Jump to content

Search the Community

Showing results for tags 'adware.searchenginehijack.generic'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Windows Malware Removal Help & Support
    • Mac Malware Removal Help & Support
    • Mobile Malware Removal Help & Support
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes for Windows Support Forum
    • Malwarebytes for Mac Support Forum
    • Malwarebytes for Android Support Forum
    • Malwarebytes for iOS Support
    • Malwarebytes Privacy
    • Malwarebytes Browser Guard
    • False Positives
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response (includes Breach Remediation)
    • Malwarebytes Endpoint Security
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
    • Report Scam Phone Numbers
  • General
    • General Chat
    • Forums Announcements & Feedback

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Location


Interests

Found 16 results

  1. What is SportStreamSearch? The Malwarebytes research team has determined that SportStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by SportStreamSearch? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: You may have noticed these warnings during install: How did SportStreamSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SportStreamSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SportStreamSearch? No, Malwarebytes removes SportStreamSearch completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SportStreamSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.sportstream-search.com/?q={searchTerms}&publisher=sportstreamsearch&barcodeid=573450000000000 CHR DefaultSearchKeyword: Default -> SportStreamSearch CHR DefaultSuggestURL: Default -> hxxps://api.sportstream-search.com/suggest/get?q={searchTerms} CHR Extension: (SportStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec [2020-06-29] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec\1.1.0_0 Adds the file manifest.json"="6/29/2020 9:09 AM, 2150 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec\1.1.0_0\_metadata Adds the file computed_hashes.json"="6/29/2020 9:09 AM, 6255 bytes, A Adds the file verified_contents.json"="5/26/2020 11:26 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec\1.1.0_0\images Adds the file logo-white-text.png"="5/26/2020 11:26 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec\1.1.0_0\images\icons Adds the file 128x128.png"="6/29/2020 9:09 AM, 12561 bytes, A Adds the file 16x16.png"="6/29/2020 9:09 AM, 787 bytes, A Adds the file 64x64.png"="6/29/2020 9:09 AM, 5203 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbabcdmajmpfkohmeemhchocmnfakeec\1.1.0_0\scripts Adds the file background.js"="5/26/2020 11:26 AM, 514659 bytes, A Adds the file sitecontent.js"="5/26/2020 11:26 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec Adds the file 000003.log"="6/29/2020 9:14 AM, 810 bytes, A Adds the file CURRENT"="6/29/2020 9:09 AM, 16 bytes, A Adds the file LOCK"="6/29/2020 9:09 AM, 0 bytes, A Adds the file LOG"="6/29/2020 9:14 AM, 184 bytes, A Adds the file MANIFEST-000001"="6/29/2020 9:09 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_dbabcdmajmpfkohmeemhchocmnfakeec Adds the file SportStreamSearch.ico"="6/29/2020 9:09 AM, 207021 bytes, A Adds the file SportStreamSearch.ico.md5"="6/29/2020 9:09 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dbabcdmajmpfkohmeemhchocmnfakeec"="REG_SZ", "CFA503536A97EB96F62C8989F6354811CE8CEB4926A5434D566CAC49C6027F1B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/29/20 Scan Time: 9:23 AM Log File: 6063713c-b9d9-11ea-b35c-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.955 Update Package Version: 1.0.26141 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232059 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 1 min, 46 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dbabcdmajmpfkohmeemhchocmnfakeec, Quarantined, 15189, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec, Quarantined, 15189, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DBABCDMAJMPFKOHMEEMHCHOCMNFAKEEC, Quarantined, 15189, 799722, 1.0.26141, , ame, File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15189, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15189, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec\000003.log, Quarantined, 15189, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec\CURRENT, Quarantined, 15189, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec\LOCK, Quarantined, 15189, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec\LOG, Quarantined, 15189, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dbabcdmajmpfkohmeemhchocmnfakeec\MANIFEST-000001, Quarantined, 15189, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DBABCDMAJMPFKOHMEEMHCHOCMNFAKEEC\1.1.0_0\MANIFEST.JSON, Quarantined, 15189, 799722, 1.0.26141, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is UpdateSearch? The Malwarebytes research team has determined that UpdateSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by UpdateSearch? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: You may have noticed these warnings during install: How did UpdateSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove UpdateSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of UpdateSearch? No, Malwarebytes removes UpdateSearch completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Malwarebytes Browser Guard would have protected you against the UpdateSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.update-search.com/?q={searchTerms}&publisher=updatesearch&barcodeid=572640000000000 CHR DefaultSearchKeyword: Default -> UpdateSearch CHR DefaultSuggestURL: Default -> hxxps://api.update-search.com/suggest/get?q={searchTerms} CHR Extension: (UpdateSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd [2020-06-24] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd\1.1.0_0 Adds the file manifest.json"="6/24/2020 8:52 AM, 2090 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd\1.1.0_0\_metadata Adds the file computed_hashes.json"="6/24/2020 8:52 AM, 6255 bytes, A Adds the file verified_contents.json"="4/30/2020 8:38 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd\1.1.0_0\images Adds the file logo-white-text.png"="4/30/2020 8:38 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd\1.1.0_0\images\icons Adds the file 128x128.png"="6/24/2020 8:52 AM, 6275 bytes, A Adds the file 16x16.png"="6/24/2020 8:52 AM, 598 bytes, A Adds the file 64x64.png"="6/24/2020 8:52 AM, 2557 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipbebdplhinkhgodhhmbabjoemclmhjd\1.1.0_0\scripts Adds the file background.js"="4/30/2020 8:38 AM, 514579 bytes, A Adds the file sitecontent.js"="4/30/2020 8:38 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd Adds the file 000003.log"="6/24/2020 8:56 AM, 768 bytes, A Adds the file CURRENT"="6/24/2020 8:52 AM, 16 bytes, A Adds the file LOCK"="6/24/2020 8:52 AM, 0 bytes, A Adds the file LOG"="6/24/2020 8:58 AM, 183 bytes, A Adds the file MANIFEST-000001"="6/24/2020 8:52 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ipbebdplhinkhgodhhmbabjoemclmhjd Adds the file UpdateSearch.ico"="6/24/2020 8:52 AM, 186152 bytes, A Adds the file UpdateSearch.ico.md5"="6/24/2020 8:52 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ipbebdplhinkhgodhhmbabjoemclmhjd"="REG_SZ", "70888CD0A83F56D1109DC3E61C67A4F37ACD2ADE4C0C39E251C96CBC0A4DCC0F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/24/20 Scan Time: 9:05 AM Log File: 1657944a-b5e9-11ea-9243-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.955 Update Package Version: 1.0.25943 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232209 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 2 min, 15 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ipbebdplhinkhgodhhmbabjoemclmhjd, Quarantined, 15192, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd, Quarantined, 15192, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPBEBDPLHINKHGODHHMBABJOEMCLMHJD, Quarantined, 15192, 799722, 1.0.25943, , ame, File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15192, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15192, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd\000003.log, Quarantined, 15192, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd\CURRENT, Quarantined, 15192, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd\LOCK, Quarantined, 15192, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd\LOG, Quarantined, 15192, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipbebdplhinkhgodhhmbabjoemclmhjd\MANIFEST-000001, Quarantined, 15192, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPBEBDPLHINKHGODHHMBABJOEMCLMHJD\1.1.0_0\MANIFEST.JSON, Quarantined, 15192, 799722, 1.0.25943, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is PDFSearches? The Malwarebytes research team has determined that PDFSearches is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by PDFSearches? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did PDFSearches get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFSearches? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFSearches? No, Malwarebytes removes PDFSearches completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the PDFSearches hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.pdf-searches.com/?q={searchTerms}&publisher=pdfsearches&barcodeid=573210000000000 CHR DefaultSearchKeyword: Default -> PDFSearches CHR DefaultSuggestURL: Default -> hxxps://api.pdf-searches.com/suggest/get?q={searchTerms} CHR Extension: (PDFSearches) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga [2020-06-22] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga\1.1.0_0 Adds the file manifest.json"="6/22/2020 8:56 AM, 2079 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga\1.1.0_0\_metadata Adds the file computed_hashes.json"="6/22/2020 8:56 AM, 6255 bytes, A Adds the file verified_contents.json"="6/2/2020 12:31 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga\1.1.0_0\images Adds the file logo-white-text.png"="6/2/2020 12:31 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga\1.1.0_0\images\icons Adds the file 128x128.png"="6/22/2020 8:56 AM, 5636 bytes, A Adds the file 16x16.png"="6/22/2020 8:56 AM, 586 bytes, A Adds the file 64x64.png"="6/22/2020 8:56 AM, 2679 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcobomgbaidijbidjaolnbnpdkjoijga\1.1.0_0\scripts Adds the file background.js"="6/2/2020 12:31 PM, 514563 bytes, A Adds the file sitecontent.js"="6/2/2020 12:31 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga Adds the file 000003.log"="6/22/2020 9:01 AM, 811 bytes, A Adds the file CURRENT"="6/22/2020 8:56 AM, 16 bytes, A Adds the file LOCK"="6/22/2020 8:56 AM, 0 bytes, A Adds the file LOG"="6/22/2020 9:01 AM, 183 bytes, A Adds the file MANIFEST-000001"="6/22/2020 8:56 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pcobomgbaidijbidjaolnbnpdkjoijga Adds the file PDFSearches.ico"="6/22/2020 8:56 AM, 183585 bytes, A Adds the file PDFSearches.ico.md5"="6/22/2020 8:56 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pcobomgbaidijbidjaolnbnpdkjoijga"="REG_SZ", "D9DD58C67FD675514C55010336AE17D400628D7FCD4DAC5C9A30B4974C3BA554" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/22/20 Scan Time: 9:14 AM Log File: 0752051c-b458-11ea-ace4-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.931 Update Package Version: 1.0.25853 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 231500 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 3 min, 39 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pcobomgbaidijbidjaolnbnpdkjoijga, Quarantined, 15193, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga, Quarantined, 15193, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PCOBOMGBAIDIJBIDJAOLNBNPDKJOIJGA, Quarantined, 15193, 799722, 1.0.25853, , ame, File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15193, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15193, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga\000003.log, Quarantined, 15193, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga\CURRENT, Quarantined, 15193, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga\LOCK, Quarantined, 15193, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga\LOG, Quarantined, 15193, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pcobomgbaidijbidjaolnbnpdkjoijga\MANIFEST-000001, Quarantined, 15193, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PCOBOMGBAIDIJBIDJAOLNBNPDKJOIJGA\1.1.0_0\MANIFEST.JSON, Quarantined, 15193, 799722, 1.0.25853, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is SearchConverterz? The Malwarebytes research team has determined that SearchConverterz is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by SearchConverterz? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: You may have noticed these warnings during install: How did SearchConverterz get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchConverterz? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchConverterz? No, Malwarebytes removes SearchConverterz completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchConverterz hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.searchconverterz.com/?q={searchTerms}&publisher=searchconverterz&barcodeid=574940000000000 CHR DefaultSearchKeyword: Default -> SearchConverterz CHR DefaultSuggestURL: Default -> hxxps://api.searchconverterz.com/suggest/get?q={searchTerms} CHR Extension: (SearchConverterz) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo [2020-06-18] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0 Adds the file manifest.json"="6/18/2020 8:52 AM, 2132 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\_metadata Adds the file computed_hashes.json"="6/18/2020 8:52 AM, 6255 bytes, A Adds the file verified_contents.json"="6/9/2020 9:05 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\images Adds the file logo-white-text.png"="6/9/2020 9:05 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\images\icons Adds the file 128x128.png"="6/18/2020 8:52 AM, 9377 bytes, A Adds the file 16x16.png"="6/18/2020 8:52 AM, 593 bytes, A Adds the file 64x64.png"="6/18/2020 8:52 AM, 4016 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\scripts Adds the file background.js"="6/9/2020 9:05 AM, 514642 bytes, A Adds the file sitecontent.js"="6/9/2020 9:05 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo Adds the file 000003.log"="6/18/2020 8:54 AM, 768 bytes, A Adds the file CURRENT"="6/18/2020 8:52 AM, 16 bytes, A Adds the file LOCK"="6/18/2020 8:52 AM, 0 bytes, A Adds the file LOG"="6/18/2020 8:55 AM, 184 bytes, A Adds the file MANIFEST-000001"="6/18/2020 8:52 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bcffpojcmpdmhnaeolghbpcebkaccbmo Adds the file SearchConverterz.ico"="6/18/2020 8:52 AM, 194854 bytes, A Adds the file SearchConverterz.ico.md5"="6/18/2020 8:52 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bcffpojcmpdmhnaeolghbpcebkaccbmo"="REG_SZ", "366D152B09925B61272A21CDD0F80F94D56309BDB27FBF014556C136D97779C1" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/18/20 Scan Time: 9:00 AM Log File: 71bea88a-b131-11ea-8e15-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.931 Update Package Version: 1.0.25676 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 231803 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 2 min, 58 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bcffpojcmpdmhnaeolghbpcebkaccbmo, Quarantined, 15202, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BCFFPOJCMPDMHNAEOLGHBPCEBKACCBMO, Quarantined, 15202, 799722, 1.0.25676, , ame, File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\000003.log, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\CURRENT, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\LOCK, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\LOG, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\MANIFEST-000001, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BCFFPOJCMPDMHNAEOLGHBPCEBKACCBMO\1.1.0_0\MANIFEST.JSON, Quarantined, 15202, 799722, 1.0.25676, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 832188, 1.0.25676, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 832188, 1.0.25676, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is SearchZone? The Malwarebytes research team has determined that SearchZone is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by SearchZone? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: You may have noticed these warnings during install: How did SearchZone get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchZone? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchZone? No, Malwarebytes removes SearchZone completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchZone hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.search-zone.com/?q={searchTerms}&publisher=searchzone&barcodeid=571400000000000 CHR DefaultSearchKeyword: Default -> SearchZone CHR DefaultSuggestURL: Default -> hxxps://api.search-zone.com/suggest/get?q={searchTerms} CHR Extension: (SearchZone) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca [2020-06-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0 Adds the file manifest.json"="6/11/2020 8:55 AM, 2066 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\_metadata Adds the file computed_hashes.json"="6/11/2020 8:55 AM, 6255 bytes, A Adds the file verified_contents.json"="3/30/2020 10:59 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\images Adds the file logo-white-text.png"="3/30/2020 10:59 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\images\icons Adds the file 128x128.png"="6/11/2020 8:55 AM, 9964 bytes, A Adds the file 16x16.png"="6/11/2020 8:55 AM, 638 bytes, A Adds the file 64x64.png"="6/11/2020 8:55 AM, 3951 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\scripts Adds the file background.js"="3/30/2020 10:59 AM, 514547 bytes, A Adds the file sitecontent.js"="3/30/2020 10:59 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca Adds the file 000003.log"="6/11/2020 8:58 AM, 507 bytes, A Adds the file CURRENT"="6/11/2020 8:55 AM, 16 bytes, A Adds the file LOCK"="6/11/2020 8:55 AM, 0 bytes, A Adds the file LOG"="6/11/2020 8:59 AM, 184 bytes, A Adds the file MANIFEST-000001"="6/11/2020 8:55 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pffnooppclkbdcgfimcnlejkomocahca Adds the file SearchZone.ico"="6/11/2020 8:55 AM, 194220 bytes, A Adds the file SearchZone.ico.md5"="6/11/2020 8:55 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pffnooppclkbdcgfimcnlejkomocahca"="REG_SZ", "BC732C83AA4E5896DA1D1719B9C521E69C1839D4E0674486609F0E6F99DEEF1B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/11/20 Scan Time: 9:12 AM Log File: f2e8fb74-abb2-11ea-aee9-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.931 Update Package Version: 1.0.25354 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232127 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 2 min, 16 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pffnooppclkbdcgfimcnlejkomocahca, Quarantined, 15185, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PFFNOOPPCLKBDCGFIMCNLEJKOMOCAHCA, Quarantined, 15185, 799722, 1.0.25354, , ame, File: 11 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\000003.log, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\CURRENT, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\LOCK, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\LOG, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\LOG.old, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\MANIFEST-000001, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PFFNOOPPCLKBDCGFIMCNLEJKOMOCAHCA\1.1.0_0\MANIFEST.JSON, Quarantined, 15185, 799722, 1.0.25354, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813373, 1.0.25354, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813373, 1.0.25354, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Searchaize? The Malwarebytes research team has determined that Searchaize is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Searchaize? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did Searchaize get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Searchaize? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Searchaize? No, Malwarebytes removes Searchaize completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Searchaize hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.searchaize.com CHR DefaultSearchURL: Default -> hxxps://feed.searchaize.com/?q={searchTerms}&publisher=searchaize&barcodeid=569950000000000 CHR DefaultSearchKeyword: Default -> Searchaize CHR DefaultSuggestURL: Default -> hxxps://api.searchaize.com/suggest/get?q={searchTerms} CHR Extension: (Searchaize) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd [2020-05-29] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd\1.1.0_0 Adds the file manifest.json"="5/29/2020 10:09 AM, 2060 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/29/2020 10:09 AM, 6255 bytes, A Adds the file verified_contents.json"="3/3/2020 10:20 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd\1.1.0_0\images Adds the file logo-white-text.png"="3/3/2020 10:20 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd\1.1.0_0\images\icons Adds the file 128x128.png"="5/29/2020 10:09 AM, 4531 bytes, A Adds the file 16x16.png"="5/29/2020 10:09 AM, 465 bytes, A Adds the file 64x64.png"="5/29/2020 10:09 AM, 2222 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd\1.1.0_0\scripts Adds the file background.js"="3/3/2020 10:20 AM, 514539 bytes, A Adds the file sitecontent.js"="3/3/2020 10:20 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd Adds the file 000003.log"="5/29/2020 10:12 AM, 800 bytes, A Adds the file CURRENT"="5/29/2020 10:09 AM, 16 bytes, A Adds the file LOCK"="5/29/2020 10:09 AM, 0 bytes, A Adds the file LOG"="5/29/2020 10:13 AM, 183 bytes, A Adds the file MANIFEST-000001"="5/29/2020 10:09 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_gkifhjaeoboadpienekpppidodbakmfd Adds the file Searchaize.ico"="5/29/2020 10:09 AM, 179004 bytes, A Adds the file Searchaize.ico.md5"="5/29/2020 10:09 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gkifhjaeoboadpienekpppidodbakmfd"="REG_SZ", "4D5B5DD614F445830EF314DE7347FD27CEBC8456D647D0091E208E435E4C09CE" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/29/20 Scan Time: 10:20 AM Log File: 48de9b98-a185-11ea-b4d5-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.920 Update Package Version: 1.0.24646 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232440 Threats Detected: 15 Threats Quarantined: 15 Time Elapsed: 2 min, 51 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gkifhjaeoboadpienekpppidodbakmfd, Quarantined, 15183, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GKIFHJAEOBOADPIENEKPPPIDODBAKMFD, Quarantined, 15183, 799722, 1.0.24646, , ame, File: 12 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\000003.log, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\CURRENT, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\LOCK, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\LOG, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\LOG.old, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\MANIFEST-000001, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GKIFHJAEOBOADPIENEKPPPIDODBAKMFD\1.1.0_0\MANIFEST.JSON, Quarantined, 15183, 799722, 1.0.24646, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 803876, 1.0.24646, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 803876, 1.0.24646, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 803876, 1.0.24646, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is Sealoid?The Malwarebytes research team has determined that Sealoid is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Sealoid?You may see this entry in your list of installed Chrome extensions:this icon in the Chrome menu-bar:this changed setting:You may have noticed these warnings during install:How did Sealoid get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Sealoid?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Sealoid? No, Malwarebytes removes Sealoid completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Sealoid hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.sealoid.com/?q={searchTerms}&publisher=sealoid&barcodeid=571460000000000 CHR DefaultSearchKeyword: Default -> Sealoid CHR DefaultSuggestURL: Default -> hxxps://api.sealoid.com/suggest/get?q={searchTerms} CHR Extension: (Sealoid) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp [2020-05-25] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\1.1.0_0 Adds the file manifest.json"="5/25/2020 8:37 AM, 2024 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/25/2020 8:37 AM, 11801 bytes, A Adds the file verified_contents.json"="3/31/2020 2:36 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\1.1.0_0\images Adds the file logo-white-text.png"="3/31/2020 2:36 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\1.1.0_0\images\icons Adds the file 128x128.png"="5/25/2020 8:37 AM, 4281 bytes, A Adds the file 16x16.png"="5/25/2020 8:37 AM, 566 bytes, A Adds the file 64x64.png"="5/25/2020 8:37 AM, 2100 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\1.1.0_0\scripts Adds the file background.js"="3/31/2020 2:36 PM, 998710 bytes, A Adds the file sitecontent.js"="3/31/2020 2:36 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp Adds the file 000003.log"="5/25/2020 8:40 AM, 786 bytes, A Adds the file CURRENT"="5/25/2020 8:37 AM, 16 bytes, A Adds the file LOCK"="5/25/2020 8:37 AM, 0 bytes, A Adds the file LOG"="5/25/2020 8:40 AM, 184 bytes, A Adds the file MANIFEST-000001"="5/25/2020 8:37 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ipicdjgcbnamkkpmhakmcmgfkkfkebmp Adds the file Sealoid.ico"="5/25/2020 8:37 AM, 180445 bytes, A Adds the file Sealoid.ico.md5"="5/25/2020 8:37 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ipicdjgcbnamkkpmhakmcmgfkkfkebmp"="REG_SZ", "19CB838E148C5EC1E0712E431ABC869C6E4087578FC029F7D996B45CB143C68F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/25/20 Scan Time: 8:58 AM Log File: 2ad565b0-9e55-11ea-8507-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.920 Update Package Version: 1.0.24404 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232611 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 7 min, 16 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ipicdjgcbnamkkpmhakmcmgfkkfkebmp, Quarantined, 15166, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPICDJGCBNAMKKPMHAKMCMGFKKFKEBMP, Quarantined, 15166, 799722, 1.0.24404, , ame, File: 11 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\000003.log, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\CURRENT, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\LOCK, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\LOG, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\LOG.old, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\MANIFEST-000001, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPICDJGCBNAMKKPMHAKMCMGFKKFKEBMP\1.1.0_0\MANIFEST.JSON, Quarantined, 15166, 799722, 1.0.24404, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813369, 1.0.24404, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813369, 1.0.24404, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is GalaxySpin? The Malwarebytes research team has determined that GalaxySpin is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by GalaxySpin? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did GalaxySpin get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove GalaxySpin? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of GalaxySpin? No, Malwarebytes removes GalaxySpin completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard would have protected you against the GalaxySpin hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.galaxyspin.com/?q={searchTerms}&publisher=galaxyspin&barcodeid=571480000000000 CHR DefaultSearchKeyword: Default -> GalaxySpin CHR DefaultSuggestURL: Default -> hxxps://api.galaxyspin.com/suggest/get?q={searchTerms} CHR Extension: (GalaxySpin) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm [2020-05-18] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm\1.1.0_0 Adds the file manifest.json"="5/18/2020 8:45 AM, 2060 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/18/2020 8:45 AM, 6255 bytes, A Adds the file verified_contents.json"="3/30/2020 1:44 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm\1.1.0_0\images Adds the file logo-white-text.png"="3/30/2020 1:44 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm\1.1.0_0\images\icons Adds the file 128x128.png"="5/18/2020 8:45 AM, 5609 bytes, A Adds the file 16x16.png"="5/18/2020 8:45 AM, 643 bytes, A Adds the file 64x64.png"="5/18/2020 8:45 AM, 2753 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm\1.1.0_0\scripts Adds the file background.js"="3/30/2020 1:44 PM, 514546 bytes, A Adds the file sitecontent.js"="3/30/2020 1:44 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm Adds the file 000003.log"="5/18/2020 8:48 AM, 789 bytes, A Adds the file CURRENT"="5/18/2020 8:45 AM, 16 bytes, A Adds the file LOCK"="5/18/2020 8:45 AM, 0 bytes, A Adds the file LOG"="5/18/2020 8:48 AM, 183 bytes, A Adds the file MANIFEST-000001"="5/18/2020 8:45 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_epomcijmabolmbnhceelaahjnnophfbm Adds the file GalaxySpin.ico"="5/18/2020 8:45 AM, 186720 bytes, A Adds the file GalaxySpin.ico.md5"="5/18/2020 8:45 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "epomcijmabolmbnhceelaahjnnophfbm"="REG_SZ", "3AE518037D3F55F3D0DF51AC0D04BF85804199DDF8D5115B9B214491DB19E2B9" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/18/20 Scan Time: 8:55 AM Log File: 941516dc-98d4-11ea-92b1-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.896 Update Package Version: 1.0.24028 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233001 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 3 min, 9 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|epomcijmabolmbnhceelaahjnnophfbm, Quarantined, 15170, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EPOMCIJMABOLMBNHCEELAAHJNNOPHFBM, Quarantined, 15170, 799722, 1.0.24028, , ame, File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm\000003.log, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm\CURRENT, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm\LOCK, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm\LOG, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm\MANIFEST-000001, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EPOMCIJMABOLMBNHCEELAAHJNNOPHFBM\1.1.0_0\MANIFEST.JSON, Quarantined, 15170, 799722, 1.0.24028, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813371, 1.0.24028, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813371, 1.0.24028, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is SearchAholic? The Malwarebytes research team has determined that SearchAholic is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by SearchAholic? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did SearchAholic get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchAholic? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchAholic? No, Malwarebytes removes SearchAholic completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the SearchAholic hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.search-aholic.com/?q={searchTerms}&publisher=searchaholic&barcodeid=571450000000000 CHR DefaultSearchKeyword: Default -> SearchAholic CHR DefaultSuggestURL: Default -> hxxps://api.search-aholic.com/suggest/get?q={searchTerms} CHR Extension: (SearchAholic) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg [2020-05-13] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg\1.1.0_0 Adds the file manifest.json"="5/13/2020 10:20 AM, 2090 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/13/2020 10:20 AM, 6255 bytes, A Adds the file verified_contents.json"="3/30/2020 1:19 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg\1.1.0_0\images Adds the file logo-white-text.png"="3/30/2020 1:19 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg\1.1.0_0\images\icons Adds the file 128x128.png"="5/13/2020 10:20 AM, 6568 bytes, A Adds the file 16x16.png"="5/13/2020 10:20 AM, 694 bytes, A Adds the file 64x64.png"="5/13/2020 10:20 AM, 3361 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg\1.1.0_0\scripts Adds the file background.js"="3/30/2020 1:19 PM, 514579 bytes, A Adds the file sitecontent.js"="3/30/2020 1:19 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg Adds the file 000003.log"="5/13/2020 10:25 AM, 526 bytes, A Adds the file CURRENT"="5/13/2020 10:21 AM, 16 bytes, A Adds the file LOCK"="5/13/2020 10:21 AM, 0 bytes, A Adds the file LOG"="5/13/2020 10:25 AM, 183 bytes, A Adds the file MANIFEST-000001"="5/13/2020 10:21 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_offhihkplcdcegfhcmoiicdfoplmoafg Adds the file SearchAholic.ico"="5/13/2020 10:21 AM, 192874 bytes, A Adds the file SearchAholic.ico.md5"="5/13/2020 10:21 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "offhihkplcdcegfhcmoiicdfoplmoafg"="REG_SZ", "DD9AD30F50AC2BB70A60B63C120AAC8A2BD2C18B29026BB598DFBB75CEF7F1DC" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/13/20 Scan Time: 10:45 AM Log File: 2152e610-94f6-11ea-b338-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.896 Update Package Version: 1.0.23752 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233222 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 3 min, 28 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|offhihkplcdcegfhcmoiicdfoplmoafg, Quarantined, 15159, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OFFHIHKPLCDCEGFHCMOIICDFOPLMOAFG, Quarantined, 15159, 799722, 1.0.23752, , ame, File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg\000003.log, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg\CURRENT, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg\LOCK, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg\LOG, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg\MANIFEST-000001, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OFFHIHKPLCDCEGFHCMOIICDFOPLMOAFG\1.1.0_0\MANIFEST.JSON, Quarantined, 15159, 799722, 1.0.23752, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813374, 1.0.23752, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813374, 1.0.23752, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is SearchOpedia?The Malwarebytes research team has determined that SearchOpedia is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by SearchOpedia?You may see this entry in your list of installed Chrome extensions:this icon in the Chrome menu-bar:this changed setting:You may have noticed these warnings during install:How did SearchOpedia get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove SearchOpedia?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchOpedia? No, Malwarebytes removes SearchOpedia completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchOpedia hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.search-opedia.com/?q={searchTerms}&publisher=searchopedia&barcodeid=571440000000000 CHR DefaultSearchKeyword: Default -> SearchOpedia CHR DefaultSuggestURL: Default -> hxxps://api.search-opedia.com/suggest/get?q={searchTerms} CHR Extension: (SearchOpedia) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio [2020-05-12] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio\1.1.0_0 Adds the file manifest.json"="5/12/2020 8:44 AM, 2090 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/12/2020 8:44 AM, 6255 bytes, A Adds the file verified_contents.json"="3/30/2020 1:16 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio\1.1.0_0\images Adds the file logo-white-text.png"="3/30/2020 1:16 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio\1.1.0_0\images\icons Adds the file 128x128.png"="5/12/2020 8:44 AM, 5062 bytes, A Adds the file 16x16.png"="5/12/2020 8:44 AM, 573 bytes, A Adds the file 64x64.png"="5/12/2020 8:44 AM, 2443 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio\1.1.0_0\scripts Adds the file background.js"="3/30/2020 1:16 PM, 514579 bytes, A Adds the file sitecontent.js"="3/30/2020 1:16 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio Adds the file 000003.log"="5/12/2020 8:48 AM, 772 bytes, A Adds the file CURRENT"="5/12/2020 8:45 AM, 16 bytes, A Adds the file LOCK"="5/12/2020 8:45 AM, 0 bytes, A Adds the file LOG"="5/12/2020 8:49 AM, 183 bytes, A Adds the file MANIFEST-000001"="5/12/2020 8:45 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_cjbhmaipbpjlechbpeifgjhojnhohiio Adds the file SearchOpedia.ico"="5/12/2020 8:45 AM, 183529 bytes, A Adds the file SearchOpedia.ico.md5"="5/12/2020 8:45 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cjbhmaipbpjlechbpeifgjhojnhohiio"="REG_SZ", "77240CA4183E456BDE3648CBBFA07614C9AF34C7412F52A67DFE15F26D8CEBAB" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/12/20 Scan Time: 8:55 AM Log File: 8a1f91e0-941d-11ea-b5c0-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.896 Update Package Version: 1.0.23702 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233238 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 2 min, 25 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cjbhmaipbpjlechbpeifgjhojnhohiio, Quarantined, 15158, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CJBHMAIPBPJLECHBPEIFGJHOJNHOHIIO, Quarantined, 15158, 799722, 1.0.23702, , ame, File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio\000003.log, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio\CURRENT, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio\LOCK, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio\LOG, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio\MANIFEST-000001, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CJBHMAIPBPJLECHBPEIFGJHOJNHOHIIO\1.1.0_0\MANIFEST.JSON, Quarantined, 15158, 799722, 1.0.23702, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813372, 1.0.23702, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813372, 1.0.23702, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Spinyon? The Malwarebytes research team has determined that Spinyon is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by Spinyon? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: You may have noticed these warnings during install: How did Spinyon get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Spinyon? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Spinyon? No, Malwarebytes removes Spinyon completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Spinyon hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.spinyon.com/?q={searchTerms}&publisher=spinyon&barcodeid=571470000000000 CHR DefaultSearchKeyword: Default -> Spinyon CHR DefaultSuggestURL: Default -> hxxps://api.spinyon.com/suggest/get?q={searchTerms} CHR Extension: (Spinyon) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll [2020-05-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll\1.1.0_0 Adds the file manifest.json"="5/8/2020 9:53 AM, 2024 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/8/2020 9:53 AM, 6255 bytes, A Adds the file verified_contents.json"="3/30/2020 1:40 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll\1.1.0_0\images Adds the file logo-white-text.png"="3/30/2020 1:40 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll\1.1.0_0\images\icons Adds the file 128x128.png"="5/8/2020 9:53 AM, 12069 bytes, A Adds the file 16x16.png"="5/8/2020 9:53 AM, 690 bytes, A Adds the file 64x64.png"="5/8/2020 9:53 AM, 4993 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll\1.1.0_0\scripts Adds the file background.js"="3/30/2020 1:40 PM, 514498 bytes, A Adds the file sitecontent.js"="3/30/2020 1:40 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll Adds the file 000003.log"="5/8/2020 9:57 AM, 526 bytes, A Adds the file CURRENT"="5/8/2020 9:53 AM, 16 bytes, A Adds the file LOCK"="5/8/2020 9:53 AM, 0 bytes, A Adds the file LOG"="5/8/2020 9:58 AM, 183 bytes, A Adds the file MANIFEST-000001"="5/8/2020 9:53 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ckcmjkakmgfccahbhniegnfaefljbpll Adds the file Spinyon.ico"="5/8/2020 9:53 AM, 214187 bytes, A Adds the file Spinyon.ico.md5"="5/8/2020 9:53 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ckcmjkakmgfccahbhniegnfaefljbpll"="REG_SZ", "2789FDADB5CBB246CED2D2C9D48AD0675E4077C5B1797F5921AC33519F680C8F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/8/20 Scan Time: 10:02 AM Log File: 4fc618de-9102-11ea-91f3-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.896 Update Package Version: 1.0.23612 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233265 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 2 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ckcmjkakmgfccahbhniegnfaefljbpll, Quarantined, 15155, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CKCMJKAKMGFCCAHBHNIEGNFAEFLJBPLL, Quarantined, 15155, 799722, 1.0.23612, , ame, File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll\000003.log, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll\CURRENT, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll\LOCK, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll\LOG, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll\MANIFEST-000001, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CKCMJKAKMGFCCAHBHNIEGNFAEFLJBPLL\1.1.0_0\MANIFEST.JSON, Quarantined, 15155, 799722, 1.0.23612, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813367, 1.0.23612, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813367, 1.0.23612, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is SearchWizard? The Malwarebytes research team has determined that SearchWizard is adware. These adware applications display advertisements not originating from the sites you are browsing. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by SearchWizard? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: and this changed setting: You may see these warnings during install: How did SearchWizard get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchWizard? Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchWizard? No, Malwarebytes removes SearchWizard completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the SearchWizard adware. It would have blocked their domain before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.search-wizard.com/?q={searchTerms}&publisher=searchwizard&barcodeid=571430000000000 CHR DefaultSearchKeyword: Default -> SearchWizard CHR DefaultSuggestURL: Default -> hxxps://api.search-wizard.com/suggest/get?q={searchTerms} CHR Extension: (SearchWizard) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omlpialhddhdkffnfijnkbdgmpnbmepo [2020-05-06] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omlpialhddhdkffnfijnkbdgmpnbmepo\1.1.0_0 Adds the file manifest.json"="5/6/2020 8:48 AM, 2090 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omlpialhddhdkffnfijnkbdgmpnbmepo\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/6/2020 8:48 AM, 6255 bytes, A Adds the file verified_contents.json"="3/30/2020 12:35 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omlpialhddhdkffnfijnkbdgmpnbmepo\1.1.0_0\images Adds the file logo-white-text.png"="3/30/2020 12:35 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omlpialhddhdkffnfijnkbdgmpnbmepo\1.1.0_0\images\icons Adds the file 128x128.png"="5/6/2020 8:48 AM, 4194 bytes, A Adds the file 16x16.png"="5/6/2020 8:48 AM, 430 bytes, A Adds the file 64x64.png"="5/6/2020 8:48 AM, 2093 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omlpialhddhdkffnfijnkbdgmpnbmepo\1.1.0_0\scripts Adds the file background.js"="3/30/2020 12:35 PM, 514579 bytes, A Adds the file sitecontent.js"="3/30/2020 12:35 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omlpialhddhdkffnfijnkbdgmpnbmepo Adds the file 000003.log"="5/6/2020 8:52 AM, 792 bytes, A Adds the file CURRENT"="5/6/2020 8:48 AM, 16 bytes, A Adds the file LOCK"="5/6/2020 8:48 AM, 0 bytes, A Adds the file LOG"="5/6/2020 8:52 AM, 183 bytes, A Adds the file MANIFEST-000001"="5/6/2020 8:48 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_omlpialhddhdkffnfijnkbdgmpnbmepo Adds the file SearchWizard.ico"="5/6/2020 8:48 AM, 176826 bytes, A Adds the file SearchWizard.ico.md5"="5/6/2020 8:48 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "omlpialhddhdkffnfijnkbdgmpnbmepo"="REG_SZ", "43900CB20010DD5586BB0762CB51E61158CB040ED4743FBF316704E82D9FC0AC" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/6/20 Scan Time: 9:42 AM Log File: 1b21669c-8f6d-11ea-a706-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.875 Update Package Version: 1.0.23500 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233333 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 3 min, 2 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|omlpialhddhdkffnfijnkbdgmpnbmepo, Quarantined, 15156, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\omlpialhddhdkffnfijnkbdgmpnbmepo, Quarantined, 15156, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OMLPIALHDDHDKFFNFIJNKBDGMPNBMEPO, Quarantined, 15156, 799722, 1.0.23500, , ame, File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15156, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15156, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omlpialhddhdkffnfijnkbdgmpnbmepo\000003.log, Quarantined, 15156, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omlpialhddhdkffnfijnkbdgmpnbmepo\CURRENT, Quarantined, 15156, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omlpialhddhdkffnfijnkbdgmpnbmepo\LOCK, Quarantined, 15156, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omlpialhddhdkffnfijnkbdgmpnbmepo\LOG, Quarantined, 15156, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omlpialhddhdkffnfijnkbdgmpnbmepo\MANIFEST-000001, Quarantined, 15156, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OMLPIALHDDHDKFFNFIJNKBDGMPNBMEPO\1.1.0_0\MANIFEST.JSON, Quarantined, 15156, 799722, 1.0.23500, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is Twisted Search? The Malwarebytes research team has determined that Twisted Search is adware. These adware applications display advertisements not originating from the sites you are browsing. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Twisted Search? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did Twisted Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Twisted Search? Our program Malwarebytes can detect and remove this adware. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Twisted Search? No, Malwarebytes removes Twisted Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Twisted Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.twistedsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.twistedsearch.com/?q={searchTerms}&publisher=twistedsearch&barcodeid=569880000000000 CHR DefaultSearchKeyword: Default -> TwistedSearch CHR DefaultSuggestURL: Default -> hxxps://api.twistedsearch.com/suggest/get?q={searchTerms} CHR Extension: (TwistedSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb [2020-04-17] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb\1.1.0_0 Adds the file manifest.json"="4/17/2020 8:53 AM, 2098 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/17/2020 8:53 AM, 6255 bytes, A Adds the file verified_contents.json"="2/27/2020 2:12 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb\1.1.0_0\images Adds the file logo-white-text.png"="2/27/2020 2:12 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb\1.1.0_0\images\icons Adds the file 128x128.png"="4/17/2020 8:53 AM, 5623 bytes, A Adds the file 16x16.png"="4/17/2020 8:53 AM, 484 bytes, A Adds the file 64x64.png"="4/17/2020 8:53 AM, 2597 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb\1.1.0_0\scripts Adds the file background.js"="2/27/2020 2:12 PM, 514587 bytes, A Adds the file sitecontent.js"="2/27/2020 2:12 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb Adds the file 000003.log"="4/17/2020 8:58 AM, 854 bytes, A Adds the file CURRENT"="4/17/2020 8:53 AM, 16 bytes, A Adds the file LOCK"="4/17/2020 8:53 AM, 0 bytes, A Adds the file LOG"="4/17/2020 8:59 AM, 184 bytes, A Adds the file MANIFEST-000001"="4/17/2020 8:53 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_lbbljakmmigjklochficjpgfcmhcdekb Adds the file Twisted Search.ico"="4/17/2020 8:53 AM, 184125 bytes, A Adds the file Twisted Search.ico.md5"="4/17/2020 8:53 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "lbbljakmmigjklochficjpgfcmhcdekb"="REG_SZ", "0EEDED1358DC3F5A1830A6A27C191032BEBE34F00A22D47AB0AD76DB6ABD53E4" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/17/20 Scan Time: 9:06 AM Log File: ebcbece8-8079-11ea-8599-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.867 Update Package Version: 1.0.22566 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233727 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 18 min, 40 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|lbbljakmmigjklochficjpgfcmhcdekb, Quarantined, 15116, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LBBLJAKMMIGJKLOCHFICJPGFCMHCDEKB, Quarantined, 15116, 799722, 1.0.22566, , ame, File: 11 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb\000003.log, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb\CURRENT, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb\LOCK, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb\LOG, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb\MANIFEST-000001, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LBBLJAKMMIGJKLOCHFICJPGFCMHCDEKB\1.1.0_0\MANIFEST.JSON, Quarantined, 15116, 799722, 1.0.22566, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 213, 806228, 1.0.22566, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 213, 806228, 1.0.22566, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 213, 806228, 1.0.22566, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is Rolling Search? The Malwarebytes research team has determined that Rolling Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Rolling Search? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did Rolling Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Rolling Search? Our program Malwarebytes can detect and remove this adware. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Rolling Search? No, Malwarebytes removes Rolling Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Rolling Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.rollingsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.rollingsearch.com/?q={searchTerms}&publisher=rollingsearch&barcodeid=569890000000000 CHR DefaultSearchKeyword: Default -> RollingSearch CHR DefaultSuggestURL: Default -> hxxps://api.rollingsearch.com/suggest/get?q={searchTerms} CHR Extension: (RollingSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij [2020-04-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij\1.1.0_0 Adds the file manifest.json"="4/6/2020 8:47 AM, 2098 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/6/2020 8:47 AM, 6255 bytes, A Adds the file verified_contents.json"="3/1/2020 10:21 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij\1.1.0_0\images Adds the file logo-white-text.png"="3/1/2020 10:21 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij\1.1.0_0\images\icons Adds the file 128x128.png"="4/6/2020 8:47 AM, 4055 bytes, A Adds the file 16x16.png"="4/6/2020 8:47 AM, 470 bytes, A Adds the file 64x64.png"="4/6/2020 8:47 AM, 2105 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij\1.1.0_0\scripts Adds the file background.js"="3/1/2020 10:21 AM, 514587 bytes, A Adds the file sitecontent.js"="3/1/2020 10:21 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij Adds the file 000003.log"="4/6/2020 8:51 AM, 835 bytes, A Adds the file CURRENT"="4/6/2020 8:47 AM, 16 bytes, A Adds the file LOCK"="4/6/2020 8:47 AM, 0 bytes, A Adds the file LOG"="4/6/2020 8:51 AM, 184 bytes, A Adds the file MANIFEST-000001"="4/6/2020 8:47 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_dcncoofdjajjmofplbdieeoieapjhgij Adds the file Rolling Search.ico"="4/6/2020 8:47 AM, 177147 bytes, A Adds the file Rolling Search.ico.md5"="4/6/2020 8:47 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dcncoofdjajjmofplbdieeoieapjhgij"="REG_SZ", "6159505CD847AE8099AE07E9DB4B4D7E0629A29A665857442A9D4EDDD1FC8597" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/6/20 Scan Time: 8:56 AM Log File: b2604f3e-77d3-11ea-a56d-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.859 Update Package Version: 1.0.21998 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233786 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 12 min, 58 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dcncoofdjajjmofplbdieeoieapjhgij, Quarantined, 15116, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DCNCOOFDJAJJMOFPLBDIEEOIEAPJHGIJ, Quarantined, 15116, 799722, 1.0.21998, , ame, File: 11 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij\000003.log, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij\CURRENT, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij\LOCK, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij\LOG, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij\MANIFEST-000001, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DCNCOOFDJAJJMOFPLBDIEEOIEAPJHGIJ\1.1.0_0\MANIFEST.JSON, Quarantined, 15116, 799722, 1.0.21998, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 214, 802211, 1.0.21998, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 214, 802211, 1.0.21998, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 214, 802211, 1.0.21998, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is SearchZilla? The Malwarebytes research team has determined that SearchZilla is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by SearchZilla? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did SearchZilla get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchZilla? Our program Malwarebytes can detect and remove this adware. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchZilla? No, Malwarebytes removes SearchZilla completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.search-zilla.com CHR DefaultSearchURL: Default -> hxxps://feed.search-zilla.com/?q={searchTerms}&publisher=searchzilla&barcodeid=569860000000000 CHR DefaultSearchKeyword: Default -> SearchZilla CHR DefaultSuggestURL: Default -> hxxps://api.search-zilla.com/suggest/get?q={searchTerms} CHR Extension: (SearchZilla) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgolgjbhgjpihecbbbhggkaggkmnbffc [2020-03-31] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgolgjbhgjpihecbbbhggkaggkmnbffc\1.1.0_0 Adds the file manifest.json"="3/31/2020 10:43 AM, 2078 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgolgjbhgjpihecbbbhggkaggkmnbffc\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/31/2020 10:43 AM, 6255 bytes, A Adds the file verified_contents.json"="2/27/2020 10:32 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgolgjbhgjpihecbbbhggkaggkmnbffc\1.1.0_0\images Adds the file logo-white-text.png"="2/27/2020 10:32 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgolgjbhgjpihecbbbhggkaggkmnbffc\1.1.0_0\images\icons Adds the file 128x128.png"="3/31/2020 10:43 AM, 5636 bytes, A Adds the file 16x16.png"="3/31/2020 10:43 AM, 608 bytes, A Adds the file 64x64.png"="3/31/2020 10:43 AM, 2649 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgolgjbhgjpihecbbbhggkaggkmnbffc\1.1.0_0\scripts Adds the file background.js"="2/27/2020 10:32 AM, 514556 bytes, A Adds the file sitecontent.js"="2/27/2020 10:32 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lgolgjbhgjpihecbbbhggkaggkmnbffc Adds the file 000003.log"="3/31/2020 10:46 AM, 816 bytes, A Adds the file CURRENT"="3/31/2020 10:43 AM, 16 bytes, A Adds the file LOCK"="3/31/2020 10:43 AM, 0 bytes, A Adds the file LOG"="3/31/2020 10:46 AM, 184 bytes, A Adds the file MANIFEST-000001"="3/31/2020 10:43 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_lgolgjbhgjpihecbbbhggkaggkmnbffc Adds the file SearchZilla.ico"="3/31/2020 10:43 AM, 182073 bytes, A Adds the file SearchZilla.ico.md5"="3/31/2020 10:43 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "lgolgjbhgjpihecbbbhggkaggkmnbffc"="REG_SZ", "07E3803BC2A903329DCC2C29C4CE4B4C9CC6896F5F116AB6FEB985D4A100ACF4" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/31/20 Scan Time: 10:52 AM Log File: e9d81dda-732c-11ea-b2d8-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.859 Update Package Version: 1.0.21666 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234057 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 14 min, 14 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|lgolgjbhgjpihecbbbhggkaggkmnbffc, Quarantined, 15096, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\lgolgjbhgjpihecbbbhggkaggkmnbffc, Quarantined, 15096, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LGOLGJBHGJPIHECBBBHGGKAGGKMNBFFC, Quarantined, 15096, 799722, 1.0.21666, , ame, File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15096, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15096, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lgolgjbhgjpihecbbbhggkaggkmnbffc\000003.log, Quarantined, 15096, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lgolgjbhgjpihecbbbhggkaggkmnbffc\CURRENT, Quarantined, 15096, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lgolgjbhgjpihecbbbhggkaggkmnbffc\LOCK, Quarantined, 15096, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lgolgjbhgjpihecbbbhggkaggkmnbffc\LOG, Quarantined, 15096, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lgolgjbhgjpihecbbbhggkaggkmnbffc\MANIFEST-000001, Quarantined, 15096, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LGOLGJBHGJPIHECBBBHGGKAGGKMNBFFC\1.1.0_0\MANIFEST.JSON, Quarantined, 15096, 799722, 1.0.21666, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  16. What is SearchStreams? The Malwarebytes research team has determined that SearchStreams is adware. These adware applications display advertisements not originating from the sites you are browsing. This particular one hijacks your search results. How do I know if my computer is affected by SearchStreams? You may see these warnings during install: This entry in your list of installed Chrome extensions: this icon in your browsers' menu bar: and this changed setting: How did SearchStreams get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchStreams? Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchStreams? No, Malwarebytes removes SearchStreams completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the SearchStreams adware. It would have blocked their domain. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.searchstreams.com/?q={searchTerms}&publisher=searchstreams&barcodeid=569870000000000 CHR DefaultSearchKeyword: Default -> SearchStreams CHR DefaultSuggestURL: Default -> hxxps://api.searchstreams.com/suggest/get?q={searchTerms} CHR Extension: (SearchStreams) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj [2020-03-23] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj\1.1.0_0 Adds the file manifest.json"="3/23/2020 8:52 AM, 2096 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/23/2020 8:52 AM, 11801 bytes, A Adds the file verified_contents.json"="2/25/2020 3:11 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj\1.1.0_0\images Adds the file logo-white-text.png"="2/25/2020 3:11 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj\1.1.0_0\images\icons Adds the file 128x128.png"="3/23/2020 8:52 AM, 7212 bytes, A Adds the file 16x16.png"="3/23/2020 8:52 AM, 585 bytes, A Adds the file 64x64.png"="3/23/2020 8:52 AM, 3354 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj\1.1.0_0\scripts Adds the file background.js"="2/25/2020 3:11 PM, 998868 bytes, A Adds the file sitecontent.js"="2/25/2020 3:11 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj Adds the file 000003.log"="3/23/2020 8:54 AM, 778 bytes, A Adds the file CURRENT"="3/23/2020 8:52 AM, 16 bytes, A Adds the file LOCK"="3/23/2020 8:52 AM, 0 bytes, A Adds the file LOG"="3/23/2020 8:54 AM, 184 bytes, A Adds the file MANIFEST-000001"="3/23/2020 8:52 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pdgmalcknocffegnfogakhfakkhgjkdj Adds the file SearchStreams.ico"="3/23/2020 8:52 AM, 189195 bytes, A Adds the file SearchStreams.ico.md5"="3/23/2020 8:52 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pdgmalcknocffegnfogakhfakkhgjkdj"="REG_SZ", "825763FF885576CF8E3FA2AD12F43E1F5983C44D4945208DA2F8BE13EBF6055B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/23/20 Scan Time: 9:02 AM Log File: 9b785a34-6cdc-11ea-93cc-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.835 Update Package Version: 1.0.21216 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234587 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 9 min, 48 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pdgmalcknocffegnfogakhfakkhgjkdj, Quarantined, 15078, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PDGMALCKNOCFFEGNFOGAKHFAKKHGJKDJ, Quarantined, 15078, 799722, 1.0.21216, , ame, File: 11 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\000003.log, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\CURRENT, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\LOCK, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\LOG, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\LOG.old, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\MANIFEST-000001, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PDGMALCKNOCFFEGNFOGAKHFAKKHGJKDJ\1.1.0_0\MANIFEST.JSON, Quarantined, 15078, 799722, 1.0.21216, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 216, 802150, 1.0.21216, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 216, 802150, 1.0.21216, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.