Showing results for tags 'adware.searchenginehijack.generic'.

  1. What is VideoSearchz?

     The Malwarebytes research team has determined that VideoSearchz is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

     This particular one also uses browser push notifications and adds advertisements to your search results in the form of recommended searches.

     How do I know if my computer is affected by VideoSearchz?

     You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting:

     How did VideoSearchz get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove VideoSearchz?

     Our program Malwarebytes can detect and remove this potentially unwanted program.

     • Please download Malwarebytes for Windows to your desktop.
     • Double-click MBSetup.exe and follow the prompts to install the program.
     • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
     • Click on the Get started button.
     • Click Scan to start a Threat Scan.
     • When the scan is finished click Quarantine to remove the found threats.
     • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of VideoSearchz?

     No, Malwarebytes removes VideoSearchz completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker.

     As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the VideoSearchz hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

     Technical details for experts

     Possible signs in FRST logs:

     CHR DefaultSearchURL: Default -> hxxps://feed.video-searchz.com/?q={searchTerms}&publisher=videosearchz&barcodeid=573590000000000
     CHR DefaultSearchKeyword: Default -> VideoSearchz
     CHR DefaultSuggestURL: Default -> hxxps://api.video-searchz.com/suggest/get?q={searchTerms}
     CHR Extension: (VideoSearchz) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppjglhfckoehpjofhdlfenaliamfcgko [2021-07-23]

     Alterations made by the installer:

     Registry details

     [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
     "ppjglhfckoehpjofhdlfenaliamfcgko"="REG_SZ", "DBD3A96F5BFCBE18D98300C3AC5C5EFF1809BD85FB4F8C51D234AA769E126243"

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat.

     We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.

  2. What is MyIncognitoSearch?

     The Malwarebytes research team has determined that MyIncognitoSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

     This particular one uses browser push notifications and changes your default search provider.

     How do I know if my computer is affected by MyIncognitoSearch?

     You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting:

     How did MyIncognitoSearch get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove MyIncognitoSearch?

     Our program Malwarebytes can detect and remove this potentially unwanted program.

     • Please download Malwarebytes for Windows to your desktop.
     • Double-click MBSetup.exe and follow the prompts to install the program.
     • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
     • Click on the Get started button.
     • Click Scan to start a Threat Scan.
     • When the scan is finished click Quarantine to remove the found threats.
     • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of MyIncognitoSearch?

     No, Malwarebytes removes MyIncognitoSearch completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker.

     As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the MyIncognitoSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

     Technical details for experts

     Possible signs in FRST logs:

     CHR Notifications: Default -> hxxps://install.myincognitosearch.com
     CHR DefaultSearchURL: Default -> hxxps://feed.myincognitosearch.com/?q={searchTerms}&publisher=myincognitosearch&barcodeid=590250000000000
     CHR DefaultSearchKeyword: Default -> MyIncognitoSearch
     CHR DefaultSuggestURL: Default -> hxxps://api.myincognitosearch.com/suggest/get?q={searchTerms}
     CHR Extension: (MyIncognitoSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip [2021-07-20]

     Alterations made by the installer:

     Registry details

     [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
     "fdebfhnlclpmgibliflaehjhbpafnlip"="REG_SZ", "3FA7951A8EB4042009B0E11401337B244491BAED9A0970A61CA068EF1FEAEFFF"

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat.

     We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.

  3. What is FreeSearchConverters?

     The Malwarebytes research team has determined that FreeSearchConverters is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

     This particular one also uses browser push notifications and changes your default search engine.

     How do I know if my computer is affected by FreeSearchConverters?

     You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting:

     How did FreeSearchConverters get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove FreeSearchConverters?

     Our program Malwarebytes can detect and remove this potentially unwanted program.

     • Please download Malwarebytes for Windows to your desktop.
     • Double-click MBSetup.exe and follow the prompts to install the program.
     • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
     • Click on the Get started button.
     • Click Scan to start a Threat Scan.
     • When the scan is finished click Quarantine to remove the found threats.
     • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of FreeSearchConverters?

     No, Malwarebytes removes FreeSearchConverters completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker.

     As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the FreeSearchConverters hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

     Technical details for experts

     Possible signs in FRST logs:

     CHR Notifications: Default -> hxxps://install.freesearchconverters.com
     CHR DefaultSearchURL: Default -> hxxps://feed.freesearchconverters.com/?q={searchTerms}&publisher=freesearchconverters&barcodeid=590370000000000
     CHR DefaultSearchKeyword: Default -> FreeSearchConverters
     CHR DefaultSuggestURL: Default -> hxxps://api.freesearchconverters.com/suggest/get?q={searchTerms}
     CHR Extension: (FreeSearchConverters) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk [2021-06-25]

     Alterations made by the installer:

     Registry details

     [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
     "fglhccdpkbdibhaaedbmpgpkjkpgifhk"="REG_SZ", "BE3D71B9F6C3B955211F3D262B25CB7E3E9269622E48C60D7C08D2899C667C97"

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat.

     We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.

  4. What is YourStreamSearch?

     The Malwarebytes research team has determined that YourStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

     This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

     How do I know if my computer is affected by YourStreamSearch?

     You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting:

     How did YourStreamSearch get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove YourStreamSearch?

     Our program Malwarebytes can detect and remove this potentially unwanted program.

     • Please download Malwarebytes for Windows to your desktop.
     • Double-click MBSetup.exe and follow the prompts to install the program.
     • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
     • Click on the Get started button.
     • Click Scan to start a Threat Scan.
     • When the scan is finished click Quarantine to remove the found threats.
     • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of YourStreamSearch?

     No, Malwarebytes removes YourStreamSearch completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker.

     As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the YourStreamSearch hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.yourstreamsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.yourstreamsearch.com/?q={searchTerms}&publisher=yourstreamsearch&barcodeid=586300000000000 CHR DefaultSearchKeyword: Default -> YourStreamSearch CHR DefaultSuggestURL: Default -> hxxps://api.yourstreamsearch.com/suggest/get?q={searchTerms} CHR Extension: (YourStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk [2021-04-20] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0 Adds the file manifest.json"="4/20/2021 8:59 AM, 2132 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/20/2021 8:59 AM, 6725 bytes, A Adds the file verified_contents.json"="11/17/2020 2:14 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\images Adds the file logo-white-text.png"="11/17/2020 2:14 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\images\icons Adds the file 128x128.png"="4/20/2021 8:59 AM, 6594 bytes, A Adds the file 16x16.png"="4/20/2021 8:59 AM, 618 bytes, A Adds the file 64x64.png"="4/20/2021 8:59 AM, 2969 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\scripts Adds the file 
background.js"="11/17/2020 2:14 PM, 553475 bytes, A Adds the file sitecontent.js"="11/17/2020 2:14 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk Adds the file 000003.log"="4/20/2021 8:59 AM, 0 bytes, A Adds the file CURRENT"="4/20/2021 8:59 AM, 16 bytes, A Adds the file LOCK"="4/20/2021 8:59 AM, 0 bytes, A Adds the file LOG"="4/20/2021 8:59 AM, 0 bytes, A Adds the file MANIFEST-000001"="4/20/2021 8:59 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kicamljljoimnnikabbhokfefoknlkhk Adds the file YourStreamSearch.ico"="4/20/2021 8:59 AM, 185986 bytes, A Adds the file YourStreamSearch.ico.md5"="4/20/2021 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kicamljljoimnnikabbhokfefoknlkhk"="REG_SZ", "1FBDB4D8EB8F99BD39FBEFF5B7B467AD535B75CCC565A1BB3C5CB2327BE6B999" As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is SearchConverterIt? The Malwarebytes research team has determined that SearchConverterIt is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by SearchConverterIt? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did SearchConverterIt get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchConverterIt? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchConverterIt? No, Malwarebytes removes SearchConverterIt completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchConverterIt hijacker. 
It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.searchconverterit.com CHR DefaultSearchURL: Default -> hxxps://feed.searchconverterit.com/?q={searchTerms}&publisher=searchconverterit&barcodeid=588640000000000 CHR DefaultSearchKeyword: Default -> SearchConverterIt CHR DefaultSuggestURL: Default -> hxxps://api.searchconverterit.com/suggest/get?q={searchTerms} CHR Extension: (SearchConverterIt) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng [2021-04-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0 Adds the file manifest.json"="4/14/2021 8:59 AM, 2144 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/14/2021 8:59 AM, 6725 bytes, A Adds the file verified_contents.json"="12/23/2020 12:10 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\images Adds the file logo-white-text.png"="12/23/2020 12:10 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\images\icons Adds the file 128x128.png"="4/14/2021 8:59 AM, 8726 bytes, A Adds the file 16x16.png"="4/14/2021 8:59 AM, 829 bytes, A Adds the file 64x64.png"="4/14/2021 8:59 AM, 3790 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\scripts Adds the file 
background.js"="12/23/2020 12:10 PM, 553484 bytes, A Adds the file sitecontent.js"="12/23/2020 12:10 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng Adds the file 000003.log"="4/14/2021 8:59 AM, 0 bytes, A Adds the file CURRENT"="4/14/2021 8:59 AM, 16 bytes, A Adds the file LOCK"="4/14/2021 8:59 AM, 0 bytes, A Adds the file LOG"="4/14/2021 8:59 AM, 0 bytes, A Adds the file MANIFEST-000001"="4/14/2021 8:59 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_iineefadkfmchfkhljaggpbbnllimnng Adds the file SearchConverterIt.ico"="4/14/2021 8:59 AM, 198511 bytes, A Adds the file SearchConverterIt.ico.md5"="4/14/2021 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "iineefadkfmchfkhljaggpbbnllimnng"="REG_SZ", "52C119205FA573C4A88501553CFC0CFDC7536AC46F7F653A0406C845E5688DB0" As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is OnlineStreamSearch? The Malwarebytes research team has determined that OnlineStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by OnlineStreamSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did OnlineStreamSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove OnlineStreamSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of OnlineStreamSearch? No, Malwarebytes removes OnlineStreamSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the OnlineStreamSearch hijacker. 
It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.onlinestreamsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.onlinestreamsearch.com/?q={searchTerms}&publisher=onlinestreamsearch&barcodeid=584040000000000 CHR DefaultSearchKeyword: Default -> OnlineStreamSearch CHR DefaultSuggestURL: Default -> hxxps://api.onlinestreamsearch.com/suggest/get?q={searchTerms} CHR Extension: (OnlineStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj [2021-04-09] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0 Adds the file manifest.json"="4/9/2021 8:55 AM, 2156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/9/2021 8:55 AM, 6255 bytes, A Adds the file verified_contents.json"="10/6/2020 9:26 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\images Adds the file logo-white-text.png"="10/6/2020 9:26 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\images\icons Adds the file 128x128.png"="4/9/2021 8:55 AM, 10427 bytes, A Adds the file 16x16.png"="4/9/2021 8:55 AM, 669 bytes, A Adds the file 64x64.png"="4/9/2021 8:55 AM, 4057 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\scripts Adds the file 
background.js"="10/6/2020 9:26 AM, 514547 bytes, A Adds the file sitecontent.js"="10/6/2020 9:26 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjpkpjaepmfhndihmhdmgkfnhnmgabpj Adds the file 000003.log"="4/9/2021 8:55 AM, 0 bytes, A Adds the file CURRENT"="4/9/2021 8:55 AM, 16 bytes, A Adds the file LOCK"="4/9/2021 8:55 AM, 0 bytes, A Adds the file LOG"="4/9/2021 8:55 AM, 0 bytes, A Adds the file MANIFEST-000001"="4/9/2021 8:55 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kjpkpjaepmfhndihmhdmgkfnhnmgabpj Adds the file OnlineStreamSearch.ico"="4/9/2021 8:55 AM, 194804 bytes, A Adds the file OnlineStreamSearch.ico.md5"="4/9/2021 8:55 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kjpkpjaepmfhndihmhdmgkfnhnmgabpj"="REG_SZ", "2F218777DD2DEE73C7805AFE50CC42603D6959F5735FD1628C6F20C663949E64" As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is PDFConverterSearchPro? The Malwarebytes research team has determined that PDFConverterSearchPro is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by PDFConverterSearchPro? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did PDFConverterSearchPro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFConverterSearchPro? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFConverterSearchPro? No, Malwarebytes removes PDFConverterSearchPro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFConverterSearchPro hijacker. 
It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.pdfconvertersearchpro.com CHR DefaultSearchURL: Default -> hxxps://feed.pdfconvertersearchpro.com/?q={searchTerms}&publisher=pdfconvertersearchpro&barcodeid=586550000000000 CHR DefaultSearchKeyword: Default -> PDFConverterSearchPro CHR DefaultSuggestURL: Default -> hxxps://api.pdfconvertersearchpro.com/suggest/get?q={searchTerms} CHR Extension: (PDFConverterSearchPro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb [2021-03-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0 Adds the file manifest.json"="3/15/2021 2:06 PM, 2192 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/15/2021 2:06 PM, 6725 bytes, A Adds the file verified_contents.json"="11/22/2020 11:31 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\images Adds the file logo-white-text.png"="11/22/2020 11:31 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\images\icons Adds the file 128x128.png"="3/15/2021 2:06 PM, 3646 bytes, A Adds the file 16x16.png"="3/15/2021 2:06 PM, 543 bytes, A Adds the file 64x64.png"="3/15/2021 2:06 PM, 1960 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\scripts 
Adds the file background.js"="11/22/2020 11:31 AM, 553520 bytes, A Adds the file sitecontent.js"="11/22/2020 11:31 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb Adds the file 000003.log"="3/15/2021 2:06 PM, 0 bytes, A Adds the file CURRENT"="3/15/2021 2:06 PM, 16 bytes, A Adds the file LOCK"="3/15/2021 2:06 PM, 0 bytes, A Adds the file LOG"="3/15/2021 2:06 PM, 0 bytes, A Adds the file MANIFEST-000001"="3/15/2021 2:06 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_akdcioboelamekgappfajnjfpgpimmmb Adds the file PDFConverterSearchPro.ico"="3/15/2021 2:06 PM, 172121 bytes, A Adds the file PDFConverterSearchPro.ico.md5"="3/15/2021 2:06 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "akdcioboelamekgappfajnjfpgpimmmb"="REG_SZ", "F3AE581B78A68DEC8C113BF12D95B1AB3E28ABE5AC03BE5B0B7B6664A6E24343" As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is AllMusicSearches?
The Malwarebytes research team has determined that AllMusicSearches is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

How do I know if my computer is affected by AllMusicSearches?
You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and this changed setting:

How did AllMusicSearches get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove AllMusicSearches?
Our program Malwarebytes can detect and remove this potentially unwanted program.
  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of AllMusicSearches?
  • No, Malwarebytes removes AllMusicSearches completely.
  • If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the AllMusicSearches hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://get.allmusicsearches.com
CHR DefaultSearchURL: Default -> hxxps://feed.allmusicsearches.com/?q={searchTerms}&publisher=allmusicsearches&barcodeid=577260000000000
CHR DefaultSearchKeyword: Default -> AllMusicSearches
CHR DefaultSuggestURL: Default -> hxxps://api.allmusicsearches.com/suggest/get?q={searchTerms}
CHR Extension: (AllMusicSearches) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj [2021-03-08]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0
   Adds the file manifest.json"="3/8/2021 10:18 AM, 2132 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="3/8/2021 10:18 AM, 6255 bytes, A
   Adds the file verified_contents.json"="8/24/2020 10:44 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\images
   Adds the file logo-white-text.png"="8/24/2020 10:44 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\images\icons
   Adds the file 128x128.png"="3/8/2021 10:18 AM, 4637 bytes, A
   Adds the file 16x16.png"="3/8/2021 10:18 AM, 520 bytes, A
   Adds the file 64x64.png"="3/8/2021 10:18 AM, 2321 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\scripts
   Adds the file background.js"="8/24/2020 10:44 AM, 514529 bytes, A
   Adds the file sitecontent.js"="8/24/2020 10:44 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj
   Adds the file 000003.log"="3/8/2021 10:18 AM, 0 bytes, A
   Adds the file CURRENT"="3/8/2021 10:18 AM, 16 bytes, A
   Adds the file LOCK"="3/8/2021 10:18 AM, 0 bytes, A
   Adds the file LOG"="3/8/2021 10:18 AM, 0 bytes, A
   Adds the file MANIFEST-000001"="3/8/2021 10:18 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ljkniknmacmhdnefmnadabodljhilooj
   Adds the file AllMusicSearches.ico"="3/8/2021 10:18 AM, 181707 bytes, A
   Adds the file AllMusicSearches.ico.md5"="3/8/2021 10:18 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
   "ljkniknmacmhdnefmnadabodljhilooj"="REG_SZ", "B908D13B0EEA82D134E21FF89BEB5DAC1C8C4177B4B181F6585A3539DAF29138"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/8/21
Scan Time: 10:25 AM
Log File: 443572f2-7ff0-11eb-bceb-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37877
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 233367
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 2 min, 40 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ljkniknmacmhdnefmnadabodljhilooj, Quarantined, 16150, 799722, , , , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj, Quarantined, 16150, 799722, , , , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LJKNIKNMACMHDNEFMNADABODLJHILOOJ, Quarantined, 16150, 799722, 1.0.37877, , ame, , ,

File: 9
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16150, 799722, , , , , 96FECE9926463CBD0B08B3FB5BC753BE, C3F52BFF541292B2004F2DFEBADD2E42FE4B66B5707D8C1C14DF5B5942E4A098
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16150, 799722, , , , , DF1E75DD9BF6119F195E522F3848C26D, 110AC98529A525098145BBD217AEE2BFDD1170CB82BC655A3AB5879E146E8691
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\000003.log, Quarantined, 16150, 799722, , , , , 1336BECEF15014988CE71F9B84C76B63, 8457B0EF1CE375E0B331E8D9115228D3D22FDEF73905F184BE32FF422C202B94
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\CURRENT, Quarantined, 16150, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\LOCK, Quarantined, 16150, 799722, , , , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\LOG, Quarantined, 16150, 799722, , , , , 4CDECD7BDFAF7DCD3202A901445E0EFA, 5EA2ACAD3FF62049F45EED93C438C61FE34BA519342CE3EC4A362E7E87B9850C
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\MANIFEST-000001, Quarantined, 16150, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LJKNIKNMACMHDNEFMNADABODLJHILOOJ\1.1.0_0\MANIFEST.JSON, Quarantined, 16150, 799722, 1.0.37877, , ame, , F571C4062C2C546E57D7C120801A6355, 0CD8A873E269F4E43B066A63433B8D300AA333A34BF4EB71CB0371BBCA1393BE
PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 856479, 1.0.37877, , ame, , DF1E75DD9BF6119F195E522F3848C26D, 110AC98529A525098145BBD217AEE2BFDD1170CB82BC655A3AB5879E146E8691

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  9. What is PDFSearchWeb?
The Malwarebytes research team has determined that PDFSearchWeb is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

How do I know if my computer is affected by PDFSearchWeb?
You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and this changed setting:

How did PDFSearchWeb get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove PDFSearchWeb?
Our program Malwarebytes can detect and remove this potentially unwanted program.
  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of PDFSearchWeb?
  • No, Malwarebytes removes PDFSearchWeb completely.
  • If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFSearchWeb hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://install.pdfsearchweb.com
CHR DefaultSearchURL: Default -> hxxps://feed.pdfsearchweb.com/?q={searchTerms}&publisher=pdfsearchweb&barcodeid=586480000000000
CHR DefaultSearchKeyword: Default -> PDFSearchWeb
CHR DefaultSuggestURL: Default -> hxxps://api.pdfsearchweb.com/suggest/get?q={searchTerms}
CHR Extension: (PDFSearchWeb) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi [2021-03-04]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0
   Adds the file manifest.json"="3/4/2021 8:46 AM, 2084 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="3/4/2021 8:46 AM, 6725 bytes, A
   Adds the file verified_contents.json"="11/16/2020 11:09 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\images
   Adds the file logo-white-text.png"="11/16/2020 11:09 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\images\icons
   Adds the file 128x128.png"="3/4/2021 8:46 AM, 2578 bytes, A
   Adds the file 16x16.png"="3/4/2021 8:46 AM, 416 bytes, A
   Adds the file 64x64.png"="3/4/2021 8:46 AM, 1436 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\scripts
   Adds the file background.js"="11/16/2020 11:09 AM, 553439 bytes, A
   Adds the file sitecontent.js"="11/16/2020 11:09 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi
   Adds the file 000003.log"="3/4/2021 8:46 AM, 0 bytes, A
   Adds the file CURRENT"="3/4/2021 8:46 AM, 16 bytes, A
   Adds the file LOCK"="3/4/2021 8:46 AM, 0 bytes, A
   Adds the file LOG"="3/4/2021 8:46 AM, 0 bytes, A
   Adds the file MANIFEST-000001"="3/4/2021 8:46 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_blmcjacaocadbkaoippfdhjknablobgi
   Adds the file PDFSearchWeb.ico"="3/4/2021 8:46 AM, 165020 bytes, A
   Adds the file PDFSearchWeb.ico.md5"="3/4/2021 8:46 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
   "blmcjacaocadbkaoippfdhjknablobgi"="REG_SZ", "21383C3BCEED4E28CE353D35F37AB55C383F3D6E796A18124C0DE8CF0A38C218"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/4/21
Scan Time: 9:04 AM
Log File: 4d2527fa-7cc0-11eb-9e7c-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37767
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 233343
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 3 min, 50 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|blmcjacaocadbkaoippfdhjknablobgi, Quarantined, 15230, 799722, , , , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi, Quarantined, 15230, 799722, , , , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLMCJACAOCADBKAOIPPFDHJKNABLOBGI, Quarantined, 15230, 799722, 1.0.37767, , ame, , ,

File: 9
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , 01C6FDC1C96A97A38133B535F53D0D30, E920A84318FD5E518AED4F1856CBF931668DF6EB4D234B3D19A58C99CC4C3232
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , B07D93683D5433642FFB7A45BEE0F1F8, 83BA83D99DBD7D791D9A3D7C308CFCAE2AE132820C7F31C0642C0ACD357F8A70
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\000003.log, Quarantined, 15230, 799722, , , , , E1DE9B412C0C30CDEE59F9E4E63F56DB, 86A2A508B75E0F5CEE3DE285AA84735D8F1ECEB37D333BBFE5232263B612BF3D
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\LOCK, Quarantined, 15230, 799722, , , , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\LOG, Quarantined, 15230, 799722, , , , , A4549DEA968C4980471BA79B2504416B, 3A609EA567AF426E9CD1C3DF641EE9F298A276437D70FC238AF6AE2175357C36
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLMCJACAOCADBKAOIPPFDHJKNABLOBGI\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.37767, , ame, , 8E1EDD9316806E38160CE820BA112006, D6F16F705C44BA34A629512B96F7950673D3E0CA8CCA07495ED8765BFE66E2FE
PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15847, 832955, 1.0.37767, , ame, , B07D93683D5433642FFB7A45BEE0F1F8, 83BA83D99DBD7D791D9A3D7C308CFCAE2AE132820C7F31C0642C0ACD357F8A70

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  10. What is SearchConverterPro?
The Malwarebytes research team has determined that SearchConverterPro is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

How do I know if my computer is affected by SearchConverterPro?
You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and this changed setting:

How did SearchConverterPro get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove SearchConverterPro?
Our program Malwarebytes can detect and remove this potentially unwanted program.
  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of SearchConverterPro?
  • No, Malwarebytes removes SearchConverterPro completely.
  • If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchConverterPro hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://install.searchconverterpro.com
CHR DefaultSearchURL: Default -> hxxps://feed.searchconverterpro.com/?q={searchTerms}&publisher=searchconverterpro&barcodeid=585410000000000
CHR DefaultSearchKeyword: Default -> SearchConverterPro
CHR DefaultSuggestURL: Default -> hxxps://api.searchconverterpro.com/suggest/get?q={searchTerms}
CHR Extension: (SearchConverterPro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb [2021-03-01]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0
   Adds the file manifest.json"="3/1/2021 1:35 PM, 2156 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="3/1/2021 1:35 PM, 6725 bytes, A
   Adds the file verified_contents.json"="10/25/2020 10:34 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\images
   Adds the file logo-white-text.png"="10/25/2020 10:34 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\images\icons
   Adds the file 128x128.png"="3/1/2021 1:35 PM, 6306 bytes, A
   Adds the file 16x16.png"="3/1/2021 1:35 PM, 694 bytes, A
   Adds the file 64x64.png"="3/1/2021 1:35 PM, 3071 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\scripts
   Adds the file background.js"="10/25/2020 10:34 AM, 553493 bytes, A
   Adds the file sitecontent.js"="10/25/2020 10:34 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb
   Adds the file 000003.log"="3/1/2021 1:35 PM, 0 bytes, A
   Adds the file CURRENT"="3/1/2021 1:35 PM, 16 bytes, A
   Adds the file LOCK"="3/1/2021 1:35 PM, 0 bytes, A
   Adds the file LOG"="3/1/2021 1:35 PM, 0 bytes, A
   Adds the file MANIFEST-000001"="3/1/2021 1:35 PM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hjnfhgckomdbflopemgjbncbkdeihhlb
   Adds the file SearchConverterPro.ico"="3/1/2021 1:35 PM, 186748 bytes, A
   Adds the file SearchConverterPro.ico.md5"="3/1/2021 1:35 PM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
   "hjnfhgckomdbflopemgjbncbkdeihhlb"="REG_SZ", "33F8C3B2409F6D8AB5CCF20B368B4AD040AFD46DC8E5F6C5A4E67A3D54DE4719"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/1/21
Scan Time: 1:48 PM
Log File: 7a1b9b80-7a8c-11eb-8099-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37625
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 233311
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 3 min, 52 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hjnfhgckomdbflopemgjbncbkdeihhlb, Quarantined, 15231, 799722, , , , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb, Quarantined, 15231, 799722, , , , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HJNFHGCKOMDBFLOPEMGJBNCBKDEIHHLB, Quarantined, 15231, 799722, 1.0.37625, , ame, , ,

File: 9
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , D8067A2FAD4A6447366B1C2089342374, 5248CCAAC27A4EE68520DF16E1DFD948FECEF89F796C46537ABEF0097EF388B1
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , 20886FCF60602A624756A7271589506B, E158105F46D1C21EBF0959BAB4AC56DE365A1E50F61BF2DEA5C079AF295DEB60
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\000003.log, Quarantined, 15231, 799722, , , , , 321094FBF6F04AFE2CB330470130272F, 352C9EFEA042CB951214F10CD67DB634D225D38BE2F4EB3F5F54564D51616C2E
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\LOCK, Quarantined, 15231, 799722, , , , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\LOG, Quarantined, 15231, 799722, , , , , 86F8B6040268BC3304FF41A99C321ECD, A59E09D12C0EDCB7DF337D13DFCF6E3734732E5C7F74BD456A69E8FDB42C43D3
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HJNFHGCKOMDBFLOPEMGJBNCBKDEIHHLB\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37625, , ame, , 4A1FC792FD3BD8E05EA6771ED67CE48B, D41AA25AB279D43F6393B93025EA5E2DEF3C5E44B4B5F52A83A4DDE62FDFD4C6
PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15848, 832955, 1.0.37625, , ame, , 20886FCF60602A624756A7271589506B, E158105F46D1C21EBF0959BAB4AC56DE365A1E50F61BF2DEA5C079AF295DEB60

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  11. What is MovieSearchTool?
The Malwarebytes research team has determined that MovieSearchTool is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

How do I know if my computer is affected by MovieSearchTool?
You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and these changed settings:

How did MovieSearchTool get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove MovieSearchTool?
Our program Malwarebytes can detect and remove this potentially unwanted program.
  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of MovieSearchTool?
  • No, Malwarebytes removes MovieSearchTool completely.
  • If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the MovieSearchTool hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://get.moviesearchtool.com
CHR DefaultSearchURL: Default -> hxxps://feed.moviesearchtool.com/?q={searchTerms}&publisher=moviesearchtool&barcodeid=584280000000000
CHR DefaultSearchKeyword: Default -> MovieSearchTool
CHR DefaultSuggestURL: Default -> hxxps://api.moviesearchtool.com/suggest/get?q={searchTerms}
CHR Extension: (MovieSearchTool) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb [2021-03-01]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0
   Adds the file manifest.json"="3/1/2021 9:02 AM, 2120 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="3/1/2021 9:02 AM, 6255 bytes, A
   Adds the file verified_contents.json"="10/6/2020 11:06 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\images
   Adds the file logo-white-text.png"="10/6/2020 11:06 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\images\icons
   Adds the file 128x128.png"="3/1/2021 9:02 AM, 9798 bytes, A
   Adds the file 16x16.png"="3/1/2021 9:02 AM, 702 bytes, A
   Adds the file 64x64.png"="3/1/2021 9:02 AM, 4198 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\scripts
   Adds the file background.js"="10/6/2020 11:06 AM, 514520 bytes, A
   Adds the file sitecontent.js"="10/6/2020 11:06 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb
   Adds the file 000003.log"="3/1/2021 9:02 AM, 0 bytes, A
   Adds the file CURRENT"="3/1/2021 9:02 AM, 16 bytes, A
   Adds the file LOCK"="3/1/2021 9:02 AM, 0 bytes, A
   Adds the file LOG"="3/1/2021 9:02 AM, 0 bytes, A
   Adds the file MANIFEST-000001"="3/1/2021 9:02 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pnmnfklndbilokgddplokhdlmlkhaphb
   Adds the file MovieSearchTool.ico"="3/1/2021 9:02 AM, 196949 bytes, A
   Adds the file MovieSearchTool.ico.md5"="3/1/2021 9:02 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
   "pnmnfklndbilokgddplokhdlmlkhaphb"="REG_SZ", "78A3D07F2CD2E616A9587AE07ADE3797D4E397353C1A18B1268042C6C75C9686"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/1/21
Scan Time: 9:11 AM
Log File: c14d54d4-7a65-11eb-82c1-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37613
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 233298
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 4 min, 4 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pnmnfklndbilokgddplokhdlmlkhaphb, Quarantined, 15231, 799722, , , , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb, Quarantined, 15231, 799722, , , , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PNMNFKLNDBILOKGDDPLOKHDLMLKHAPHB, Quarantined, 15231, 799722, 1.0.37613, , ame, , ,

File: 9
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , 1D56C00ACDEF2146FD214881F0949EE2, ADA00ED18C8CE7BE41C0BF66EBA9918AFC3CF7C9869C80563A2834C293FF67C7
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , EEAE1DA7F19C2D376915CE0A24A0A935, 57B310B953E848578C4F16FF816AB8A6A591D40FCAC5F807C64E0EA56EEE953B
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\000003.log, Quarantined, 15231, 799722, , , , , 0D630FDD3FEB10765D0F43DDDFBDEDF7, E4AF3D1899051070A1EB6C1FB8D820636D92C7757D76BBBD7D46C38E08C70A49
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\LOCK, Quarantined, 15231, 799722, , , , , ,
Adware.SearchEngineHijack.Generic, 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\LOG, Quarantined, 15231, 799722, , , , , FEA63FEC66680EB8AD70324E253DFEDB, 79E07DE941D8BA28ED959075399ECF8239A4EB40414B4CD73B6AC54FF818903F Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PNMNFKLNDBILOKGDDPLOKHDLMLKHAPHB\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37613, , ame, , 90D19280D957DCE6CE3126439DEA6758, 74BBCFB5642BB975FE4DB6B1EB0F1DE0873B04F7366EC39F7A2C60E38FA41F97 PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 14952, 858871, 1.0.37613, , ame, , EEAE1DA7F19C2D376915CE0A24A0A935, 57B310B953E848578C4F16FF816AB8A6A591D40FCAC5F807C64E0EA56EEE953B Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is HDMovieSearch?
The Malwarebytes research team has determined that HDMovieSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and adds Search Recommendations.

How do I know if my computer is affected by HDMovieSearch?
You may see this entry in your list of installed Chrome extensions:
and this changed setting:
You may have noticed these warnings during install:

How did HDMovieSearch get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove HDMovieSearch?
Our program Malwarebytes can detect and remove this search hijacker.
  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of HDMovieSearch?
No, Malwarebytes removes HDMovieSearch completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the HDMovieSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:

CHR DefaultSearchURL: Default -> hxxps://feed.hdmoviesearch.com/?q={searchTerms}&publisher=hdmoviesearch&barcodeid=577180000000000
CHR DefaultSearchKeyword: Default -> HDMovieSearch
CHR DefaultSuggestURL: Default -> hxxps://api.hdmoviesearch.com/suggest/get?q={searchTerms}
CHR Extension: (HDMovieSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac [2021-02-26]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0
       Adds the file manifest.json"="2/26/2021 8:44 AM, 2096 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\_metadata
       Adds the file computed_hashes.json"="2/26/2021 8:44 AM, 6255 bytes, A
       Adds the file verified_contents.json"="8/30/2020 1:44 PM, 2049 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\images
       Adds the file logo-white-text.png"="8/30/2020 1:44 PM, 0 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\images\icons
       Adds the file 128x128.png"="2/26/2021 8:44 AM, 3700 bytes, A
       Adds the file 16x16.png"="2/26/2021 8:44 AM, 371 bytes, A
       Adds the file 64x64.png"="2/26/2021 8:44 AM, 1934 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\scripts
       Adds the file background.js"="8/30/2020 1:44 PM, 514502 bytes, A
       Adds the file sitecontent.js"="8/30/2020 1:44 PM, 77 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac
       Adds the file 000003.log"="2/26/2021 8:48 AM, 507 bytes, A
       Adds the file CURRENT"="2/26/2021 8:44 AM, 16 bytes, A
       Adds the file LOCK"="2/26/2021 8:44 AM, 0 bytes, A
       Adds the file LOG"="2/26/2021 8:44 AM, 183 bytes, A
       Adds the file MANIFEST-000001"="2/26/2021 8:44 AM, 41 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ciemldlbecaohelcffdkcnbdkfakdcac
       Adds the file HDMovieSearch.ico"="2/26/2021 8:44 AM, 172794 bytes, A
       Adds the file HDMovieSearch.ico.md5"="2/26/2021 8:44 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "ciemldlbecaohelcffdkcnbdkfakdcac"="REG_SZ", "5C01EE9A6CFF6EE4D76D055E6EF5AB4772AE0E0CB3462DCC5BEB3B6447DA6266"

Malwarebytes log:

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  13. What is PDFConverterSearchApp?
The Malwarebytes research team has determined that PDFConverterSearchApp is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

How do I know if my computer is affected by PDFConverterSearchApp?
You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and these changed settings:

How did PDFConverterSearchApp get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove PDFConverterSearchApp?
Our program Malwarebytes can detect and remove this potentially unwanted program.
  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of PDFConverterSearchApp?
No, Malwarebytes removes PDFConverterSearchApp completely. If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFConverterSearchApp hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR Notifications: Default -> hxxps://install.pdfconvertersearchapp.com
CHR DefaultSearchURL: Default -> hxxps://feed.pdfconvertersearchapp.com/?q={searchTerms}&publisher=pdfconvertersearchapp&barcodeid=586540000000000
CHR DefaultSearchKeyword: Default -> PDFConverterSearchApp
CHR DefaultSuggestURL: Default -> hxxps://api.pdfconvertersearchapp.com/suggest/get?q={searchTerms}
CHR Extension: (PDFConverterSearchApp) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml [2021-02-23]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0
       Adds the file manifest.json"="2/23/2021 8:51 AM, 2192 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\_metadata
       Adds the file computed_hashes.json"="2/23/2021 8:51 AM, 6725 bytes, A
       Adds the file verified_contents.json"="11/22/2020 11:22 AM, 2049 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\images
       Adds the file logo-white-text.png"="11/22/2020 11:22 AM, 0 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\images\icons
       Adds the file 128x128.png"="2/23/2021 8:51 AM, 2705 bytes, A
       Adds the file 16x16.png"="2/23/2021 8:51 AM, 431 bytes, A
       Adds the file 64x64.png"="2/23/2021 8:51 AM, 1524 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\scripts
       Adds the file background.js"="11/22/2020 11:22 AM, 553520 bytes, A
       Adds the file sitecontent.js"="11/22/2020 11:22 AM, 77 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml
       Adds the file 000003.log"="2/23/2021 8:51 AM, 772 bytes, A
       Adds the file CURRENT"="2/23/2021 8:51 AM, 16 bytes, A
       Adds the file LOCK"="2/23/2021 8:51 AM, 0 bytes, A
       Adds the file LOG"="2/23/2021 8:52 AM, 0 bytes, A
       Adds the file LOG.old"="2/23/2021 8:51 AM, 183 bytes, A
       Adds the file MANIFEST-000001"="2/23/2021 8:51 AM, 41 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_cblanbpgmlklhkagkhielejnbekfhgml
       Adds the file PDFConverterSearchApp.ico"="2/23/2021 8:51 AM, 167009 bytes, A
       Adds the file PDFConverterSearchApp.ico.md5"="2/23/2021 8:51 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "cblanbpgmlklhkagkhielejnbekfhgml"="REG_SZ", "E0BB14EFCF360DCD9F079792C8C0304B764520F6BC38ACA5472CEED8CB0F4894"

Malwarebytes log:

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  14. What is GameSearcher?
The Malwarebytes research team has determined that GameSearcher is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and adds Search Recommendations.

How do I know if my computer is affected by GameSearcher?
You may see this entry in your list of installed Chrome extensions:
and this changed setting:
You may have noticed these warnings during install:

How did GameSearcher get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove GameSearcher?
Our program Malwarebytes can detect and remove this search hijacker.
  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of GameSearcher?
No, Malwarebytes removes GameSearcher completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the GameSearcher hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:

CHR DefaultSearchURL: Default -> hxxps://feed.game-searcher.com/?q={searchTerms}&publisher=gamesearcher&barcodeid=576940000000000
CHR DefaultSearchKeyword: Default -> GameSearcher
CHR DefaultSuggestURL: Default -> hxxps://api.game-searcher.com/suggest/get?q={searchTerms}
CHR Extension: (GameSearcher) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod [2021-02-22]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod\1.1.0_0
       Adds the file manifest.json"="2/22/2021 8:50 AM, 2090 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod\1.1.0_0\_metadata
       Adds the file computed_hashes.json"="2/22/2021 8:50 AM, 6255 bytes, A
       Adds the file verified_contents.json"="8/9/2020 9:01 AM, 2049 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod\1.1.0_0\images
       Adds the file logo-white-text.png"="8/9/2020 9:01 AM, 0 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod\1.1.0_0\images\icons
       Adds the file 128x128.png"="2/22/2021 8:50 AM, 8631 bytes, A
       Adds the file 16x16.png"="2/22/2021 8:50 AM, 693 bytes, A
       Adds the file 64x64.png"="2/22/2021 8:50 AM, 3995 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod\1.1.0_0\scripts
       Adds the file background.js"="8/9/2020 9:01 AM, 514494 bytes, A
       Adds the file sitecontent.js"="8/9/2020 9:01 AM, 77 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bfnhoddhapmmplpkmbgehgnhdmfbkjod
       Adds the file 000003.log"="2/22/2021 8:53 AM, 780 bytes, A
       Adds the file CURRENT"="2/22/2021 8:50 AM, 16 bytes, A
       Adds the file LOCK"="2/22/2021 8:50 AM, 0 bytes, A
       Adds the file LOG"="2/22/2021 8:50 AM, 183 bytes, A
       Adds the file MANIFEST-000001"="2/22/2021 8:50 AM, 41 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bfnhoddhapmmplpkmbgehgnhdmfbkjod
       Adds the file GameSearcher.ico"="2/22/2021 8:50 AM, 192304 bytes, A
       Adds the file GameSearcher.ico.md5"="2/22/2021 8:50 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "bfnhoddhapmmplpkmbgehgnhdmfbkjod"="REG_SZ", "1E01B86C836EC0828E96E04F9D71DCCF7FA2E1592CD433402D8281CB9BE73AE4"

Malwarebytes log:

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  15. What is 4KMovieSearch?

The Malwarebytes research team has determined that 4KMovieSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

This particular one changes your default search engine and adds Search Recommendations.

How do I know if my computer is affected by 4KMovieSearch?

You may see this entry in your list of installed Chrome extensions:
and this changed setting:
You may have noticed these warnings during install:

How did 4KMovieSearch get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove 4KMovieSearch?

Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished, click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of 4KMovieSearch?

No, Malwarebytes removes 4KMovieSearch completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, Malwarebytes Browser Guard and the full version of Malwarebytes would have protected you against the 4KMovieSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://feed.4kmoviesearch.com/?q={searchTerms}&publisher=4kmoviesearch&barcodeid=577170000000000
CHR DefaultSearchKeyword: Default -> 4KMovieSearch
CHR DefaultSuggestURL: Default -> hxxps://api.4kmoviesearch.com/suggest/get?q={searchTerms}
CHR Extension: (4KMovieSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ollbbcnfpbgoinifoeodekhnpmjbkenm [2021-02-19]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ollbbcnfpbgoinifoeodekhnpmjbkenm\1.1.0_0
   Adds the file manifest.json"="2/19/2021 8:49 AM, 2096 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ollbbcnfpbgoinifoeodekhnpmjbkenm\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="2/19/2021 8:49 AM, 6255 bytes, A
   Adds the file verified_contents.json"="8/23/2020 12:54 PM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ollbbcnfpbgoinifoeodekhnpmjbkenm\1.1.0_0\images
   Adds the file logo-white-text.png"="8/23/2020 12:54 PM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ollbbcnfpbgoinifoeodekhnpmjbkenm\1.1.0_0\images\icons
   Adds the file 128x128.png"="2/19/2021 8:49 AM, 4858 bytes, A
   Adds the file 16x16.png"="2/19/2021 8:49 AM, 569 bytes, A
   Adds the file 64x64.png"="2/19/2021 8:49 AM, 2618 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ollbbcnfpbgoinifoeodekhnpmjbkenm\1.1.0_0\scripts
   Adds the file background.js"="8/23/2020 12:54 PM, 514502 bytes, A
   Adds the file sitecontent.js"="8/23/2020 12:54 PM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ollbbcnfpbgoinifoeodekhnpmjbkenm
   Adds the file 000003.log"="2/19/2021 8:56 AM, 545 bytes, A
   Adds the file CURRENT"="2/19/2021 8:49 AM, 16 bytes, A
   Adds the file LOCK"="2/19/2021 8:49 AM, 0 bytes, A
   Adds the file LOG"="2/19/2021 8:49 AM, 183 bytes, A
   Adds the file MANIFEST-000001"="2/19/2021 8:49 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ollbbcnfpbgoinifoeodekhnpmjbkenm
   Adds the file 4KMovieSearch.ico"="2/19/2021 8:49 AM, 180241 bytes, A
   Adds the file 4KMovieSearch.ico.md5"="2/19/2021 8:49 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"ollbbcnfpbgoinifoeodekhnpmjbkenm"="REG_SZ", "711D44E236C94CF379D75556A3C3A650E0E90A6F80F2678EBDDE6D619928A910"

Malwarebytes log:

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  16. What is TopSearchConverter?

The Malwarebytes research team has determined that TopSearchConverter is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

How do I know if my computer is affected by TopSearchConverter?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and this changed setting:

How did TopSearchConverter get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove TopSearchConverter?

Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished, click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of TopSearchConverter?

No, Malwarebytes removes TopSearchConverter completely. If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, Malwarebytes Browser Guard and the full version of Malwarebytes would have protected you against the TopSearchConverter hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://install.topsearchconverter.com
CHR DefaultSearchURL: Default -> hxxps://feed.topsearchconverter.com/?q={searchTerms}&publisher=topsearchconverter&barcodeid=588600000000000
CHR DefaultSearchKeyword: Default -> TopSearchConverter
CHR DefaultSuggestURL: Default -> hxxps://api.topsearchconverter.com/suggest/get?q={searchTerms}
CHR Extension: (TopSearchConverter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo [2021-02-17]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo\1.1.0_0
   Adds the file manifest.json"="2/17/2021 8:52 AM, 2156 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="2/17/2021 8:52 AM, 6725 bytes, A
   Adds the file verified_contents.json"="12/16/2020 11:16 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo\1.1.0_0\images
   Adds the file logo-white-text.png"="12/16/2020 11:16 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo\1.1.0_0\images\icons
   Adds the file 128x128.png"="2/17/2021 8:52 AM, 6065 bytes, A
   Adds the file 16x16.png"="2/17/2021 8:52 AM, 654 bytes, A
   Adds the file 64x64.png"="2/17/2021 8:52 AM, 2957 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo\1.1.0_0\scripts
   Adds the file background.js"="12/16/2020 11:16 AM, 553493 bytes, A
   Adds the file sitecontent.js"="12/16/2020 11:16 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\danlpohcmjfbadhejfpmdhbfkjjndfbo
   Adds the file 000003.log"="2/17/2021 8:52 AM, 0 bytes, A
   Adds the file CURRENT"="2/17/2021 8:52 AM, 16 bytes, A
   Adds the file LOCK"="2/17/2021 8:52 AM, 0 bytes, A
   Adds the file LOG"="2/17/2021 8:52 AM, 0 bytes, A
   Adds the file MANIFEST-000001"="2/17/2021 8:52 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_danlpohcmjfbadhejfpmdhbfkjjndfbo
   Adds the file TopSearchConverter.ico"="2/17/2021 8:52 AM, 186697 bytes, A
   Adds the file TopSearchConverter.ico.md5"="2/17/2021 8:52 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"danlpohcmjfbadhejfpmdhbfkjjndfbo"="REG_SZ", "2D5B7FBDCCC9F65B43582271329826D2F348192E2033105E2008EA28952B9939"

Malwarebytes log:

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  17. What is PDFConverterSearchHD?

The Malwarebytes research team has determined that PDFConverterSearchHD is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

This particular one changes your default search engine and adds Search Recommendations.

How do I know if my computer is affected by PDFConverterSearchHD?

You may see this entry in your list of installed Chrome extensions:
and this changed setting:
You may have noticed these warnings during install:

How did PDFConverterSearchHD get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove PDFConverterSearchHD?

Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished, click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of PDFConverterSearchHD?

No, Malwarebytes removes PDFConverterSearchHD completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, Malwarebytes Browser Guard and the full version of Malwarebytes would have protected you against the PDFConverterSearchHD hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://feed.pdfconvertersearchhd.com/?q={searchTerms}&publisher=pdfconvertersearchhd&barcodeid=579850000000000
CHR DefaultSearchKeyword: Default -> PDFConverterSearchHD
CHR DefaultSuggestURL: Default -> hxxps://api.pdfconvertersearchhd.com/suggest/get?q={searchTerms}
CHR Extension: (PDFConverterSearchHD) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcmngnbobgmkeillicdipmlmggdkhala [2021-02-15]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcmngnbobgmkeillicdipmlmggdkhala\1.1.0_0
   Adds the file manifest.json"="2/15/2021 9:21 AM, 2180 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcmngnbobgmkeillicdipmlmggdkhala\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="2/15/2021 9:21 AM, 6255 bytes, A
   Adds the file verified_contents.json"="9/1/2020 2:27 PM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcmngnbobgmkeillicdipmlmggdkhala\1.1.0_0\images
   Adds the file logo-white-text.png"="9/1/2020 2:27 PM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcmngnbobgmkeillicdipmlmggdkhala\1.1.0_0\images\icons
   Adds the file 128x128.png"="2/15/2021 9:21 AM, 3190 bytes, A
   Adds the file 16x16.png"="2/15/2021 9:21 AM, 423 bytes, A
   Adds the file 64x64.png"="2/15/2021 9:21 AM, 1687 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcmngnbobgmkeillicdipmlmggdkhala\1.1.0_0\scripts
   Adds the file background.js"="9/1/2020 2:27 PM, 514565 bytes, A
   Adds the file sitecontent.js"="9/1/2020 2:27 PM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gcmngnbobgmkeillicdipmlmggdkhala
   Adds the file 000003.log"="2/15/2021 9:23 AM, 488 bytes, A
   Adds the file CURRENT"="2/15/2021 9:21 AM, 16 bytes, A
   Adds the file LOCK"="2/15/2021 9:21 AM, 0 bytes, A
   Adds the file LOG"="2/15/2021 9:21 AM, 183 bytes, A
   Adds the file MANIFEST-000001"="2/15/2021 9:21 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_gcmngnbobgmkeillicdipmlmggdkhala
   Adds the file PDFConverterSearchHD.ico"="2/15/2021 9:21 AM, 169127 bytes, A
   Adds the file PDFConverterSearchHD.ico.md5"="2/15/2021 9:21 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"gcmngnbobgmkeillicdipmlmggdkhala"="REG_SZ", "55897F3EBC6271E57624DC4B03365787D8C0A3BFF4CAD1A2D57305A57479E1F7"

Malwarebytes log:

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  18. What is ConvertItSearch?

The Malwarebytes research team has determined that ConvertItSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

How do I know if my computer is affected by ConvertItSearch?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and these changed settings:

How did ConvertItSearch get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove ConvertItSearch?

Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished, click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of ConvertItSearch?

No, Malwarebytes removes ConvertItSearch completely. If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, Malwarebytes Browser Guard and the full version of Malwarebytes would have protected you against the ConvertItSearch hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://get.convertitsearch.com
CHR DefaultSearchURL: Default -> hxxps://feed.convertitsearch.com/?q={searchTerms}&publisher=convertitsearch&barcodeid=577290000000000
CHR DefaultSearchKeyword: Default -> ConvertItSearch
CHR DefaultSuggestURL: Default -> hxxps://api.convertitsearch.com/suggest/get?q={searchTerms}
CHR Extension: (ConvertItSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn [2021-02-12]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn\1.1.0_0
   Adds the file manifest.json"="2/12/2021 9:03 AM, 2120 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="2/12/2021 9:03 AM, 6255 bytes, A
   Adds the file verified_contents.json"="7/21/2020 11:16 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn\1.1.0_0\images
   Adds the file logo-white-text.png"="7/21/2020 11:16 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn\1.1.0_0\images\icons
   Adds the file 128x128.png"="2/12/2021 9:03 AM, 7167 bytes, A
   Adds the file 16x16.png"="2/12/2021 9:03 AM, 624 bytes, A
   Adds the file 64x64.png"="2/12/2021 9:03 AM, 3363 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn\1.1.0_0\scripts
   Adds the file background.js"="7/21/2020 11:16 AM, 514626 bytes, A
   Adds the file sitecontent.js"="7/21/2020 11:16 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cdfbocoencgihhaeefgbikgkohjpkdbn
   Adds the file 000003.log"="2/12/2021 9:03 AM, 0 bytes, A
   Adds the file CURRENT"="2/12/2021 9:03 AM, 16 bytes, A
   Adds the file LOCK"="2/12/2021 9:03 AM, 0 bytes, A
   Adds the file LOG"="2/12/2021 9:03 AM, 0 bytes, A
   Adds the file MANIFEST-000001"="2/12/2021 9:03 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_cdfbocoencgihhaeefgbikgkohjpkdbn
   Adds the file ConvertItSearch.ico"="2/12/2021 9:03 AM, 195478 bytes, A
   Adds the file ConvertItSearch.ico.md5"="2/12/2021 9:03 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"cdfbocoencgihhaeefgbikgkohjpkdbn"="REG_SZ", "84EFAE078E5DD9FACEE1849459296F79590565412D49E832F159538D32F17115"

Malwarebytes log:
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cdfbocoencgihhaeefgbikgkohjpkdbn\LOG, Quarantined, 15231, 799722, , , , , CB2607F733082B525901A79A347044B1, AA10F771DBA4A22EA8EBC04D19CEC200CE6224BA900380B83807698A3FC8251E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cdfbocoencgihhaeefgbikgkohjpkdbn\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CDFBOCOENCGIHHAEEFGBIKGKOHJPKDBN\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37005, , ame, , BA88184F4F4C9257A2B773EF37015D09, 957F5C779E4C8941785044DEB0F268C43077792DD844D17E3D1146B00CF0561F PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 14952, 846248, 1.0.37005, , ame, , 7ACA655856B97E9BBA1A6A52AF5D11B1, 38A4B7DE6AD92ECEE090E78A4E139D2929FC81D379B4B7F7D68098D940D486A9 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  19. What is MusicStreamSearches?

The Malwarebytes research team has determined that MusicStreamSearches is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and adds Search Recommendations.

How do I know if my computer is affected by MusicStreamSearches?

You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install:

How did MusicStreamSearches get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

How do I remove MusicStreamSearches?

Our program Malwarebytes can detect and remove this search hijacker.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished, click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of MusicStreamSearches?

No, Malwarebytes removes MusicStreamSearches completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, Malwarebytes Browser Guard and the full version of Malwarebytes would have protected you against the MusicStreamSearches hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR DefaultSearchURL: Default -> hxxps://feed.musicstreamsearches.com/?q={searchTerms}&publisher=musicstreamsearches&barcodeid=577200000000000
CHR DefaultSearchKeyword: Default -> MusicStreamSearches
CHR DefaultSuggestURL: Default -> hxxps://api.musicstreamsearches.com/suggest/get?q={searchTerms}
CHR Extension: (MusicStreamSearches) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbdpmoholiohobjomidcjmkccmhfokij [2021-02-11]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbdpmoholiohobjomidcjmkccmhfokij\1.1.0_0
       Adds the file manifest.json"="2/11/2021 9:29 AM, 2168 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbdpmoholiohobjomidcjmkccmhfokij\1.1.0_0\_metadata
       Adds the file computed_hashes.json"="2/11/2021 9:29 AM, 6255 bytes, A
       Adds the file verified_contents.json"="7/16/2020 1:43 PM, 2049 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbdpmoholiohobjomidcjmkccmhfokij\1.1.0_0\images
       Adds the file logo-white-text.png"="7/16/2020 1:43 PM, 0 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbdpmoholiohobjomidcjmkccmhfokij\1.1.0_0\images\icons
       Adds the file 128x128.png"="2/11/2021 9:29 AM, 4889 bytes, A
       Adds the file 16x16.png"="2/11/2021 9:29 AM, 560 bytes, A
       Adds the file 64x64.png"="2/11/2021 9:29 AM, 2571 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbdpmoholiohobjomidcjmkccmhfokij\1.1.0_0\scripts
       Adds the file background.js"="7/16/2020 1:43 PM, 514690 bytes, A
       Adds the file sitecontent.js"="7/16/2020 1:43 PM, 77 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kbdpmoholiohobjomidcjmkccmhfokij
       Adds the file 000003.log"="2/11/2021 9:31 AM, 488 bytes, A
       Adds the file CURRENT"="2/11/2021 9:29 AM, 16 bytes, A
       Adds the file LOCK"="2/11/2021 9:29 AM, 0 bytes, A
       Adds the file LOG"="2/11/2021 9:29 AM, 184 bytes, A
       Adds the file MANIFEST-000001"="2/11/2021 9:29 AM, 41 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kbdpmoholiohobjomidcjmkccmhfokij
       Adds the file MusicStreamSearches.ico"="2/11/2021 9:29 AM, 179621 bytes, A
       Adds the file MusicStreamSearches.ico.md5"="2/11/2021 9:29 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "kbdpmoholiohobjomidcjmkccmhfokij"="REG_SZ", "D6A32A06BF1951D12858BDF872BB9C3D380A1F4AD0FBAAC31137C27ABC4568B6"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/11/21
Scan Time: 9:36 AM
Log File: 4deca870-6c44-11eb-86ef-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1157
Update Package Version: 1.0.36957
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 233153
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 3 min, 55 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)
Registry Value: 1
Registry Data: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)
Folder: 2
File: 8
Physical Sector: 0 (No malicious items detected)
WMI: 0 (No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
  20. What is AnyGameSearch?

The Malwarebytes research team has determined that AnyGameSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

How do I know if my computer is affected by AnyGameSearch?

You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting:

How did AnyGameSearch get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

How do I remove AnyGameSearch?

Our program Malwarebytes can detect and remove this potentially unwanted program.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished, click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of AnyGameSearch?

No, Malwarebytes removes AnyGameSearch completely. If you have allowed the notifications, you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, Malwarebytes Browser Guard and the full version of Malwarebytes would have protected you against the AnyGameSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR Notifications: Default -> hxxps://get.anygamesearch.com
CHR DefaultSearchURL: Default -> hxxps://feed.anygamesearch.com/?q={searchTerms}&publisher=anygamesearch&barcodeid=576890000000000
CHR DefaultSearchKeyword: Default -> AnyGameSearch
CHR DefaultSuggestURL: Default -> hxxps://api.anygamesearch.com/suggest/get?q={searchTerms}
CHR Extension: (AnyGameSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn [2021-02-10]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn\1.1.0_0
       Adds the file manifest.json"="2/10/2021 7:48 AM, 2096 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn\1.1.0_0\_metadata
       Adds the file computed_hashes.json"="2/10/2021 7:48 AM, 6255 bytes, A
       Adds the file verified_contents.json"="7/9/2020 2:50 PM, 2049 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn\1.1.0_0\images
       Adds the file logo-white-text.png"="7/9/2020 2:50 PM, 0 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn\1.1.0_0\images\icons
       Adds the file 128x128.png"="2/10/2021 7:48 AM, 8772 bytes, A
       Adds the file 16x16.png"="2/10/2021 7:48 AM, 835 bytes, A
       Adds the file 64x64.png"="2/10/2021 7:48 AM, 4193 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn\1.1.0_0\scripts
       Adds the file background.js"="7/9/2020 2:50 PM, 514594 bytes, A
       Adds the file sitecontent.js"="7/9/2020 2:50 PM, 77 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cneeapnjflfgmlffolfefiehoclcmdkn
       Adds the file 000003.log"="2/10/2021 7:48 AM, 0 bytes, A
       Adds the file CURRENT"="2/10/2021 7:48 AM, 16 bytes, A
       Adds the file LOCK"="2/10/2021 7:48 AM, 0 bytes, A
       Adds the file LOG"="2/10/2021 7:48 AM, 0 bytes, A
       Adds the file MANIFEST-000001"="2/10/2021 7:48 AM, 41 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_cneeapnjflfgmlffolfefiehoclcmdkn
       Adds the file AnyGameSearch.ico"="2/10/2021 7:48 AM, 206154 bytes, A
       Adds the file AnyGameSearch.ico.md5"="2/10/2021 7:48 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "cneeapnjflfgmlffolfefiehoclcmdkn"="REG_SZ", "4BD71F2627ED23125986AF0586F6463B5209AFE36FF267AB760814E156179BB3"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/10/21
Scan Time: 7:57 AM
Log File: 444cd43e-6b6d-11eb-814c-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1157
Update Package Version: 1.0.36899
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 233171
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 3 min, 43 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)
Registry Value: 1
Registry Data: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)
Folder: 2
File: 9
Physical Sector: 0 (No malicious items detected)
WMI: 0 (No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
  21. What is BestSearchConverter?

The Malwarebytes research team has determined that BestSearchConverter is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and adds Search Recommendations.

How do I know if my computer is affected by BestSearchConverter?

You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install:

How did BestSearchConverter get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

How do I remove BestSearchConverter?

Our program Malwarebytes can detect and remove this search hijacker.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished, click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of BestSearchConverter?

No, Malwarebytes removes BestSearchConverter completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, Malwarebytes Browser Guard and the full version of Malwarebytes would have protected you against the BestSearchConverter hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR DefaultSearchURL: Default -> hxxps://feed.bestsearchconverter.com/?q={searchTerms}&publisher=bestsearchconverter&barcodeid=585400000000000
CHR DefaultSearchKeyword: Default -> BestSearchConverter
CHR DefaultSuggestURL: Default -> hxxps://api.bestsearchconverter.com/suggest/get?q={searchTerms}
CHR Extension: (BestSearchConverter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpgpkclmeedccjchfcebkhadnpfknnoi [2021-02-08]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpgpkclmeedccjchfcebkhadnpfknnoi\1.1.0_0
       Adds the file manifest.json"="2/8/2021 9:05 AM, 2168 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpgpkclmeedccjchfcebkhadnpfknnoi\1.1.0_0\_metadata
       Adds the file computed_hashes.json"="2/8/2021 9:05 AM, 6725 bytes, A
       Adds the file verified_contents.json"="10/25/2020 10:31 AM, 2049 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpgpkclmeedccjchfcebkhadnpfknnoi\1.1.0_0\images
       Adds the file logo-white-text.png"="10/25/2020 10:31 AM, 0 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpgpkclmeedccjchfcebkhadnpfknnoi\1.1.0_0\images\icons
       Adds the file 128x128.png"="2/8/2021 9:05 AM, 4438 bytes, A
       Adds the file 16x16.png"="2/8/2021 9:05 AM, 478 bytes, A
       Adds the file 64x64.png"="2/8/2021 9:05 AM, 2054 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpgpkclmeedccjchfcebkhadnpfknnoi\1.1.0_0\scripts
       Adds the file background.js"="10/25/2020 10:31 AM, 553502 bytes, A
       Adds the file sitecontent.js"="10/25/2020 10:31 AM, 77 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gpgpkclmeedccjchfcebkhadnpfknnoi
       Adds the file 000003.log"="2/8/2021 9:08 AM, 488 bytes, A
       Adds the file CURRENT"="2/8/2021 9:05 AM, 16 bytes, A
       Adds the file LOCK"="2/8/2021 9:05 AM, 0 bytes, A
       Adds the file LOG"="2/8/2021 9:05 AM, 183 bytes, A
       Adds the file MANIFEST-000001"="2/8/2021 9:05 AM, 41 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_gpgpkclmeedccjchfcebkhadnpfknnoi
       Adds the file BestSearchConverter.ico"="2/8/2021 9:06 AM, 175551 bytes, A
       Adds the file BestSearchConverter.ico.md5"="2/8/2021 9:06 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "gpgpkclmeedccjchfcebkhadnpfknnoi"="REG_SZ", "39926688A2E64195FAD0D87F4BF8D69729D893603E5AB83A92F980F327A64163"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/8/21
Scan Time: 9:16 AM
Log File: f72fd4a4-69e5-11eb-892a-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1157
Update Package Version: 1.0.36825
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 233136
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 3 min, 23 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)
Registry Value: 1
Registry Data: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)
Folder: 2
File: 8
Physical Sector: 0 (No malicious items detected)
WMI: 0 (No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
  22. What is GetSearchConverter? The Malwarebytes research team has determined that GetSearchConverter is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and adds Search Recommendations. How do I know if my computer is affected by GetSearchConverter? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did GetSearchConverter get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove GetSearchConverter? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of GetSearchConverter? No, Malwarebytes removes GetSearchConverter completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the GetSearchConverter hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. 
Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.getsearchconverter.com/?q={searchTerms}&publisher=getsearchconverter&barcodeid=585360000000000 CHR DefaultSearchKeyword: Default -> GetSearchConverter CHR DefaultSuggestURL: Default -> hxxps://api.getsearchconverter.com/suggest/get?q={searchTerms} CHR Extension: (GetSearchConverter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfpaaailcogmdhdpblnkdhjgnhlkkmnk [2021-02-05] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfpaaailcogmdhdpblnkdhjgnhlkkmnk\1.1.0_0 Adds the file manifest.json"="2/5/2021 9:13 AM, 2156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfpaaailcogmdhdpblnkdhjgnhlkkmnk\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/5/2021 9:13 AM, 6725 bytes, A Adds the file verified_contents.json"="10/21/2020 10:25 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfpaaailcogmdhdpblnkdhjgnhlkkmnk\1.1.0_0\images Adds the file logo-white-text.png"="10/21/2020 10:25 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfpaaailcogmdhdpblnkdhjgnhlkkmnk\1.1.0_0\images\icons Adds the file 128x128.png"="2/5/2021 9:13 AM, 5162 bytes, A Adds the file 16x16.png"="2/5/2021 9:13 AM, 570 bytes, A Adds the file 64x64.png"="2/5/2021 9:13 AM, 2560 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfpaaailcogmdhdpblnkdhjgnhlkkmnk\1.1.0_0\scripts Adds the file background.js"="10/21/2020 10:25 AM, 553493 bytes, A Adds the file sitecontent.js"="10/21/2020 10:25 AM, 77 bytes, A Adds the folder 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfpaaailcogmdhdpblnkdhjgnhlkkmnk Adds the file 000003.log"="2/5/2021 9:16 AM, 507 bytes, A Adds the file CURRENT"="2/5/2021 9:13 AM, 16 bytes, A Adds the file LOCK"="2/5/2021 9:13 AM, 0 bytes, A Adds the file LOG"="2/5/2021 9:13 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/5/2021 9:13 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_jfpaaailcogmdhdpblnkdhjgnhlkkmnk Adds the file GetSearchConverter.ico"="2/5/2021 9:13 AM, 180849 bytes, A Adds the file GetSearchConverter.ico.md5"="2/5/2021 9:13 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jfpaaailcogmdhdpblnkdhjgnhlkkmnk"="REG_SZ", "739D98E6B24218437ACDB8EC6101F1A27736CCDEC2FD2CAFAC1CE3C15C19B008" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/5/21 Scan Time: 9:22 AM Log File: 39bf3114-678b-11eb-a7f5-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1157 Update Package Version: 1.0.36749 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233145 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 2 min, 15 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jfpaaailcogmdhdpblnkdhjgnhlkkmnk, 
Quarantined, 15232, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jfpaaailcogmdhdpblnkdhjgnhlkkmnk, Quarantined, 15232, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JFPAAAILCOGMDHDPBLNKDHJGNHLKKMNK, Quarantined, 15232, 799722, 1.0.36749, , ame, , , File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15232, 799722, , , , , 3CE06379B581CD90E2F463C03DF2A513, 6DE7DAB05A7D948827AF930FD4FDA9D990B97B0B89E53837F757173D33D6D20B Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15232, 799722, , , , , 6AB11521839C41C887AE837FFF30A166, 964C92106174A2B914083FAD84DC8CFFCDE44C1B419004778DEED1ABE3728766 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfpaaailcogmdhdpblnkdhjgnhlkkmnk\000003.log, Quarantined, 15232, 799722, , , , , 7E15B0F3D1CCD211C761105ADAA2F5EA, 534D4A5DA34A150C178DC2367816317175DBB03649EDF3CE325851D4C0379053 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfpaaailcogmdhdpblnkdhjgnhlkkmnk\CURRENT, Quarantined, 15232, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfpaaailcogmdhdpblnkdhjgnhlkkmnk\LOCK, Quarantined, 15232, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension 
Settings\jfpaaailcogmdhdpblnkdhjgnhlkkmnk\LOG, Quarantined, 15232, 799722, , , , , CF335F38CF0330CFE920FE3FAC28BEA5, F6AFF312DDB6FF889814E1CEFCD9C4C59E21B4CC117EB69872E33BCD57C586F2 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfpaaailcogmdhdpblnkdhjgnhlkkmnk\MANIFEST-000001, Quarantined, 15232, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JFPAAAILCOGMDHDPBLNKDHJGNHLKKMNK\1.1.0_0\MANIFEST.JSON, Quarantined, 15232, 799722, 1.0.36749, , ame, , 8EFD5116E0667B8DADA9D5B1E2569BFA, F70AB1EC1365EB40DC3038575A89975EB5792DF2E59C7A399F61FFD54514F77F Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  23. What is CoolStreamSearch? The Malwarebytes research team has determined that CoolStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by CoolStreamSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did CoolStreamSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove CoolStreamSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of CoolStreamSearch? No, Malwarebytes removes CoolStreamSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the CoolStreamSearch hijacker. 
It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.coolstreamsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.coolstreamsearch.com/?q={searchTerms}&publisher=coolstreamsearch&barcodeid=583980000000000 CHR DefaultSearchKeyword: Default -> CoolStreamSearch CHR DefaultSuggestURL: Default -> hxxps://api.coolstreamsearch.com/suggest/get?q={searchTerms} CHR Extension: (CoolStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni [2021-02-04] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni\1.1.0_0 Adds the file manifest.json"="2/4/2021 8:48 AM, 2132 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/4/2021 8:48 AM, 6255 bytes, A Adds the file verified_contents.json"="9/16/2020 4:58 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni\1.1.0_0\images Adds the file logo-white-text.png"="9/16/2020 4:58 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni\1.1.0_0\images\icons Adds the file 128x128.png"="2/4/2021 8:48 AM, 13136 bytes, A Adds the file 16x16.png"="2/4/2021 8:48 AM, 748 bytes, A Adds the file 64x64.png"="2/4/2021 8:48 AM, 4994 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni\1.1.0_0\scripts Adds the file background.js"="9/16/2020 4:58 
PM, 514529 bytes, A Adds the file sitecontent.js"="9/16/2020 4:58 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blijkdeookckchojnjobhgninmepigni Adds the file 000003.log"="2/4/2021 8:48 AM, 0 bytes, A Adds the file CURRENT"="2/4/2021 8:48 AM, 16 bytes, A Adds the file LOCK"="2/4/2021 8:48 AM, 0 bytes, A Adds the file LOG"="2/4/2021 8:48 AM, 0 bytes, A Adds the file MANIFEST-000001"="2/4/2021 8:48 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_blijkdeookckchojnjobhgninmepigni Adds the file CoolStreamSearch.ico"="2/4/2021 8:48 AM, 203859 bytes, A Adds the file CoolStreamSearch.ico.md5"="2/4/2021 8:48 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "blijkdeookckchojnjobhgninmepigni"="REG_SZ", "4DF99D9673A5EB03234513F84815E3AD4197D2A5F24102C1F2CB274E0515EBF1" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/4/21 Scan Time: 9:30 AM Log File: 3a587824-66c3-11eb-9841-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1157 Update Package Version: 1.0.36707 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233127 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 24 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, 
HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|blijkdeookckchojnjobhgninmepigni, Quarantined, 15232, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\blijkdeookckchojnjobhgninmepigni, Quarantined, 15232, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLIJKDEOOKCKCHOJNJOBHGNINMEPIGNI, Quarantined, 15232, 799722, 1.0.36707, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15232, 799722, , , , , 71429604707ADCC4A53385B531B37680, FAE185739C2808B073C0754000EB40453A24D0BD0AE2B025B0714B81375C861D Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15232, 799722, , , , , 7444E667A96044ECC4138EA10CAE81C5, 92255DD4AF7D1373DB557E556EA6D78F57385B48AC7B9A847411219D32A5495E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blijkdeookckchojnjobhgninmepigni\000003.log, Quarantined, 15232, 799722, , , , , 31D6527E5206FEDB2018923E2B8611CB, AE1F2A9C1707778B455E1A6341ED0D36653A3988D0A5913F2D6D9F2AF5F0DAEC Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blijkdeookckchojnjobhgninmepigni\CURRENT, Quarantined, 15232, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blijkdeookckchojnjobhgninmepigni\LOCK, Quarantined, 15232, 799722, , , , , , Adware.SearchEngineHijack.Generic, 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blijkdeookckchojnjobhgninmepigni\LOG, Quarantined, 15232, 799722, , , , , C913D847D8309EB100E61D0A5DEBB184, 2B690EE2E2367FAFE883795B2173CDE502B6D38D69C6158F30221935F05E968B Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blijkdeookckchojnjobhgninmepigni\MANIFEST-000001, Quarantined, 15232, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLIJKDEOOKCKCHOJNJOBHGNINMEPIGNI\1.1.0_0\MANIFEST.JSON, Quarantined, 15232, 799722, 1.0.36707, , ame, , A888534CF31EB9525F3693C1C95DB822, 500A9E8CE04D192A0E09183F62CF69D4E78B90862DDC8710F4BA76E0A1A657E6 PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 14953, 846248, 1.0.36707, , ame, , 7444E667A96044ECC4138EA10CAE81C5, 92255DD4AF7D1373DB557E556EA6D78F57385B48AC7B9A847411219D32A5495E Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  24. What is SportsSearchHD? The Malwarebytes research team has determined that SportsSearchHD is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and adds Search Recommendations. How do I know if my computer is affected by SportsSearchHD? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did SportsSearchHD get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SportsSearchHD? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SportsSearchHD? No, Malwarebytes removes SportsSearchHD completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SportsSearchHD hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. 
Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.sportssearchhd.com/?q={searchTerms}&publisher=sportssearchhd&barcodeid=584150000000000 CHR DefaultSearchKeyword: Default -> SportsSearchHD CHR DefaultSuggestURL: Default -> hxxps://api.sportssearchhd.com/suggest/get?q={searchTerms} CHR Extension: (SportsSearchHD) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmdkpfogcjbolgofplikhinpemnbcdmg [2021-02-03] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmdkpfogcjbolgofplikhinpemnbcdmg\1.1.0_0 Adds the file manifest.json"="2/3/2021 8:50 AM, 2108 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmdkpfogcjbolgofplikhinpemnbcdmg\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/3/2021 8:50 AM, 6255 bytes, A Adds the file verified_contents.json"="10/6/2020 10:05 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmdkpfogcjbolgofplikhinpemnbcdmg\1.1.0_0\images Adds the file logo-white-text.png"="10/6/2020 10:05 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmdkpfogcjbolgofplikhinpemnbcdmg\1.1.0_0\images\icons Adds the file 128x128.png"="2/3/2021 8:50 AM, 3676 bytes, A Adds the file 16x16.png"="2/3/2021 8:50 AM, 582 bytes, A Adds the file 64x64.png"="2/3/2021 8:50 AM, 2061 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmdkpfogcjbolgofplikhinpemnbcdmg\1.1.0_0\scripts Adds the file background.js"="10/6/2020 10:05 AM, 514511 bytes, A Adds the file sitecontent.js"="10/6/2020 10:05 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Sync Extension Settings\jmdkpfogcjbolgofplikhinpemnbcdmg Adds the file 000003.log"="2/3/2021 8:50 AM, 0 bytes, A Adds the file CURRENT"="2/3/2021 8:50 AM, 16 bytes, A Adds the file LOCK"="2/3/2021 8:50 AM, 0 bytes, A Adds the file LOG"="2/3/2021 8:50 AM, 0 bytes, A Adds the file MANIFEST-000001"="2/3/2021 8:50 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_jmdkpfogcjbolgofplikhinpemnbcdmg Adds the file SportsSearchHD.ico"="2/3/2021 8:50 AM, 172542 bytes, A Adds the file SportsSearchHD.ico.md5"="2/3/2021 8:50 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jmdkpfogcjbolgofplikhinpemnbcdmg"="REG_SZ", "7C9E7E953A0C6AB6F7F20F5A7EA0967408F6889E4FFEF9DD071C45E5252714DC" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/3/21 Scan Time: 8:57 AM Log File: 7eaf0c1e-65f5-11eb-9b42-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1157 Update Package Version: 1.0.36651 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233067 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 3 min, 19 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jmdkpfogcjbolgofplikhinpemnbcdmg, Quarantined, 15230, 799722, , , , , , Registry Data: 0 (No malicious items 
detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jmdkpfogcjbolgofplikhinpemnbcdmg, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JMDKPFOGCJBOLGOFPLIKHINPEMNBCDMG, Quarantined, 15230, 799722, 1.0.36651, , ame, , , File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , 94D0F1BB352A5EF46B8F1F9120932D7A, 3E1ED2B64A3B482B00E779BDF06A34D43ACC8DBD26DDD1325B3EBEA5AA1752D5 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , 60BFDDF912A1F455953536D985A4DF03, 1044A6C91C11CB96CC7BFA88C30298E224CA3B134F091DA81C4F4CE9A534AB18 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jmdkpfogcjbolgofplikhinpemnbcdmg\000003.log, Quarantined, 15230, 799722, , , , , 1C6D94973B6230D83FDF4EEAC7302B71, 745AA0C4F3AFF6C29A253F782DA0BD19ED3EF5ECCB347C1FEFBEE50DFE8D455C Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jmdkpfogcjbolgofplikhinpemnbcdmg\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jmdkpfogcjbolgofplikhinpemnbcdmg\LOCK, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jmdkpfogcjbolgofplikhinpemnbcdmg\LOG, Quarantined, 15230, 799722, , , , , 
F2ED61624D44E1918DACB42E59EB7692, 3F34BD3E46F831D47A5855A36D779FBA8F75F1590CB573BF6DC940A2492BB60B Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jmdkpfogcjbolgofplikhinpemnbcdmg\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JMDKPFOGCJBOLGOFPLIKHINPEMNBCDMG\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.36651, , ame, , 2D738124F9DBF72E9CBB49F9BB6594FF, 1DA47D6BE5FE5C50EE947F0BFD0164D166A3C5D34F5697B194992296E376B488 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  25. What is CoVideoSearch? The Malwarebytes research team has determined that CoVideoSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and adds Search Recommendations. How do I know if my computer is affected by CoVideoSearch? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did CoVideoSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove CoVideoSearch? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of CoVideoSearch? No, Malwarebytes removes CoVideoSearch completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the CoVideoSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. 
Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.covideosearch.com/?q={searchTerms}&publisher=covideosearch&barcodeid=585440000000000 CHR DefaultSearchKeyword: Default -> CoVideoSearch CHR DefaultSuggestURL: Default -> hxxps://api.covideosearch.com/suggest/get?q={searchTerms} CHR Extension: (CoVideoSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipgchnmfoongbhkkjiealodmfoempfkk [2021-02-01] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipgchnmfoongbhkkjiealodmfoempfkk\1.1.0_0 Adds the file manifest.json"="2/1/2021 8:47 AM, 2096 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipgchnmfoongbhkkjiealodmfoempfkk\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/1/2021 8:47 AM, 6725 bytes, A Adds the file verified_contents.json"="10/29/2020 9:16 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipgchnmfoongbhkkjiealodmfoempfkk\1.1.0_0\images Adds the file logo-white-text.png"="10/29/2020 9:16 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipgchnmfoongbhkkjiealodmfoempfkk\1.1.0_0\images\icons Adds the file 128x128.png"="2/1/2021 8:47 AM, 9469 bytes, A Adds the file 16x16.png"="2/1/2021 8:47 AM, 819 bytes, A Adds the file 64x64.png"="2/1/2021 8:47 AM, 4206 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipgchnmfoongbhkkjiealodmfoempfkk\1.1.0_0\scripts Adds the file background.js"="10/29/2020 9:16 AM, 553448 bytes, A Adds the file sitecontent.js"="10/29/2020 9:16 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync 
Extension Settings\ipgchnmfoongbhkkjiealodmfoempfkk
Adds the file 000003.log"="2/1/2021 8:50 AM, 771 bytes, A
Adds the file CURRENT"="2/1/2021 8:47 AM, 16 bytes, A
Adds the file LOCK"="2/1/2021 8:47 AM, 0 bytes, A
Adds the file LOG"="2/1/2021 8:47 AM, 183 bytes, A
Adds the file MANIFEST-000001"="2/1/2021 8:47 AM, 41 bytes, A

Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ipgchnmfoongbhkkjiealodmfoempfkk
Adds the file CoVideoSearch.ico"="2/1/2021 8:47 AM, 196338 bytes, A
Adds the file CoVideoSearch.ico.md5"="2/1/2021 8:47 AM, 16 bytes, A

Registry details
[View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"ipgchnmfoongbhkkjiealodmfoempfkk"="REG_SZ", "FDBCD2AF125F02095A89C7C5887E9FA2886B06A95E09888EEE2548D7AD524DE8"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/1/21
Scan Time: 8:55 AM
Log File: e2d25c4e-6462-11eb-a375-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1146
Update Package Version: 1.0.36557
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232972
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 3 min, 28 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ipgchnmfoongbhkkjiealodmfoempfkk, Quarantined, 15230, 799722, , , , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ipgchnmfoongbhkkjiealodmfoempfkk, Quarantined, 15230, 799722, , , , , ,
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPGCHNMFOONGBHKKJIEALODMFOEMPFKK, Quarantined, 15230, 799722, 1.0.36557, , ame, , ,

File: 8
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , BF583EEEDB8EC96EC33979C08F4EF264, E2407BBBD4EB1EC3E20473D15DBEF7FE5C7D5F0712E1BF0D48289FFB0F3EA228
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , 8CF4C716D6B4E80B7E3FC7056BD63026, B0758BFE4F226D2085E5748AEECCA211EBCB8206E0BAABB5CE7B5AF2BE5EA8AE
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipgchnmfoongbhkkjiealodmfoempfkk\000003.log, Quarantined, 15230, 799722, , , , , 57CA47E5E8323EA9D3EFC76BF6C6848D, 330B0CBF9E3105FF522EE4E41A4075690075B21A6B90FD951DD935C39EADB1FF
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipgchnmfoongbhkkjiealodmfoempfkk\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipgchnmfoongbhkkjiealodmfoempfkk\LOCK, Quarantined, 15230, 799722, , , , , ,
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipgchnmfoongbhkkjiealodmfoempfkk\LOG, Quarantined, 15230, 799722, , , , , 5C71BF2069F76909DDAC72141F21B91C, 205233DC77138BCF9F194D91F5B0E108DD3B18EF15F5E74777468D7986724C3F
Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipgchnmfoongbhkkjiealodmfoempfkk\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPGCHNMFOONGBHKKJIEALODMFOEMPFKK\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.36557, , ame, , A8D96EE8FF233093614D8A32A96B620F, B96F5A5049C5DFEDA7549972A334E17FA6981CB67F4478EC2366D575EDBC3B99

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.