistent State"="3/22/2021 8:41 AM, 499 bytes, A Adds the file page_load_capping_opt_out.db"="3/22/2021 8:40 AM, 16384 bytes, A Adds the file page_load_capping_opt_out.db-journal"="3/22/2021 8:40 AM, 0 bytes, A Adds the file Preferences"="3/22/2021 8:41 AM, 2430 bytes, A Adds the file previews_opt_out.db"="3/22/2021 8:40 AM, 16384 bytes, A Adds the file previews_opt_out.db-journal"="3/22/2021 8:40 AM, 0 bytes, A Adds the file QuotaManager"="3/22/2021 8:41 AM, 53248 bytes, A Adds the file QuotaManager-journal"="3/22/2021 8:41 AM, 0 bytes, A Adds the file README"="3/22/2021 8:40 AM, 162 bytes, A Adds the file Secure Preferences"="3/22/2021 8:40 AM, 4724 bytes, A Adds the file Top Sites"="3/22/2021 8:40 AM, 20480 bytes, A Adds the file Top Sites-journal"="3/22/2021 8:40 AM, 0 bytes, A Adds the file TransportSecurity"="3/22/2021 8:41 AM, 1592 bytes, A Adds the file Visited Links"="3/22/2021 8:40 AM, 0 bytes, A Adds the file Web Data"="3/22/2021 8:40 AM, 65536 bytes, A Adds the file Web Data-journal"="3/22/2021 8:40 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\blob_storage Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\Cache Adds the file data_0"="3/22/2021 8:40 AM, 45056 bytes, A Adds the file data_1"="3/22/2021 8:40 AM, 270336 bytes, A Adds the file data_2"="3/22/2021 8:40 AM, 1056768 bytes, A Adds the file data_3"="3/22/2021 8:40 AM, 4202496 bytes, A Adds the file f_000001"="3/22/2021 8:40 AM, 33478 bytes, A Adds the file f_000011"="3/22/2021 8:40 AM, 259232 bytes, A Adds the file index"="3/22/2021 8:40 AM, 262512 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\data_reduction_proxy_leveldb Adds the file 000003.log"="3/22/2021 8:40 AM, 0 bytes, A Adds the file CURRENT"="3/22/2021 8:40 AM, 16 bytes, A Adds the file LOCK"="3/22/2021 8:40 AM, 0 bytes, A Adds the file LOG"="3/22/2021 8:40 AM, 0 bytes, A Adds the file MANIFEST-000002"="3/22/2021 8:40 AM, 50 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\databases Adds the file Databases.db"="3/22/2021 8:40 AM, 28672 bytes, A Adds the file Databases.db-journal"="3/22/2021 8:40 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\databases\chrome-extension_mhbghaopeodicgkmjaffmkmdfddmncnh_0 Adds the file 1"="3/22/2021 8:40 AM, 16384 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\Extension Rules Adds the file 000003.log"="3/22/2021 8:40 AM, 0 bytes, A Adds the file CURRENT"="3/22/2021 8:40 AM, 16 bytes, A Adds the file LOCK"="3/22/2021 8:40 AM, 0 bytes, A Adds the file LOG"="3/22/2021 8:40 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/22/2021 8:40 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\Extension State Adds the file 000003.log"="3/22/2021 8:40 AM, 0 bytes, A Adds the file CURRENT"="3/22/2021 8:40 AM, 16 bytes, A Adds the file LOCK"="3/22/2021 8:40 AM, 0 bytes, A Adds the file LOG"="3/22/2021 8:40 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/22/2021 8:40 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\GPUCache Adds the file data_0"="3/22/2021 8:40 AM, 8192 bytes, A Adds the file data_1"="3/22/2021 8:40 AM, 270336 bytes, A Adds the file data_2"="3/22/2021 8:40 AM, 8192 bytes, A Adds the file data_3"="3/22/2021 8:40 AM, 8192 bytes, A Adds the file index"="3/22/2021 8:40 AM, 262512 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\IndexedDB\https_www.instagram.com_0.indexeddb.leveldb Adds the file 000003.log"="3/22/2021 8:40 AM, 318 bytes, A Adds the file CURRENT"="3/22/2021 8:40 AM, 16 bytes, A Adds the file LOCK"="3/22/2021 8:40 AM, 0 bytes, A Adds the file LOG"="3/22/2021 8:40 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/22/2021 8:40 AM, 23 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\Local Storage\leveldb Adds the file 000003.log"="3/22/2021 8:40 AM, 0 bytes, A Adds the file CURRENT"="3/22/2021 8:40 AM, 16 bytes, A Adds the file LOCK"="3/22/2021 8:40 AM, 0 bytes, A Adds the file LOG"="3/22/2021 8:40 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/22/2021 8:40 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\Session Storage Adds the file 000003.log"="3/22/2021 8:40 AM, 0 bytes, A Adds the file CURRENT"="3/22/2021 8:40 AM, 16 bytes, A Adds the file LOCK"="3/22/2021 8:40 AM, 0 bytes, A Adds the file LOG"="3/22/2021 8:40 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/22/2021 8:40 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\Site Characteristics Database Adds the file 000003.log"="3/22/2021 8:40 AM, 0 bytes, A Adds the file CURRENT"="3/22/2021 8:40 AM, 16 bytes, A Adds the file LOCK"="3/22/2021 8:40 AM, 0 bytes, A Adds the file LOG"="3/22/2021 8:40 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/22/2021 8:40 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\Sync Data\LevelDB Adds the file 000003.log"="3/22/2021 8:40 AM, 0 bytes, A Adds the file CURRENT"="3/22/2021 8:40 AM, 16 bytes, A Adds the file LOCK"="3/22/2021 8:40 AM, 0 bytes, A Adds the file LOG"="3/22/2021 8:40 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/22/2021 8:40 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\Thumbnails Adds the file 000003.log"="3/22/2021 8:40 AM, 0 bytes, A Adds the file CURRENT"="3/22/2021 8:40 AM, 16 bytes, A Adds the file LOCK"="3/22/2021 8:40 AM, 0 bytes, A Adds the file LOG"="3/22/2021 8:40 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/22/2021 8:40 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Default\Web Applications\_nwjs_mhbghaopeodicgkmjaffmkmdfddmncnh Adds the file InstaQuick.ico"="3/22/2021 8:40 AM, 172894 bytes, A Adds the file InstaQuick.ico.md5"="3/22/2021 8:40 AM, 16 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\ShaderCache\GPUCache Adds the file data_0"="3/22/2021 8:40 AM, 8192 bytes, A Adds the file data_1"="3/22/2021 8:40 AM, 270336 bytes, A Adds the file data_2"="3/22/2021 8:40 AM, 8192 bytes, A Adds the file data_3"="3/22/2021 8:40 AM, 8192 bytes, A Adds the file index"="3/22/2021 8:40 AM, 262512 bytes, A Adds the folder C:\Users\{username}\AppData\Local\InstaQuick\User Data\Stability Adds the file 4996-1616398806548303.pma"="3/22/2021 8:40 AM, 1048576 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\InstaQuick Adds the file d3dcompiler_47.dll"="2/4/2021 11:49 AM, 3710752 bytes, A Adds the file ffmpeg.dll"="2/4/2021 11:50 AM, 1488160 bytes, A Adds the file icudtl.dat"="1/19/2021 11:29 AM, 10245952 bytes, A Adds the file InstaQuick.exe"="2/4/2021 11:49 AM, 5304992 bytes, A Adds the file libEGL.dll"="2/4/2021 11:50 AM, 96544 bytes, A Adds the file libGLESv2.dll"="2/4/2021 11:50 AM, 4434720 bytes, A Adds the file natives_blob.bin"="1/19/2021 11:29 AM, 92247 bytes, A Adds the file node.dll"="2/4/2021 11:50 AM, 12371744 bytes, A Adds the file notification_helper.exe"="2/4/2021 11:49 AM, 493344 bytes, A Adds the file nw.dll"="2/4/2021 11:50 AM, 94750496 bytes, A Adds the file nw_100_percent.pak"="1/19/2021 11:29 AM, 1021430 bytes, A Adds the file nw_200_percent.pak"="1/19/2021 11:29 AM, 1341563 bytes, A Adds the file nw_elf.dll"="2/4/2021 11:50 AM, 493856 bytes, A Adds the file resources.pak"="1/19/2021 11:29 AM, 5550400 bytes, A Adds the file snapshot_blob.bin"="1/19/2021 11:29 AM, 1283220 bytes, A Adds the file storage.json"="3/22/2021 8:39 AM, 80 bytes, A Adds the file Uninstall.exe"="3/22/2021 8:39 AM, 472524 bytes, A Adds the file v8_context_snapshot.bin"="1/19/2021 11:29 AM, 1607648 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\InstaQuick\locales Adds the folder C:\Users\{username}\AppData\Roaming\InstaQuick\swiftshader Adds the file libEGL.dll"="1/19/2021 11:29 AM, 122368 bytes, A Adds the file libGLESv2.dll"="1/19/2021 11:29 AM, 2256896 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\InstaQuick Adds the file InstaQuick.lnk"="3/22/2021 8:39 AM, 1873 bytes, A Adds the file Uninstall.lnk"="3/22/2021 8:39 AM, 1866 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "InstaQuick"="REG_SZ", "C:\Users\{username}\AppData\Roaming\InstaQuick\InstaQuick.exe --su" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InstaQuick] "DisplayIcon"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\InstaQuick\Uninstall.exe"" "DisplayName"="REG_SZ", "InstaQuick - Instagram for Desktop" "DisplayVersion"="REG_SZ", "17.2102.1acwk" "EstimatedSize"="REG_DWORD", 179797 "Publisher"="REG_SZ", "InstaQuick" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\InstaQuick\Uninstall.exe"" [HKEY_CURRENT_USER\Software\AppDataLow\Software\InstaQuick] "uid"="REG_SZ", "BD2E4143-63F5-4568-BE87-73C4F20BC096" [HKEY_CURRENT_USER\Software\nwjs] "FirstNotDefault"="REG_QWORD, .../ "metricsid"="REG_SZ", "b94fb534-649f-41ab-b791-f6472c7aac8a" "metricsid_enableddate"="REG_SZ", "1616398809" "metricsid_installdate"="REG_SZ", "1616398808" [HKEY_CURRENT_USER\Software\nwjs\BLBeacon] "failed_count"="REG_DWORD", 0 "state"="REG_DWORD", 1 "version"="REG_SZ", "71.0.3578.98" [HKEY_CURRENT_USER\Software\nwjs\PreferenceMACs\Default] "browser.show_home_button"="REG_SZ", "D4AE6B748030C65B37203BF504F4BAB6B7189D30A8068E933D27D272B9825121" "default_search_provider_data.template_url_data"="REG_SZ", "577902E48778C2084EA38A666D6F118AC7A10E564E6D2C614157FE4553B1CDF1" "google.services.account_id"="REG_SZ", "6FD09700B4A149D948B55F3C0AB72673D5C367B9E751454C6202DC1D3DFA6802" "google.services.last_account_id"="REG_SZ", "6AF24852E27EDB5DFA7E36D3AC87D5EBDB6B1A2ACB4AF4E651C22798B2394A67" "google.services.last_username"="REG_SZ", "BF235C9F83153EC2D71D60021ED0AA56728D62A5264E811DCEBFF589EA33BE81" "google.services.username"="REG_SZ", "A70B5C736433139A005D3E49D73AB8574672434936A4FA21F55757B0E4882F3C" "homepage"="REG_SZ", "6BEC350ECF8125372A826D71D2DB258A636A08AF0C652D9E774072EFB372A346" "homepage_is_newtabpage"="REG_SZ", "71E415DF84698054516E68295FA7E443543243920785F715BF71F2641FD03239" "media.storage_id_salt"="REG_SZ", "7CB55C624C43F9AF857E83B87E0E531816C28E8B247C5FBF4E6515960AD67692" "pinned_tabs"="REG_SZ", "988BA7AF49CBEED46002524FB1DC5972CCCEE6DF03B77A755B3E322D74E33697" "prefs.preference_reset_time"="REG_SZ", "3BB6D1CF1E2266580804D7B343EB3D436157898CC157308C74F704B5D85BFEB3" "safebrowsing.incidents_sent"="REG_SZ", "749D4F2A5067553DBA6E47E7C37A086D83F1623F54420951FD2646E8E8E27C80" "search_provider_overrides"="REG_SZ", "D868509C983E4D4868450576F8A3D3E7E05C68568CF8D7DF91589972AEF37E93" "session.restore_on_startup"="REG_SZ", "43A753CE09B9BF0DC9660872B81B90FD2A0D9B708609FE84D2B964F6828053EA" "session.startup_urls"="REG_SZ", "5622145A2429114A31AC87D39A6757FFC8802A76D4158BC08DC268C76568D401" "settings_reset_prompt.last_triggered_for_default_search"="REG_SZ", "1B7549747E6FD7C37E6D498A93AB6980CF3A2002D339CFD5D09C6997B37FA7E3" "settings_reset_prompt.last_triggered_for_homepage"="REG_SZ", "3937DC165E7432A408A1AEAC832766F0C8D5A7C7ADB070399FE60CB887003332" "settings_reset_prompt.last_triggered_for_startup_urls"="REG_SZ", "9CA5289F21296A288C9A358716171FDF673C04D4A30D443BB97A408B83B08135" "settings_reset_prompt.prompt_wave"="REG_SZ", "8E49A1A3D2AA3456F777518FDCC2BA30722E089ECFD7B7265C2EE8BB90D3EF15" "software_reporter.prompt_seed"="REG_SZ", "CC15095EDB89D7530910B1296F1D27AF2AC038D4F6B627A0668381488E697535" "software_reporter.prompt_version"="REG_SZ", "04FFA133961EA613587BC3C40EBACF2A6F42BCECBCEAE1CE4312993E3A3E752E" [HKEY_CURRENT_USER\Software\nwjs\StabilityMetrics] "user_experience_metrics.stability.exited_cleanly"="REG_DWORD", 0 Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/22/21 Scan Time: 12:22 PM Log File: db431486-8b00-11eb-a0fa-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1217 Update Package Version: 1.0.38517 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233833 Threats Detected: 19 Threats Quarantined: 18 Time Elapsed: 3 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 8 PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\D3DCOMPILER_47.DLL, Quarantined, 3596, 923360, , , , , 6F2978198B7CC08E34769B2660B2C6DF, 3C511D1ED4C5F5D710BE5CACCD7BF596F97F848EBC53F490223A60ECD5542B74 PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\SWIFTSHADER\LIBGLESV2.DLL, Quarantined, 3596, 923360, , , , , DC0A1C2539D26524AADF8AA8937CEF0B, 6C3F9D4062A383983716C6956DEE35C6832E6C7D5DE82D60220D3BF6BEB74A56 PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\SWIFTSHADER\LIBEGL.DLL, Quarantined, 3596, 923360, , , , , 1C85AE3C2CD01A0FA35306E4A79AB09D, E73AEE1DF92CC5ED40F38097310F98C58C41E729C05FE554877B42B620C7D658 PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\NW_ELF.DLL, Quarantined, 3596, 923360, , , , , B179DD1DB5D623A4B44CB29A733C5BAC, A4F4B8F64DC649AE49C1771AA8357A1D139D082F1C39063ECBE2A3010E504E3F PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\NW_ELF.DLL, Quarantined, 3596, 923360, , , , , B179DD1DB5D623A4B44CB29A733C5BAC, A4F4B8F64DC649AE49C1771AA8357A1D139D082F1C39063ECBE2A3010E504E3F PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\NW_ELF.DLL, Quarantined, 3596, 923360, , , , , B179DD1DB5D623A4B44CB29A733C5BAC, A4F4B8F64DC649AE49C1771AA8357A1D139D082F1C39063ECBE2A3010E504E3F PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\NW_ELF.DLL, Quarantined, 3596, 923360, , , , , B179DD1DB5D623A4B44CB29A733C5BAC, A4F4B8F64DC649AE49C1771AA8357A1D139D082F1C39063ECBE2A3010E504E3F PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\NW_ELF.DLL, Quarantined, 3596, 923360, , , , , B179DD1DB5D623A4B44CB29A733C5BAC, A4F4B8F64DC649AE49C1771AA8357A1D139D082F1C39063ECBE2A3010E504E3F Registry Key: 2 PUP.Optional.InstaQuick, HKCU\SOFTWARE\APPDATALOW\SOFTWARE\InstaQuick, Quarantined, 3596, 923363, 1.0.38517, , ame, , , PUP.Optional.InstaQuick, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\InstaQuick, Quarantined, 3596, 923362, 1.0.38517, , ame, , , Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\LOCAL\INSTAQUICK, Removal Failed, 3596, 923359, 1.0.38517, , ame, , , PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK, Quarantined, 3596, 923360, 1.0.38517, , ame, , , PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\INSTAQUICK, Quarantined, 3596, 923361, 1.0.38517, , ame, , , File: 6 PUP.Optional.InstaQuick, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\InstaQuick\InstaQuick.lnk, Quarantined, 3596, 923361, , , , , F45D8F715F6A1157FD446B77D6CDDFE5, A0AAEBC3557D85EA3C6061A367111531FE7B07E7838A384C356CB2CDF809C5E6 PUP.Optional.InstaQuick, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\InstaQuick\Uninstall.lnk, Quarantined, 3596, 923361, , , , , 567EE12CA4B7BA400771D090903FF71D, E5CD824956130AC3CD32FFA717B39B8664CBDEF09171F0E7A08D80D13232AD90 PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\D3DCOMPILER_47.DLL, Quarantined, 3596, 923360, 1.0.38517, , ame, , 6F2978198B7CC08E34769B2660B2C6DF, 3C511D1ED4C5F5D710BE5CACCD7BF596F97F848EBC53F490223A60ECD5542B74 PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\SWIFTSHADER\LIBGLESV2.DLL, Quarantined, 3596, 923360, 1.0.38517, , ame, , DC0A1C2539D26524AADF8AA8937CEF0B, 6C3F9D4062A383983716C6956DEE35C6832E6C7D5DE82D60220D3BF6BEB74A56 PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\SWIFTSHADER\LIBEGL.DLL, Quarantined, 3596, 923360, 1.0.38517, , ame, , 1C85AE3C2CD01A0FA35306E4A79AB09D, E73AEE1DF92CC5ED40F38097310F98C58C41E729C05FE554877B42B620C7D658 PUP.Optional.InstaQuick, C:\USERS\{username}\APPDATA\ROAMING\INSTAQUICK\NW_ELF.DLL, Quarantined, 3596, 923360, 1.0.38517, , ame, , B179DD1DB5D623A4B44CB29A733C5BAC, A4F4B8F64DC649AE49C1771AA8357A1D139D082F1C39063ECBE2A3010E504E3F Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is nok app? The Malwarebytes research team has determined that nok app is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one closes your search tab and opens a new one with their own search engine. How do I know if my computer is affected by nok app? You may see this entry in your list of installed Chrome extensions: You may have noticed these warnings during install: How did nok app get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove nok app? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of nok app? No, Malwarebytes removes nok app completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the nok app hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Extension: (nok app) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igbjecfohkegdmjapeikagjnamfnkobn [2021-03-19] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igbjecfohkegdmjapeikagjnamfnkobn\6.4.11_0 Adds the file manifest.json"="3/19/2021 10:24 AM, 1113 bytes, A Adds the file sr.js"="2/21/2021 11:32 AM, 7540 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igbjecfohkegdmjapeikagjnamfnkobn\6.4.11_0\_metadata Adds the file computed_hashes.json"="3/19/2021 10:24 AM, 396 bytes, A Adds the file verified_contents.json"="2/21/2021 11:31 AM, 1639 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igbjecfohkegdmjapeikagjnamfnkobn\6.4.11_0\icons Adds the file icon128.png"="3/19/2021 10:24 AM, 2188 bytes, A Adds the file icon48.png"="3/19/2021 10:24 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igbjecfohkegdmjapeikagjnamfnkobn Adds the file 000003.log"="3/19/2021 10:25 AM, 224 bytes, A Adds the file CURRENT"="3/19/2021 10:24 AM, 16 bytes, A Adds the file LOCK"="3/19/2021 10:24 AM, 0 bytes, A Adds the file LOG"="3/19/2021 10:24 AM, 183 bytes, A Adds the file MANIFEST-000001"="3/19/2021 10:24 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "igbjecfohkegdmjapeikagjnamfnkobn"="REG_SZ", "069022FAAEAF4683A85C90B97D929AC12935860A611C941DFBCDF1E3FEF6631D" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/19/21 Scan Time: 10:30 AM Log File: ce2f2b62-8895-11eb-94e6-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1217 Update Package Version: 1.0.38375 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233495 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 1 min, 42 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|igbjecfohkegdmjapeikagjnamfnkobn, Quarantined, 16197, 836150, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\igbjecfohkegdmjapeikagjnamfnkobn, Quarantined, 16197, 836150, , , , , , PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IGBJECFOHKEGDMJAPEIKAGJNAMFNKOBN, Quarantined, 16197, 836150, 1.0.38375, , ame, , , File: 8 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16197, 836150, , , , , 8A6CEF55A366C1BA63C5886CDB36A4B4, E9431AF4EDE62539F5556D8B5996568777B337E4D031E1770A70F75C6C8444F0 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16197, 836150, , , , , 75E3724D5A757FBDE52572E020D75C15, 2AB87DFB473F34D1743B94C0E865EFAD52BDD0AB21FE303DCBF3A559582D3FA0 PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igbjecfohkegdmjapeikagjnamfnkobn\000003.log, Quarantined, 16197, 836150, , , , , FE67FA02D608B7EF7634AA00C0A95EF3, C6360004CBB78C773A015C6279B5FC6C94099E2B6E782F6C101FACB01CFED4EF PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igbjecfohkegdmjapeikagjnamfnkobn\CURRENT, Quarantined, 16197, 836150, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igbjecfohkegdmjapeikagjnamfnkobn\LOCK, Quarantined, 16197, 836150, , , , , , PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igbjecfohkegdmjapeikagjnamfnkobn\LOG, Quarantined, 16197, 836150, , , , , E156FEA19E33C5D942B732CFBDB0B204, 80A8103FF0E7002BB82797DCAF3A58AE0CAFAC60574FF3F752EE13D6B3AAEF59 PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igbjecfohkegdmjapeikagjnamfnkobn\MANIFEST-000001, Quarantined, 16197, 836150, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IGBJECFOHKEGDMJAPEIKAGJNAMFNKOBN\6.4.11_0\MANIFEST.JSON, Quarantined, 16197, 836150, 1.0.38375, , ame, , EC721CD7258A7CE8923245A85592B404, 6C76365CFFF723E0955B120CD3270B32240FA9738A7A8E2AC84051CF7BB8D036 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Simple Malware Protector? Simple Malware Protector is a system optimizer that triggers our PUP detection rules. By doing so we offer users a choice to consider whether they want to use this software. More information can be found on our Malwarebytes Labs blog. How do I know if I am affected by Simple Malware Protector? This is how the main screen of the system optimizer looks: You will find these icons in your taskbar, your startmenu, and on your desktop: and see these types of windows during install: and this type of screens during operations: You may see this entry in your list of installed programs: and this task in your list of Scheduled Tasks: How did Simple Malware Protector get on my computer? These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website. How do I remove Simple Malware Protector? Our program Malwarebytes can detect and remove this PUP. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Simple Malware Protector? No, Malwarebytes removes Simple Malware Protector completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. What if I want to keep Simple Malware Protector? Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it. Open Malwarebytes for Windows. Click the Detection History Click the Allow List To add an item to the Allow List, click Add. Select the exclusion type Allow a file or folder and use the Select a folder button to select the main folder for the software that you wish to keep. Repeat this for any secondary files or folder(s) that belong to the software. If you want to allow the program to connect to the Internet, for example to fetch updates, also add an exclusion of the type Allow an application to connect to the internet and use the Browse button to select the file you wish to grant access. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you in dealing with this system optimizer. As you can see below the full version of Malwarebytes would have warned you against the Simple Malware Protector installer. Technical details for experts You may see these entries in FRST logs: (Corel Corporation -> SimpleStar) C:\Program Files (x86)\Simple Malware Protector\SimpleMalwareProtector.exe Task: {22ED5DB2-3333-4853-8E3A-EE8E7FAA1E60} - System32\Tasks\smp_notifier_executor => C:\Program Files (x86)\Simple Malware Protector\notifier.exe [1891016 2021-01-27] (Corel Corporation -> Corel Corporation) Task: {E3740806-B555-4383-8694-7E3E38FF006B} - System32\Tasks\Simple Malware Protector_startup => C:\Program Files (x86)\Simple Malware Protector\SimpleMalwareProtector.exe [7681736 2021-01-27] (Corel Corporation -> SimpleStar) C:\Users\{username}\AppData\Local\SimpleStar C:\Windows\system32\Tasks\smp_notifier_executor C:\Windows\system32\Tasks\Simple Malware Protector_startup C:\ProgramData\Desktop\Simple Malware Protector.lnk C:\Users\{username}\AppData\Roaming\SimpleStar C:\ProgramData\SimpleStar C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Simple Malware Protector C:\Program Files (x86)\Simple Malware Protector (Corel Corporation) C:\Windows\system32\smpnative64.exe (SimpleStar ) C:\Users\{username}\Desktop\Simple_Setup.exe Simple Malware Protector (HKLM-x32\...\E33A688D-A9DE-4653-9D98-86CBB8910021_SimpleStar_~542DC577_is1) (Version: 2.1.1000.26615 - SimpleStar) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Simple Malware Protector Adds the file AppManager.exe"="1/27/2021 2:11 PM, 505032 bytes, A Adds the file AppResource.dll"="1/27/2021 2:11 PM, 13105352 bytes, A Adds the file categories.ini"="10/30/2020 11:40 AM, 44596 bytes, A Adds the file Chinese_asp_ZH-CN.ini"="1/19/2021 11:45 AM, 55864 bytes, A Adds the file danish_asp_DA.ini"="1/19/2021 11:45 AM, 99052 bytes, A Adds the file dutch_asp_NL.ini"="1/19/2021 11:45 AM, 99440 bytes, A Adds the file eng_asp_en.ini"="1/19/2021 11:45 AM, 54191 bytes, A Adds the file Finnish_asp_FI.ini"="1/19/2021 11:45 AM, 99206 bytes, A Adds the file french_asp_FR.ini"="1/19/2021 11:45 AM, 110672 bytes, A Adds the file german_asp_DE.ini"="1/19/2021 11:45 AM, 109028 bytes, A Adds the file helper.dll"="1/27/2021 2:11 PM, 2339528 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="1/27/2021 2:12 PM, 57032 bytes, A Adds the file italian_asp_IT.ini"="1/19/2021 11:45 AM, 104274 bytes, A Adds the file japanese_asp_JA.ini"="1/19/2021 11:45 AM, 67834 bytes, A Adds the file lci.lci"="3/18/2021 9:07 AM, 664 bytes, H Adds the file loading_withWhiteBG.avi"="1/18/2021 12:20 PM, 103936 bytes, A Adds the file Microsoft.Win32.TaskScheduler.DLL"="1/27/2021 2:12 PM, 123080 bytes, A Adds the file norwegian_asp_NO.ini"="1/19/2021 11:45 AM, 94786 bytes, A Adds the file notifier.exe"="1/27/2021 2:12 PM, 1891016 bytes, A Adds the file portuguese_asp_PT-BR.ini"="1/19/2021 11:45 AM, 101156 bytes, A Adds the file russian_asp_ru.ini"="1/19/2021 11:45 AM, 101630 bytes, A Adds the file scandll.dll"="1/27/2021 2:11 PM, 58568 bytes, A Adds the file SimpleMalwareProtector.exe"="1/27/2021 2:12 PM, 7681736 bytes, A Adds the file SimpleMalwareProtector.exe.config"="1/18/2021 12:19 PM, 6214 bytes, A Adds the file smp.ico"="1/18/2021 12:20 PM, 34494 bytes, A Adds the file spanish_asp_ES.ini"="1/19/2021 11:45 AM, 106462 bytes, A Adds the file swedish_asp_SV.ini"="1/26/2021 1:03 PM, 96526 bytes, A Adds the file System.Core.dll"="1/27/2021 2:12 PM, 675528 bytes, A Adds the file System.Data.SQLite.dll"="1/27/2021 2:12 PM, 894152 bytes, A Adds the file tray.exe"="1/27/2021 2:11 PM, 2059976 bytes, A Adds the file unins000.dat"="3/18/2021 9:07 AM, 98275 bytes, A Adds the file unins000.exe"="3/18/2021 9:07 AM, 1217224 bytes, A Adds the file unins000.msg"="3/18/2021 9:07 AM, 22701 bytes, A Adds the file unrar.dll"="1/27/2021 2:12 PM, 219848 bytes, A Adds the file Xceed.Compression.dll"="1/27/2021 2:12 PM, 110280 bytes, A Adds the file Xceed.Compression.Formats.dll"="1/27/2021 2:12 PM, 73416 bytes, A Adds the file Xceed.FileSystem.dll"="1/27/2021 2:12 PM, 130760 bytes, A Adds the file Xceed.Zip.dll"="1/27/2021 2:12 PM, 204488 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Simple Malware Protector Adds the file Register Simple Malware Protector.lnk"="3/18/2021 9:07 AM, 1233 bytes, A Adds the file Simple Malware Protector.lnk"="3/18/2021 9:07 AM, 1207 bytes, A Adds the file Uninstall Simple Malware Protector.lnk"="3/18/2021 9:07 AM, 1137 bytes, A Adds the folder C:\ProgramData\SimpleStar\Simple Malware Protector Adds the file AddonSafelist"="1/18/2021 12:20 PM, 13312 bytes, A Adds the file log.xslt"="1/18/2021 12:20 PM, 24753 bytes, A Adds the folder C:\ProgramData\SimpleStar\Simple Malware Protector\signatures Adds the file completedatabase.db"="3/18/2021 9:13 AM, 262275072 bytes, A Adds the file Cookies.bin"="3/18/2021 9:13 AM, 233960 bytes, A Adds the file DigSign.bin"="3/18/2021 9:14 AM, 132248 bytes, A Adds the file FilePaths.bin"="3/18/2021 9:13 AM, 5846920 bytes, A Adds the file FileSignature.bin"="3/18/2021 9:14 AM, 39806312 bytes, A Adds the file Folders.bin"="3/18/2021 9:14 AM, 1698944 bytes, A Adds the file Md5.bin"="3/18/2021 9:14 AM, 129842640 bytes, A Adds the file Registry.bin"="3/18/2021 9:14 AM, 39300384 bytes, A Adds the file SetupSign.bin"="3/18/2021 9:14 AM, 13504 bytes, A Adds the file StrSetupSign.bin"="3/18/2021 9:14 AM, 1824 bytes, A Adds the folder C:\ProgramData\SimpleStar\Simple Malware Protector\updates Adds the file 3262completedatabase.zip"="3/18/2021 9:11 AM, 36169813 bytes, A Adds the file 4221mupdate.zip"="3/18/2021 9:13 AM, 108841406 bytes, A Adds the file 4222update.zip"="3/18/2021 9:13 AM, 413832 bytes, A Adds the file 4223update.zip"="3/18/2021 9:13 AM, 671671 bytes, A Adds the file 4224update.zip"="3/18/2021 9:13 AM, 175199 bytes, A Adds the file 4225update.zip"="3/18/2021 9:13 AM, 18596 bytes, A Adds the file 4226update.zip"="3/18/2021 9:13 AM, 191470 bytes, A Adds the folder C:\Users\{username}\AppData\Local\SimpleStar\Simple Malware Protector Adds the file ScanEngineErrorLog.txt"="3/18/2021 9:17 AM, 6083 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\SimpleStar\Simple Malware Protector Adds the file ASPLog.txt"="3/18/2021 9:18 AM, 6520 bytes, A Adds the file QDetail.db"="3/18/2021 9:07 AM, 4096 bytes, A Adds the file Settings.db"="3/18/2021 9:17 AM, 12288 bytes, A Adds the file Update.ini"="3/18/2021 9:10 AM, 2360 bytes, A Adds the file uuid.txt"="3/18/2021 9:07 AM, 35 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\SimpleStar\Simple Malware Protector\Logs Adds the file log_18-03-21_09-17-10.xml"="3/18/2021 9:17 AM, 70532 bytes, A Adds the file SMLog.xml"="3/18/2021 9:17 AM, 3376 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Simple Malware Protector.lnk"="3/18/2021 9:07 AM, 1189 bytes, A In the existing folder C:\Windows\System32 Adds the file smpnative64.exe"="1/27/2021 2:12 PM, 29384 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Simple Malware Protector_startup"="3/18/2021 9:07 AM, 3116 bytes, A Adds the file smp_notifier_executor"="3/18/2021 9:07 AM, 3634 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\E33A688D-A9DE-4653-9D98-86CBB8910021_SimpleStar_~542DC577_is1] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Simple Malware Protector\SimpleMalwareProtector.exe" "DisplayName"="REG_SZ", "Simple Malware Protector" "DisplayVersion"="REG_SZ", "2.1.1000.26615" "EstimatedSize"="REG_DWORD", 32132 "HelpLink"="REG_SZ", "https://goto.simplestar.com/action/?product=SMP&LinkType=Support/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Simple Malware Protector" "Inno Setup: Icon Group"="REG_SZ", "Simple Malware Protector" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.9 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20210318" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Simple Malware Protector\" "MajorVersion"="REG_DWORD", 2 "MinorVersion"="REG_DWORD", 1 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "SimpleStar" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Simple Malware Protector\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Simple Malware Protector\unins000.exe"" "URLInfoAbout"="REG_SZ", "https://www.simplestar.com" "VersionMajor"="REG_DWORD", 2 "VersionMinor"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SimpleStar\Params] "affiliateid"="REG_SZ", "" "SMPInstalledPath"="REG_SZ", "C:\Program Files (x86)\Simple Malware Protector" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "default" "utm_medium"="REG_SZ", "newbuild" "utm_source"="REG_SZ", "simplestar" "x-at"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SimpleStar\Simple Malware Protector] "affiliateid"="REG_SZ", "" "afterInstallUrl"="REG_SZ", "https://goto.simplestar.com/action/?product=SMP&LinkType=Install&BuildID=5&t=" "buildid"="REG_SZ", "5" "BuyNowURL"="REG_SZ", "https://goto.simplestar.com/action/?product=SMP&LinkType=Purchase&BuildID=5&t=" "BuyNowURLADU"="REG_SZ", "" "BuyNowURLASP"="REG_SZ", "" "BuyNowURLPB"="REG_SZ", "" "BuyNowURLRCP"="REG_SZ", "" "cmd_t"="REG_SZ", "" "Expired"="REG_DWORD", 0 "InstalledPath"="REG_SZ", "C:\Program Files (x86)\Simple Malware Protector" "isphone"="REG_SZ", "0" "IsScanOptional"="REG_DWORD", 1 "issilent"="REG_DWORD", 1 "MaxFixLimit"="REG_DWORD", 0 "REGVER"="REG_DWORD", 0 "REGVER-UNINSTALL"="REG_DWORD", 0 "RenewNowURL"="REG_SZ", "https://goto.simplestar.com/action/?product=SMP&LinkType=Renew&BuildID=5&t=" "RenewNowURLADU"="REG_SZ", "" "RenewNowURLASP"="REG_SZ", "" "RenewNowURLPB"="REG_SZ", "" "RenewNowURLRCP"="REG_SZ", "" "showbc"="REG_DWORD", 0 "showfth"="REG_DWORD", 0 "showfthsetting"="REG_DWORD", 0 "showpb"="REG_DWORD", 0 "showsm"="REG_DWORD", 1 "support_email"="REG_SZ", "support@simplestar.com" "SUPPORT_URL"="REG_SZ", "https://goto.simplestar.com/action/?product=SMP&LinkType=Support&BuildID=5&t=" "TELNO"="REG_SZ", "" "TELNOFR"="REG_SZ", "" "uid"="REG_SZ", "72205a28-a34819b8-a4bb0795-f972a54c" "utm_campaign"="REG_SZ", "default" "utm_medium"="REG_SZ", "newbuild" "utm_source"="REG_SZ", "simplestar" "x-at"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SimpleStar\Simple Malware Protector\LANG] "LangCode"="REG_SZ", "en" "LangID"="REG_DWORD", 0 [HKEY_CURRENT_USER\Software\SimpleStar\params] "SMPInstalledPath"="REG_SZ", "C:\Program Files (x86)\Simple Malware Protector" [HKEY_CURRENT_USER\Software\SimpleStar\Simple Malware Protector] "affiliateid"="REG_SZ", "" "buildid"="REG_SZ", "5" "cmd_t"="REG_SZ", "" "CurrentScanTime"="REG_BINARY, ........ "FirstInstallDate"="REG_SZ", "18-03-2021" "InstalledPath"="REG_SZ", "C:\Program Files (x86)\Simple Malware Protector" "StrLastErrorsFixed"="REG_SZ", "0" "StrLastScanResults"="REG_SZ", "92" "TELNO"="REG_SZ", "" "TELNOFR"="REG_SZ", "" "utm_campaign"="REG_SZ", "default" "utm_days"="REG_SZ", "0" "utm_medium"="REG_SZ", "newbuild" "utm_source"="REG_SZ", "simplestar" "x-at"="REG_SZ", "" [HKEY_CURRENT_USER\Software\SimpleStar\Simple Malware Protector\2.1.1000.26615] [HKEY_CURRENT_USER\Software\SimpleStar\Simple Malware Protector\LANG] "LangCode"="REG_SZ", "en" "LangID"="REG_DWORD", 0 Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/18/21 Scan Time: 9:26 AM Log File: a1d5a9f6-87c3-11eb-934c-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1217 Update Package Version: 1.0.38331 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233646 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.AdvancedSystemProtector, C:\PROGRAM FILES (X86)\SIMPLE MALWARE PROTECTOR\SIMPLEMALWAREPROTECTOR.EXE, Quarantined, 869, 911866, , , , , 20B90A718CF55D95616A79342DBA5D06, C88800519501E455CF6A45CD88776E54CE094A90B03312CF5ACBC796932E3A42 Module: 2 PUP.Optional.AdvancedSystemProtector, C:\PROGRAM FILES (X86)\SIMPLE MALWARE PROTECTOR\SIMPLEMALWAREPROTECTOR.EXE, Quarantined, 869, 911866, , , , , 20B90A718CF55D95616A79342DBA5D06, C88800519501E455CF6A45CD88776E54CE094A90B03312CF5ACBC796932E3A42 PUP.Optional.AdvancedSystemProtector, C:\PROGRAM FILES (X86)\SIMPLE MALWARE PROTECTOR\SCANDLL.DLL, Quarantined, 869, 911917, , , , , 3614951BABCC88D57F1A26AA2042666D, 92AD4CCA4ECCEC613CF4D58917901A50C4BE2C44845E1E81DDAB7D18AC4033D2 Registry Key: 3 PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Simple Malware Protector_startup, Quarantined, 869, 911866, , , , , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E3740806-B555-4383-8694-7E3E38FF006B}, Quarantined, 869, 911866, , , , , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{E3740806-B555-4383-8694-7E3E38FF006B}, Quarantined, 869, 911866, , , , , , Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 6 PUP.Optional.AdvancedSystemProtector, C:\WINDOWS\SYSTEM32\TASKS\Simple Malware Protector_startup, Quarantined, 869, 911866, , , , , 71C36A0F2F183A885E5F26F5867423AA, 9B20A18FC5FAB6BFCFBB08871730B07D13B0131175F1A882BCF3AB429921AC34 PUP.Optional.AdvancedSystemProtector, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Simple Malware Protector.lnk, Quarantined, 869, 911866, , , , , 6AD0A9E4EF88F0AF810329B557F6631E, 9F988C7F8E3F5C1D5AD382CA90073DCEBB4D1530D3FAA3DCD03E254465EB083B PUP.Optional.AdvancedSystemProtector, C:\PROGRAM FILES (X86)\SIMPLE MALWARE PROTECTOR\SIMPLEMALWAREPROTECTOR.EXE, Quarantined, 869, 911866, 1.0.38331, , ame, , 20B90A718CF55D95616A79342DBA5D06, C88800519501E455CF6A45CD88776E54CE094A90B03312CF5ACBC796932E3A42 PUP.Optional.AdvancedSystemProtector, C:\PROGRAM FILES (X86)\SIMPLE MALWARE PROTECTOR\SCANDLL.DLL, Quarantined, 869, 911917, 1.0.38331, , ame, , 3614951BABCC88D57F1A26AA2042666D, 92AD4CCA4ECCEC613CF4D58917901A50C4BE2C44845E1E81DDAB7D18AC4033D2 PUP.Optional.AdvancedSystemProtector, C:\PROGRAM FILES (X86)\SIMPLE MALWARE PROTECTOR\APPMANAGER.EXE, Quarantined, 869, 911911, 1.0.38331, , ame, , 8E5255733B46E1835407C6411FCCCEBE, 13061DB0897E812E0749903B7C9F800936854805D4323755765C55307F36837D PUP.Optional.SimpleStar, C:\USERS\{username}\DESKTOP\SIMPLE_SETUP.EXE, Quarantined, 1659, 921088, 1.0.38331, , ame, , 60157D8096122784436BD1748C2C0C58, 24E3E15DAEE753690446A2FB09F8AB410F05B4C0D5F25AC4318CFADE2D429487 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this potentially unwanted program. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Your Lovely Tab?The Malwarebytes research team has determined that Your Lovely Tab is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one closes your search tab and opens a new one with their own search engine.How do I know if my computer is affected by Your Lovely Tab?You may see this entry in your list of installed Chrome extensions:You may have noticed these warnings during install:How did Your Lovely Tab get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Your Lovely Tab?Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Your Lovely Tab? No, Malwarebytes removes Your Lovely Tab completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Your Lovely Tab hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (Your Lovely Tab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\oejiifmohcdfbclcpiiedcihibigfkgo [2021-03-17] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\oejiifmohcdfbclcpiiedcihibigfkgo\6.3.73_0 Adds the file manifest.json"="3/17/2021 8:55 AM, 1119 bytes, A Adds the file sr.js"="1/10/2021 9:08 PM, 7535 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\oejiifmohcdfbclcpiiedcihibigfkgo\6.3.73_0\_metadata Adds the file computed_hashes.json"="3/17/2021 8:55 AM, 396 bytes, A Adds the file verified_contents.json"="1/10/2021 9:08 PM, 1639 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\oejiifmohcdfbclcpiiedcihibigfkgo\6.3.73_0\icons Adds the file icon128.png"="3/17/2021 8:55 AM, 2188 bytes, A Adds the file icon48.png"="3/17/2021 8:55 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oejiifmohcdfbclcpiiedcihibigfkgo Adds the file 000003.log"="3/17/2021 8:57 AM, 225 bytes, A Adds the file CURRENT"="3/17/2021 8:55 AM, 16 bytes, A Adds the file LOCK"="3/17/2021 8:55 AM, 0 bytes, A Adds the file LOG"="3/17/2021 8:55 AM, 184 bytes, A Adds the file MANIFEST-000001"="3/17/2021 8:55 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "oejiifmohcdfbclcpiiedcihibigfkgo"="REG_SZ", "93F0FF450A63C9E5DD4E7E735C912D8EDA34FD763A727B2FBD8FE8ECFB1BC9AD" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/17/21 Scan Time: 9:05 AM Log File: 8486deb4-86f7-11eb-89f5-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1217 Update Package Version: 1.0.38283 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233458 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 3 min, 17 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|oejiifmohcdfbclcpiiedcihibigfkgo, Quarantined, 16179, 836150, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\oejiifmohcdfbclcpiiedcihibigfkgo, Quarantined, 16179, 836150, , , , , , PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OEJIIFMOHCDFBCLCPIIEDCIHIBIGFKGO, Quarantined, 16179, 836150, 1.0.38283, , ame, , , File: 8 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16179, 836150, , , , , 8DDC2632144F440A543FB0A80A1E1C4B, 9DFD07EEFC4DFCB7C7C4A3971EE9478DB481B8FDC644CD233778B401E2AD55C5 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16179, 836150, , , , , 9CC936D15B81CDDC7895A2EAF6EDB875, C8E97C768A92D8F2716E990FA550F138F04DA473C63D55945845A6613CCDB91E PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oejiifmohcdfbclcpiiedcihibigfkgo\000003.log, Quarantined, 16179, 836150, , , , , 4D7DAE750110B75EA8E84D2E8F25E9B6, 0511B6A80EC7976A161FFEC28E53A46671EDDBA64805327A8792DD64D92389EE PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oejiifmohcdfbclcpiiedcihibigfkgo\CURRENT, Quarantined, 16179, 836150, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oejiifmohcdfbclcpiiedcihibigfkgo\LOCK, Quarantined, 16179, 836150, , , , , , PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oejiifmohcdfbclcpiiedcihibigfkgo\LOG, Quarantined, 16179, 836150, , , , , B97761CA17321662B0510A0894E77345, 9217FBE0B9EB4F933700356BFD8F8401E8644148043823848EFEBC2B10FFCBFA PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oejiifmohcdfbclcpiiedcihibigfkgo\MANIFEST-000001, Quarantined, 16179, 836150, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OEJIIFMOHCDFBCLCPIIEDCIHIBIGFKGO\6.3.73_0\MANIFEST.JSON, Quarantined, 16179, 836150, 1.0.38283, , ame, , C4A56958ABC2F4030A9CA37F44B78F01, D750031AED38E7E6F70851060408450AC5DDAEC8FE560A6631DDCF0F7DA4EB1F Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is PDFConverterSearchPro? The Malwarebytes research team has determined that PDFConverterSearchPro is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by PDFConverterSearchPro? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did PDFConverterSearchPro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFConverterSearchPro? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFConverterSearchPro? No, Malwarebytes removes PDFConverterSearchPro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFConverterSearchPro hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.pdfconvertersearchpro.com CHR DefaultSearchURL: Default -> hxxps://feed.pdfconvertersearchpro.com/?q={searchTerms}&publisher=pdfconvertersearchpro&barcodeid=586550000000000 CHR DefaultSearchKeyword: Default -> PDFConverterSearchPro CHR DefaultSuggestURL: Default -> hxxps://api.pdfconvertersearchpro.com/suggest/get?q={searchTerms} CHR Extension: (PDFConverterSearchPro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb [2021-03-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0 Adds the file manifest.json"="3/15/2021 2:06 PM, 2192 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/15/2021 2:06 PM, 6725 bytes, A Adds the file verified_contents.json"="11/22/2020 11:31 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\images Adds the file logo-white-text.png"="11/22/2020 11:31 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\images\icons Adds the file 128x128.png"="3/15/2021 2:06 PM, 3646 bytes, A Adds the file 16x16.png"="3/15/2021 2:06 PM, 543 bytes, A Adds the file 64x64.png"="3/15/2021 2:06 PM, 1960 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\scripts Adds the file background.js"="11/22/2020 11:31 AM, 553520 bytes, A Adds the file sitecontent.js"="11/22/2020 11:31 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb Adds the file 000003.log"="3/15/2021 2:06 PM, 0 bytes, A Adds the file CURRENT"="3/15/2021 2:06 PM, 16 bytes, A Adds the file LOCK"="3/15/2021 2:06 PM, 0 bytes, A Adds the file LOG"="3/15/2021 2:06 PM, 0 bytes, A Adds the file MANIFEST-000001"="3/15/2021 2:06 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_akdcioboelamekgappfajnjfpgpimmmb Adds the file PDFConverterSearchPro.ico"="3/15/2021 2:06 PM, 172121 bytes, A Adds the file PDFConverterSearchPro.ico.md5"="3/15/2021 2:06 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "akdcioboelamekgappfajnjfpgpimmmb"="REG_SZ", "F3AE581B78A68DEC8C113BF12D95B1AB3E28ABE5AC03BE5B0B7B6664A6E24343" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/15/21 Scan Time: 2:15 PM Log File: 8d238472-8590-11eb-b310-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1217 Update Package Version: 1.0.38187 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233439 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|akdcioboelamekgappfajnjfpgpimmmb, Quarantined, 16186, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb, Quarantined, 16186, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AKDCIOBOELAMEKGAPPFAJNJFPGPIMMMB, Quarantined, 16186, 799722, 1.0.38187, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16186, 799722, , , , , DF544FF17FCE1471E0F7FC6ABFEADA65, 61F3AF62ECF69C06A7A7BBC7CA38B72920C161EFB4D9F33D34BDB3B55A8D1DF9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16186, 799722, , , , , 70FA40BF46EE8131AD242E2C21167218, 64ACA91506C83F4C0461C1899A077D37DE8B3B772637C5E951594D5EE2B215A7 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\000003.log, Quarantined, 16186, 799722, , , , , D722D2A43C3A2FBE17F095BD1316ACF3, F12A197380F21674F773C3EBBEE4643EB875CD3F750371257DCFA4D79848E8EC Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\CURRENT, Quarantined, 16186, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\LOCK, Quarantined, 16186, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\LOG, Quarantined, 16186, 799722, , , , , F44B24CA498215DC0FF0F73CF36E8652, 6C8E76DBE5234B4946CB3F860C904B7748A27B6C157FD0E8FF12DD9D5417DC22 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\MANIFEST-000001, Quarantined, 16186, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AKDCIOBOELAMEKGAPPFAJNJFPGPIMMMB\1.1.0_0\MANIFEST.JSON, Quarantined, 16186, 799722, 1.0.38187, , ame, , 879C7B4C7B8FC5E96F26A9C1F015F354, E62CEAE65513F9F91D63A51F8468FD9B41573A00948B3E7AACBB89EA44C0A175 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.38187, , ame, , 70FA40BF46EE8131AD242E2C21167218, 64ACA91506C83F4C0461C1899A077D37DE8B3B772637C5E951594D5EE2B215A7 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is goGame app?The Malwarebytes research team has determined that goGame app is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one closes your search tab and opens a new one with their own search engine.How do I know if my computer is affected by goGame app?You may see this entry in your list of installed Chrome extensions:You may have noticed these warnings during install:How did goGame app get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove goGame app?Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of goGame app? No, Malwarebytes removes goGame app completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the goGame app hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (goGame app) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mindjgnkamgejcfhggajieealfmbkhlp [2021-03-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mindjgnkamgejcfhggajieealfmbkhlp\6.3.83_0 Adds the file manifest.json"="3/14/2021 12:03 PM, 1117 bytes, A Adds the file sr.js"="2/6/2021 9:50 PM, 7539 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mindjgnkamgejcfhggajieealfmbkhlp\6.3.83_0\_metadata Adds the file computed_hashes.json"="3/14/2021 12:03 PM, 396 bytes, A Adds the file verified_contents.json"="2/2/2021 11:18 AM, 1639 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mindjgnkamgejcfhggajieealfmbkhlp\6.3.83_0\icons Adds the file icon128.png"="3/14/2021 12:03 PM, 2188 bytes, A Adds the file icon48.png"="3/14/2021 12:03 PM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mindjgnkamgejcfhggajieealfmbkhlp Adds the file 000003.log"="3/14/2021 12:04 PM, 226 bytes, A Adds the file CURRENT"="3/14/2021 12:03 PM, 16 bytes, A Adds the file LOCK"="3/14/2021 12:03 PM, 0 bytes, A Adds the file LOG"="3/14/2021 12:03 PM, 184 bytes, A Adds the file MANIFEST-000001"="3/14/2021 12:03 PM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mindjgnkamgejcfhggajieealfmbkhlp"="REG_SZ", "6102D58A1ACABEB2C792BF526B35261BEAA9F0CBA2079B99E29F0086F3B7506D" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/14/21 Scan Time: 12:11 PM Log File: f98c582c-84b5-11eb-a495-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1217 Update Package Version: 1.0.38137 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233382 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 3 min, 33 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|mindjgnkamgejcfhggajieealfmbkhlp, Quarantined, 16186, 836150, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\mindjgnkamgejcfhggajieealfmbkhlp, Quarantined, 16186, 836150, , , , , , PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MINDJGNKAMGEJCFHGGAJIEEALFMBKHLP, Quarantined, 16186, 836150, 1.0.38137, , ame, , , File: 8 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16186, 836150, , , , , FB1AC27BB1B7B36800A05BAF8D594751, 19B0CD717DEEE856A19AED9B814D7A7DDD95E83EC2035F6AD74FFA54B32E6456 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16186, 836150, , , , , DDDB0F969013B253F0D2D3690DF6391F, AAA7BF41D98331DA94554D9E9A3307B5EE06DE90B5C9918149EEDF5F1054181C PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mindjgnkamgejcfhggajieealfmbkhlp\000003.log, Quarantined, 16186, 836150, , , , , 08C8371C01D13FE6E9D427504B7672C4, A9DDF1D2BBC2218D91759583CA0AA610AD1D3A2852B89A5FF61FAA7E0FCFD5E1 PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mindjgnkamgejcfhggajieealfmbkhlp\CURRENT, Quarantined, 16186, 836150, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mindjgnkamgejcfhggajieealfmbkhlp\LOCK, Quarantined, 16186, 836150, , , , , , PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mindjgnkamgejcfhggajieealfmbkhlp\LOG, Quarantined, 16186, 836150, , , , , 09922250C9E56C4007383826633973F7, A2C7847C6832616AFFF3504E54FAE1334422B0EA5F1CA641DD7F645F39600B7E PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mindjgnkamgejcfhggajieealfmbkhlp\MANIFEST-000001, Quarantined, 16186, 836150, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MINDJGNKAMGEJCFHGGAJIEEALFMBKHLP\6.3.83_0\MANIFEST.JSON, Quarantined, 16186, 836150, 1.0.38137, , ame, , 0D7E2037C1CCE94E6412DD47AC079EFE, 019B5B97DDF9BB4C1761427EF81CDE04808F89FCEFBF34F2C5525D8090492179 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Cactus Search? The Malwarebytes research team has determined that Cactus Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is also a browser NewTab. How do I know if my computer is affected by Cactus Search? You may see this entry in your list of installed Chrome extensions: these changed settings: You may have noticed these warnings during install: How did Cactus Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Cactus Search? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Cactus Search? No, Malwarebytes removes Cactus Search completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Cactus Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://cfmfhjkkbmhnjadclpiegblfmddccdjk/newtab.html" CHR DefaultSearchURL: Default -> hxxps://cactus-search.com/search?q={searchTerms} CHR DefaultSearchKeyword: Default -> Cactussearch CHR Extension: (Cactus Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmfhjkkbmhnjadclpiegblfmddccdjk [2021-03-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmfhjkkbmhnjadclpiegblfmddccdjk\1.2.0_0 Adds the file index.html"="11/19/2020 4:06 PM, 457 bytes, A Adds the file manifest.json"="3/11/2021 8:56 AM, 1871 bytes, A Adds the file newtab.html"="11/19/2020 4:06 PM, 410 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmfhjkkbmhnjadclpiegblfmddccdjk\1.2.0_0\_locales\en Adds the file messages.json"="3/11/2021 8:56 AM, 245 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmfhjkkbmhnjadclpiegblfmddccdjk\1.2.0_0\_metadata Adds the file computed_hashes.json"="3/11/2021 8:56 AM, 2342 bytes, A Adds the file verified_contents.json"="11/19/2020 4:06 PM, 2555 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmfhjkkbmhnjadclpiegblfmddccdjk\1.2.0_0\content Adds the file partnerScript.js"="11/19/2020 4:06 PM, 236 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmfhjkkbmhnjadclpiegblfmddccdjk\1.2.0_0\icons Adds the file 128.png"="3/11/2021 8:56 AM, 5152 bytes, A Adds the file 16.png"="3/11/2021 8:56 AM, 640 bytes, A Adds the file 48.png"="3/11/2021 8:56 AM, 1864 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmfhjkkbmhnjadclpiegblfmddccdjk\1.2.0_0\js Adds the file app.js"="11/19/2020 4:06 PM, 130069 bytes, A Adds the file app.js.LICENSE.txt"="11/19/2020 4:06 PM, 790 bytes, A Adds the file app.js.map"="11/19/2020 4:06 PM, 77 bytes, A Adds the file background.js"="11/19/2020 4:06 PM, 10925 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cfmfhjkkbmhnjadclpiegblfmddccdjk"="REG_SZ", "0D88E6C90AF195940F7E4D729277B0F7C6D25230EAB718DE88399279723D6935" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/11/21 Scan Time: 9:05 AM Log File: 838e50c0-8240-11eb-9c65-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37987 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233379 Threats Detected: 5 Threats Quarantined: 5 Time Elapsed: 4 min, 2 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.CactusSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cfmfhjkkbmhnjadclpiegblfmddccdjk, Quarantined, 16221, 919244, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.CactusSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CFMFHJKKBMHNJADCLPIEGBLFMDDCCDJK, Quarantined, 16221, 919244, 1.0.37987, , ame, , , File: 3 PUP.Optional.CactusSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16221, 919244, , , , , 8F2D8409E0495EB20708075BCBE1D710, 039025B1CB131EDB04E180E35A9A95BAEF30ED31F5CB7A73CDAF30C99361C02D PUP.Optional.CactusSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16221, 919244, , , , , 32973ECFD5DB4F587FE0F173F4F14247, 3FA98395C0329E660C7526158761905299D683C9050241F948B08960A748EC2D PUP.Optional.CactusSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CFMFHJKKBMHNJADCLPIEGBLFMDDCCDJK\1.2.0_0\MANIFEST.JSON, Quarantined, 16221, 919244, 1.0.37987, , ame, , CFB3C921AB7C33A48E5F1303BE684A26, 97A5CF8EA986B9EC6454B2CAFA8C5F0E29E71CF93BB5A71D96A5B08332290534 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Storm Search?The Malwarebytes research team has determined that Storm Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one changes your default search engine.How do I know if my computer is affected by Storm Search?You may see this entry in your list of installed Chrome extensions:and this changed setting:You may have noticed these warnings during install:How did Storm Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Storm Search?Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Storm Search? No, Malwarebytes removes Storm Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Storm Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://find.stormsearch.net/?q={searchTerms} CHR DefaultSearchKeyword: Default -> Storm CHR Extension: (Storm) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbefkjlfamkdegiobdlgilnolpifeaen [2021-03-10] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbefkjlfamkdegiobdlgilnolpifeaen\1.12_0 Adds the file answ.txt"="7/2/2020 12:23 PM, 2229 bytes, A Adds the file manifest.json"="3/10/2021 8:54 AM, 1698 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbefkjlfamkdegiobdlgilnolpifeaen\1.12_0\_metadata Adds the file computed_hashes.json"="3/10/2021 8:54 AM, 3381 bytes, A Adds the file verified_contents.json"="7/2/2020 12:08 PM, 2309 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbefkjlfamkdegiobdlgilnolpifeaen\1.12_0\image Adds the file 128.png"="3/10/2021 8:54 AM, 1528 bytes, A Adds the file 16.png"="3/10/2021 8:54 AM, 189 bytes, A Adds the file 32.png"="3/10/2021 8:54 AM, 506 bytes, A Adds the file 48.png"="3/10/2021 8:54 AM, 714 bytes, A Adds the file 64.png"="3/10/2021 8:54 AM, 947 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbefkjlfamkdegiobdlgilnolpifeaen\1.12_0\js Adds the file background.js"="7/2/2020 12:10 PM, 3277 bytes, A Adds the file jquery-2.2.4.js"="3/27/2020 8:37 PM, 257286 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbefkjlfamkdegiobdlgilnolpifeaen\1.12_0\options Adds the file options.html"="7/2/2020 12:09 PM, 2271 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen Adds the file 000003.log"="3/10/2021 8:54 AM, 61 bytes, A Adds the file CURRENT"="3/10/2021 8:54 AM, 16 bytes, A Adds the file LOCK"="3/10/2021 8:54 AM, 0 bytes, A Adds the file LOG"="3/10/2021 8:54 AM, 184 bytes, A Adds the file MANIFEST-000001"="3/10/2021 8:54 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen Adds the file 000003.log"="3/10/2021 8:54 AM, 51 bytes, A Adds the file CURRENT"="3/10/2021 8:54 AM, 16 bytes, A Adds the file LOCK"="3/10/2021 8:54 AM, 0 bytes, A Adds the file LOG"="3/10/2021 8:54 AM, 183 bytes, A Adds the file MANIFEST-000001"="3/10/2021 8:54 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "nbefkjlfamkdegiobdlgilnolpifeaen"="REG_SZ", "1C6F3B48FC95078C05918B2FC71B98FB8C4E03FE8965F5D46087F83295374FDD" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/10/21 Scan Time: 9:10 AM Log File: 06bc59d4-8178-11eb-bff6-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37937 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233363 Threats Detected: 17 Threats Quarantined: 17 Time Elapsed: 3 min, 3 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchHijack.Generic.ChrPRST, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|nbefkjlfamkdegiobdlgilnolpifeaen, Quarantined, 16151, 828115, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen, Quarantined, 16151, 828115, , , , , , PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen, Quarantined, 16151, 828115, , , , , , PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NBEFKJLFAMKDEGIOBDLGILNOLPIFEAEN, Quarantined, 16151, 828115, 1.0.37937, , ame, , , File: 13 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16151, 828115, , , , , D4CF7E50E03B023A42878B22EC0203DD, F21FC50B572A0F61C65ADBACF54451FE79B98E758977DDC0CACF93DAE792B4E4 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16151, 828115, , , , , 835B69483B47B563970505A93C7EB928, DD9DDC988EB00A21A6641F5357E7798E584F2093B52B9CD4645E1F354C35D2FD PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen\000003.log, Quarantined, 16151, 828115, , , , , 3FFF6C148BE39C61F2800E892A577DC0, B0BBDEB47524D093CC1ABC040D508198C027E2CD4111A258C6DC73243848123E PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen\CURRENT, Quarantined, 16151, 828115, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen\LOCK, Quarantined, 16151, 828115, , , , , , PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen\LOG, Quarantined, 16151, 828115, , , , , 4EC4C2DF8D8B0C60C9B0FC2A7774F10D, 1C48CE4155AA2CFE634ED6A2E5C550EE2F0B72B0038780C110787729366E5AAD PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen\MANIFEST-000001, Quarantined, 16151, 828115, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen\000003.log, Quarantined, 16151, 828115, , , , , 95A55DD5EA0AAD3CF00259DDC5D294F3, 23180DFFAF40E3F05F2C2FE88FC7E9327A3C07146268E10871BF148AF706C591 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen\CURRENT, Quarantined, 16151, 828115, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen\LOCK, Quarantined, 16151, 828115, , , , , , PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen\LOG, Quarantined, 16151, 828115, , , , , BDB2DA0217D168C59CFF3D423B415FA7, 34F6E0597F6F413C9D51F08C2B671BD97689612B0C2EA26326464D2C054BE5F0 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nbefkjlfamkdegiobdlgilnolpifeaen\MANIFEST-000001, Quarantined, 16151, 828115, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.SearchHijack.Generic.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NBEFKJLFAMKDEGIOBDLGILNOLPIFEAEN\1.12_0\MANIFEST.JSON, Quarantined, 16151, 828115, 1.0.37937, , ame, , 434D9363EDB7594A63BC1C6BC7847233, C56D95574CD351B0B4E3191CB991119E627E16B113ED9CA3E392A05F8983775B Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Advanced System Protector? Advanced System Protector is a system optimizer that triggers our PUP detection rules. By doing so we offer users a choice to consider whether they want to use this software. More information can be found on our Malwarebytes Labs blog. How do I know if I am affected by Advanced System Protector? This is how the main screen of the system optimizer looks: You will find these icons in your taskbar, your startmenu, and on your desktop: and see this type of windows during install: and this type of screens during operations: You may see this entry in your list of installed programs: and these tasks in your list of Scheduled Tasks: How did Advanced System Protector get on my computer? These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website. How do I remove Advanced System Protector? Our program Malwarebytes can detect and remove this PUP. For a more complete removal it is better to run the built-in uninstaller first. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Advanced System Protector? No, Malwarebytes removes Advanced System Protector completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. What if I want to keep Advanced System Protector? Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it. Open Malwarebytes for Windows. Click the Detection History Click the Allow List To add an item to the Allow List, click Add. Select the exclusion type Allow a file or folder and use the Select a folder button to select the main folder for the software that you wish to keep. Repeat this for any secondary files or folder(s) that belong to the software. If you want to allow the program to connect to the Internet, for example to fetch updates, also add an exclusion of the type Allow an application to connect to the internet and use the Browse button to select the file you wish to grant access. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you in dealing with this system optimizer. As you can see below the full version of Malwarebytes would have warned you against the Advanced System Protector installer. Technical details for experts You may see these entries in FRST logs: (SYSTWEAK SOFTWARE -> Systweak Software) C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe Task: {1DBAD206-30B0-4BCB-B8E1-17C1EEC3BAEE} - System32\Tasks\Advanced System Protector => C:\Program Files (x86)\Advanced System Protector\AspManager.exe [1007864 2020-12-16] (SYSTWEAK SOFTWARE -> Systweak Software) Task: {D2AE2E3D-3A88-482F-B743-D48140E07ECD} - System32\Tasks\Advanced System Protector_startup => C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe [8983288 2020-12-16] (SYSTWEAK SOFTWARE -> Systweak Software) C:\Windows\system32\Tasks\Advanced System Protector C:\Windows\system32\Tasks\Advanced System Protector_startup C:\ProgramData\Desktop\Advanced System Protector.lnk C:\Users\{username}\AppData\Roaming\Systweak C:\Users\{username}\AppData\Local\Systweak C:\ProgramData\Systweak C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced System Protector C:\Program Files (x86)\Advanced System Protector (Systweak Software) C:\Windows\system32\sasnative64.exe Advanced System Protector (HKLM-x32\...\00212D92-C5D8-4ff4-AE50-B20F0F85C40A_Systweak_Ad~B9F029BF_is1) (Version: 2.3.1001.27010 - Systweak Software) <==== ATTENTION ContextMenuHandlers1: [Advanced System Protector] -> {00212D92-C5D8-4ff4-AE50-B20F0F85C40A} => C:\Users\{username}\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll [2020-12-16] (SYSTWEAK SOFTWARE -> Systweak Software) Significant alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Advanced System Protector Adds the file AdvancedSystemProtector.exe"="12/16/2020 11:02 AM, 8983288 bytes, A Adds the file AdvancedSystemProtector.exe.config"="12/8/2020 4:35 PM, 8316 bytes, A Adds the file AppResource.dll"="12/16/2020 11:02 AM, 5140216 bytes, A Adds the file asp.ico"="12/8/2020 4:35 PM, 17542 bytes, A Adds the file AspManager.exe"="12/16/2020 11:02 AM, 1007864 bytes, A Adds the file aspsys.dll"="12/16/2020 11:02 AM, 984824 bytes, A Adds the file categories.ini"="12/8/2020 4:35 PM, 44596 bytes, A Adds the file Chinese_asp_ZH-CN.ini"="12/8/2020 4:35 PM, 68320 bytes, A Adds the file Communication.dll"="12/16/2020 11:02 AM, 362232 bytes, A Adds the file danish_asp_DA.ini"="12/8/2020 4:35 PM, 119390 bytes, A Adds the file dutch_asp_NL.ini"="12/8/2020 4:35 PM, 120766 bytes, A Adds the file eng_asp_en.ini"="12/8/2020 4:35 PM, 131796 bytes, A Adds the file Finnish_asp_FI.ini"="12/8/2020 4:35 PM, 120236 bytes, A Adds the file french_asp_FR.ini"="12/8/2020 4:35 PM, 135418 bytes, A Adds the file german_asp_DE.ini"="12/8/2020 4:35 PM, 133458 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="12/16/2020 11:02 AM, 55032 bytes, A Adds the file italian_asp_IT.ini"="12/8/2020 4:35 PM, 125334 bytes, A Adds the file japanese_asp_JA.ini"="12/8/2020 4:35 PM, 83742 bytes, A Adds the file libyara.NET.dll"="12/16/2020 11:02 AM, 1165560 bytes, A Adds the file loading_withWhiteBG.avi"="12/8/2020 4:35 PM, 103936 bytes, A Adds the file Microsoft.Win32.TaskScheduler.DLL"="12/16/2020 11:02 AM, 121080 bytes, A Adds the file norwegian_asp_NO.ini"="12/8/2020 4:35 PM, 114688 bytes, A Adds the file portuguese_asp_PT-BR.ini"="12/8/2020 4:35 PM, 122654 bytes, A Adds the file Restartexp.exe"="12/16/2020 11:02 AM, 14072 bytes, A Adds the file russian_asp_ru.ini"="12/8/2020 4:35 PM, 122402 bytes, A Adds the file scandll.dll"="12/16/2020 11:02 AM, 127736 bytes, A Adds the file spanish_asp_ES.ini"="12/8/2020 4:35 PM, 128178 bytes, A Adds the file SQLite.Interop.dll"="12/16/2020 11:02 AM, 1126136 bytes, A Adds the file swedish_asp_SV.ini"="12/8/2020 4:35 PM, 116524 bytes, A Adds the file System.Core.dll"="12/16/2020 11:02 AM, 673528 bytes, A Adds the file System.Data.SQLite.dll"="12/16/2020 11:02 AM, 369400 bytes, A Adds the file unins000.dat"="3/9/2021 10:35 AM, 166533 bytes, A Adds the file unins000.exe"="3/9/2021 10:34 AM, 1198328 bytes, A Adds the file unins000.msg"="3/9/2021 10:35 AM, 22701 bytes, A Adds the file unrar.dll"="12/16/2020 11:02 AM, 260344 bytes, A Adds the file Xceed.Compression.dll"="12/16/2020 11:02 AM, 108280 bytes, A Adds the file Xceed.Compression.Formats.dll"="12/16/2020 11:02 AM, 71416 bytes, A Adds the file Xceed.FileSystem.dll"="12/16/2020 11:02 AM, 128760 bytes, A Adds the file Xceed.Zip.dll"="12/16/2020 11:02 AM, 202488 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced System Protector Adds the file Advanced System Protector.lnk"="3/9/2021 10:35 AM, 1219 bytes, A Adds the file Register Advanced System Protector.lnk"="3/9/2021 10:35 AM, 1245 bytes, A Adds the file Uninstall Advanced System Protector.lnk"="3/9/2021 10:35 AM, 1168 bytes, A Adds the folder C:\ProgramData\Systweak\Advanced System Protector\signatures Adds the file completedatabase.db"="3/9/2021 10:38 AM, 263494656 bytes, A Adds the file Cookies.bin"="3/9/2021 10:38 AM, 233960 bytes, A Adds the file DigSign.bin"="3/9/2021 10:39 AM, 132248 bytes, A Adds the file FilePathFIX.bin"="3/9/2021 10:39 AM, 597664 bytes, A Adds the file FilePaths.bin"="3/9/2021 10:38 AM, 5840928 bytes, A Adds the file FileSignature.bin"="3/9/2021 10:38 AM, 39753240 bytes, A Adds the file Folders.bin"="3/9/2021 10:38 AM, 1688256 bytes, A Adds the file Md5.bin"="3/9/2021 10:39 AM, 129766720 bytes, A Adds the file Registry.bin"="3/9/2021 10:39 AM, 39293320 bytes, A Adds the file SetupSign.bin"="3/9/2021 10:39 AM, 13504 bytes, A Adds the file StrSetupSign.bin"="3/9/2021 10:39 AM, 1824 bytes, A Adds the folder C:\ProgramData\Systweak\Advanced System Protector\updates Adds the file 100oupdate.zip"="3/9/2021 10:37 AM, 67519 bytes, A Adds the file 3262completedatabase.zip"="3/9/2021 10:37 AM, 36169813 bytes, A Adds the file 4221mupdate.zip"="3/9/2021 10:37 AM, 108841406 bytes, A Adds the file 4222update.zip"="3/9/2021 10:37 AM, 413832 bytes, A Adds the file 4223update.zip"="3/9/2021 10:37 AM, 671671 bytes, A Adds the folder C:\ProgramData\Systweak\Advanced System Protector\yr Adds the file yrnp.txt"="3/9/2021 10:37 AM, 1283672 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Systweak\Advanced System Protector Adds the file aspcontexthelper64.dll"="12/16/2020 11:02 AM, 86776 bytes, A Adds the file ScanEngineErrorLog.txt"="3/9/2021 10:42 AM, 4898 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Systweak\Advanced System Protector Adds the file ASPLog.txt"="3/9/2021 10:42 AM, 4071 bytes, A Adds the file ASPStartupManagerErrorLog.txt"="3/9/2021 10:42 AM, 238 bytes, A Adds the file QDetail.db"="3/9/2021 10:36 AM, 16384 bytes, A Adds the file Settings.db"="3/9/2021 10:42 AM, 45056 bytes, A Adds the file Update.ini"="3/9/2021 10:36 AM, 3686 bytes, A Adds the file Utility_kit.ini"="3/9/2021 10:36 AM, 12408 bytes, A Adds the file yrscnloc.ini"="3/9/2021 10:39 AM, 748 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Systweak\Advanced System Protector\Logs Adds the file log_09-03-21_10-42-38.xml"="3/9/2021 10:42 AM, 92305 bytes, A Adds the file SMLog.xml"="3/9/2021 10:42 AM, 3046 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Advanced System Protector.lnk"="3/9/2021 10:35 AM, 1201 bytes, A In the existing folder C:\Windows\System32 Adds the file sasnative64.exe"="12/16/2020 11:02 AM, 37112 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Advanced System Protector"="3/9/2021 10:36 AM, 3740 bytes, A Adds the file Advanced System Protector_startup"="3/9/2021 10:36 AM, 3120 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Advanced System Protector] "(Default)"="REG_SZ", "{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32] "(Default)"="REG_SZ", "C:\Users\{username}\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll" "ThreadingModel"="REG_SZ", "Apartment" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Advanced System Protector] "(Default)"="REG_SZ", "{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}"="REG_SZ", "Scan with Advanced System Protector" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LogMeInRescueCallingCard] "CID"="REG_SZ", "1366989322" "CompanyID"="REG_DWORD", 1963947 "ProductCode"="REG_SZ", "{A22B8513-EA8C-46A1-9735-F5BE971C368D}" "referralid"="REG_SZ", "mzjv3r" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdvancedSystemProtector_RASAPI32] "ConsoleTracingMask"="REG_DWORD", -65536 "EnableConsoleTracing"="REG_DWORD", 0 "EnableFileTracing"="REG_DWORD", 0 "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing" "FileTracingMask"="REG_DWORD", -65536 "MaxFileSize"="REG_DWORD", 1048576 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdvancedSystemProtector_RASMANCS] "ConsoleTracingMask"="REG_DWORD", -65536 "EnableConsoleTracing"="REG_DWORD", 0 "EnableFileTracing"="REG_DWORD", 0 "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing" "FileTracingMask"="REG_DWORD", -65536 "MaxFileSize"="REG_DWORD", 1048576 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\00212D92-C5D8-4ff4-AE50-B20F0F85C40A_Systweak_Ad~B9F029BF_is1] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" "DisplayName"="REG_SZ", "Advanced System Protector" "DisplayVersion"="REG_SZ", "2.3.1001.27010" "EstimatedSize"="REG_DWORD", 24004 "HelpLink"="REG_SZ", "http://www.systweak.com/antispyware/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Advanced System Protector" "Inno Setup: Icon Group"="REG_SZ", "Advanced System Protector" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.9 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20210309" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Advanced System Protector\" "MajorVersion"="REG_DWORD", 2 "MinorVersion"="REG_DWORD", 3 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Systweak Software" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Advanced System Protector\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Advanced System Protector\unins000.exe"" "URLInfoAbout"="REG_SZ", "http://www.systweak.com/antispyware/" "VersionMajor"="REG_DWORD", 2 "VersionMinor"="REG_DWORD", 3 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Systweak\Advanced System Protector] "affiliateid"="REG_SZ", "" "afterInstallUrl"="REG_SZ", "http://powerbundle.systweak.com/ASP/firstinstall/?newasp=1&utm_content=AfterInstall&utm_term=Setup&page=install&" "BuyNowURL"="REG_SZ", "http://www.systweak.com/antispyware/price.asp?" "BuyNowURLADU"="REG_SZ", "http://powerbundle.systweak.com/pb/price/?pname=adu&" "BuyNowURLASP"="REG_SZ", "http://powerbundle.systweak.com/pb/price/?pname=asp&" "BuyNowURLPB"="REG_SZ", "http://powerbundle.systweak.com/PB/purchase/?pname=asp&" "BuyNowURLRCP"="REG_SZ", "http://powerbundle.systweak.com/pb/price/?pname=rcp&" "Expired"="REG_DWORD", 0 "InstalledPath"="REG_SZ", "C:\Program Files (x86)\Advanced System Protector" "isphone"="REG_SZ", "0" "IsScanOptional"="REG_DWORD", 1 "IsShowcaseDepOnUpdIni"="REG_DWORD", 0 "issilent"="REG_DWORD", 0 "Key"="REG_SZ", "" "MaxFixLimit"="REG_DWORD", 0 "NoLPHIconNeeded"="REG_DWORD", 1 "REGVER"="REG_DWORD", 0 "REGVER-UNINSTALL"="REG_DWORD", 0 "RenewNowURL"="REG_SZ", "http://www.systweak.com/antispyware/price.asp?renew=1&" "RenewNowURLADU"="REG_SZ", "http://powerbundle.systweak.com/pb/renewal/?pname=adu&" "RenewNowURLASP"="REG_SZ", "http://powerbundle.systweak.com/pb/renewal/?pname=asp&" "RenewNowURLPB"="REG_SZ", "http://powerbundle.systweak.com/PB/pbrenewal/?pname=asp&" "RenewNowURLRCP"="REG_SZ", "http://powerbundle.systweak.com/pb/renewal/?pname=rcp&" "showbc"="REG_DWORD", 0 "showfth"="REG_DWORD", 1 "showfthsetting"="REG_DWORD", 1 "showpb"="REG_DWORD", 0 "showsadtab"="REG_DWORD", 1 "showsm"="REG_DWORD", 1 "showutk"="REG_DWORD", 1 "support_email"="REG_SZ", "support@systweak.com" "TELNO"="REG_SZ", "" "TELNOFR"="REG_SZ", "" "utm_campaign"="REG_SZ", "default" "utm_cid"="REG_SZ", "default" "utm_medium"="REG_SZ", "newbuild" "utm_source"="REG_SZ", "systweak" "x-at"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Systweak\Advanced System Protector\LANG] "LangCode"="REG_SZ", "en" "LangID"="REG_DWORD", 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Systweak\aso3] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Systweak\Params] "ASPInstalledPath"="REG_SZ", "C:\Program Files (x86)\Advanced System Protector" "TELNO"="REG_SZ", "" [HKEY_CURRENT_USER\Software\LogMeInRescueCallingCard] "CID"="REG_SZ", "1366989322" "CompanyID"="REG_DWORD", 1963947 "ProductCode"="REG_SZ", "{A22B8513-EA8C-46A1-9735-F5BE971C368D}" "referralid"="REG_SZ", "mzjv3r" [HKEY_CURRENT_USER\Software\Systweak\Advanced System Protector] "affiliateid"="REG_SZ", "" "CurrentScanTime"="REG_BINARY, ........ "Expired"="REG_DWORD", 0 "FirstInstallDate"="REG_SZ", "09-03-2021" "InstalledPath"="REG_SZ", "C:\Program Files (x86)\Advanced System Protector" "IsFreeCleanDone"="REG_DWORD", 0 "IsPN"="REG_DWORD", 1 "Key"="REG_SZ", "" "MaxFixLimit"="REG_DWORD", 0 "REGVER"="REG_DWORD", 0 "REGVER-UNINSTALL"="REG_DWORD", 0 "StrLastErrorsFixed"="REG_SZ", "0" "StrLastScanResults"="REG_SZ", "120" "TELNO"="REG_SZ", "" "TELNOFR"="REG_SZ", "" "utm_campaign"="REG_SZ", "default" "utm_medium"="REG_SZ", "newbuild" "utm_source"="REG_SZ", "systweak" "x-at"="REG_SZ", "" "YrVer"="REG_SZ", "9" [HKEY_CURRENT_USER\Software\Systweak\Advanced System Protector\2.3.1001.27010] [HKEY_CURRENT_USER\Software\Systweak\Advanced System Protector\LANG] "LangCode"="REG_SZ", "en" "LangID"="REG_DWORD", 0 [HKEY_CURRENT_USER\Software\Systweak\params] "ASPInstalledPath"="REG_SZ", "C:\Program Files (x86)\Advanced System Protector" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/9/21 Scan Time: 11:00 AM Log File: 4e028238-80be-11eb-ac31-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37897 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233731 Threats Detected: 73 Threats Quarantined: 73 Time Elapsed: 3 min, 14 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe, Quarantined, 865, 235325, , , , , 6301DFF73EF84A4EB5F692DA1B1E71FA, F329AD8522CF53F9F54E645DE78F81E34D83AB3E459BA5108981F28960F6CABF Module: 6 PUP.Optional.AdvancedSystemProtector, C:\Users\{username}\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll, Quarantined, 865, 180843, , , , , 5F10F8DDBAC1A9EE80E8D3220C734694, 5256B0448B24096FE9E9BCBA836D29DCFE150CE2FC8ADEC3BA80FA87EBE59F23 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe, Quarantined, 865, 235325, , , , , 6301DFF73EF84A4EB5F692DA1B1E71FA, F329AD8522CF53F9F54E645DE78F81E34D83AB3E459BA5108981F28960F6CABF PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\aspsys.dll, Quarantined, 865, 235325, , , , , A434AFF6DB455ABD89716A06AE943EF4, DCD19100E6FC0B15C8F329616A39BBEBA057886D22F6F849DC4079B987F8F086 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\libyara.NET.dll, Quarantined, 865, 235325, , , , , 1EA4074FFD052CD036B448EB0CD24951, AE5B261FB477DE62960435933258F31E75942709447B0083F537D834AA05A731 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\SQLite.Interop.dll, Quarantined, 865, 235325, , , , , 410EF665AD9D5D5FC9F4F26294CD250C, 79C6B707652656FF61AE6256B95165ECB93B172C5CBF4DF1D0B7AECD0FBC4189 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\unrar.dll, Quarantined, 865, 235325, , , , , FB9C090B1BCE9AD6A5E4A560DDD70AB9, 88D76D52423FC7F18CB5B3B87D3576540BBF4D8BD3A90A144AF3244FC6F09128 Registry Key: 12 PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Advanced System Protector_startup, Quarantined, 865, 190115, , , , , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{D2AE2E3D-3A88-482F-B743-D48140E07ECD}, Quarantined, 865, 190115, , , , , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{D2AE2E3D-3A88-482F-B743-D48140E07ECD}, Quarantined, 865, 190115, , , , , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\CLASSES\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}, Quarantined, 865, 180843, , , , , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\CLASSES\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InprocServer32, Quarantined, 865, 180843, , , , , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\CLASSES\FOLDER\SHELLEX\CONTEXTMENUHANDLERS\Advanced System Protector, Quarantined, 865, 326803, 1.0.37897, , ame, , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Advanced System Protector, Quarantined, 865, 235325, , , , , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1DBAD206-30B0-4BCB-B8E1-17C1EEC3BAEE}, Quarantined, 865, 235325, , , , , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{1DBAD206-30B0-4BCB-B8E1-17C1EEC3BAEE}, Quarantined, 865, 235325, , , , , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\00212D92-C5D8-4ff4-AE50-B20F0F85C40A_Systweak_Ad~B9F029BF_is1, Quarantined, 865, 235325, , , , , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AdvancedSystemProtector_RASAPI32, Quarantined, 865, 246262, 1.0.37897, , ame, , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AdvancedSystemProtector_RASMANCS, Quarantined, 865, 246262, 1.0.37897, , ame, , , Registry Value: 3 PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\CLASSES\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\APPROVED|{00212D92-C5D8-4FF4-AE50-B20F0F85C40A}, Quarantined, 865, 326804, 1.0.37897, , ame, , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1DBAD206-30B0-4BCB-B8E1-17C1EEC3BAEE}|PATH, Quarantined, 865, 348601, 1.0.37897, , ame, , , PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{D2AE2E3D-3A88-482F-B743-D48140E07ECD}|PATH, Quarantined, 865, 259033, 1.0.37897, , ame, , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.AdvancedSystemProtector, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Advanced System Protector, Quarantined, 865, 175380, 1.0.37897, , ame, , , PUP.Optional.AdvancedSystemProtector, C:\USERS\{username}\APPDATA\LOCAL\SYSTWEAK\ADVANCED SYSTEM PROTECTOR, Quarantined, 865, 180843, 1.0.37897, , ame, , , PUP.Optional.SysTweak, C:\USERS\{username}\APPDATA\LOCAL\SYSTWEAK, Quarantined, 857, 335041, 1.0.37897, , ame, , , File: 48 PUP.Optional.AdvancedSystemProtector, C:\USERS\PUBLIC\DESKTOP\ADVANCED SYSTEM PROTECTOR.LNK, Quarantined, 865, 190775, 1.0.37897, , ame, , 4039FB5EAB9ADEC34DEE932BC4F0A283, B5595C5120146A12EFC8B9EC1AED2E7951AA545B1F751208B8DFD85A7F0EB498 PUP.Optional.AdvancedSystemProtector, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced System Protector\Advanced System Protector.lnk, Quarantined, 865, 175380, , , , , 0AD9A3DE222AE2CD46253501372F78F8, 663F98858937B75C6E55ECE076FFFA71649DAF3B29CA3E604F37F643780C2521 PUP.Optional.AdvancedSystemProtector, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced System Protector\Register Advanced System Protector.lnk, Quarantined, 865, 175380, , , , , EDCB1CEF7A61844CA017DF0F97D2E95E, 14434DDFCF681DFAAB65708CC19C8967E04251D668553337E906BA248E5EDCF0 PUP.Optional.AdvancedSystemProtector, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced System Protector\Uninstall Advanced System Protector.lnk, Quarantined, 865, 175380, , , , , 60153BC9AFA94AE695D08AB9EA32DCF5, 31077607DE7A3D2EB9AF066F3C3B46AF9EDDB4BD7B923F6CA958E3B88669F2EF PUP.Optional.AdvancedSystemProtector, C:\WINDOWS\SYSTEM32\TASKS\ADVANCED SYSTEM PROTECTOR_STARTUP, Quarantined, 865, 190115, 1.0.37897, , ame, , F843AB34A2F48133B0F0DBB27D9F66BF, 2981E7653E90C5E42E131FF949051BBBF642DCF669AE5B7BEFF3E8854F755327 PUP.Optional.AdvancedSystemProtector, C:\Users\{username}\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll, Quarantined, 865, 180843, , , , , 5F10F8DDBAC1A9EE80E8D3220C734694, 5256B0448B24096FE9E9BCBA836D29DCFE150CE2FC8ADEC3BA80FA87EBE59F23 PUP.Optional.AdvancedSystemProtector, C:\Users\{username}\AppData\Local\Systweak\Advanced System Protector\ScanEngineErrorLog.txt, Quarantined, 865, 180843, , , , , CC6DF19650DA1E36A23AC92E185BEB5F, 77A7DA26A664866C487495EC852301B0F52100C7E7039DB0A15887579384CB25 PUP.Optional.AdvancedSystemProtector, C:\PROGRAM FILES (X86)\ADVANCED SYSTEM PROTECTOR\LOADING_WITHWHITEBG.AVI, Quarantined, 865, 235325, 1.0.37897, , ame, , 583B036CE812CD9DF8A6BBB8B7B3116C, 60F4505028DD26E3FF5BBD86F6B3AD7B43A76616BD91D39AB95DA5535436FFA2 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe, Quarantined, 865, 235325, , , , , 6301DFF73EF84A4EB5F692DA1B1E71FA, F329AD8522CF53F9F54E645DE78F81E34D83AB3E459BA5108981F28960F6CABF PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe.config, Quarantined, 865, 235325, , , , , BF0D2D9EF29EFB894B942640850C07D7, 253E70FDD35C79D2F6932810E08095C6CEFCEADE365FFFE5726FAF25B49C588B PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\AppResource.dll, Quarantined, 865, 235325, , , , , 4E05AEBFD005900ECDB803C1C9419929, 83953D25F3CE3B47173E5010D073E990D5CFAE15B4A0F12B1941E4174917CDF7 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\asp.ico, Quarantined, 865, 235325, , , , , B901782363304EF68B5C6FB9919CD57A, 20A80FE27C1ECE224A476A81219442D9F2AC8CD6FF5A385858CDD78527E27CFC PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\AspManager.exe, Quarantined, 865, 235325, , , , , A34DCBA0A249CF482A9EB460EB8F4DAD, 9585328862E63F417692B85CEB76AC215F396F8EB955A86954379EC83B361C9C PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\aspsys.dll, Quarantined, 865, 235325, , , , , A434AFF6DB455ABD89716A06AE943EF4, DCD19100E6FC0B15C8F329616A39BBEBA057886D22F6F849DC4079B987F8F086 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\categories.ini, Quarantined, 865, 235325, , , , , F209C342E0373D5D28E7FF2D7FB5485B, 8CEDDEB44227B9A52B18A4461CDFCE5A51F9D680762163674B2F18764F312B5A PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\Chinese_asp_ZH-CN.ini, Quarantined, 865, 235325, , , , , CAC354DA87D8A34384D36BA2FB43CE6D, 35E5F6480AB921A0D5232D7B61DC9F563CBA05507F1385374777B9D664433A07 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\Communication.dll, Quarantined, 865, 235325, , , , , 145586B31AAB29222A10561FB0623A54, D11716FB0A173A2E304C902EF0B0F5E5CEB558A13AC0EAD6A248C36C79BD9F97 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\danish_asp_DA.ini, Quarantined, 865, 235325, , , , , BEC591D5B7AB929A285ED7412A595927, 8FECD4F0CC44378D7ACD734A0EEE60428E3AF4B32C9987E328202866BADC1A88 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\dutch_asp_NL.ini, Quarantined, 865, 235325, , , , , AE9D7A8FEB40CEA24C9F8AC1705995BF, 697B7BD93184E970C95030DE462C848DED1204DB94797B14377324D0999B0B6F PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\eng_asp_en.ini, Quarantined, 865, 235325, , , , , B2CBE6E3164E32ABE1272014E8F34969, 4BEE5F6FC0AE67118CCA1C066553FA707F84AE8A9B7C698F00C39978E6394B39 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\Finnish_asp_FI.ini, Quarantined, 865, 235325, , , , , 62D1BE766EFD03899EFC3A355DC6C3EE, 0CF059E0256575D9A603F15A8350521D354C6D443937A757F84B0B657AD70864 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\french_asp_FR.ini, Quarantined, 865, 235325, , , , , CA67769FA2F5662650F3C526569C2909, 2179257C7849175ECAB2E1FF68902975A21EA2A8E134788BCCCF97EA4E3F8C04 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\german_asp_DE.ini, Quarantined, 865, 235325, , , , , 800EB123017C0CB84C1694213A82E376, 6F00FF2FB1B9818500A9833E9AACC5A16A81DDDB3BF336C147009E1972B96024 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\Interop.IWshRuntimeLibrary.dll, Quarantined, 865, 235325, , , , , 11B908E39457E4F19FF4EEB89DB51BE2, 9A117FD7CF104DD5C9B1EC0A8DD2BF11BA22DA24D5641CDEA3247A37A8FD50A7 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\italian_asp_IT.ini, Quarantined, 865, 235325, , , , , D004BB33606E09706D25CA0FE2701200, 4A24D0DD69042A7EEC4F58CB6D8B27F47F0F7B0B94517E37E553507728A21BC0 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\japanese_asp_JA.ini, Quarantined, 865, 235325, , , , , 65AA587AF45D39CA8C378119F003789C, 92C9132309B756E5DBD482FAB9FE90FC5B317449F844FAF1D37734577C07D2FE PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\libyara.NET.dll, Quarantined, 865, 235325, , , , , 1EA4074FFD052CD036B448EB0CD24951, AE5B261FB477DE62960435933258F31E75942709447B0083F537D834AA05A731 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\Microsoft.Win32.TaskScheduler.DLL, Quarantined, 865, 235325, , , , , 18F74320E012DB698B6D0FF12DB96C41, E3172941D24CFFEF645CFA4E0FB5D853BD021D0D78FC0DC36736D2D60E21CA35 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\norwegian_asp_NO.ini, Quarantined, 865, 235325, , , , , 47D122D60187ED6EFF26CC882DEB32B2, CB9EE77640518DC11C3DE89DEDE66C2189E0514BE4C5B297338D79C2543977C0 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\portuguese_asp_PT-BR.ini, Quarantined, 865, 235325, , , , , 59BE960D7D81EA4BA8B8E57DF24AB009, F8DFEC2E48D2D28D0C3CE70EA420FBD3D5B73B38EE570AC987ACF30A9BB99660 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\Restartexp.exe, Quarantined, 865, 235325, , , , , DD403EB0F9E81FF7AD8BB787EA11EB8E, BC92F67C3CB5580D8D522A65F55FE05289091E8E87953ED92D8FE5E0567283E3 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\russian_asp_ru.ini, Quarantined, 865, 235325, , , , , B5F3B789A17BD1D9E6E6715FD97D10FC, 62BC0B0400AF3080D4A0C558F741C82E668149FEBB4AAF9B2E30E0EEA179AD4A PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\scandll.dll, Quarantined, 865, 235325, , , , , 1CDA43B5860D5FC397DAD63057184235, 1DCCD26F968E6B7E98F1EDAC2644C6E22E02EAEEF943E888073E19DD04D941E1 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\spanish_asp_ES.ini, Quarantined, 865, 235325, , , , , D5A8640DD83F9A9D39C2C205BD225B6C, 6D301A4081B44BA66632448A02E2467DF40F9EDAC23A887086F82240848A9DE5 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\SQLite.Interop.dll, Quarantined, 865, 235325, , , , , 410EF665AD9D5D5FC9F4F26294CD250C, 79C6B707652656FF61AE6256B95165ECB93B172C5CBF4DF1D0B7AECD0FBC4189 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\swedish_asp_SV.ini, Quarantined, 865, 235325, , , , , 5D2699E30E1D8CD5E89BFA2994C2BF7B, 171599D8C968FB5FFA8A7FBA754DBBAB8D1D4C62C0B622CE16BB384D6FCFF959 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll, Quarantined, 865, 235325, , , , , 4F41CA179DBFA86BD4F69AC884D4FE53, BA7821C8BE881793B63A0BBE2B7E557EA0CC26ECACC1A307F92785BC0D6A7666 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\unins000.dat, Quarantined, 865, 235325, , , , , 4BD7EC1601FDD47F30A363320A3A12B5, 2E6B82F244E7DF0B04A03CF0E8202E3D5219331C99720560993DA101BEA0AC57 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\unins000.exe, Quarantined, 865, 235325, , , , , 8F6AEAB86B9741C15A39CBBDDE3387CF, DA05C7762C04FF6A5F7EBC3EB6BAF0647F33AD9731E2416239BD8C690DA9F379 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\unins000.msg, Quarantined, 865, 235325, , , , , 5F38274FC51EC35B61E925153E26EF1C, 946195C199C2F798ED0AB3DC8AE4511BE30AD70E5FB994D677BEEE0AE249DEC8 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\unrar.dll, Quarantined, 865, 235325, , , , , FB9C090B1BCE9AD6A5E4A560DDD70AB9, 88D76D52423FC7F18CB5B3B87D3576540BBF4D8BD3A90A144AF3244FC6F09128 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll, Quarantined, 865, 235325, , , , , 2EC3E039C7E6BF0BB6B61C07B73E53B5, 18B5DAD4147D10688297DB79E886039F848AAA01DC6EF9215EE826653C947953 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.Formats.dll, Quarantined, 865, 235325, , , , , B241BCF74E2CD9728B9E17323A2646BA, FC96BEACBA9E4677C794C8B97CBABBAC6F4E54C0D08E14DC43E06F77E129F49F PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\Xceed.FileSystem.dll, Quarantined, 865, 235325, , , , , 5AD9E53D3F71B34678FD9AE3C950A23E, 213FAFAE548A0CBE74CBC2ACA6706C7724FF42BA327627C59800D92606A4FD15 PUP.Optional.AdvancedSystemProtector, C:\Program Files (x86)\Advanced System Protector\Xceed.Zip.dll, Quarantined, 865, 235325, , , , , 7DF3B1E40FBE285D3E4BD99F904DD337, F1544A24C4F6134D38C2801411D67FED6C7EF21D7606D5406EEEC387E08C1216 PUP.Optional.AdvancedSystemProtector, C:\WINDOWS\SYSTEM32\TASKS\Advanced System Protector, Quarantined, 865, 235325, , , , , 219120A1C11FBF47D91141BC68AF05EC, 4DAE5E5B07BD2ED31B2C6098C3C7A12FFF5D12D2856A943D965BE327EB8D441D PUP.Optional.AdvancedSystemProtector, C:\WINDOWS\SYSTEM32\SASNATIVE64.EXE, Quarantined, 865, 364690, 1.0.37897, , ame, , 37A084D01376937989821A79174FEAC4, 4C77F19E08E13A3D4C0856F7139CF029B5EF65559111CBC18917B7D493769E83 PUP.Optional.AdvancedSystemProtector, C:\USERS\{username}\DESKTOP\ASPSETUP_SYSTWEAK-DEFAULT.EXE, Quarantined, 865, 326624, 1.0.37897, , ame, , 45D8F4B77FED6E930DEAE0BE48308EFE, 4C3FD3D5DDF24240AD6CE214F2FE779B76BC6B36858B8390F69B99DD3461C91D Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this potentially unwanted program. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is AllMusicSearches? The Malwarebytes research team has determined that AllMusicSearches is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by AllMusicSearches? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did AllMusicSearches get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove AllMusicSearches? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of AllMusicSearches? No, Malwarebytes removes AllMusicSearches completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the AllMusicSearches hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.allmusicsearches.com CHR DefaultSearchURL: Default -> hxxps://feed.allmusicsearches.com/?q={searchTerms}&publisher=allmusicsearches&barcodeid=577260000000000 CHR DefaultSearchKeyword: Default -> AllMusicSearches CHR DefaultSuggestURL: Default -> hxxps://api.allmusicsearches.com/suggest/get?q={searchTerms} CHR Extension: (AllMusicSearches) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj [2021-03-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0 Adds the file manifest.json"="3/8/2021 10:18 AM, 2132 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/8/2021 10:18 AM, 6255 bytes, A Adds the file verified_contents.json"="8/24/2020 10:44 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\images Adds the file logo-white-text.png"="8/24/2020 10:44 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\images\icons Adds the file 128x128.png"="3/8/2021 10:18 AM, 4637 bytes, A Adds the file 16x16.png"="3/8/2021 10:18 AM, 520 bytes, A Adds the file 64x64.png"="3/8/2021 10:18 AM, 2321 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\scripts Adds the file background.js"="8/24/2020 10:44 AM, 514529 bytes, A Adds the file sitecontent.js"="8/24/2020 10:44 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj Adds the file 000003.log"="3/8/2021 10:18 AM, 0 bytes, A Adds the file CURRENT"="3/8/2021 10:18 AM, 16 bytes, A Adds the file LOCK"="3/8/2021 10:18 AM, 0 bytes, A Adds the file LOG"="3/8/2021 10:18 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/8/2021 10:18 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ljkniknmacmhdnefmnadabodljhilooj Adds the file AllMusicSearches.ico"="3/8/2021 10:18 AM, 181707 bytes, A Adds the file AllMusicSearches.ico.md5"="3/8/2021 10:18 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ljkniknmacmhdnefmnadabodljhilooj"="REG_SZ", "B908D13B0EEA82D134E21FF89BEB5DAC1C8C4177B4B181F6585A3539DAF29138" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/8/21 Scan Time: 10:25 AM Log File: 443572f2-7ff0-11eb-bceb-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37877 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233367 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 40 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ljkniknmacmhdnefmnadabodljhilooj, Quarantined, 16150, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj, Quarantined, 16150, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LJKNIKNMACMHDNEFMNADABODLJHILOOJ, Quarantined, 16150, 799722, 1.0.37877, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16150, 799722, , , , , 96FECE9926463CBD0B08B3FB5BC753BE, C3F52BFF541292B2004F2DFEBADD2E42FE4B66B5707D8C1C14DF5B5942E4A098 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16150, 799722, , , , , DF1E75DD9BF6119F195E522F3848C26D, 110AC98529A525098145BBD217AEE2BFDD1170CB82BC655A3AB5879E146E8691 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\000003.log, Quarantined, 16150, 799722, , , , , 1336BECEF15014988CE71F9B84C76B63, 8457B0EF1CE375E0B331E8D9115228D3D22FDEF73905F184BE32FF422C202B94 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\CURRENT, Quarantined, 16150, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\LOCK, Quarantined, 16150, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\LOG, Quarantined, 16150, 799722, , , , , 4CDECD7BDFAF7DCD3202A901445E0EFA, 5EA2ACAD3FF62049F45EED93C438C61FE34BA519342CE3EC4A362E7E87B9850C Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\MANIFEST-000001, Quarantined, 16150, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LJKNIKNMACMHDNEFMNADABODLJHILOOJ\1.1.0_0\MANIFEST.JSON, Quarantined, 16150, 799722, 1.0.37877, , ame, , F571C4062C2C546E57D7C120801A6355, 0CD8A873E269F4E43B066A63433B8D300AA333A34BF4EB71CB0371BBCA1393BE PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 856479, 1.0.37877, , ame, , DF1E75DD9BF6119F195E522F3848C26D, 110AC98529A525098145BBD217AEE2BFDD1170CB82BC655A3AB5879E146E8691 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Big Linker? The Malwarebytes research team has determined that Big Linker is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one closes your search tab and opens a new one with their own search engine. How do I know if my computer is affected by Big Linker? You may see this entry in your list of installed Chrome extensions: You may have noticed these warnings during install: How did Big Linker get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Big Linker? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Big Linker? No, Malwarebytes removes Big Linker completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Big Linker hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Extension: (Big Linker) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akilfngnjmjeoklhmglkpaielnffmaoj [2021-03-05] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akilfngnjmjeoklhmglkpaielnffmaoj\6.3.61_0 Adds the file manifest.json"="3/5/2021 8:44 AM, 1112 bytes, A Adds the file sr.js"="11/21/2020 11:15 AM, 7674 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akilfngnjmjeoklhmglkpaielnffmaoj\6.3.61_0\_metadata Adds the file computed_hashes.json"="3/5/2021 8:44 AM, 396 bytes, A Adds the file verified_contents.json"="11/21/2020 11:15 AM, 1639 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akilfngnjmjeoklhmglkpaielnffmaoj\6.3.61_0\icons Adds the file icon128.png"="3/5/2021 8:44 AM, 2188 bytes, A Adds the file icon48.png"="3/5/2021 8:44 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akilfngnjmjeoklhmglkpaielnffmaoj Adds the file 000003.log"="3/5/2021 8:46 AM, 225 bytes, A Adds the file CURRENT"="3/5/2021 8:44 AM, 16 bytes, A Adds the file LOCK"="3/5/2021 8:44 AM, 0 bytes, A Adds the file LOG"="3/5/2021 8:44 AM, 183 bytes, A Adds the file MANIFEST-000001"="3/5/2021 8:44 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "akilfngnjmjeoklhmglkpaielnffmaoj"="REG_SZ", "1BB6EEFCE89EAA3721D0F0C372FAF310DA656E69D47B32FF92C7C139AFEE6BE9" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/5/21 Scan Time: 8:54 AM Log File: 0b93eea2-7d88-11eb-a7fd-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37813 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233337 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 3 min, 48 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|akilfngnjmjeoklhmglkpaielnffmaoj, Quarantined, 9553, 836150, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\akilfngnjmjeoklhmglkpaielnffmaoj, Quarantined, 9553, 836150, , , , , , PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AKILFNGNJMJEOKLHMGLKPAIELNFFMAOJ, Quarantined, 9553, 836150, 1.0.37813, , ame, , , File: 8 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 9553, 836150, , , , , 22EDFCAB97A335BF4E6DD4E9CB81AF2A, 519E3EA305EB0D461D2FAF632CFA56D48CB76EBD0C7A3DA7C659533BA3CBA1D6 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 9553, 836150, , , , , EF61E67731D1BCC8AC92EE8CC70BDA02, 5F2F8C19DCB3A6B1D3027AC8BCD6DDC33C9DED2F56E2B2005663973DBBD77ECC PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akilfngnjmjeoklhmglkpaielnffmaoj\000003.log, Quarantined, 9553, 836150, , , , , 436C45805302A33BEF2BB7AF273CF024, B123ABB5CB3C46039C4F5CC4097638A8CA03DBE43DA22167563E2C3FAF7074EA PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akilfngnjmjeoklhmglkpaielnffmaoj\CURRENT, Quarantined, 9553, 836150, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akilfngnjmjeoklhmglkpaielnffmaoj\LOCK, Quarantined, 9553, 836150, , , , , , PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akilfngnjmjeoklhmglkpaielnffmaoj\LOG, Quarantined, 9553, 836150, , , , , E4481AA5EAC3196464A965134E326DEB, D3ECFB43E3A607893D7A687DC81B9EBC364CBDE5C95722C852F96FB1BCDBE6FC PUP.Optional.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akilfngnjmjeoklhmglkpaielnffmaoj\MANIFEST-000001, Quarantined, 9553, 836150, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AKILFNGNJMJEOKLHMGLKPAIELNFFMAOJ\6.3.61_0\MANIFEST.JSON, Quarantined, 9553, 836150, 1.0.37813, , ame, , 50B72509D2EB1D083A6A2478222B5B53, 5CA539E2A474B249388B5937E4F0FED155AB3F881FF112996693C5A370C0FCB1 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is PDFSearchWeb? The Malwarebytes research team has determined that PDFSearchWeb is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by PDFSearchWeb? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did PDFSearchWeb get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFSearchWeb? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFSearchWeb? No, Malwarebytes removes PDFSearchWeb completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFSearchWeb hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.pdfsearchweb.com CHR DefaultSearchURL: Default -> hxxps://feed.pdfsearchweb.com/?q={searchTerms}&publisher=pdfsearchweb&barcodeid=586480000000000 CHR DefaultSearchKeyword: Default -> PDFSearchWeb CHR DefaultSuggestURL: Default -> hxxps://api.pdfsearchweb.com/suggest/get?q={searchTerms} CHR Extension: (PDFSearchWeb) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi [2021-03-04] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0 Adds the file manifest.json"="3/4/2021 8:46 AM, 2084 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/4/2021 8:46 AM, 6725 bytes, A Adds the file verified_contents.json"="11/16/2020 11:09 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\images Adds the file logo-white-text.png"="11/16/2020 11:09 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\images\icons Adds the file 128x128.png"="3/4/2021 8:46 AM, 2578 bytes, A Adds the file 16x16.png"="3/4/2021 8:46 AM, 416 bytes, A Adds the file 64x64.png"="3/4/2021 8:46 AM, 1436 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\scripts Adds the file background.js"="11/16/2020 11:09 AM, 553439 bytes, A Adds the file sitecontent.js"="11/16/2020 11:09 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi Adds the file 000003.log"="3/4/2021 8:46 AM, 0 bytes, A Adds the file CURRENT"="3/4/2021 8:46 AM, 16 bytes, A Adds the file LOCK"="3/4/2021 8:46 AM, 0 bytes, A Adds the file LOG"="3/4/2021 8:46 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/4/2021 8:46 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_blmcjacaocadbkaoippfdhjknablobgi Adds the file PDFSearchWeb.ico"="3/4/2021 8:46 AM, 165020 bytes, A Adds the file PDFSearchWeb.ico.md5"="3/4/2021 8:46 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "blmcjacaocadbkaoippfdhjknablobgi"="REG_SZ", "21383C3BCEED4E28CE353D35F37AB55C383F3D6E796A18124C0DE8CF0A38C218" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/4/21 Scan Time: 9:04 AM Log File: 4d2527fa-7cc0-11eb-9e7c-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37767 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233343 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 50 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|blmcjacaocadbkaoippfdhjknablobgi, Quarantined, 15230, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLMCJACAOCADBKAOIPPFDHJKNABLOBGI, Quarantined, 15230, 799722, 1.0.37767, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , 01C6FDC1C96A97A38133B535F53D0D30, E920A84318FD5E518AED4F1856CBF931668DF6EB4D234B3D19A58C99CC4C3232 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , B07D93683D5433642FFB7A45BEE0F1F8, 83BA83D99DBD7D791D9A3D7C308CFCAE2AE132820C7F31C0642C0ACD357F8A70 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\000003.log, Quarantined, 15230, 799722, , , , , E1DE9B412C0C30CDEE59F9E4E63F56DB, 86A2A508B75E0F5CEE3DE285AA84735D8F1ECEB37D333BBFE5232263B612BF3D Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\LOCK, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\LOG, Quarantined, 15230, 799722, , , , , A4549DEA968C4980471BA79B2504416B, 3A609EA567AF426E9CD1C3DF641EE9F298A276437D70FC238AF6AE2175357C36 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLMCJACAOCADBKAOIPPFDHJKNABLOBGI\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.37767, , ame, , 8E1EDD9316806E38160CE820BA112006, D6F16F705C44BA34A629512B96F7950673D3E0CA8CCA07495ED8765BFE66E2FE PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15847, 832955, 1.0.37767, , ame, , B07D93683D5433642FFB7A45BEE0F1F8, 83BA83D99DBD7D791D9A3D7C308CFCAE2AE132820C7F31C0642C0ACD357F8A70 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Search Manager? The Malwarebytes research team has determined that Search Manager is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine. How do I know if my computer is affected by Search Manager? You may see this entry in your list of installed Edge extensions: this icon in the browser menu-bar: and this changed setting: You may have noticed these warnings during install: How did Search Manager get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: How do I remove Search Manager? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Search Manager? No, Malwarebytes removes Search Manager completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. Technical details for experts Possible signs in FRST logs: Edge DefaultSearchURL: Default -> hxxps://manageyoursearch.com/?q={searchTerms} Edge DefaultSearchKeyword: Default -> sm Edge DefaultSuggestURL: Default -> hxxps://manageyoursearch.com/suggest?q={searchTerms} Edge Extension: (Search Manager) - C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh [2021-03-03] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0 Adds the file background.html"="2/3/2020 6:42 AM, 145 bytes, A Adds the file e_.json"="2/3/2020 6:42 AM, 112 bytes, A Adds the file index.html"="2/3/2020 6:42 AM, 627 bytes, A Adds the file manifest.json"="3/3/2021 9:06 AM, 2186 bytes, A Adds the file responseConfig.json"="2/3/2020 6:42 AM, 79757 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\_locales\en Adds the file messages.json"="3/3/2021 9:06 AM, 2087 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\_locales\fr Adds the file messages.json"="3/3/2021 9:06 AM, 2301 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\_locales\hi Adds the file messages.json"="3/3/2021 9:06 AM, 3046 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\_locales\pt_BR Adds the file messages.json"="3/3/2021 9:06 AM, 2262 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\_locales\vi Adds the file messages.json"="3/3/2021 9:06 AM, 2460 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\_metadata Adds the file computed_hashes.json"="3/3/2021 9:07 AM, 52230 bytes, A Adds the file verified_contents.json"="2/3/2020 6:47 AM, 16109 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\addons Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\content Adds the file bundle.v0.0.1.min.css"="2/3/2020 6:42 AM, 5092 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\content\fonts Adds the file HelveticaNeueLT-Roman.woff"="2/3/2020 6:42 AM, 16320 bytes, A Adds the file HelveticaNeue-Thin.otf"="2/3/2020 6:42 AM, 24888 bytes, A Adds the file neue.woff"="2/3/2020 6:42 AM, 14492 bytes, A Adds the file neue-bold.woff"="2/3/2020 6:42 AM, 48112 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\content\images Adds the file angle-arrow-down.png"="2/3/2020 6:42 AM, 897 bytes, A Adds the file bing.png"="2/3/2020 6:42 AM, 1815 bytes, A Adds the file bing_large.png"="2/3/2020 6:42 AM, 8153 bytes, A Adds the file bluesky-bg.jpg"="2/3/2020 6:42 AM, 107893 bytes, A Adds the file blue-triangle.svg"="2/3/2020 6:42 AM, 153 bytes, A Adds the file brush.png"="2/3/2020 6:42 AM, 673 bytes, A Adds the file bt.png"="2/3/2020 6:42 AM, 2424 bytes, A Adds the file clock.png"="2/3/2020 6:42 AM, 587 bytes, A Adds the file cloud.png"="2/3/2020 6:42 AM, 575 bytes, A Adds the file cupcake-bg.jpg"="2/3/2020 6:42 AM, 233021 bytes, A Adds the file desk-bg.jpg"="2/3/2020 6:42 AM, 187119 bytes, A Adds the file doodle.png"="2/3/2020 6:42 AM, 4704 bytes, A Adds the file down.png"="2/3/2020 6:42 AM, 199 bytes, A Adds the file eyeglass.png"="2/3/2020 6:42 AM, 499 bytes, A Adds the file eyeglass_transparent.png"="2/3/2020 6:42 AM, 7421 bytes, A Adds the file gmail-circle.svg"="2/3/2020 6:42 AM, 7282 bytes, A Adds the file google.png"="2/3/2020 6:42 AM, 1670 bytes, A Adds the file google_large.png"="2/3/2020 6:42 AM, 11759 bytes, A Adds the file grid-world.png"="2/3/2020 6:42 AM, 1508 bytes, A Adds the file group.svg"="2/3/2020 6:42 AM, 268 bytes, A Adds the file hero-bg.jpg"="2/3/2020 6:42 AM, 89726 bytes, A Adds the file just-the-box.png"="2/3/2020 6:42 AM, 3677 bytes, A Adds the file just-the-box-empty.png"="2/3/2020 6:42 AM, 2077 bytes, A Adds the file magnifier.svg"="2/3/2020 6:42 AM, 501 bytes, A Adds the file mail-black-envelope-symbol.svg"="2/3/2020 6:42 AM, 538 bytes, A Adds the file mailru.svg"="2/3/2020 6:42 AM, 8467 bytes, A Adds the file mountain-bg.jpg"="2/3/2020 6:42 AM, 202970 bytes, A Adds the file outlook-circle.svg"="2/3/2020 6:42 AM, 1585 bytes, A Adds the file pointer2.png"="2/3/2020 6:42 AM, 5559 bytes, A Adds the file radio-selected.svg"="2/3/2020 6:42 AM, 504 bytes, A Adds the file radio-unselected.svg"="2/3/2020 6:42 AM, 832 bytes, A Adds the file sea-bg.jpg"="2/3/2020 6:42 AM, 116122 bytes, A Adds the file search-D7D7D7.svg"="2/3/2020 6:42 AM, 438 bytes, A Adds the file search-FFFFFF.svg"="2/3/2020 6:42 AM, 404 bytes, A Adds the file settings.png"="2/3/2020 6:42 AM, 3493 bytes, A Adds the file smallMagnifier.png"="2/3/2020 6:42 AM, 464 bytes, A Adds the file star.svg"="2/3/2020 6:42 AM, 666 bytes, A Adds the file star-unselected.svg"="2/3/2020 6:42 AM, 786 bytes, A Adds the file toggle-off.svg"="2/3/2020 6:42 AM, 784 bytes, A Adds the file toggle-on.svg"="2/3/2020 6:42 AM, 785 bytes, A Adds the file translate.svg"="2/3/2020 6:42 AM, 562 bytes, A Adds the file transparent_img.png"="2/3/2020 6:42 AM, 142 bytes, A Adds the file triangle.svg"="2/3/2020 6:42 AM, 153 bytes, A Adds the file yahoo.png"="2/3/2020 6:42 AM, 1717 bytes, A Adds the file yahoo.svg"="2/3/2020 6:42 AM, 15560 bytes, A Adds the file yahoo_large.png"="2/3/2020 6:42 AM, 25029 bytes, A Adds the file yahoo-circle.svg"="2/3/2020 6:42 AM, 1493 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\content\images\icons Adds the file 128.png"="3/3/2021 9:06 AM, 3527 bytes, A Adds the file 16.png"="3/3/2021 9:06 AM, 615 bytes, A Adds the file 48.png"="3/3/2021 9:06 AM, 2042 bytes, A Adds the file close.png"="2/3/2020 6:42 AM, 1937 bytes, A Adds the file favicon.ico"="2/3/2020 6:42 AM, 2043 bytes, A Adds the file trends.svg"="2/3/2020 6:42 AM, 1975 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\content\images\sitesThumbnails Adds the file aliexpress.png"="2/3/2020 6:42 AM, 1460 bytes, A Adds the file aliexpress_tile_v2.png"="2/3/2020 6:42 AM, 5780 bytes, A Adds the file amazon.png"="2/3/2020 6:42 AM, 26342 bytes, A Adds the file amazon_tile_v2.png"="2/3/2020 6:42 AM, 5574 bytes, A Adds the file booking.png"="2/3/2020 6:42 AM, 973 bytes, A Adds the file booking_tile_v2.png"="2/3/2020 6:42 AM, 4261 bytes, A Adds the file ebay.png"="2/3/2020 6:42 AM, 1188 bytes, A Adds the file ebay_tile_v2.png"="2/3/2020 6:42 AM, 5930 bytes, A Adds the file expedia.png"="2/3/2020 6:42 AM, 914 bytes, A Adds the file expedia_tile_v2.png"="2/3/2020 6:42 AM, 8875 bytes, A Adds the file facebook.png"="2/3/2020 6:42 AM, 23517 bytes, A Adds the file facebook_tile_v2.png"="2/3/2020 6:42 AM, 4013 bytes, A Adds the file gmail.png"="2/3/2020 6:42 AM, 26970 bytes, A Adds the file gmail_new.png"="2/3/2020 6:42 AM, 805 bytes, A Adds the file gmail_tile_v2.png"="2/3/2020 6:42 AM, 5430 bytes, A Adds the file google-translate-icon-FFFFFF.svg"="2/3/2020 6:42 AM, 1495 bytes, A Adds the file gtranslte.png"="2/3/2020 6:42 AM, 796 bytes, A Adds the file outlook-mail.png"="2/3/2020 6:42 AM, 628 bytes, A Adds the file pinterest.png"="2/3/2020 6:42 AM, 1285 bytes, A Adds the file pinterest_tile_v2.png"="2/3/2020 6:42 AM, 4957 bytes, A Adds the file twitter.png"="2/3/2020 6:42 AM, 30240 bytes, A Adds the file twitter_tile_v2.png"="2/3/2020 6:42 AM, 3979 bytes, A Adds the file wix.png"="2/3/2020 6:42 AM, 905 bytes, A Adds the file wix_tile_v2.png"="2/3/2020 6:42 AM, 5615 bytes, A Adds the file yahoo.png"="2/3/2020 6:42 AM, 29810 bytes, A Adds the file yahoo_tile_v2.png"="2/3/2020 6:42 AM, 6758 bytes, A Adds the file yahoo-mail.png"="2/3/2020 6:42 AM, 754 bytes, A Adds the file youtube.png"="2/3/2020 6:42 AM, 24403 bytes, A Adds the file youtube_tile_v2.png"="2/3/2020 6:42 AM, 3650 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\css Adds the file style.css"="2/3/2020 6:42 AM, 4815 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\fonts Adds the file HelveticaNeueLT-Roman.woff"="2/3/2020 6:42 AM, 16320 bytes, A Adds the file HelveticaNeue-Thin.otf"="2/3/2020 6:42 AM, 24888 bytes, A Adds the file neue.woff"="2/3/2020 6:42 AM, 14492 bytes, A Adds the file neue-bold.woff"="2/3/2020 6:42 AM, 48112 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\js Adds the file background.min.js"="2/3/2020 6:42 AM, 9610 bytes, A Adds the file common.min.js"="2/3/2020 6:42 AM, 1792865 bytes, A Adds the file common.min.js.LICENSE"="2/3/2020 6:42 AM, 3757 bytes, A Adds the file index.min.js"="2/3/2020 6:42 AM, 163850 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\skin\icons Adds the file 16.png"="2/3/2020 6:42 AM, 615 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh\10.1.4.70_0\vendor Adds the file react-with-addons.min.js"="2/3/2020 6:42 AM, 38232 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings] "meckckfjnfnimlomkemnhcoonjfpbcoh"="REG_SZ", "B79D2CF2CF7236CABD886F4AAE84A1431EFAFCD4DDBCEE83235AFA82A320F736" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/3/21 Scan Time: 9:34 AM Log File: 3594ce44-7bfb-11eb-8a57-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37719 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233302 Threats Detected: 1 Threats Quarantined: 1 Time Elapsed: 2 min, 30 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.SearchHijacker, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\DEFAULT\EXTENSIONS\MECKCKFJNFNIMLOMKEMNHCOONJFPBCOH, Quarantined, 2158, 912314, 1.0.37719, , ame, , , File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is SearchConverterPro? The Malwarebytes research team has determined that SearchConverterPro is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by SearchConverterPro? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did SearchConverterPro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchConverterPro? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchConverterPro? No, Malwarebytes removes SearchConverterPro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchConverterPro hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.searchconverterpro.com CHR DefaultSearchURL: Default -> hxxps://feed.searchconverterpro.com/?q={searchTerms}&publisher=searchconverterpro&barcodeid=585410000000000 CHR DefaultSearchKeyword: Default -> SearchConverterPro CHR DefaultSuggestURL: Default -> hxxps://api.searchconverterpro.com/suggest/get?q={searchTerms} CHR Extension: (SearchConverterPro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb [2021-03-01] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0 Adds the file manifest.json"="3/1/2021 1:35 PM, 2156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/1/2021 1:35 PM, 6725 bytes, A Adds the file verified_contents.json"="10/25/2020 10:34 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\images Adds the file logo-white-text.png"="10/25/2020 10:34 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\images\icons Adds the file 128x128.png"="3/1/2021 1:35 PM, 6306 bytes, A Adds the file 16x16.png"="3/1/2021 1:35 PM, 694 bytes, A Adds the file 64x64.png"="3/1/2021 1:35 PM, 3071 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\scripts Adds the file background.js"="10/25/2020 10:34 AM, 553493 bytes, A Adds the file sitecontent.js"="10/25/2020 10:34 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb Adds the file 000003.log"="3/1/2021 1:35 PM, 0 bytes, A Adds the file CURRENT"="3/1/2021 1:35 PM, 16 bytes, A Adds the file LOCK"="3/1/2021 1:35 PM, 0 bytes, A Adds the file LOG"="3/1/2021 1:35 PM, 0 bytes, A Adds the file MANIFEST-000001"="3/1/2021 1:35 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hjnfhgckomdbflopemgjbncbkdeihhlb Adds the file SearchConverterPro.ico"="3/1/2021 1:35 PM, 186748 bytes, A Adds the file SearchConverterPro.ico.md5"="3/1/2021 1:35 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hjnfhgckomdbflopemgjbncbkdeihhlb"="REG_SZ", "33F8C3B2409F6D8AB5CCF20B368B4AD040AFD46DC8E5F6C5A4E67A3D54DE4719" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/1/21 Scan Time: 1:48 PM Log File: 7a1b9b80-7a8c-11eb-8099-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37625 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233311 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hjnfhgckomdbflopemgjbncbkdeihhlb, Quarantined, 15231, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HJNFHGCKOMDBFLOPEMGJBNCBKDEIHHLB, Quarantined, 15231, 799722, 1.0.37625, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , D8067A2FAD4A6447366B1C2089342374, 5248CCAAC27A4EE68520DF16E1DFD948FECEF89F796C46537ABEF0097EF388B1 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , 20886FCF60602A624756A7271589506B, E158105F46D1C21EBF0959BAB4AC56DE365A1E50F61BF2DEA5C079AF295DEB60 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\000003.log, Quarantined, 15231, 799722, , , , , 321094FBF6F04AFE2CB330470130272F, 352C9EFEA042CB951214F10CD67DB634D225D38BE2F4EB3F5F54564D51616C2E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\LOCK, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\LOG, Quarantined, 15231, 799722, , , , , 86F8B6040268BC3304FF41A99C321ECD, A59E09D12C0EDCB7DF337D13DFCF6E3734732E5C7F74BD456A69E8FDB42C43D3 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HJNFHGCKOMDBFLOPEMGJBNCBKDEIHHLB\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37625, , ame, , 4A1FC792FD3BD8E05EA6771ED67CE48B, D41AA25AB279D43F6393B93025EA5E2DEF3C5E44B4B5F52A83A4DDE62FDFD4C6 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15848, 832955, 1.0.37625, , ame, , 20886FCF60602A624756A7271589506B, E158105F46D1C21EBF0959BAB4AC56DE365A1E50F61BF2DEA5C079AF295DEB60 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is MovieSearchTool? The Malwarebytes research team has determined that MovieSearchTool is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by MovieSearchTool? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did MovieSearchTool get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove MovieSearchTool? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of MovieSearchTool? No, Malwarebytes removes MovieSearchTool completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the MovieSearchTool hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.moviesearchtool.com CHR DefaultSearchURL: Default -> hxxps://feed.moviesearchtool.com/?q={searchTerms}&publisher=moviesearchtool&barcodeid=584280000000000 CHR DefaultSearchKeyword: Default -> MovieSearchTool CHR DefaultSuggestURL: Default -> hxxps://api.moviesearchtool.com/suggest/get?q={searchTerms} CHR Extension: (MovieSearchTool) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb [2021-03-01] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0 Adds the file manifest.json"="3/1/2021 9:02 AM, 2120 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/1/2021 9:02 AM, 6255 bytes, A Adds the file verified_contents.json"="10/6/2020 11:06 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\images Adds the file logo-white-text.png"="10/6/2020 11:06 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\images\icons Adds the file 128x128.png"="3/1/2021 9:02 AM, 9798 bytes, A Adds the file 16x16.png"="3/1/2021 9:02 AM, 702 bytes, A Adds the file 64x64.png"="3/1/2021 9:02 AM, 4198 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\scripts Adds the file background.js"="10/6/2020 11:06 AM, 514520 bytes, A Adds the file sitecontent.js"="10/6/2020 11:06 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb Adds the file 000003.log"="3/1/2021 9:02 AM, 0 bytes, A Adds the file CURRENT"="3/1/2021 9:02 AM, 16 bytes, A Adds the file LOCK"="3/1/2021 9:02 AM, 0 bytes, A Adds the file LOG"="3/1/2021 9:02 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/1/2021 9:02 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pnmnfklndbilokgddplokhdlmlkhaphb Adds the file MovieSearchTool.ico"="3/1/2021 9:02 AM, 196949 bytes, A Adds the file MovieSearchTool.ico.md5"="3/1/2021 9:02 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pnmnfklndbilokgddplokhdlmlkhaphb"="REG_SZ", "78A3D07F2CD2E616A9587AE07ADE3797D4E397353C1A18B1268042C6C75C9686" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/1/21 Scan Time: 9:11 AM Log File: c14d54d4-7a65-11eb-82c1-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37613 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233298 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 4 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pnmnfklndbilokgddplokhdlmlkhaphb, Quarantined, 15231, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PNMNFKLNDBILOKGDDPLOKHDLMLKHAPHB, Quarantined, 15231, 799722, 1.0.37613, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , 1D56C00ACDEF2146FD214881F0949EE2, ADA00ED18C8CE7BE41C0BF66EBA9918AFC3CF7C9869C80563A2834C293FF67C7 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , EEAE1DA7F19C2D376915CE0A24A0A935, 57B310B953E848578C4F16FF816AB8A6A591D40FCAC5F807C64E0EA56EEE953B Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\000003.log, Quarantined, 15231, 799722, , , , , 0D630FDD3FEB10765D0F43DDDFBDEDF7, E4AF3D1899051070A1EB6C1FB8D820636D92C7757D76BBBD7D46C38E08C70A49 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\LOCK, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\LOG, Quarantined, 15231, 799722, , , , , FEA63FEC66680EB8AD70324E253DFEDB, 79E07DE941D8BA28ED959075399ECF8239A4EB40414B4CD73B6AC54FF818903F Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PNMNFKLNDBILOKGDDPLOKHDLMLKHAPHB\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37613, , ame, , 90D19280D957DCE6CE3126439DEA6758, 74BBCFB5642BB975FE4DB6B1EB0F1DE0873B04F7366EC39F7A2C60E38FA41F97 PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 14952, 858871, 1.0.37613, , ame, , EEAE1DA7F19C2D376915CE0A24A0A935, 57B310B953E848578C4F16FF816AB8A6A591D40FCAC5F807C64E0EA56EEE953B Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is HDMovieSearch? The Malwarebytes research team has determined that HDMovieSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and adds Search Recommendations. How do I know if my computer is affected by HDMovieSearch? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did HDMovieSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove HDMovieSearch? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of HDMovieSearch? No, Malwarebytes removes HDMovieSearch completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the HDMovieSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.hdmoviesearch.com/?q={searchTerms}&publisher=hdmoviesearch&barcodeid=577180000000000 CHR DefaultSearchKeyword: Default -> HDMovieSearch CHR DefaultSuggestURL: Default -> hxxps://api.hdmoviesearch.com/suggest/get?q={searchTerms} CHR Extension: (HDMovieSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac [2021-02-26] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0 Adds the file manifest.json"="2/26/2021 8:44 AM, 2096 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/26/2021 8:44 AM, 6255 bytes, A Adds the file verified_contents.json"="8/30/2020 1:44 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\images Adds the file logo-white-text.png"="8/30/2020 1:44 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\images\icons Adds the file 128x128.png"="2/26/2021 8:44 AM, 3700 bytes, A Adds the file 16x16.png"="2/26/2021 8:44 AM, 371 bytes, A Adds the file 64x64.png"="2/26/2021 8:44 AM, 1934 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\scripts Adds the file background.js"="8/30/2020 1:44 PM, 514502 bytes, A Adds the file sitecontent.js"="8/30/2020 1:44 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac Adds the file 000003.log"="2/26/2021 8:48 AM, 507 bytes, A Adds the file CURRENT"="2/26/2021 8:44 AM, 16 bytes, A Adds the file LOCK"="2/26/2021 8:44 AM, 0 bytes, A Adds the file LOG"="2/26/2021 8:44 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/26/2021 8:44 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ciemldlbecaohelcffdkcnbdkfakdcac Adds the file HDMovieSearch.ico"="2/26/2021 8:44 AM, 172794 bytes, A Adds the file HDMovieSearch.ico.md5"="2/26/2021 8:44 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ciemldlbecaohelcffdkcnbdkfakdcac"="REG_SZ", "5C01EE9A6CFF6EE4D76D055E6EF5AB4772AE0E0CB3462DCC5BEB3B6447DA6266" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/26/21 Scan Time: 8:58 AM Log File: 6db9651a-7808-11eb-b7dc-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37507 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233260 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 4 min, 50 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ciemldlbecaohelcffdkcnbdkfakdcac, Quarantined, 15231, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CIEMLDLBECAOHELCFFDKCNBDKFAKDCAC, Quarantined, 15231, 799722, 1.0.37507, , ame, , , File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , E4D5A7E047AE4042E345C28F63F88434, DD1314E9E4BEEBD33FFA0B0010F98E6D18D1636FA25A6333CD808A1A7AD548A8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , A4DE2582714B3F02322EAAA0BF800B66, 173276BFA2922117F894768B8E5ECBF72CF3F1FE677CA62FB6729728EBEB7EB8 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac\000003.log, Quarantined, 15231, 799722, , , , , 89B3923A7B3AAA46E6BFB31464B9662E, 20977C5EAE6D2816A943804C9C8D264930802BE1B25A2FE5C1289DC8C1B333E5 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac\LOCK, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac\LOG, Quarantined, 15231, 799722, , , , , EE7E390A9569E59848CB0032C6C7DD41, 7B79610B95006B4BD8F1E8757DB386FE8C861CAF00E1478A68A5C818C4D695F2 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CIEMLDLBECAOHELCFFDKCNBDKFAKDCAC\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37507, , ame, , 47FDB93F6CF303861648712F82731253, 4439C5376D9C3D1D0D40221D3B98CB0E4613D89F841DE895436D616AC7CE94C2 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.