Jump to content

Search the Community

Showing results for tags 'adware.searchenginehijack.generic'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Windows Malware Removal Help & Support
    • Mac Malware Removal Help & Support
    • Mobile Malware Removal Help & Support
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes for Windows Support Forum
    • Malwarebytes for Mac Support Forum
    • Malwarebytes for Android Support Forum
    • Malwarebytes for iOS Support
    • Malwarebytes Privacy
    • Malwarebytes Browser Guard
    • False Positives
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Nebula
    • Malwarebytes Nebula Modules
    • Malwarebytes Endpoint Security
    • Other Malwarebytes Business Products
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
    • Report Scam Phone Numbers
  • General
    • General Chat
    • Forums Announcements & Feedback

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Location


Interests

  1. What is Key Tag? The Malwarebytes research team has determined that Key Tag is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search provider. How do I know if my computer is affected by Key Tag? You may see this entry in your list of installed Chrome extensions: and this setting: You may have noticed these warnings during install: How did Key Tag get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Key Tag? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Key Tag? No, Malwarebytes removes Key Tag completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Key Tag hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://www.keysearchs.com/search.php?src=ktgg&type=ds&q={searchTerms} CHR DefaultSearchKeyword: Default -> key CHR DefaultSuggestURL: Default -> hxxps://www.keysearchs.com/suggest.php?q={searchTerms} CHR Extension: (Key Tag) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eoddhgjaoadhpdlfaepfnbalbhbkicpb [2022-02-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eoddhgjaoadhpdlfaepfnbalbhbkicpb\1.3.1_0 Adds the file bg.js"="12/15/2021 11:07 PM, 1183 bytes, A Adds the file manifest.json"="2/11/2022 1:02 PM, 1441 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eoddhgjaoadhpdlfaepfnbalbhbkicpb\1.3.1_0\_metadata Adds the file computed_hashes.json"="2/11/2022 1:02 PM, 128 bytes, A Adds the file verified_contents.json"="1/19/2022 10:14 PM, 1640 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eoddhgjaoadhpdlfaepfnbalbhbkicpb\1.3.1_0\icons Adds the file image128.png"="2/11/2022 1:02 PM, 3469 bytes, A Adds the file image16.png"="2/11/2022 1:02 PM, 412 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "eoddhgjaoadhpdlfaepfnbalbhbkicpb"="REG_SZ", "EF49889A4BFF3398968D680355469D4E81AC2A4983DC42E680C88E777C1EDB4D" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/15/22 Scan Time: 9:23 AM Log File: 82493662-8e38-11ec-b9bb-080027235d76.json -Software Information- Version: 4.5.4.168 Components Version: 1.0.1599 Update Package Version: 1.0.51145 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 239409 Threats Detected: 5 Threats Quarantined: 5 Time Elapsed: 1 min, 33 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|eoddhgjaoadhpdlfaepfnbalbhbkicpb, Quarantined, 15734, 1018877, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EODDHGJAOADHPDLFAEPFNBALBHBKICPB, Quarantined, 15734, 1018877, 1.0.51145, , ame, , , File: 3 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15734, 1018877, , , , , 3C22B844FC36E83CF36B1C2881FFC294, F6F0FE2E7BD98A83709A893BE476C634863C47F9A6BD638C190CFA156830F268 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15734, 1018877, , , , , DFC8FEBDE62600979DBD07571ACDD08A, 610680AFDA4DAF317A1066F704427FF4DEE88F215D073A5D846FCC604D5219EC Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EODDHGJAOADHPDLFAEPFNBALBHBKICPB\1.3.1_0\BG.JS, Quarantined, 15734, 1018877, 1.0.51145, , ame, , 694DC1146BF786367CBAB261D684BF35, A57D0D213B1B4A960E06C98379E6558BD006B151D37EDB1C280FEF18867FA7B4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is GoCouponSearch? The Malwarebytes research team has determined that GoCouponSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and also uses browser push notifications. How do I know if my computer is affected by GoCouponSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did GoCouponSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove GoCouponSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of GoCouponSearch? No, Malwarebytes removes GoCouponSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the GoCouponSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.gocouponsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.gocouponsearch.com/?q={searchTerms}&publisher=gocouponsearch&barcodeid=598040000000000 CHR DefaultSearchKeyword: Default -> GoCouponSearch CHR DefaultSuggestURL: Default -> hxxps://api.gocouponsearch.com/suggest/get?q={searchTerms} CHR Extension: (GoCouponSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bidpobjoffokopphiihehcdnbkgnhcek [2021-11-10] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bidpobjoffokopphiihehcdnbkgnhcek\1.0.0_0 Adds the file background.js"="11/2/2021 10:13 AM, 9855 bytes, A Adds the file content-script.js"="7/19/2021 2:11 PM, 77 bytes, A Adds the file manifest.json"="11/10/2021 3:33 PM, 1844 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bidpobjoffokopphiihehcdnbkgnhcek\1.0.0_0\_metadata Adds the file computed_hashes.json"="11/10/2021 3:33 PM, 461 bytes, A Adds the file verified_contents.json"="11/2/2021 10:13 AM, 2032 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bidpobjoffokopphiihehcdnbkgnhcek\1.0.0_0\images Adds the file logo-white-text.png"="11/2/2021 10:13 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bidpobjoffokopphiihehcdnbkgnhcek\1.0.0_0\images\icons Adds the file 128x128.png"="11/10/2021 3:33 PM, 3547 bytes, A Adds the file 16x16.png"="11/10/2021 3:33 PM, 658 bytes, A Adds the file 64x64.png"="11/10/2021 3:33 PM, 1934 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek Adds the file 000003.log"="11/10/2021 3:33 PM, 1183 bytes, A Adds the file CURRENT"="11/10/2021 3:33 PM, 16 bytes, A Adds the file LOCK"="11/10/2021 3:33 PM, 0 bytes, A Adds the file LOG"="11/10/2021 3:33 PM, 369 bytes, A Adds the file MANIFEST-000001"="11/10/2021 3:33 PM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bidpobjoffokopphiihehcdnbkgnhcek"="REG_SZ", "E43FE9FF9178C51B17B4E21C8DEB26A9E9122203DE321B8449916E684B8E3508" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/10/21 Scan Time: 3:43 PM Log File: 969b04ec-4234-11ec-9765-080027235d76.json -Software Information- Version: 4.4.10.144 Components Version: 1.0.1499 Update Package Version: 1.0.47046 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 247044 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 1 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bidpobjoffokopphiihehcdnbkgnhcek, Quarantined, 16027, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek, Quarantined, 16027, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BIDPOBJOFFOKOPPHIIHEHCDNBKGNHCEK, Quarantined, 16027, 799722, 1.0.47046, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16027, 799722, , , , , 32449F51B81CFF1B7D736C3917F219BE, 9AD86B9D378C3F96E8D6729D7DBA4FCF2D9315CB1944D4DF99F41278316C21D7 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16027, 799722, , , , , 7DBC88CE3AB2D33ADCA9CD338EA82551, C07DE02416B82045EFE3CFDD79375A8E32B53CF2394201DBCDEEE247BC4E8D02 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek\000003.log, Quarantined, 16027, 799722, , , , , CDB167F2FC2ABF221A10AF4980B4797B, 63D51C1DE6174655DB46F8740AD931DDE6F5B2FE1C3224C1C543E0AE719B3E71 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek\CURRENT, Quarantined, 16027, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek\LOCK, Quarantined, 16027, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek\LOG, Quarantined, 16027, 799722, , , , , 343A04C118092FC11253CFFD269896F0, B3F6E8181E4FE14A6F074F013AE8381DDFE8EDF72FE04A516440B68AC181EA84 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bidpobjoffokopphiihehcdnbkgnhcek\MANIFEST-000001, Quarantined, 16027, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BIDPOBJOFFOKOPPHIIHEHCDNBKGNHCEK\1.0.0_0\MANIFEST.JSON, Quarantined, 16027, 799722, 1.0.47046, , ame, , 3D033C530C0968CEE232BBFDD81E96B7, 35A2B69A80A96D6A350F2E604EDDA49CF89E0BA4D81D8505BFC9A72A6A7948F8 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 197, 832955, 1.0.47046, , ame, , 7DBC88CE3AB2D33ADCA9CD338EA82551, C07DE02416B82045EFE3CFDD79375A8E32B53CF2394201DBCDEEE247BC4E8D02 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is Search-Streamly? The Malwarebytes research team has determined that Search-Streamly is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular changes the default search engine to their own and pushes notifications. How do I know if my computer is affected by Search-Streamly? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did Search-Streamly get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Search-Streamly? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Search-Streamly? No, Malwarebytes removes Search-Streamly completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Search-Streamly hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps//feed.search-streamly.com/?q={searchTerms}&publisher=search-streamly&barcodeid=579280000000000 CHR DefaultSearchKeyword: Default -> Search-Streamly CHR DefaultSuggestURL: Default -> hxxps//api.search-streamly.com/suggest/get?q={searchTerms} CHR Extension: (Search-Streamly) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid [2021-10-26] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid\1.1.0_0 Adds the file manifest.json"="10/26/2021 2:36 PM, 2120 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid\1.1.0_0\_metadata Adds the file computed_hashes.json"="10/26/2021 2:36 PM, 6255 bytes, A Adds the file verified_contents.json"="8/6/2020 1:56 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid\1.1.0_0\images Adds the file logo-white-text.png"="8/6/2020 1:56 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid\1.1.0_0\images\icons Adds the file 128x128.png"="10/26/2021 2:36 PM, 4496 bytes, A Adds the file 16x16.png"="10/26/2021 2:36 PM, 515 bytes, A Adds the file 64x64.png"="10/26/2021 2:36 PM, 2196 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkgimecfbbbcgaalhpfgjappihanfid\1.1.0_0\scripts Adds the file background.js"="8/6/2020 1:56 PM, 514520 bytes, A Adds the file sitecontent.js"="8/6/2020 1:56 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid Adds the file 000003.log"="10/26/2021 2:38 PM, 788 bytes, A Adds the file CURRENT"="10/26/2021 2:36 PM, 16 bytes, A Adds the file LOCK"="10/26/2021 2:36 PM, 0 bytes, A Adds the file LOG"="10/26/2021 2:36 PM, 367 bytes, A Adds the file MANIFEST-000001"="10/26/2021 2:36 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bkkgimecfbbbcgaalhpfgjappihanfid Adds the file Search-Streamly.ico"="10/26/2021 2:36 PM, 176434 bytes, A Adds the file Search-Streamly.ico.md5"="10/26/2021 2:36 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bkkgimecfbbbcgaalhpfgjappihanfid"="REG_SZ", "48773173CF76D75BA80335A7D39E1210203D388CB68F8431F250307D2EE43071" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/26/21 Scan Time: 4:12 PM Log File: b214b8aa-3666-11ec-819a-080027235d76.json -Software Information- Version: 4.4.9.142 Components Version: 1.0.1486 Update Package Version: 1.0.46402 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 259583 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bkkgimecfbbbcgaalhpfgjappihanfid, Quarantined, 17004, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid, Quarantined, 17004, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BKKGIMECFBBBCGAALHPFGJAPPIHANFID, Quarantined, 17004, 799722, 1.0.46402, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 17004, 799722, , , , , 9F2FFA09BD1B52ABDC2908FB887D15FB, 5014C31E43414FE0B273660B2FF27F4634EAF592B2182C16A26CD6713EEB1E9D Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 17004, 799722, , , , , 9957C864E6F6D49863794ED9847FDDB3, 940E2DC3C43819E1A7B20D95C590B8405656ED352DAEF6DA3AA35359B2FB5F20 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid\000003.log, Quarantined, 17004, 799722, , , , , 3304073DFEF2BCD3F98519F129E5386D, 46ED7ED6B8CB0E8ABB6F44C279505D0C5A893C1A5F68C4E16A9101BFD68EA5D2 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid\CURRENT, Quarantined, 17004, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid\LOCK, Quarantined, 17004, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid\LOG, Quarantined, 17004, 799722, , , , , 95E1CD941E558255782414987CA9D9D8, D2E630676E4C121D2F0003F1CE9F7D4F682D928505841DF5E6E7B466EF5B5E58 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bkkgimecfbbbcgaalhpfgjappihanfid\MANIFEST-000001, Quarantined, 17004, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BKKGIMECFBBBCGAALHPFGJAPPIHANFID\1.1.0_0\MANIFEST.JSON, Quarantined, 17004, 799722, 1.0.46402, , ame, , B40D207A04049A901B1EF9CC3358A407, B257CAB973493C61D5BFACBB27D209208E6D1E4632061137F1E89465668BC0E7 PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 839078, 1.0.46402, , ame, , 9957C864E6F6D49863794ED9847FDDB3, 940E2DC3C43819E1A7B20D95C590B8405656ED352DAEF6DA3AA35359B2FB5F20 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is Key Omni?The Malwarebytes research team has determined that Key Omni is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one changes your default search engine.How do I know if my computer is affected by Key Omni?You may see this entry in your list of installed Chrome extensions:You may have noticed these warnings during install:and this changed setting:How did Key Omni get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Key Omni?Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Key Omni? No, Malwarebytes removes Key Omni completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Key Omni hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://www.keysearchs.com/search.php?src=kyom&type=ds&q={searchTerms} CHR DefaultSearchKeyword: Default -> Key CHR DefaultSuggestURL: Default -> hxxps://www.keysearchs.com/suggest.php?q={searchTerms} CHR Extension: (Key Omni) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdgbbekaglmmmfjghmkafebboajchblj [2021-10-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdgbbekaglmmmfjghmkafebboajchblj\1.0.6_0 Adds the file bg.js"="9/17/2021 6:49 PM, 2392 bytes, A Adds the file manifest.json"="10/11/2021 12:17 PM, 1388 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdgbbekaglmmmfjghmkafebboajchblj\1.0.6_0\_metadata Adds the file computed_hashes.json"="10/11/2021 12:17 PM, 128 bytes, A Adds the file verified_contents.json"="9/14/2021 11:57 PM, 1640 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdgbbekaglmmmfjghmkafebboajchblj\1.0.6_0\icons Adds the file image128.png"="10/11/2021 12:17 PM, 3469 bytes, A Adds the file image16.png"="10/11/2021 12:17 PM, 412 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hdgbbekaglmmmfjghmkafebboajchblj"="REG_SZ", "B693E44580BC1A531F8061BEFAFCA9B13947E89B46D702D363A53B022361E42F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/12/21 Scan Time: 10:11 AM Log File: 11754b36-2b34-11ec-9f78-080027235d76.json -Software Information- Version: 4.4.8.137 Components Version: 1.0.1474 Update Package Version: 1.0.45812 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 259310 Threats Detected: 5 Threats Quarantined: 5 Time Elapsed: 1 min, 44 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hdgbbekaglmmmfjghmkafebboajchblj, Quarantined, 16932, 987269, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HDGBBEKAGLMMMFJGHMKAFEBBOAJCHBLJ, Quarantined, 16932, 987269, 1.0.45812, , ame, , , File: 3 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16932, 987269, , , , , 759A5846EADA308E933BFC4502BD0CEE, D67AB3B8C764195EF7990D9EFB1C340C926EEB6F88930F913BF81A2D46B01069 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16932, 987269, , , , , BDF36708C13A5DBC766EE7D9AE15C607, A4EE5AEDDB41FCCD603E3F99F52172B4A289AC9226235516337C2DBC53D12DB1 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HDGBBEKAGLMMMFJGHMKAFEBBOAJCHBLJ\1.0.6_0\BG.JS, Quarantined, 16932, 987269, 1.0.45812, , ame, , C22F4312B6FDF96E3A3D3D198DC129D6, 541D4B42382133DF08CD8888B0E19D8244F2844D82CB14B4A021F12D56553C0A Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is PDFConverterSearchOnline? The Malwarebytes research team has determined that PDFConverterSearchOnline is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine. How do I know if my computer is affected by PDFConverterSearchOnline? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did PDFConverterSearchOnline get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFConverterSearchOnline? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFConverterSearchOnline? No, Malwarebytes removes PDFConverterSearchOnline completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFConverterSearchOnline hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.pdfconvertersearchonline.com/?q={searchTerms}&publisher=pdfconvertersearchonline&barcodeid=590490000000000 CHR DefaultSearchKeyword: Default -> PDFConverterSearchOnline CHR DefaultSuggestURL: Default -> hxxps://api.pdfconvertersearchonline.com/suggest/get?q={searchTerms} CHR Extension: (PDFConverterSearchOnline) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcmcpfkfangfafgammpgkhbiogchfegd [2021-09-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcmcpfkfangfafgammpgkhbiogchfegd\1.1.0_0 Adds the file manifest.json"="9/8/2021 12:58 PM, 2228 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcmcpfkfangfafgammpgkhbiogchfegd\1.1.0_0\_metadata Adds the file computed_hashes.json"="9/8/2021 12:58 PM, 6725 bytes, A Adds the file verified_contents.json"="2/10/2021 3:27 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcmcpfkfangfafgammpgkhbiogchfegd\1.1.0_0\images Adds the file logo-white-text.png"="2/10/2021 3:27 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcmcpfkfangfafgammpgkhbiogchfegd\1.1.0_0\images\icons Adds the file 128x128.png"="9/8/2021 12:58 PM, 2289 bytes, A Adds the file 16x16.png"="9/8/2021 12:58 PM, 418 bytes, A Adds the file 64x64.png"="9/8/2021 12:58 PM, 1202 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcmcpfkfangfafgammpgkhbiogchfegd\1.1.0_0\scripts Adds the file background.js"="2/10/2021 3:27 PM, 553547 bytes, A Adds the file sitecontent.js"="2/10/2021 3:27 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hcmcpfkfangfafgammpgkhbiogchfegd Adds the file 000003.log"="9/8/2021 1:01 PM, 507 bytes, A Adds the file CURRENT"="9/8/2021 12:58 PM, 16 bytes, A Adds the file LOCK"="9/8/2021 12:58 PM, 0 bytes, A Adds the file LOG"="9/8/2021 12:58 PM, 369 bytes, A Adds the file MANIFEST-000001"="9/8/2021 12:58 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hcmcpfkfangfafgammpgkhbiogchfegd Adds the file PDFConverterSearchOnline.ico"="9/8/2021 12:58 PM, 165607 bytes, A Adds the file PDFConverterSearchOnline.ico.md5"="9/8/2021 12:58 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hcmcpfkfangfafgammpgkhbiogchfegd"="REG_SZ", "E16CAB2C4450E57C2B5666D3830FE5EBE10A60858113219B868925EC8CAC5428" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/8/21 Scan Time: 1:04 PM Log File: 980d4c58-1094-11ec-b450-080027235d76.json -Software Information- Version: 4.4.6.132 Components Version: 1.0.1453 Update Package Version: 1.0.44750 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 259060 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 2 min, 21 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hcmcpfkfangfafgammpgkhbiogchfegd, Quarantined, 16899, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\hcmcpfkfangfafgammpgkhbiogchfegd, Quarantined, 16899, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HCMCPFKFANGFAFGAMMPGKHBIOGCHFEGD, Quarantined, 16899, 799722, 1.0.44750, , ame, , , File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16899, 799722, , , , , E4C9E3ADEEF6EA16E55E4DEEE539029C, 963FEF36AB93DFA4707757D1D07E8F9CB80200A1E0F22C0A884CDB22E91B0108 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16899, 799722, , , , , 225CF683484EFA82ABBCF43173FC3C60, 9A41E446E47999F972A902CA76B8B42473F00317CBCF69CF9DF1E4F7A83FD9B8 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hcmcpfkfangfafgammpgkhbiogchfegd\000003.log, Quarantined, 16899, 799722, , , , , A5B672FC1DCAD9AAEA77DA00492295DF, 9C5B1D058484CC233ED04A9B0EBC070C086802BCB4310987615245564D5F8F59 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hcmcpfkfangfafgammpgkhbiogchfegd\CURRENT, Quarantined, 16899, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hcmcpfkfangfafgammpgkhbiogchfegd\LOCK, Quarantined, 16899, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hcmcpfkfangfafgammpgkhbiogchfegd\LOG, Quarantined, 16899, 799722, , , , , 266A18F4AB3BC632C5EA58F9226042D6, 1A412839B580209D7F55600A1677603F026ABF8FBADF981EB2C69AC92954EE8D Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hcmcpfkfangfafgammpgkhbiogchfegd\MANIFEST-000001, Quarantined, 16899, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HCMCPFKFANGFAFGAMMPGKHBIOGCHFEGD\1.1.0_0\MANIFEST.JSON, Quarantined, 16899, 799722, 1.0.44750, , ame, , B631F44B28FED52C4F7BCC29D1903019, D6B296187432CF661E1114E8CEF787C75790D44C2FF354D95A2D7ED1D061A268 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is StreamingSearch? The Malwarebytes research team has determined that StreamingSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one also uses browser push notifications and adds advertisements to your search results in the form of Search Recommendations. How do I know if my computer is affected by StreamingSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did StreamingSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove StreamingSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of StreamingSearch? No, Malwarebytes removes StreamingSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the StreamingSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.streaming-search.com CHR DefaultSearchURL: Default -> hxxps://feed.streaming-search.com/?q={searchTerms}&publisher=streamingsearch&barcodeid=573420000000000 CHR DefaultSearchKeyword: Default -> StreamingSearch CHR DefaultSuggestURL: Default -> hxxps://api.streaming-search.com/suggest/get?q={searchTerms} CHR Extension: (StreamingSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\padhfaokfofocbnmcfpfcffbbklbijam [2021-09-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\padhfaokfofocbnmcfpfcffbbklbijam\1.1.0_0 Adds the file manifest.json"="9/6/2021 1:00 PM, 2126 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\padhfaokfofocbnmcfpfcffbbklbijam\1.1.0_0\_metadata Adds the file computed_hashes.json"="9/6/2021 1:00 PM, 6255 bytes, A Adds the file verified_contents.json"="5/25/2020 4:45 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\padhfaokfofocbnmcfpfcffbbklbijam\1.1.0_0\images Adds the file logo-white-text.png"="5/25/2020 4:45 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\padhfaokfofocbnmcfpfcffbbklbijam\1.1.0_0\images\icons Adds the file 128x128.png"="9/6/2021 1:00 PM, 11193 bytes, A Adds the file 16x16.png"="9/6/2021 1:00 PM, 734 bytes, A Adds the file 64x64.png"="9/6/2021 1:00 PM, 4913 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\padhfaokfofocbnmcfpfcffbbklbijam\1.1.0_0\scripts Adds the file background.js"="5/25/2020 4:45 PM, 514627 bytes, A Adds the file sitecontent.js"="5/25/2020 4:45 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\padhfaokfofocbnmcfpfcffbbklbijam Adds the file 000003.log"="9/6/2021 1:05 PM, 127 bytes, A Adds the file CURRENT"="9/6/2021 1:00 PM, 16 bytes, A Adds the file LOCK"="9/6/2021 1:00 PM, 0 bytes, A Adds the file LOG"="9/6/2021 1:05 PM, 410 bytes, A Adds the file LOG.old"="9/6/2021 1:04 PM, 410 bytes, A Adds the file MANIFEST-000001"="9/6/2021 1:00 PM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "padhfaokfofocbnmcfpfcffbbklbijam"="REG_SZ", "19F3A6DEF73B6B8777EE012D93D444178BD40340C4034B3CFB623F2D6244341F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/6/21 Scan Time: 12:51 PM Log File: 567acabc-0f00-11ec-aa4c-080027235d76.json -Software Information- Version: 4.4.5.130 Components Version: 1.0.1430 Update Package Version: 1.0.44692 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 258463 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 1 min, 58 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|padhfaokfofocbnmcfpfcffbbklbijam, Quarantined, 16894, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\padhfaokfofocbnmcfpfcffbbklbijam, Quarantined, 16894, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PADHFAOKFOFOCBNMCFPFCFFBBKLBIJAM, Quarantined, 16894, 799722, 1.0.44692, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16894, 799722, , , , , 91BBC73D5E6E230DEB9B28F177BA9D2D, EC54C2D9453F9C68575318B4A2A143E381855F0B5AB07402782337C5378B5E8B Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16894, 799722, , , , , F3947B9E7697D861F0B2A8B88E183821, 387EC9E3000E76BEDC18E64C24725D65182974AF2378909FDA5336A2D4FBC0A6 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\padhfaokfofocbnmcfpfcffbbklbijam\000003.log, Quarantined, 16894, 799722, , , , , BA3269F98BFAD8DA631A9FD695906019, E73A67671CE078449855AA39ACF5ED2C3C69524F39A980A53F6A17A22D5F008E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\padhfaokfofocbnmcfpfcffbbklbijam\CURRENT, Quarantined, 16894, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\padhfaokfofocbnmcfpfcffbbklbijam\LOCK, Quarantined, 16894, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\padhfaokfofocbnmcfpfcffbbklbijam\LOG, Quarantined, 16894, 799722, , , , , 14F7290833E2C65FE84E3C6A502437DB, 2BEE29AB97656ACD370D4909FE7A2FA0DEE4301FB634819B4E0AC324F32DBD92 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\padhfaokfofocbnmcfpfcffbbklbijam\MANIFEST-000001, Quarantined, 16894, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PADHFAOKFOFOCBNMCFPFCFFBBKLBIJAM\1.1.0_0\MANIFEST.JSON, Quarantined, 16894, 799722, 1.0.44692, , ame, , F58BB45A52CE4F0B754EFF96D911879E, 841A0BD46F063DED0E3DF1E51F02F659EEE12E08F7886357C42EC572E08DD013 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832182, 1.0.44692, , ame, , F3947B9E7697D861F0B2A8B88E183821, 387EC9E3000E76BEDC18E64C24725D65182974AF2378909FDA5336A2D4FBC0A6 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is SocialSearchConverter? The Malwarebytes research team has determined that SocialSearchConverter is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one also uses browser push notifications and adds advertisements to your search results in the form of Search Recommendations. How do I know if my computer is affected by SocialSearchConverter? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did SocialSearchConverter get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SocialSearchConverter? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SocialSearchConverter? No, Malwarebytes removes SocialSearchConverter completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SocialSearchConverter hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.socialsearchconverter.com CHR DefaultSearchURL: Default -> hxxps://feed.socialsearchconverter.com/?q={searchTerms}&publisher=socialsearchconverter&barcodeid=588650000000000 CHR DefaultSearchKeyword: Default -> SocialSearchConverter CHR DefaultSuggestURL: Default -> hxxps://api.socialsearchconverter.com/suggest/get?q={searchTerms} CHR Extension: (SocialSearchConverter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcndmofmdngdkicgmpeajdjeidcenkbf [2021-08-30] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcndmofmdngdkicgmpeajdjeidcenkbf\1.1.0_0 Adds the file manifest.json"="8/30/2021 12:08 PM, 2192 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcndmofmdngdkicgmpeajdjeidcenkbf\1.1.0_0\_metadata Adds the file computed_hashes.json"="8/30/2021 12:08 PM, 6725 bytes, A Adds the file verified_contents.json"="12/23/2020 12:12 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcndmofmdngdkicgmpeajdjeidcenkbf\1.1.0_0\images Adds the file logo-white-text.png"="12/23/2020 12:12 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcndmofmdngdkicgmpeajdjeidcenkbf\1.1.0_0\images\icons Adds the file 128x128.png"="8/30/2021 12:08 PM, 7644 bytes, A Adds the file 16x16.png"="8/30/2021 12:08 PM, 700 bytes, A Adds the file 64x64.png"="8/30/2021 12:08 PM, 3504 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcndmofmdngdkicgmpeajdjeidcenkbf\1.1.0_0\scripts Adds the file background.js"="12/23/2020 12:12 PM, 553520 bytes, A Adds the file sitecontent.js"="12/23/2020 12:12 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mcndmofmdngdkicgmpeajdjeidcenkbf Adds the file 000003.log"="8/30/2021 12:11 PM, 804 bytes, A Adds the file CURRENT"="8/30/2021 12:08 PM, 16 bytes, A Adds the file LOCK"="8/30/2021 12:08 PM, 0 bytes, A Adds the file LOG"="8/30/2021 12:08 PM, 367 bytes, A Adds the file MANIFEST-000001"="8/30/2021 12:08 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mcndmofmdngdkicgmpeajdjeidcenkbf Adds the file SocialSearchConverter.ico"="8/30/2021 12:08 PM, 192392 bytes, A Adds the file SocialSearchConverter.ico.md5"="8/30/2021 12:08 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mcndmofmdngdkicgmpeajdjeidcenkbf"="REG_SZ", "FEFE8F3BC7AAE8C6DB11D3F940E4ACB977997781432A712B3B74F630F1F8C75A" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/30/21 Scan Time: 12:18 PM Log File: a4161324-097b-11ec-b7f9-080027235d76.json -Software Information- Version: 4.4.5.130 Components Version: 1.0.1430 Update Package Version: 1.0.44475 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 258400 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 2 min, 15 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|mcndmofmdngdkicgmpeajdjeidcenkbf, Quarantined, 16862, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\mcndmofmdngdkicgmpeajdjeidcenkbf, Quarantined, 16862, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MCNDMOFMDNGDKICGMPEAJDJEIDCENKBF, Quarantined, 16862, 799722, 1.0.44475, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16862, 799722, , , , , 2C0F6DB8586C8713CA8F4A29B6A717D2, 8198F70092B10636F9878D60036F1E766DAE958367E211EAE369A18FA34189EA Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16862, 799722, , , , , D9FF4B1B523EB23834FCE661EC8A4A0A, 9B77F994288701BA6FBB6C4374E6F5F1312407D808A796FC1EB546685565DE4D Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mcndmofmdngdkicgmpeajdjeidcenkbf\000003.log, Quarantined, 16862, 799722, , , , , C2A11A894597EC39C5D922F5555CD06F, 691A736FBC3FA5D81BCA1866889BE5A0147C9F823B36F4ED63061D944F74455F Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mcndmofmdngdkicgmpeajdjeidcenkbf\CURRENT, Quarantined, 16862, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mcndmofmdngdkicgmpeajdjeidcenkbf\LOCK, Quarantined, 16862, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mcndmofmdngdkicgmpeajdjeidcenkbf\LOG, Quarantined, 16862, 799722, , , , , 1DE1FF15E220DF1F36ED6C6015374DC5, 762F3A96EB5497C55065A6894F8B6FA91ABC1EE436CDBC94F70C86C532E61753 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mcndmofmdngdkicgmpeajdjeidcenkbf\MANIFEST-000001, Quarantined, 16862, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MCNDMOFMDNGDKICGMPEAJDJEIDCENKBF\1.1.0_0\MANIFEST.JSON, Quarantined, 16862, 799722, 1.0.44475, , ame, , 7181724A7E0DD015F5604A3473FEFA26, EC6D261ADAAA8CDFEB5B8D0F850196F25AF5164014C26D20B90EFF3F7AF5209C PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.44475, , ame, , D9FF4B1B523EB23834FCE661EC8A4A0A, 9B77F994288701BA6FBB6C4374E6F5F1312407D808A796FC1EB546685565DE4D Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is BestPDFConverterSearch? The Malwarebytes research team has determined that BestPDFConverterSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one also uses browser push notifications and adds advertisements to your search results in the form of Search Recommendations. How do I know if my computer is affected by BestPDFConverterSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did BestPDFConverterSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove BestPDFConverterSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of BestPDFConverterSearch? No, Malwarebytes removes BestPDFConverterSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the BestPDFConverterSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.bestpdfconvertersearch.com CHR DefaultSearchURL: Default -> hxxps://feed.bestpdfconvertersearch.com/?q={searchTerms}&publisher=bestpdfconvertersearch&barcodeid=579810000000000 CHR DefaultSearchKeyword: Default -> BestPDFConverterSearch CHR DefaultSuggestURL: Default -> hxxps://api.bestpdfconvertersearch.com/suggest/get?q={searchTerms} CHR Extension: (BestPDFConverterSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdmpgbeiehohaedpciidhmddfljmgjc [2021-08-18] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdmpgbeiehohaedpciidhmddfljmgjc\1.1.0_0 Adds the file manifest.json"="8/18/2021 2:45 PM, 2204 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdmpgbeiehohaedpciidhmddfljmgjc\1.1.0_0\_metadata Adds the file computed_hashes.json"="8/18/2021 2:45 PM, 6255 bytes, A Adds the file verified_contents.json"="9/1/2020 2:07 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdmpgbeiehohaedpciidhmddfljmgjc\1.1.0_0\images Adds the file logo-white-text.png"="9/1/2020 2:07 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdmpgbeiehohaedpciidhmddfljmgjc\1.1.0_0\images\icons Adds the file 128x128.png"="8/18/2021 2:45 PM, 1856 bytes, A Adds the file 16x16.png"="8/18/2021 2:45 PM, 487 bytes, A Adds the file 64x64.png"="8/18/2021 2:45 PM, 1201 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdmpgbeiehohaedpciidhmddfljmgjc\1.1.0_0\scripts Adds the file background.js"="9/1/2020 2:07 PM, 514583 bytes, A Adds the file sitecontent.js"="9/1/2020 2:07 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\apdmpgbeiehohaedpciidhmddfljmgjc Adds the file 000003.log"="8/18/2021 2:47 PM, 793 bytes, A Adds the file CURRENT"="8/18/2021 2:45 PM, 16 bytes, A Adds the file LOCK"="8/18/2021 2:45 PM, 0 bytes, A Adds the file LOG"="8/18/2021 2:45 PM, 369 bytes, A Adds the file MANIFEST-000001"="8/18/2021 2:45 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_apdmpgbeiehohaedpciidhmddfljmgjc Adds the file BestPDFConverterSearch.ico"="8/18/2021 2:45 PM, 164866 bytes, A Adds the file BestPDFConverterSearch.ico.md5"="8/18/2021 2:45 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "apdmpgbeiehohaedpciidhmddfljmgjc"="REG_SZ", "D043FBD54F45DC89DEDCDB9D83E354CF262B7674022751B748A73330CDE3C0E1" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/18/21 Scan Time: 2:52 PM Log File: 30e3169c-0023-11ec-af72-080027235d76.json -Software Information- Version: 4.4.4.126 Components Version: 1.0.1413 Update Package Version: 1.0.44224 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 258271 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 2 min, 9 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|apdmpgbeiehohaedpciidhmddfljmgjc, Quarantined, 16824, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\apdmpgbeiehohaedpciidhmddfljmgjc, Quarantined, 16824, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\APDMPGBEIEHOHAEDPCIIDHMDDFLJMGJC, Quarantined, 16824, 799722, 1.0.44224, , ame, , , File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16824, 799722, , , , , 287740AF308D8E663C94C52FFA5C2E1D, A7C2A9BF561917D038A8C500FB9A81795A2F41FE616461569615D8942F5AF244 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16824, 799722, , , , , 1572923CEE052BA8A75A72CF2AB95094, ACEF409C04F7F9833212EA623D440A44DB3A9C708885616CF127777CCC6A2B41 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\apdmpgbeiehohaedpciidhmddfljmgjc\000003.log, Quarantined, 16824, 799722, , , , , 875A8725B3C528B5B50D84613EF14749, 0CC46CC4894F1664246C2AEEFE1B32E1DC82F5374AFB4D0811625B46CF81573E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\apdmpgbeiehohaedpciidhmddfljmgjc\CURRENT, Quarantined, 16824, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\apdmpgbeiehohaedpciidhmddfljmgjc\LOCK, Quarantined, 16824, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\apdmpgbeiehohaedpciidhmddfljmgjc\LOG, Quarantined, 16824, 799722, , , , , CE377CE47ED42C254D299CC9D8DAABA5, D223C4C09C932777D7B47587F4570DDEE7E0E0A3E0C5FE33CAF33D5E5D952789 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\apdmpgbeiehohaedpciidhmddfljmgjc\LOG.old, Quarantined, 16824, 799722, , , , , 9503E5E31A028BD6A7BC81547CEBE476, 17555C5C2B89ED81A83C972071CCCEF744CD6CBDAB77D190664839D3FF41AD6E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\apdmpgbeiehohaedpciidhmddfljmgjc\MANIFEST-000001, Quarantined, 16824, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\APDMPGBEIEHOHAEDPCIIDHMDDFLJMGJC\1.1.0_0\MANIFEST.JSON, Quarantined, 16824, 799722, 1.0.44224, , ame, , 9CBDDF33BD7D2118D8FBCF389DE48401, 12E00EFBEFE140F6ADA2E6D71DD2DCE14C68DD17D957C4BDB9906D4022251851 PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 846248, 1.0.44224, , ame, , 1572923CEE052BA8A75A72CF2AB95094, ACEF409C04F7F9833212EA623D440A44DB3A9C708885616CF127777CCC6A2B41 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is BestADSBlock? The Malwarebytes research team has determined that BestADSBlock is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search provider and adds Search Recommendations. How do I know if my computer is affected by BestADSBlock? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did BestADSBlock get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove BestADSBlock? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of BestADSBlock? No, Malwarebytes removes BestADSBlock completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the BestADSBlock hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.bestadsblock.com/?q={searchTerms}&publisher=bestadsblock&barcodeid=595990000000000 CHR DefaultSearchKeyword: Default -> BestADSBlock CHR DefaultSuggestURL: Default -> hxxps://api.bestadsblock.com/suggest/get?q={searchTerms} CHR Extension: (BestADSBlock) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cojdgfmlgmihnhcfegneogolkmcfieba [2021-08-17] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cojdgfmlgmihnhcfegneogolkmcfieba\1.2.0_0 Adds the file manifest.json"="8/17/2021 3:42 PM, 2084 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cojdgfmlgmihnhcfegneogolkmcfieba\1.2.0_0\_metadata Adds the file computed_hashes.json"="8/17/2021 3:42 PM, 6255 bytes, A Adds the file verified_contents.json"="8/10/2021 2:00 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cojdgfmlgmihnhcfegneogolkmcfieba\1.2.0_0\images Adds the file logo-white-text.png"="8/10/2021 2:00 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cojdgfmlgmihnhcfegneogolkmcfieba\1.2.0_0\images\icons Adds the file 128x128.png"="8/17/2021 3:42 PM, 6727 bytes, A Adds the file 16x16.png"="8/17/2021 3:42 PM, 787 bytes, A Adds the file 64x64.png"="8/17/2021 3:42 PM, 3436 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cojdgfmlgmihnhcfegneogolkmcfieba\1.2.0_0\scripts Adds the file background.js"="8/10/2021 2:00 PM, 516062 bytes, A Adds the file sitecontent.js"="8/10/2021 2:00 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cojdgfmlgmihnhcfegneogolkmcfieba Adds the file 000003.log"="8/17/2021 3:45 PM, 798 bytes, A Adds the file CURRENT"="8/17/2021 3:42 PM, 16 bytes, A Adds the file LOCK"="8/17/2021 3:42 PM, 0 bytes, A Adds the file LOG"="8/17/2021 3:42 PM, 367 bytes, A Adds the file MANIFEST-000001"="8/17/2021 3:42 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_cojdgfmlgmihnhcfegneogolkmcfieba Adds the file BestADSBlock.ico"="8/17/2021 3:42 PM, 194904 bytes, A Adds the file BestADSBlock.ico.md5"="8/17/2021 3:42 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cojdgfmlgmihnhcfegneogolkmcfieba"="REG_SZ", "040350B6D10F39823EDF4E746EE0E282AE47D9972F9809A7D294FFAE150ADDBB" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/17/21 Scan Time: 3:38 PM Log File: 774c51e8-ff60-11eb-b061-080027235d76.json -Software Information- Version: 4.4.4.126 Components Version: 1.0.1413 Update Package Version: 1.0.44204 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 258237 Threats Detected: 5 Threats Quarantined: 5 Time Elapsed: 1 min, 24 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cojdgfmlgmihnhcfegneogolkmcfieba, Quarantined, 16817, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\COJDGFMLGMIHNHCFEGNEOGOLKMCFIEBA, Quarantined, 16817, 799722, 1.0.44204, , ame, , , File: 3 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16817, 799722, , , , , 1C538A302C0FE6A5C90286B266C1B577, C9B773C496D1EA74FB14588B5A824CF0E53C62FBAACC2F88FE7F9057B35C103B Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16817, 799722, , , , , 0B8659B848229CFA5C147BC1224FBFDF, DB07BA40DDD4A2C93D8BF638CCBFE56CEB692D912CE85F7EE0B94383D897E49F Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\COJDGFMLGMIHNHCFEGNEOGOLKMCFIEBA\1.2.0_0\MANIFEST.JSON, Quarantined, 16817, 799722, 1.0.44204, , ame, , B22B9AE4045EAC3242E9A2DEB685E325, A2E2E23F2A687D4C519F281767E70F2F8F76726990BD6819F115DE66034BAC18 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is CheckAMap?The Malwarebytes research team has determined that CheckAMap is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one also uses browser push notifications and adds advertisements to your search results in the form of recommended searches.How do I know if my computer is affected by CheckAMap?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and this changed setting:How did CheckAMap get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove CheckAMap?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of CheckAMap? No, Malwarebytes removes CheckAMap completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the CheckAMap hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Notifications: Default -> hxxps://install.checkamap.com CHR DefaultSearchURL: Default -> hxxps://feed.checkamap.com/?q={searchTerms}&publisher=checkamap&barcodeid=596000000000000 CHR DefaultSearchKeyword: Default -> CheckAMap CHR DefaultSuggestURL: Default -> hxxps://api.checkamap.com/suggest/get?q={searchTerms} CHR Extension: (CheckAMap) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nibibokccpmjgmmddominkgedodocijc [2021-08-16] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nibibokccpmjgmmddominkgedodocijc\1.2.0_0 Adds the file manifest.json"="8/16/2021 2:07 PM, 2048 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nibibokccpmjgmmddominkgedodocijc\1.2.0_0\_metadata Adds the file computed_hashes.json"="8/16/2021 2:07 PM, 6255 bytes, A Adds the file verified_contents.json"="8/10/2021 1:56 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nibibokccpmjgmmddominkgedodocijc\1.2.0_0\images Adds the file logo-white-text.png"="8/10/2021 1:56 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nibibokccpmjgmmddominkgedodocijc\1.2.0_0\images\icons Adds the file 128x128.png"="8/16/2021 2:07 PM, 5756 bytes, A Adds the file 16x16.png"="8/16/2021 2:07 PM, 610 bytes, A Adds the file 64x64.png"="8/16/2021 2:07 PM, 2919 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nibibokccpmjgmmddominkgedodocijc\1.2.0_0\scripts Adds the file background.js"="8/10/2021 1:56 PM, 516035 bytes, A Adds the file sitecontent.js"="8/10/2021 1:56 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nibibokccpmjgmmddominkgedodocijc Adds the file 000003.log"="8/16/2021 2:07 PM, 0 bytes, A Adds the file CURRENT"="8/16/2021 2:07 PM, 16 bytes, A Adds the file LOCK"="8/16/2021 2:07 PM, 0 bytes, A Adds the file LOG"="8/16/2021 2:07 PM, 0 bytes, A Adds the file MANIFEST-000001"="8/16/2021 2:07 PM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "nibibokccpmjgmmddominkgedodocijc"="REG_SZ", "F5C51F79DD4451D51A12E982DA59BEC30FF728A6CE5E0EA87E087EDF20DB4E13" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/16/21 Scan Time: 2:14 PM Log File: 88b32a4a-fe8b-11eb-bf77-080027235d76.json -Software Information- Version: 4.4.4.126 Components Version: 1.0.1413 Update Package Version: 1.0.44194 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 258291 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 1 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|nibibokccpmjgmmddominkgedodocijc, Quarantined, 16814, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\nibibokccpmjgmmddominkgedodocijc, Quarantined, 16814, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NIBIBOKCCPMJGMMDDOMINKGEDODOCIJC, Quarantined, 16814, 799722, 1.0.44194, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16814, 799722, , , , , E3E38B508D509BA2EE1B6113C850AE9F, 78C7A6B6A64CAB8D37979FAB021F2A2767E0C286A56B01195A8D5C7BBADB9B4A Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16814, 799722, , , , , C443D1162F84A4F83C5EB4DC3B9E26E3, AC808B536018A2AB045E726BC37CB17FA40DA1F1E9E8FE07BCEBCE72416AE111 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nibibokccpmjgmmddominkgedodocijc\000003.log, Quarantined, 16814, 799722, , , , , 56381E5EEC424DCE3C7C51EC909C31E0, B7A9E29CE576C3BC44B67FDECE18A7FD09F7A386BF23F06D30FE8A8D4C0768EB Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nibibokccpmjgmmddominkgedodocijc\CURRENT, Quarantined, 16814, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nibibokccpmjgmmddominkgedodocijc\LOCK, Quarantined, 16814, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nibibokccpmjgmmddominkgedodocijc\LOG, Quarantined, 16814, 799722, , , , , 622E8A6D9348DA29894CF561EAC98485, DDCF977A5AA520579C1F950A6AECA51225F0A76ABF2DF0362B8810AA562EB2B1 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nibibokccpmjgmmddominkgedodocijc\MANIFEST-000001, Quarantined, 16814, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NIBIBOKCCPMJGMMDDOMINKGEDODOCIJC\1.2.0_0\MANIFEST.JSON, Quarantined, 16814, 799722, 1.0.44194, , ame, , 6ED92B0A9CEB12743235420E358B5B3B, 3E3A552577B5BA0A8BEBA79DCFCEA16CD4AB101CB3B9A5E670933335480BD19D PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.44194, , ame, , F74E7EC3161D9640C11AE0459F005189, B471CBB763B2330A6F3F7DA04BC8ED03E0E16EBE812FF29260A46A4EC55D9612 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is ThePDFConverterSearch? The Malwarebytes research team has determined that ThePDFConverterSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one uses browser push notifications and changes your default search engine. How do I know if my computer is affected by ThePDFConverterSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did ThePDFConverterSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove ThePDFConverterSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of ThePDFConverterSearch? No, Malwarebytes removes ThePDFConverterSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the ThePDFConverterSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.thepdfconvertersearch.com CHR DefaultSearchURL: Default -> hxxps://feed.thepdfconvertersearch.com/?q={searchTerms}&publisher=thepdfconvertersearch&barcodeid=579790000000000 CHR DefaultSearchKeyword: Default -> ThePDFConverterSearch CHR DefaultSuggestURL: Default -> hxxps://api.thepdfconvertersearch.com/suggest/get?q={searchTerms} CHR Extension: (ThePDFConverterSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibbbcnoecfibifdclgbdaoohdjpjhahd [2021-08-10] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibbbcnoecfibifdclgbdaoohdjpjhahd\1.1.0_0 Adds the file manifest.json"="8/10/2021 11:24 AM, 2192 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibbbcnoecfibifdclgbdaoohdjpjhahd\1.1.0_0\_metadata Adds the file computed_hashes.json"="8/10/2021 11:24 AM, 6255 bytes, A Adds the file verified_contents.json"="9/1/2020 2:20 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibbbcnoecfibifdclgbdaoohdjpjhahd\1.1.0_0\images Adds the file logo-white-text.png"="9/1/2020 2:20 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibbbcnoecfibifdclgbdaoohdjpjhahd\1.1.0_0\images\icons Adds the file 128x128.png"="8/10/2021 11:24 AM, 5213 bytes, A Adds the file 16x16.png"="8/10/2021 11:24 AM, 572 bytes, A Adds the file 64x64.png"="8/10/2021 11:24 AM, 2547 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibbbcnoecfibifdclgbdaoohdjpjhahd\1.1.0_0\scripts Adds the file background.js"="9/1/2020 2:20 PM, 514574 bytes, A Adds the file sitecontent.js"="9/1/2020 2:20 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ibbbcnoecfibifdclgbdaoohdjpjhahd Adds the file 000003.log"="8/10/2021 11:27 AM, 843 bytes, A Adds the file CURRENT"="8/10/2021 11:24 AM, 16 bytes, A Adds the file LOCK"="8/10/2021 11:24 AM, 0 bytes, A Adds the file LOG"="8/10/2021 11:24 AM, 367 bytes, A Adds the file MANIFEST-000001"="8/10/2021 11:24 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ibbbcnoecfibifdclgbdaoohdjpjhahd Adds the file ThePDFConverterSearch.ico"="8/10/2021 11:24 AM, 177705 bytes, A Adds the file ThePDFConverterSearch.ico.md5"="8/10/2021 11:24 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ibbbcnoecfibifdclgbdaoohdjpjhahd"="REG_SZ", "9F911D03CFEB4C14805BE58A0584659B1502834BDC1E088090373F01A1415F89" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/10/21 Scan Time: 11:33 AM Log File: 00976526-f9be-11eb-9588-080027235d76.json -Software Information- Version: 4.4.4.126 Components Version: 1.0.1413 Update Package Version: 1.0.44002 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 258186 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 1 min, 50 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ibbbcnoecfibifdclgbdaoohdjpjhahd, Quarantined, 16786, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ibbbcnoecfibifdclgbdaoohdjpjhahd, Quarantined, 16786, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IBBBCNOECFIBIFDCLGBDAOOHDJPJHAHD, Quarantined, 16786, 799722, 1.0.44002, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16786, 799722, , , , , AC867AA1DDFA0FE48A9754A84FBEAA60, BBFD3800CC2D32AB4360A6FFE3DF65557C26F39023D3556AE9FFE4EF46845435 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16786, 799722, , , , , 0809B71D09614A804B1854BCD6F3A85E, 4C20B8DA32E8E14C300230A8FB0CF70EE16AD311E180D127A694F090F4807B7A Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ibbbcnoecfibifdclgbdaoohdjpjhahd\000003.log, Quarantined, 16786, 799722, , , , , 2C48A673529225DC6FC6A6294DA5BDE5, 891DA07943C426BE32A405CBF6025149705083557FCFDFA0AAB7C2D2329F571E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ibbbcnoecfibifdclgbdaoohdjpjhahd\CURRENT, Quarantined, 16786, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ibbbcnoecfibifdclgbdaoohdjpjhahd\LOCK, Quarantined, 16786, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ibbbcnoecfibifdclgbdaoohdjpjhahd\LOG, Quarantined, 16786, 799722, , , , , 131B88EA292B0BA7A8B9825B74C30B6C, D80228C7C0A993732526F5CEB10E9456284EBD1AB36F228125E3C3AB348D6E68 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ibbbcnoecfibifdclgbdaoohdjpjhahd\MANIFEST-000001, Quarantined, 16786, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IBBBCNOECFIBIFDCLGBDAOOHDJPJHAHD\1.1.0_0\MANIFEST.JSON, Quarantined, 16786, 799722, 1.0.44002, , ame, , 01BAFE136CCA181304CC4C6B9345A696, A323813A7E81EC2CE4073DBAC6C048B7226ADECAF40403780AAFCA7A406E508C PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 846248, 1.0.44002, , ame, , 0809B71D09614A804B1854BCD6F3A85E, 4C20B8DA32E8E14C300230A8FB0CF70EE16AD311E180D127A694F090F4807B7A Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is VideoSearchz?The Malwarebytes research team has determined that VideoSearchz is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one also uses browser push notifications and adds advertisements to your search results in the form of recommended searches.How do I know if my computer is affected by VideoSearchz?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and this changed setting:How did VideoSearchz get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove VideoSearchz?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of VideoSearchz? No, Malwarebytes removes VideoSearchz completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the VideoSearchz hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.video-searchz.com/?q={searchTerms}&publisher=videosearchz&barcodeid=573590000000000 CHR DefaultSearchKeyword: Default -> VideoSearchz CHR DefaultSuggestURL: Default -> hxxps://api.video-searchz.com/suggest/get?q={searchTerms} CHR Extension: (VideoSearchz) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppjglhfckoehpjofhdlfenaliamfcgko [2021-07-23] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppjglhfckoehpjofhdlfenaliamfcgko\1.1.0_0 Adds the file manifest.json"="7/23/2021 9:23 AM, 2091 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppjglhfckoehpjofhdlfenaliamfcgko\1.1.0_0\_metadata Adds the file computed_hashes.json"="7/23/2021 9:23 AM, 6255 bytes, A Adds the file verified_contents.json"="6/1/2020 4:30 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppjglhfckoehpjofhdlfenaliamfcgko\1.1.0_0\images Adds the file logo-white-text.png"="6/1/2020 4:30 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppjglhfckoehpjofhdlfenaliamfcgko\1.1.0_0\images\icons Adds the file 128x128.png"="7/23/2021 9:23 AM, 10631 bytes, A Adds the file 16x16.png"="7/23/2021 9:23 AM, 700 bytes, A Adds the file 64x64.png"="7/23/2021 9:23 AM, 4341 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppjglhfckoehpjofhdlfenaliamfcgko\1.1.0_0\scripts Adds the file background.js"="6/1/2020 4:30 PM, 514579 bytes, A Adds the file sitecontent.js"="6/1/2020 4:30 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ppjglhfckoehpjofhdlfenaliamfcgko Adds the file 000003.log"="7/23/2021 9:23 AM, 775 bytes, A Adds the file CURRENT"="7/23/2021 9:23 AM, 16 bytes, A Adds the file LOCK"="7/23/2021 9:23 AM, 0 bytes, A Adds the file LOG"="7/23/2021 9:23 AM, 369 bytes, A Adds the file MANIFEST-000001"="7/23/2021 9:23 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ppjglhfckoehpjofhdlfenaliamfcgko Adds the file VideoSearchz.ico"="7/23/2021 9:23 AM, 197731 bytes, A Adds the file VideoSearchz.ico.md5"="7/23/2021 9:23 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ppjglhfckoehpjofhdlfenaliamfcgko"="REG_SZ", "DBD3A96F5BFCBE18D98300C3AC5C5EFF1809BD85FB4F8C51D234AA769E126243" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/23/21 Scan Time: 9:28 AM Log File: 967edadc-eb87-11eb-8000-080027235d76.json -Software Information- Version: 4.4.3.125 Components Version: 1.0.1387 Update Package Version: 1.0.43408 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 257795 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 1 min, 24 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ppjglhfckoehpjofhdlfenaliamfcgko, Quarantined, 16730, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ppjglhfckoehpjofhdlfenaliamfcgko, Quarantined, 16730, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PPJGLHFCKOEHPJOFHDLFENALIAMFCGKO, Quarantined, 16730, 799722, 1.0.43408, , ame, , , File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16730, 799722, , , , , A797D136B24D90668DD6CBE49246D598, A695F27FEDE70C117540FB91C1AC6C8F261DE1C198A40D19AFABD2CB5379F538 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16730, 799722, , , , , 70252C45986CDA678EA8E2F7E9C5E735, B5E1BA4A4BC8C1CACF03BDD47FB0666B37374A97BBA5FFD6F80BFFF9FC553B5C Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ppjglhfckoehpjofhdlfenaliamfcgko\000003.log, Quarantined, 16730, 799722, , , , , 82D33F0939C04105C3C8D3BB9C58B403, A44C3EA7C60325C678075CF7C4DF070EA07C7E96874C2757F9B7178EA6A005AB Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ppjglhfckoehpjofhdlfenaliamfcgko\CURRENT, Quarantined, 16730, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ppjglhfckoehpjofhdlfenaliamfcgko\LOCK, Quarantined, 16730, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ppjglhfckoehpjofhdlfenaliamfcgko\LOG, Quarantined, 16730, 799722, , , , , DDF8F3A96AB9DA36DC5CF51189A54225, FA4F1E5E05986AF37E4F13ECC88B51205CF08624BDEE6C01E03E2E5AF0464C47 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ppjglhfckoehpjofhdlfenaliamfcgko\MANIFEST-000001, Quarantined, 16730, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PPJGLHFCKOEHPJOFHDLFENALIAMFCGKO\1.1.0_0\MANIFEST.JSON, Quarantined, 16730, 799722, 1.0.43408, , ame, , 433BA27035F5182912CF0CAB4B523CFC, 2598792620DB2485814D10DE3ED635CF6367508F9DB6D91DC0379D75ABAD3480 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is MyIncognitoSearch?The Malwarebytes research team has determined that MyIncognitoSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one uses browser push notifications and changes your default search provider.How do I know if my computer is affected by MyIncognitoSearch?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and this changed setting:How did MyIncognitoSearch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove MyIncognitoSearch?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of MyIncognitoSearch? No, Malwarebytes removes MyIncognitoSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the MyIncognitoSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Notifications: Default -> hxxps://install.myincognitosearch.com CHR DefaultSearchURL: Default -> hxxps://feed.myincognitosearch.com/?q={searchTerms}&publisher=myincognitosearch&barcodeid=590250000000000 CHR DefaultSearchKeyword: Default -> MyIncognitoSearch CHR DefaultSuggestURL: Default -> hxxps://api.myincognitosearch.com/suggest/get?q={searchTerms} CHR Extension: (MyIncognitoSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip [2021-07-20] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip\1.1.0_0 Adds the file manifest.json"="7/20/2021 11:09 AM, 2144 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip\1.1.0_0\_metadata Adds the file computed_hashes.json"="7/20/2021 11:09 AM, 6725 bytes, A Adds the file verified_contents.json"="2/4/2021 12:34 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip\1.1.0_0\images Adds the file logo-white-text.png"="2/4/2021 12:34 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip\1.1.0_0\images\icons Adds the file 128x128.png"="7/20/2021 11:09 AM, 8977 bytes, A Adds the file 16x16.png"="7/20/2021 11:09 AM, 600 bytes, A Adds the file 64x64.png"="7/20/2021 11:09 AM, 3775 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip\1.1.0_0\scripts Adds the file background.js"="2/4/2021 12:34 PM, 553484 bytes, A Adds the file sitecontent.js"="2/4/2021 12:34 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip Adds the file 000003.log"="7/20/2021 11:13 AM, 852 bytes, A Adds the file CURRENT"="7/20/2021 11:09 AM, 16 bytes, A Adds the file LOCK"="7/20/2021 11:09 AM, 0 bytes, A Adds the file LOG"="7/20/2021 11:09 AM, 369 bytes, A Adds the file MANIFEST-000001"="7/20/2021 11:09 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fdebfhnlclpmgibliflaehjhbpafnlip Adds the file MyIncognitoSearch.ico"="7/20/2021 11:09 AM, 196671 bytes, A Adds the file MyIncognitoSearch.ico.md5"="7/20/2021 11:09 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fdebfhnlclpmgibliflaehjhbpafnlip"="REG_SZ", "3FA7951A8EB4042009B0E11401337B244491BAED9A0970A61CA068EF1FEAEFFF" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/20/21 Scan Time: 11:18 AM Log File: 6106a0c2-e93b-11eb-82bf-080027235d76.json -Software Information- Version: 4.4.3.125 Components Version: 1.0.1387 Update Package Version: 1.0.43301 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 257751 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 19 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fdebfhnlclpmgibliflaehjhbpafnlip, Quarantined, 16709, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip, Quarantined, 16709, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FDEBFHNLCLPMGIBLIFLAEHJHBPAFNLIP, Quarantined, 16709, 799722, 1.0.43301, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16709, 799722, , , , , 69AD7140C7DF1EE4C6534AA78A2FCB80, EC0E9B66274243FE688488898FC1F18ACC20A62896B12F2B36F6774D355274A6 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16709, 799722, , , , , C6DD6B574BBB4D3DDE67579E054ED979, 8223CECC1B2FD20E0B17E1DE9C5BF27942EF60532378DFFC089170468DC0D81F Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip\000003.log, Quarantined, 16709, 799722, , , , , 116A89DBCBBC4B41577B07B8F7880EEE, E29B742538ED997FC197D4FD14419A2C903CEEF45B9E42AE0405B9A9842761B6 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip\CURRENT, Quarantined, 16709, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip\LOCK, Quarantined, 16709, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip\LOG, Quarantined, 16709, 799722, , , , , 5CA640CDA2FC46E756D74AA3B9773BBA, D5C2380726ACD29B4DB0D7EBE97BBEDB9AD468EFE286CD376F01B08744053737 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip\MANIFEST-000001, Quarantined, 16709, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FDEBFHNLCLPMGIBLIFLAEHJHBPAFNLIP\1.1.0_0\MANIFEST.JSON, Quarantined, 16709, 799722, 1.0.43301, , ame, , B18FCF6A2D7EFE1E32D4722A6C7BFF3F, 831481C9375EED98A6A9A57C3A1E4434DBE561F4455445897FCA14101898F4F9 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.43301, , ame, , C6DD6B574BBB4D3DDE67579E054ED979, 8223CECC1B2FD20E0B17E1DE9C5BF27942EF60532378DFFC089170468DC0D81F Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is FreeSearchConverters?The Malwarebytes research team has determined that FreeSearchConverters is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one also uses browser push notifications and changes your default search engine.How do I know if my computer is affected by FreeSearchConverters?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and this changed setting:How did FreeSearchConverters get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove FreeSearchConverters?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of FreeSearchConverters? No, Malwarebytes removes FreeSearchConverters completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the FreeSearchConverters hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Notifications: Default -> hxxps://install.freesearchconverters.com CHR DefaultSearchURL: Default -> hxxps://feed.freesearchconverters.com/?q={searchTerms}&publisher=freesearchconverters&barcodeid=590370000000000 CHR DefaultSearchKeyword: Default -> FreeSearchConverters CHR DefaultSuggestURL: Default -> hxxps://api.freesearchconverters.com/suggest/get?q={searchTerms} CHR Extension: (FreeSearchConverters) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk [2021-06-25] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk\1.1.0_0 Adds the file manifest.json"="6/25/2021 8:59 AM, 2180 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk\1.1.0_0\_metadata Adds the file computed_hashes.json"="6/25/2021 8:59 AM, 6725 bytes, A Adds the file verified_contents.json"="2/10/2021 1:59 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk\1.1.0_0\images Adds the file logo-white-text.png"="2/10/2021 1:59 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk\1.1.0_0\images\icons Adds the file 128x128.png"="6/25/2021 8:59 AM, 5906 bytes, A Adds the file 16x16.png"="6/25/2021 8:59 AM, 592 bytes, A Adds the file 64x64.png"="6/25/2021 8:59 AM, 2697 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk\1.1.0_0\scripts Adds the file background.js"="2/10/2021 1:59 PM, 553511 bytes, A Adds the file sitecontent.js"="2/10/2021 1:59 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk Adds the file 000003.log"="6/25/2021 8:59 AM, 0 bytes, A Adds the file CURRENT"="6/25/2021 8:59 AM, 16 bytes, A Adds the file LOCK"="6/25/2021 8:59 AM, 0 bytes, A Adds the file LOG"="6/25/2021 8:59 AM, 0 bytes, A Adds the file MANIFEST-000001"="6/25/2021 8:59 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fglhccdpkbdibhaaedbmpgpkjkpgifhk Adds the file FreeSearchConverters.ico"="6/25/2021 8:59 AM, 183975 bytes, A Adds the file FreeSearchConverters.ico.md5"="6/25/2021 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fglhccdpkbdibhaaedbmpgpkjkpgifhk"="REG_SZ", "BE3D71B9F6C3B955211F3D262B25CB7E3E9269622E48C60D7C08D2899C667C97" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/25/21 Scan Time: 9:08 AM Log File: 23d7ebc2-d584-11eb-9fc1-080027235d76.json -Software Information- Version: 4.4.0.117 Components Version: 1.0.1344 Update Package Version: 1.0.42213 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 257554 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 1 min, 34 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fglhccdpkbdibhaaedbmpgpkjkpgifhk, Quarantined, 16607, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk, Quarantined, 16607, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FGLHCCDPKBDIBHAAEDBMPGPKJKPGIFHK, Quarantined, 16607, 799722, 1.0.42213, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16607, 799722, , , , , D678813E01E723575B12CC0FB193D4CB, 312F870E434931C4A7506C7BE083D7EDB76A3538E16B3B765DDD58031ACACEFD Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16607, 799722, , , , , 4CDDD7A15AF5FA8072D4BB72D9D3FBE9, CE0C0C251307C5CF460FB0AD47945EE01F1B79C2A117AEC5D5302FD33EC41363 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk\000003.log, Quarantined, 16607, 799722, , , , , 34EC78A40E9F66051CB6EBD013BA9B83, 265C470F81CEC2E5BB7C750BCC045AAFEE2192233DC679771C6818C55E8DEAB2 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk\CURRENT, Quarantined, 16607, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk\LOCK, Quarantined, 16607, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk\LOG, Quarantined, 16607, 799722, , , , , 50F30416B1BE39718CBCFF38989AA045, ACAD5D6738C5D99E2398596D72361CED6108206D2E87494A982FD9E7ED120CE9 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk\MANIFEST-000001, Quarantined, 16607, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FGLHCCDPKBDIBHAAEDBMPGPKJKPGIFHK\1.1.0_0\MANIFEST.JSON, Quarantined, 16607, 799722, 1.0.42213, , ame, , 071A834B8A25C588C0CC3056E16A01AE, 240B6D0A0B35A6D4A9AD79D23C7769A6305003189EA921EABB172D02B8A5E0DE PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.42213, , ame, , 4CDDD7A15AF5FA8072D4BB72D9D3FBE9, CE0C0C251307C5CF460FB0AD47945EE01F1B79C2A117AEC5D5302FD33EC41363 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is YourStreamSearch? The Malwarebytes research team has determined that YourStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by YourStreamSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed settings: How did YourStreamSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove YourStreamSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of YourStreamSearch? No, Malwarebytes removes YourStreamSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the YourStreamSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.yourstreamsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.yourstreamsearch.com/?q={searchTerms}&publisher=yourstreamsearch&barcodeid=586300000000000 CHR DefaultSearchKeyword: Default -> YourStreamSearch CHR DefaultSuggestURL: Default -> hxxps://api.yourstreamsearch.com/suggest/get?q={searchTerms} CHR Extension: (YourStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk [2021-04-20] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0 Adds the file manifest.json"="4/20/2021 8:59 AM, 2132 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/20/2021 8:59 AM, 6725 bytes, A Adds the file verified_contents.json"="11/17/2020 2:14 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\images Adds the file logo-white-text.png"="11/17/2020 2:14 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\images\icons Adds the file 128x128.png"="4/20/2021 8:59 AM, 6594 bytes, A Adds the file 16x16.png"="4/20/2021 8:59 AM, 618 bytes, A Adds the file 64x64.png"="4/20/2021 8:59 AM, 2969 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\scripts Adds the file background.js"="11/17/2020 2:14 PM, 553475 bytes, A Adds the file sitecontent.js"="11/17/2020 2:14 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk Adds the file 000003.log"="4/20/2021 8:59 AM, 0 bytes, A Adds the file CURRENT"="4/20/2021 8:59 AM, 16 bytes, A Adds the file LOCK"="4/20/2021 8:59 AM, 0 bytes, A Adds the file LOG"="4/20/2021 8:59 AM, 0 bytes, A Adds the file MANIFEST-000001"="4/20/2021 8:59 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kicamljljoimnnikabbhokfefoknlkhk Adds the file YourStreamSearch.ico"="4/20/2021 8:59 AM, 185986 bytes, A Adds the file YourStreamSearch.ico.md5"="4/20/2021 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kicamljljoimnnikabbhokfefoknlkhk"="REG_SZ", "1FBDB4D8EB8F99BD39FBEFF5B7B467AD535B75CCC565A1BB3C5CB2327BE6B999" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/20/21 Scan Time: 9:10 AM Log File: 74874f24-a1a7-11eb-9d50-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1251 Update Package Version: 1.0.39611 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233909 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kicamljljoimnnikabbhokfefoknlkhk, Quarantined, 16336, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk, Quarantined, 16336, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KICAMLJLJOIMNNIKABBHOKFEFOKNLKHK, Quarantined, 16336, 799722, 1.0.39611, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16336, 799722, , , , , 1F66C49CA2F4F7650F83A631DDD3D233, DE021F4FCC437BC8C081B67275FC01A6AE4BE2B71D74B120FDBED8E0863AE1FC Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16336, 799722, , , , , DFFDC4FDF875E64BBA781D2CA2062C9A, 957527ABF864997C5F1225ABC3183A764A9A78410DCD01CEBD544E86C8A1F9C6 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk\000003.log, Quarantined, 16336, 799722, , , , , B2FE20A464E93AC7013B373FB58F2085, DC3F7304E517B7E5E9F4CAE3BE403455279BD5F9B75A36A48242DA509D18CBFA Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk\CURRENT, Quarantined, 16336, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk\LOCK, Quarantined, 16336, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk\LOG, Quarantined, 16336, 799722, , , , , 48B5157B52A47A26E6C92ECD01B3B42B, 9FD196126F74CED82F4E0B7684036E32D8665DB2D3603355C342CDAC2E3A750C Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk\MANIFEST-000001, Quarantined, 16336, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KICAMLJLJOIMNNIKABBHOKFEFOKNLKHK\1.1.0_0\MANIFEST.JSON, Quarantined, 16336, 799722, 1.0.39611, , ame, , 715F51945BFEF27596E6DA52C64EFC0B, E2864F77131E285554491AADE7F27E366AFD4DC492F131ECF67C52637D84E096 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.39611, , ame, , DFFDC4FDF875E64BBA781D2CA2062C9A, 957527ABF864997C5F1225ABC3183A764A9A78410DCD01CEBD544E86C8A1F9C6 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  16. What is SearchConverterIt? The Malwarebytes research team has determined that SearchConverterIt is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by SearchConverterIt? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did SearchConverterIt get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchConverterIt? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchConverterIt? No, Malwarebytes removes SearchConverterIt completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchConverterIt hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.searchconverterit.com CHR DefaultSearchURL: Default -> hxxps://feed.searchconverterit.com/?q={searchTerms}&publisher=searchconverterit&barcodeid=588640000000000 CHR DefaultSearchKeyword: Default -> SearchConverterIt CHR DefaultSuggestURL: Default -> hxxps://api.searchconverterit.com/suggest/get?q={searchTerms} CHR Extension: (SearchConverterIt) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng [2021-04-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0 Adds the file manifest.json"="4/14/2021 8:59 AM, 2144 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/14/2021 8:59 AM, 6725 bytes, A Adds the file verified_contents.json"="12/23/2020 12:10 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\images Adds the file logo-white-text.png"="12/23/2020 12:10 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\images\icons Adds the file 128x128.png"="4/14/2021 8:59 AM, 8726 bytes, A Adds the file 16x16.png"="4/14/2021 8:59 AM, 829 bytes, A Adds the file 64x64.png"="4/14/2021 8:59 AM, 3790 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\scripts Adds the file background.js"="12/23/2020 12:10 PM, 553484 bytes, A Adds the file sitecontent.js"="12/23/2020 12:10 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng Adds the file 000003.log"="4/14/2021 8:59 AM, 0 bytes, A Adds the file CURRENT"="4/14/2021 8:59 AM, 16 bytes, A Adds the file LOCK"="4/14/2021 8:59 AM, 0 bytes, A Adds the file LOG"="4/14/2021 8:59 AM, 0 bytes, A Adds the file MANIFEST-000001"="4/14/2021 8:59 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_iineefadkfmchfkhljaggpbbnllimnng Adds the file SearchConverterIt.ico"="4/14/2021 8:59 AM, 198511 bytes, A Adds the file SearchConverterIt.ico.md5"="4/14/2021 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "iineefadkfmchfkhljaggpbbnllimnng"="REG_SZ", "52C119205FA573C4A88501553CFC0CFDC7536AC46F7F653A0406C845E5688DB0" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/14/21 Scan Time: 9:12 AM Log File: c74be9f6-9cf0-11eb-8c7b-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1251 Update Package Version: 1.0.39391 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233788 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 11 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|iineefadkfmchfkhljaggpbbnllimnng, Quarantined, 16302, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng, Quarantined, 16302, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IINEEFADKFMCHFKHLJAGGPBBNLLIMNNG, Quarantined, 16302, 799722, 1.0.39391, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16302, 799722, , , , , 3532504BA85D9B1ABE75CB36C1278AFC, CC1D20EFBE57B77DD4343232C79AB3E001B216E92AD98E743D738A24A7F4D753 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16302, 799722, , , , , 3E6FD6CA1616CFD8F1CE8AE82B40E3A2, 094A84DBF10D44B3934114AC713697138A576C21E7680154A035E11A246DBEA1 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng\000003.log, Quarantined, 16302, 799722, , , , , 94B9F9BFA2C14735E50F191210B1A61B, BC4C7FBCC9C9EE73397714BC6AC9847FAD448DD9F72A13CF6A0C87464963C295 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng\CURRENT, Quarantined, 16302, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng\LOCK, Quarantined, 16302, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng\LOG, Quarantined, 16302, 799722, , , , , 9AA2B44010154B7E04DD8D9A39A187CA, 3D7484112A5F590C6DB55F918C0716123F8D5A629397F1F58D5E39A79E5B4AEE Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng\MANIFEST-000001, Quarantined, 16302, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IINEEFADKFMCHFKHLJAGGPBBNLLIMNNG\1.1.0_0\MANIFEST.JSON, Quarantined, 16302, 799722, 1.0.39391, , ame, , 462F3A01F5C3B4C600C24E74E11D7EF2, EFAF315B9A699789D4CA80CA88C37C8F35F90DB927E398E01D51D67C45B221EB PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.39391, , ame, , 3E6FD6CA1616CFD8F1CE8AE82B40E3A2, 094A84DBF10D44B3934114AC713697138A576C21E7680154A035E11A246DBEA1 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  17. What is OnlineStreamSearch? The Malwarebytes research team has determined that OnlineStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by OnlineStreamSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did OnlineStreamSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove OnlineStreamSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of OnlineStreamSearch? No, Malwarebytes removes OnlineStreamSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the OnlineStreamSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.onlinestreamsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.onlinestreamsearch.com/?q={searchTerms}&publisher=onlinestreamsearch&barcodeid=584040000000000 CHR DefaultSearchKeyword: Default -> OnlineStreamSearch CHR DefaultSuggestURL: Default -> hxxps://api.onlinestreamsearch.com/suggest/get?q={searchTerms} CHR Extension: (OnlineStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj [2021-04-09] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0 Adds the file manifest.json"="4/9/2021 8:55 AM, 2156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/9/2021 8:55 AM, 6255 bytes, A Adds the file verified_contents.json"="10/6/2020 9:26 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\images Adds the file logo-white-text.png"="10/6/2020 9:26 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\images\icons Adds the file 128x128.png"="4/9/2021 8:55 AM, 10427 bytes, A Adds the file 16x16.png"="4/9/2021 8:55 AM, 669 bytes, A Adds the file 64x64.png"="4/9/2021 8:55 AM, 4057 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\scripts Adds the file background.js"="10/6/2020 9:26 AM, 514547 bytes, A Adds the file sitecontent.js"="10/6/2020 9:26 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjpkpjaepmfhndihmhdmgkfnhnmgabpj Adds the file 000003.log"="4/9/2021 8:55 AM, 0 bytes, A Adds the file CURRENT"="4/9/2021 8:55 AM, 16 bytes, A Adds the file LOCK"="4/9/2021 8:55 AM, 0 bytes, A Adds the file LOG"="4/9/2021 8:55 AM, 0 bytes, A Adds the file MANIFEST-000001"="4/9/2021 8:55 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kjpkpjaepmfhndihmhdmgkfnhnmgabpj Adds the file OnlineStreamSearch.ico"="4/9/2021 8:55 AM, 194804 bytes, A Adds the file OnlineStreamSearch.ico.md5"="4/9/2021 8:55 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kjpkpjaepmfhndihmhdmgkfnhnmgabpj"="REG_SZ", "2F218777DD2DEE73C7805AFE50CC42603D6959F5735FD1628C6F20C663949E64" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/9/21 Scan Time: 9:03 AM Log File: bec2f72c-9901-11eb-af71-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1249 Update Package Version: 1.0.39257 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233745 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 5 min, 27 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kjpkpjaepmfhndihmhdmgkfnhnmgabpj, Quarantined, 16285, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\kjpkpjaepmfhndihmhdmgkfnhnmgabpj, Quarantined, 16285, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KJPKPJAEPMFHNDIHMHDMGKFNHNMGABPJ, Quarantined, 16285, 799722, 1.0.39257, , ame, , , File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16285, 799722, , , , , D7B7EC60A57BAAC24CB139343DC7EAA6, 67407A3B3D594CC57F242A025D6482FEE7143FDB6A564F79F1A134EDFFF6E13A Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16285, 799722, , , , , 6EE8774596BCC887AD9EE13E095126F2, 343CAF48B3C7BC359CAB208681B31E4850F6A352A4159C88A6F911A90BE78AE2 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\000003.log, Quarantined, 16285, 799722, , , , , FCD43F3CAB81A6261B9DD9E6CABB1088, 311B0AFBE31E9C6AE5D72D3589F9D47C1D6D861C89E0EA77CACC199EB1309069 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\CURRENT, Quarantined, 16285, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\LOCK, Quarantined, 16285, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\LOG, Quarantined, 16285, 799722, , , , , 41E2F6E522E0FD88F65000D12DA25D06, 75EC7C327CCF05CC127453F933BEE1CAFBCC0FDC4A3DDB22334D80A124155B5D Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\LOG.old, Quarantined, 16285, 799722, , , , , 9D00CD778637544C4F6A4F56C1DD1014, E00505269842D1BA97D4D9C5C3D6F3B6D126349A4ACC12545C01F1C97632BE56 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\MANIFEST-000001, Quarantined, 16285, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KJPKPJAEPMFHNDIHMHDMGKFNHNMGABPJ\1.1.0_0\MANIFEST.JSON, Quarantined, 16285, 799722, 1.0.39257, , ame, , D81AEE0DDE16C52BD2D5D15274B0EB6A, 07F02DBBD00E646AFAF2AD5C4027F4759BF1D7D3EE76C4E78A8E031E14A0C468 PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 846248, 1.0.39257, , ame, , 6EE8774596BCC887AD9EE13E095126F2, 343CAF48B3C7BC359CAB208681B31E4850F6A352A4159C88A6F911A90BE78AE2 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  18. What is PDFConverterSearchPro? The Malwarebytes research team has determined that PDFConverterSearchPro is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by PDFConverterSearchPro? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did PDFConverterSearchPro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFConverterSearchPro? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFConverterSearchPro? No, Malwarebytes removes PDFConverterSearchPro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFConverterSearchPro hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.pdfconvertersearchpro.com CHR DefaultSearchURL: Default -> hxxps://feed.pdfconvertersearchpro.com/?q={searchTerms}&publisher=pdfconvertersearchpro&barcodeid=586550000000000 CHR DefaultSearchKeyword: Default -> PDFConverterSearchPro CHR DefaultSuggestURL: Default -> hxxps://api.pdfconvertersearchpro.com/suggest/get?q={searchTerms} CHR Extension: (PDFConverterSearchPro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb [2021-03-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0 Adds the file manifest.json"="3/15/2021 2:06 PM, 2192 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/15/2021 2:06 PM, 6725 bytes, A Adds the file verified_contents.json"="11/22/2020 11:31 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\images Adds the file logo-white-text.png"="11/22/2020 11:31 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\images\icons Adds the file 128x128.png"="3/15/2021 2:06 PM, 3646 bytes, A Adds the file 16x16.png"="3/15/2021 2:06 PM, 543 bytes, A Adds the file 64x64.png"="3/15/2021 2:06 PM, 1960 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\scripts Adds the file background.js"="11/22/2020 11:31 AM, 553520 bytes, A Adds the file sitecontent.js"="11/22/2020 11:31 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb Adds the file 000003.log"="3/15/2021 2:06 PM, 0 bytes, A Adds the file CURRENT"="3/15/2021 2:06 PM, 16 bytes, A Adds the file LOCK"="3/15/2021 2:06 PM, 0 bytes, A Adds the file LOG"="3/15/2021 2:06 PM, 0 bytes, A Adds the file MANIFEST-000001"="3/15/2021 2:06 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_akdcioboelamekgappfajnjfpgpimmmb Adds the file PDFConverterSearchPro.ico"="3/15/2021 2:06 PM, 172121 bytes, A Adds the file PDFConverterSearchPro.ico.md5"="3/15/2021 2:06 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "akdcioboelamekgappfajnjfpgpimmmb"="REG_SZ", "F3AE581B78A68DEC8C113BF12D95B1AB3E28ABE5AC03BE5B0B7B6664A6E24343" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/15/21 Scan Time: 2:15 PM Log File: 8d238472-8590-11eb-b310-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1217 Update Package Version: 1.0.38187 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233439 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|akdcioboelamekgappfajnjfpgpimmmb, Quarantined, 16186, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb, Quarantined, 16186, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AKDCIOBOELAMEKGAPPFAJNJFPGPIMMMB, Quarantined, 16186, 799722, 1.0.38187, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16186, 799722, , , , , DF544FF17FCE1471E0F7FC6ABFEADA65, 61F3AF62ECF69C06A7A7BBC7CA38B72920C161EFB4D9F33D34BDB3B55A8D1DF9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16186, 799722, , , , , 70FA40BF46EE8131AD242E2C21167218, 64ACA91506C83F4C0461C1899A077D37DE8B3B772637C5E951594D5EE2B215A7 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\000003.log, Quarantined, 16186, 799722, , , , , D722D2A43C3A2FBE17F095BD1316ACF3, F12A197380F21674F773C3EBBEE4643EB875CD3F750371257DCFA4D79848E8EC Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\CURRENT, Quarantined, 16186, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\LOCK, Quarantined, 16186, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\LOG, Quarantined, 16186, 799722, , , , , F44B24CA498215DC0FF0F73CF36E8652, 6C8E76DBE5234B4946CB3F860C904B7748A27B6C157FD0E8FF12DD9D5417DC22 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\MANIFEST-000001, Quarantined, 16186, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AKDCIOBOELAMEKGAPPFAJNJFPGPIMMMB\1.1.0_0\MANIFEST.JSON, Quarantined, 16186, 799722, 1.0.38187, , ame, , 879C7B4C7B8FC5E96F26A9C1F015F354, E62CEAE65513F9F91D63A51F8468FD9B41573A00948B3E7AACBB89EA44C0A175 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.38187, , ame, , 70FA40BF46EE8131AD242E2C21167218, 64ACA91506C83F4C0461C1899A077D37DE8B3B772637C5E951594D5EE2B215A7 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  19. What is AllMusicSearches? The Malwarebytes research team has determined that AllMusicSearches is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by AllMusicSearches? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did AllMusicSearches get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove AllMusicSearches? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of AllMusicSearches? No, Malwarebytes removes AllMusicSearches completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the AllMusicSearches hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.allmusicsearches.com CHR DefaultSearchURL: Default -> hxxps://feed.allmusicsearches.com/?q={searchTerms}&publisher=allmusicsearches&barcodeid=577260000000000 CHR DefaultSearchKeyword: Default -> AllMusicSearches CHR DefaultSuggestURL: Default -> hxxps://api.allmusicsearches.com/suggest/get?q={searchTerms} CHR Extension: (AllMusicSearches) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj [2021-03-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0 Adds the file manifest.json"="3/8/2021 10:18 AM, 2132 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/8/2021 10:18 AM, 6255 bytes, A Adds the file verified_contents.json"="8/24/2020 10:44 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\images Adds the file logo-white-text.png"="8/24/2020 10:44 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\images\icons Adds the file 128x128.png"="3/8/2021 10:18 AM, 4637 bytes, A Adds the file 16x16.png"="3/8/2021 10:18 AM, 520 bytes, A Adds the file 64x64.png"="3/8/2021 10:18 AM, 2321 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\scripts Adds the file background.js"="8/24/2020 10:44 AM, 514529 bytes, A Adds the file sitecontent.js"="8/24/2020 10:44 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj Adds the file 000003.log"="3/8/2021 10:18 AM, 0 bytes, A Adds the file CURRENT"="3/8/2021 10:18 AM, 16 bytes, A Adds the file LOCK"="3/8/2021 10:18 AM, 0 bytes, A Adds the file LOG"="3/8/2021 10:18 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/8/2021 10:18 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ljkniknmacmhdnefmnadabodljhilooj Adds the file AllMusicSearches.ico"="3/8/2021 10:18 AM, 181707 bytes, A Adds the file AllMusicSearches.ico.md5"="3/8/2021 10:18 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ljkniknmacmhdnefmnadabodljhilooj"="REG_SZ", "B908D13B0EEA82D134E21FF89BEB5DAC1C8C4177B4B181F6585A3539DAF29138" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/8/21 Scan Time: 10:25 AM Log File: 443572f2-7ff0-11eb-bceb-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37877 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233367 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 40 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ljkniknmacmhdnefmnadabodljhilooj, Quarantined, 16150, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj, Quarantined, 16150, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LJKNIKNMACMHDNEFMNADABODLJHILOOJ, Quarantined, 16150, 799722, 1.0.37877, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16150, 799722, , , , , 96FECE9926463CBD0B08B3FB5BC753BE, C3F52BFF541292B2004F2DFEBADD2E42FE4B66B5707D8C1C14DF5B5942E4A098 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16150, 799722, , , , , DF1E75DD9BF6119F195E522F3848C26D, 110AC98529A525098145BBD217AEE2BFDD1170CB82BC655A3AB5879E146E8691 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\000003.log, Quarantined, 16150, 799722, , , , , 1336BECEF15014988CE71F9B84C76B63, 8457B0EF1CE375E0B331E8D9115228D3D22FDEF73905F184BE32FF422C202B94 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\CURRENT, Quarantined, 16150, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\LOCK, Quarantined, 16150, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\LOG, Quarantined, 16150, 799722, , , , , 4CDECD7BDFAF7DCD3202A901445E0EFA, 5EA2ACAD3FF62049F45EED93C438C61FE34BA519342CE3EC4A362E7E87B9850C Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj\MANIFEST-000001, Quarantined, 16150, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LJKNIKNMACMHDNEFMNADABODLJHILOOJ\1.1.0_0\MANIFEST.JSON, Quarantined, 16150, 799722, 1.0.37877, , ame, , F571C4062C2C546E57D7C120801A6355, 0CD8A873E269F4E43B066A63433B8D300AA333A34BF4EB71CB0371BBCA1393BE PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 856479, 1.0.37877, , ame, , DF1E75DD9BF6119F195E522F3848C26D, 110AC98529A525098145BBD217AEE2BFDD1170CB82BC655A3AB5879E146E8691 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  20. What is PDFSearchWeb? The Malwarebytes research team has determined that PDFSearchWeb is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by PDFSearchWeb? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did PDFSearchWeb get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFSearchWeb? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFSearchWeb? No, Malwarebytes removes PDFSearchWeb completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFSearchWeb hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.pdfsearchweb.com CHR DefaultSearchURL: Default -> hxxps://feed.pdfsearchweb.com/?q={searchTerms}&publisher=pdfsearchweb&barcodeid=586480000000000 CHR DefaultSearchKeyword: Default -> PDFSearchWeb CHR DefaultSuggestURL: Default -> hxxps://api.pdfsearchweb.com/suggest/get?q={searchTerms} CHR Extension: (PDFSearchWeb) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi [2021-03-04] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0 Adds the file manifest.json"="3/4/2021 8:46 AM, 2084 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/4/2021 8:46 AM, 6725 bytes, A Adds the file verified_contents.json"="11/16/2020 11:09 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\images Adds the file logo-white-text.png"="11/16/2020 11:09 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\images\icons Adds the file 128x128.png"="3/4/2021 8:46 AM, 2578 bytes, A Adds the file 16x16.png"="3/4/2021 8:46 AM, 416 bytes, A Adds the file 64x64.png"="3/4/2021 8:46 AM, 1436 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\scripts Adds the file background.js"="11/16/2020 11:09 AM, 553439 bytes, A Adds the file sitecontent.js"="11/16/2020 11:09 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi Adds the file 000003.log"="3/4/2021 8:46 AM, 0 bytes, A Adds the file CURRENT"="3/4/2021 8:46 AM, 16 bytes, A Adds the file LOCK"="3/4/2021 8:46 AM, 0 bytes, A Adds the file LOG"="3/4/2021 8:46 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/4/2021 8:46 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_blmcjacaocadbkaoippfdhjknablobgi Adds the file PDFSearchWeb.ico"="3/4/2021 8:46 AM, 165020 bytes, A Adds the file PDFSearchWeb.ico.md5"="3/4/2021 8:46 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "blmcjacaocadbkaoippfdhjknablobgi"="REG_SZ", "21383C3BCEED4E28CE353D35F37AB55C383F3D6E796A18124C0DE8CF0A38C218" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/4/21 Scan Time: 9:04 AM Log File: 4d2527fa-7cc0-11eb-9e7c-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37767 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233343 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 50 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|blmcjacaocadbkaoippfdhjknablobgi, Quarantined, 15230, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLMCJACAOCADBKAOIPPFDHJKNABLOBGI, Quarantined, 15230, 799722, 1.0.37767, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , 01C6FDC1C96A97A38133B535F53D0D30, E920A84318FD5E518AED4F1856CBF931668DF6EB4D234B3D19A58C99CC4C3232 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , B07D93683D5433642FFB7A45BEE0F1F8, 83BA83D99DBD7D791D9A3D7C308CFCAE2AE132820C7F31C0642C0ACD357F8A70 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\000003.log, Quarantined, 15230, 799722, , , , , E1DE9B412C0C30CDEE59F9E4E63F56DB, 86A2A508B75E0F5CEE3DE285AA84735D8F1ECEB37D333BBFE5232263B612BF3D Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\LOCK, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\LOG, Quarantined, 15230, 799722, , , , , A4549DEA968C4980471BA79B2504416B, 3A609EA567AF426E9CD1C3DF641EE9F298A276437D70FC238AF6AE2175357C36 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLMCJACAOCADBKAOIPPFDHJKNABLOBGI\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.37767, , ame, , 8E1EDD9316806E38160CE820BA112006, D6F16F705C44BA34A629512B96F7950673D3E0CA8CCA07495ED8765BFE66E2FE PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15847, 832955, 1.0.37767, , ame, , B07D93683D5433642FFB7A45BEE0F1F8, 83BA83D99DBD7D791D9A3D7C308CFCAE2AE132820C7F31C0642C0ACD357F8A70 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  21. What is SearchConverterPro? The Malwarebytes research team has determined that SearchConverterPro is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by SearchConverterPro? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did SearchConverterPro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchConverterPro? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchConverterPro? No, Malwarebytes removes SearchConverterPro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchConverterPro hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.searchconverterpro.com CHR DefaultSearchURL: Default -> hxxps://feed.searchconverterpro.com/?q={searchTerms}&publisher=searchconverterpro&barcodeid=585410000000000 CHR DefaultSearchKeyword: Default -> SearchConverterPro CHR DefaultSuggestURL: Default -> hxxps://api.searchconverterpro.com/suggest/get?q={searchTerms} CHR Extension: (SearchConverterPro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb [2021-03-01] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0 Adds the file manifest.json"="3/1/2021 1:35 PM, 2156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/1/2021 1:35 PM, 6725 bytes, A Adds the file verified_contents.json"="10/25/2020 10:34 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\images Adds the file logo-white-text.png"="10/25/2020 10:34 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\images\icons Adds the file 128x128.png"="3/1/2021 1:35 PM, 6306 bytes, A Adds the file 16x16.png"="3/1/2021 1:35 PM, 694 bytes, A Adds the file 64x64.png"="3/1/2021 1:35 PM, 3071 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\scripts Adds the file background.js"="10/25/2020 10:34 AM, 553493 bytes, A Adds the file sitecontent.js"="10/25/2020 10:34 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb Adds the file 000003.log"="3/1/2021 1:35 PM, 0 bytes, A Adds the file CURRENT"="3/1/2021 1:35 PM, 16 bytes, A Adds the file LOCK"="3/1/2021 1:35 PM, 0 bytes, A Adds the file LOG"="3/1/2021 1:35 PM, 0 bytes, A Adds the file MANIFEST-000001"="3/1/2021 1:35 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hjnfhgckomdbflopemgjbncbkdeihhlb Adds the file SearchConverterPro.ico"="3/1/2021 1:35 PM, 186748 bytes, A Adds the file SearchConverterPro.ico.md5"="3/1/2021 1:35 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hjnfhgckomdbflopemgjbncbkdeihhlb"="REG_SZ", "33F8C3B2409F6D8AB5CCF20B368B4AD040AFD46DC8E5F6C5A4E67A3D54DE4719" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/1/21 Scan Time: 1:48 PM Log File: 7a1b9b80-7a8c-11eb-8099-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37625 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233311 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hjnfhgckomdbflopemgjbncbkdeihhlb, Quarantined, 15231, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HJNFHGCKOMDBFLOPEMGJBNCBKDEIHHLB, Quarantined, 15231, 799722, 1.0.37625, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , D8067A2FAD4A6447366B1C2089342374, 5248CCAAC27A4EE68520DF16E1DFD948FECEF89F796C46537ABEF0097EF388B1 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , 20886FCF60602A624756A7271589506B, E158105F46D1C21EBF0959BAB4AC56DE365A1E50F61BF2DEA5C079AF295DEB60 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\000003.log, Quarantined, 15231, 799722, , , , , 321094FBF6F04AFE2CB330470130272F, 352C9EFEA042CB951214F10CD67DB634D225D38BE2F4EB3F5F54564D51616C2E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\LOCK, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\LOG, Quarantined, 15231, 799722, , , , , 86F8B6040268BC3304FF41A99C321ECD, A59E09D12C0EDCB7DF337D13DFCF6E3734732E5C7F74BD456A69E8FDB42C43D3 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HJNFHGCKOMDBFLOPEMGJBNCBKDEIHHLB\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37625, , ame, , 4A1FC792FD3BD8E05EA6771ED67CE48B, D41AA25AB279D43F6393B93025EA5E2DEF3C5E44B4B5F52A83A4DDE62FDFD4C6 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15848, 832955, 1.0.37625, , ame, , 20886FCF60602A624756A7271589506B, E158105F46D1C21EBF0959BAB4AC56DE365A1E50F61BF2DEA5C079AF295DEB60 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  22. What is MovieSearchTool? The Malwarebytes research team has determined that MovieSearchTool is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by MovieSearchTool? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did MovieSearchTool get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove MovieSearchTool? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of MovieSearchTool? No, Malwarebytes removes MovieSearchTool completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the MovieSearchTool hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.moviesearchtool.com CHR DefaultSearchURL: Default -> hxxps://feed.moviesearchtool.com/?q={searchTerms}&publisher=moviesearchtool&barcodeid=584280000000000 CHR DefaultSearchKeyword: Default -> MovieSearchTool CHR DefaultSuggestURL: Default -> hxxps://api.moviesearchtool.com/suggest/get?q={searchTerms} CHR Extension: (MovieSearchTool) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb [2021-03-01] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0 Adds the file manifest.json"="3/1/2021 9:02 AM, 2120 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/1/2021 9:02 AM, 6255 bytes, A Adds the file verified_contents.json"="10/6/2020 11:06 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\images Adds the file logo-white-text.png"="10/6/2020 11:06 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\images\icons Adds the file 128x128.png"="3/1/2021 9:02 AM, 9798 bytes, A Adds the file 16x16.png"="3/1/2021 9:02 AM, 702 bytes, A Adds the file 64x64.png"="3/1/2021 9:02 AM, 4198 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\scripts Adds the file background.js"="10/6/2020 11:06 AM, 514520 bytes, A Adds the file sitecontent.js"="10/6/2020 11:06 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb Adds the file 000003.log"="3/1/2021 9:02 AM, 0 bytes, A Adds the file CURRENT"="3/1/2021 9:02 AM, 16 bytes, A Adds the file LOCK"="3/1/2021 9:02 AM, 0 bytes, A Adds the file LOG"="3/1/2021 9:02 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/1/2021 9:02 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pnmnfklndbilokgddplokhdlmlkhaphb Adds the file MovieSearchTool.ico"="3/1/2021 9:02 AM, 196949 bytes, A Adds the file MovieSearchTool.ico.md5"="3/1/2021 9:02 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pnmnfklndbilokgddplokhdlmlkhaphb"="REG_SZ", "78A3D07F2CD2E616A9587AE07ADE3797D4E397353C1A18B1268042C6C75C9686" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/1/21 Scan Time: 9:11 AM Log File: c14d54d4-7a65-11eb-82c1-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37613 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233298 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 4 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pnmnfklndbilokgddplokhdlmlkhaphb, Quarantined, 15231, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PNMNFKLNDBILOKGDDPLOKHDLMLKHAPHB, Quarantined, 15231, 799722, 1.0.37613, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , 1D56C00ACDEF2146FD214881F0949EE2, ADA00ED18C8CE7BE41C0BF66EBA9918AFC3CF7C9869C80563A2834C293FF67C7 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , EEAE1DA7F19C2D376915CE0A24A0A935, 57B310B953E848578C4F16FF816AB8A6A591D40FCAC5F807C64E0EA56EEE953B Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\000003.log, Quarantined, 15231, 799722, , , , , 0D630FDD3FEB10765D0F43DDDFBDEDF7, E4AF3D1899051070A1EB6C1FB8D820636D92C7757D76BBBD7D46C38E08C70A49 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\LOCK, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\LOG, Quarantined, 15231, 799722, , , , , FEA63FEC66680EB8AD70324E253DFEDB, 79E07DE941D8BA28ED959075399ECF8239A4EB40414B4CD73B6AC54FF818903F Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PNMNFKLNDBILOKGDDPLOKHDLMLKHAPHB\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37613, , ame, , 90D19280D957DCE6CE3126439DEA6758, 74BBCFB5642BB975FE4DB6B1EB0F1DE0873B04F7366EC39F7A2C60E38FA41F97 PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 14952, 858871, 1.0.37613, , ame, , EEAE1DA7F19C2D376915CE0A24A0A935, 57B310B953E848578C4F16FF816AB8A6A591D40FCAC5F807C64E0EA56EEE953B Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  23. What is HDMovieSearch? The Malwarebytes research team has determined that HDMovieSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and adds Search Recommendations. How do I know if my computer is affected by HDMovieSearch? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did HDMovieSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove HDMovieSearch? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of HDMovieSearch? No, Malwarebytes removes HDMovieSearch completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the HDMovieSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.hdmoviesearch.com/?q={searchTerms}&publisher=hdmoviesearch&barcodeid=577180000000000 CHR DefaultSearchKeyword: Default -> HDMovieSearch CHR DefaultSuggestURL: Default -> hxxps://api.hdmoviesearch.com/suggest/get?q={searchTerms} CHR Extension: (HDMovieSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac [2021-02-26] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0 Adds the file manifest.json"="2/26/2021 8:44 AM, 2096 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/26/2021 8:44 AM, 6255 bytes, A Adds the file verified_contents.json"="8/30/2020 1:44 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\images Adds the file logo-white-text.png"="8/30/2020 1:44 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\images\icons Adds the file 128x128.png"="2/26/2021 8:44 AM, 3700 bytes, A Adds the file 16x16.png"="2/26/2021 8:44 AM, 371 bytes, A Adds the file 64x64.png"="2/26/2021 8:44 AM, 1934 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciemldlbecaohelcffdkcnbdkfakdcac\1.1.0_0\scripts Adds the file background.js"="8/30/2020 1:44 PM, 514502 bytes, A Adds the file sitecontent.js"="8/30/2020 1:44 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac Adds the file 000003.log"="2/26/2021 8:48 AM, 507 bytes, A Adds the file CURRENT"="2/26/2021 8:44 AM, 16 bytes, A Adds the file LOCK"="2/26/2021 8:44 AM, 0 bytes, A Adds the file LOG"="2/26/2021 8:44 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/26/2021 8:44 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ciemldlbecaohelcffdkcnbdkfakdcac Adds the file HDMovieSearch.ico"="2/26/2021 8:44 AM, 172794 bytes, A Adds the file HDMovieSearch.ico.md5"="2/26/2021 8:44 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ciemldlbecaohelcffdkcnbdkfakdcac"="REG_SZ", "5C01EE9A6CFF6EE4D76D055E6EF5AB4772AE0E0CB3462DCC5BEB3B6447DA6266" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/26/21 Scan Time: 8:58 AM Log File: 6db9651a-7808-11eb-b7dc-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37507 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233260 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 4 min, 50 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ciemldlbecaohelcffdkcnbdkfakdcac, Quarantined, 15231, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CIEMLDLBECAOHELCFFDKCNBDKFAKDCAC, Quarantined, 15231, 799722, 1.0.37507, , ame, , , File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , E4D5A7E047AE4042E345C28F63F88434, DD1314E9E4BEEBD33FFA0B0010F98E6D18D1636FA25A6333CD808A1A7AD548A8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , A4DE2582714B3F02322EAAA0BF800B66, 173276BFA2922117F894768B8E5ECBF72CF3F1FE677CA62FB6729728EBEB7EB8 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac\000003.log, Quarantined, 15231, 799722, , , , , 89B3923A7B3AAA46E6BFB31464B9662E, 20977C5EAE6D2816A943804C9C8D264930802BE1B25A2FE5C1289DC8C1B333E5 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac\LOCK, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac\LOG, Quarantined, 15231, 799722, , , , , EE7E390A9569E59848CB0032C6C7DD41, 7B79610B95006B4BD8F1E8757DB386FE8C861CAF00E1478A68A5C818C4D695F2 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ciemldlbecaohelcffdkcnbdkfakdcac\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CIEMLDLBECAOHELCFFDKCNBDKFAKDCAC\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37507, , ame, , 47FDB93F6CF303861648712F82731253, 4439C5376D9C3D1D0D40221D3B98CB0E4613D89F841DE895436D616AC7CE94C2 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  24. What is PDFConverterSearchApp? The Malwarebytes research team has determined that PDFConverterSearchApp is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by PDFConverterSearchApp? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did PDFConverterSearchApp get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFConverterSearchApp? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFConverterSearchApp? No, Malwarebytes removes PDFConverterSearchApp completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFConverterSearchApp hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.pdfconvertersearchapp.com CHR DefaultSearchURL: Default -> hxxps://feed.pdfconvertersearchapp.com/?q={searchTerms}&publisher=pdfconvertersearchapp&barcodeid=586540000000000 CHR DefaultSearchKeyword: Default -> PDFConverterSearchApp CHR DefaultSuggestURL: Default -> hxxps://api.pdfconvertersearchapp.com/suggest/get?q={searchTerms} CHR Extension: (PDFConverterSearchApp) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml [2021-02-23] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0 Adds the file manifest.json"="2/23/2021 8:51 AM, 2192 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/23/2021 8:51 AM, 6725 bytes, A Adds the file verified_contents.json"="11/22/2020 11:22 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\images Adds the file logo-white-text.png"="11/22/2020 11:22 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\images\icons Adds the file 128x128.png"="2/23/2021 8:51 AM, 2705 bytes, A Adds the file 16x16.png"="2/23/2021 8:51 AM, 431 bytes, A Adds the file 64x64.png"="2/23/2021 8:51 AM, 1524 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\scripts Adds the file background.js"="11/22/2020 11:22 AM, 553520 bytes, A Adds the file sitecontent.js"="11/22/2020 11:22 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml Adds the file 000003.log"="2/23/2021 8:51 AM, 772 bytes, A Adds the file CURRENT"="2/23/2021 8:51 AM, 16 bytes, A Adds the file LOCK"="2/23/2021 8:51 AM, 0 bytes, A Adds the file LOG"="2/23/2021 8:52 AM, 0 bytes, A Adds the file LOG.old"="2/23/2021 8:51 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/23/2021 8:51 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_cblanbpgmlklhkagkhielejnbekfhgml Adds the file PDFConverterSearchApp.ico"="2/23/2021 8:51 AM, 167009 bytes, A Adds the file PDFConverterSearchApp.ico.md5"="2/23/2021 8:51 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cblanbpgmlklhkagkhielejnbekfhgml"="REG_SZ", "E0BB14EFCF360DCD9F079792C8C0304B764520F6BC38ACA5472CEED8CB0F4894" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/23/21 Scan Time: 9:03 AM Log File: 9fe92f14-75ad-11eb-a024-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37409 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233235 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 3 min, 53 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cblanbpgmlklhkagkhielejnbekfhgml, Quarantined, 15231, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CBLANBPGMLKLHKAGKHIELEJNBEKFHGML, Quarantined, 15231, 799722, 1.0.37409, , ame, , , File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , 08201ECD1B85FF76F1A530F7F1CD60FA, B1BC63963EDB300951864E8313D40FF11B15C2350E063C48B476887CE50CC5C1 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , 72371288828C9FF920161D362A9696D0, 883E233ADECA0F30A6F171774213F6CB16337E7A0434CC00A2BCAFB31A301CDC Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\000003.log, Quarantined, 15231, 799722, , , , , 67FC137A21E8071A243A4E623765F366, 3C2751C90D48A69328831A9BC0DD02B786699ED3D5F584AB24BF25502636188D Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\LOCK, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\LOG, Quarantined, 15231, 799722, , , , , B5AAD68D85A7BBE311E96DBD055809DD, BE0E99A8647036469D3CDBF8A2E20A59ACA811061A0881A3454D6446DDAAF0EB Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\LOG.old, Quarantined, 15231, 799722, , , , , F5456C85FF94C78C3AEB779FB4449CD0, C03159C8CD18EA9239AA281E3A3C9456BC5D56C0998CD0E677D8A91A07BFE365 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CBLANBPGMLKLHKAGKHIELEJNBEKFHGML\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37409, , ame, , 64D23C0EBA8E789DA30A1D1773435FD7, F2FAAD057EB6A40FCA8ACAFB0601609F54C8968A2588485B4976D8269EDA7B23 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15848, 832955, 1.0.37409, , ame, , 72371288828C9FF920161D362A9696D0, 883E233ADECA0F30A6F171774213F6CB16337E7A0434CC00A2BCAFB31A301CDC Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  25. What is GameSearcher? The Malwarebytes research team has determined that GameSearcher is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine and adds Search Recommendations. How do I know if my computer is affected by GameSearcher? You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install: How did GameSearcher get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove GameSearcher? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of GameSearcher? No, Malwarebytes removes GameSearcher completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the GameSearcher hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.game-searcher.com/?q={searchTerms}&publisher=gamesearcher&barcodeid=576940000000000 CHR DefaultSearchKeyword: Default -> GameSearcher CHR DefaultSuggestURL: Default -> hxxps://api.game-searcher.com/suggest/get?q={searchTerms} CHR Extension: (GameSearcher) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod [2021-02-22] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod\1.1.0_0 Adds the file manifest.json"="2/22/2021 8:50 AM, 2090 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/22/2021 8:50 AM, 6255 bytes, A Adds the file verified_contents.json"="8/9/2020 9:01 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod\1.1.0_0\images Adds the file logo-white-text.png"="8/9/2020 9:01 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod\1.1.0_0\images\icons Adds the file 128x128.png"="2/22/2021 8:50 AM, 8631 bytes, A Adds the file 16x16.png"="2/22/2021 8:50 AM, 693 bytes, A Adds the file 64x64.png"="2/22/2021 8:50 AM, 3995 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnhoddhapmmplpkmbgehgnhdmfbkjod\1.1.0_0\scripts Adds the file background.js"="8/9/2020 9:01 AM, 514494 bytes, A Adds the file sitecontent.js"="8/9/2020 9:01 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bfnhoddhapmmplpkmbgehgnhdmfbkjod Adds the file 000003.log"="2/22/2021 8:53 AM, 780 bytes, A Adds the file CURRENT"="2/22/2021 8:50 AM, 16 bytes, A Adds the file LOCK"="2/22/2021 8:50 AM, 0 bytes, A Adds the file LOG"="2/22/2021 8:50 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/22/2021 8:50 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bfnhoddhapmmplpkmbgehgnhdmfbkjod Adds the file GameSearcher.ico"="2/22/2021 8:50 AM, 192304 bytes, A Adds the file GameSearcher.ico.md5"="2/22/2021 8:50 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bfnhoddhapmmplpkmbgehgnhdmfbkjod"="REG_SZ", "1E01B86C836EC0828E96E04F9D71DCCF7FA2E1592CD433402D8281CB9BE73AE4" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/22/21 Scan Time: 8:59 AM Log File: e941c2c2-74e3-11eb-90f9-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37377 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233228 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 3 min, 28 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bfnhoddhapmmplpkmbgehgnhdmfbkjod, Quarantined, 15231, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\bfnhoddhapmmplpkmbgehgnhdmfbkjod, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BFNHODDHAPMMPLPKMBGEHGNHDMFBKJOD, Quarantined, 15231, 799722, 1.0.37377, , ame, , , File: 8 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , 7590B64B91E8473A5B2529594902CCE4, 111925D6413D2ABE37F373231617CE6B4347A79E9C984AA10F78413B2CE8558F Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , A144BA24A1C48C43991601EC7F0F94FB, 2851C7B5AA3E3748C42D2E6D25B364CD1503787C9FAE3FA82E10EC86119466B0 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bfnhoddhapmmplpkmbgehgnhdmfbkjod\000003.log, Quarantined, 15231, 799722, , , , , AAEED116BD123790265E48C41D02E870, 90C1DD21C30523A7A4D136260CDA934489DB4234745D251C0F10E931E78C9F45 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bfnhoddhapmmplpkmbgehgnhdmfbkjod\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bfnhoddhapmmplpkmbgehgnhdmfbkjod\LOCK, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bfnhoddhapmmplpkmbgehgnhdmfbkjod\LOG, Quarantined, 15231, 799722, , , , , 69D3C7CCB5E696F96046B8CFF4B93233, 4FC73D116D1C3620C07B0618E1E0619B23D539C6A6A9F27BD3BD909E1E43994C Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bfnhoddhapmmplpkmbgehgnhdmfbkjod\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BFNHODDHAPMMPLPKMBGEHGNHDMFBKJOD\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37377, , ame, , A1BBC8E608882BF77355B4B9A28393DD, AEC2296FA9252E8DA100867F685B0F8E72C3551A35103E3C317857901B56A7CB Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.