
Showing results for tags 'pup.optional.forcedextension'.

Found 9 results

  1. What is Clip Finder?

     The Malwarebytes research team has determined that Clip Finder is a potentially unwanted program (PUP) that behaves like adware. This PUP was pushed by malvertising websites as fake updates.

     How do I know if my computer is affected by Clip Finder?

     You may see one of these entries in your list of installed browser extensions:

     You may have noticed one of these warnings during install:

     and this new rightclick menu for selected text:

     How did Clip Finder get on my computer?

     PUPs use different methods for distributing themselves. This particular one was downloaded from the webstore:

     after a redirect from their website:

     How do I remove Clip Finder?

     Our program Malwarebytes can detect and remove this PUP.

       • Please download Malwarebytes for Windows to your desktop.
       • Double-click MBSetup.exe and follow the prompts to install the program.
       • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
       • Click on the Get started button.
       • Click Scan to start a Threat Scan.
       • When the scan is finished click Quarantine to remove the found items.
       • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of Clip Finder?

     No, Malwarebytes removes Clip Finder completely.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you remove this PUP. As you can see below the full version of Malwarebytes would have protected you against the Clip Finder PUP. It would have blocked the installer before it became too late.

     Technical details for experts

     Possible signs in FRST logs:

     Edge Extension: (Clip Finder) - C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\adofelgdgkoeiclilehfciedimiepdnl [2021-07-01]
     FF Extension: (Clip Finder) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\profile.default\Extensions\clipsearch@ext.xpi [2021-07-01] [UpdateUrl:hxxps://clip-finder.com/FirefoxApiFolder/extension.json]
     CHR Extension: (Clip Finder) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\njnmjhifihjacdmhmdapcjgjkhhpcjdd [2021-07-01]

     Significant changes made by the installer:

     File system details

     Registry details

     [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
     "njnmjhifihjacdmhmdapcjgjkhhpcjdd"="REG_SZ", "099F4AFCA09077B9A5BA4037590DE4104BAC3DD1649738929DA16860C96F67E3"
     [HKEY_CURRENT_USER\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings]
     "adofelgdgkoeiclilehfciedimiepdnl"="REG_SZ", "37DE9BEBAE2A577469DD50CF1606088BE577508598FAA323A24F771CCC28CEC7"

     Malwarebytes log:

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

       • Dynamically Blocks Malware Sites & Servers
       • Malware Execution Prevention

     Save yourself the hassle and get protected.

     Pieter Arntz

  2. What is Clean Master?

     The Malwarebytes research team has determined that Clean Master pushes notifications and qualifies as a forced Edge extension.

     How do I know if my computer is affected by Clean Master?

     You may see these warnings during install:

     You may see this entry in your list of installed Edge extensions:

     and this icon in the browser menu bar:

     This is the main screen of the application:

     How did Clean Master get on my computer?

     Forced extensions use misleading methods for distributing themselves. This particular one was pushed by a fake system popup:

     that redirected the user to the webstore:

     How do I remove Clean Master?

     Our program Malwarebytes can detect and remove this unwanted program.

       • Please download Malwarebytes for Windows to your desktop.
       • Double-click MBSetup.exe and follow the prompts to install the program.
       • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
       • Click on the Get started button.
       • Click Scan to start a Threat Scan.
       • When the scan is finished click Quarantine to remove the found threats.
       • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of Clean Master?

     No, Malwarebytes removes Clean Master completely.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this forced extension.
     We protect our customers from these extensions by blocking the sites that spread them:

     Technical details for experts

     Possible signs in FRST logs:

     Edge Extension: (Clean Master) - C:\Users\{username}\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\fglppimedodihgiikeephjaepcflbeoe [2021-06-16]

     Alterations made by the installer:

     File system details

     Registry details

     [HKEY_CURRENT_USER\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings]
     "fglppimedodihgiikeephjaepcflbeoe"="REG_SZ", "FF5337FD477876B5623DDBA67330355D2C1F7CEB4078DDF351BF6CF99E427DEB"

     Malwarebytes log:

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

       • Dynamically Blocks Malware Sites & Servers
       • Malware Execution Prevention

     Save yourself the hassle and get protected.

  3. What is Tag Search?

     The Malwarebytes research team has determined that Tag Search is adware. These adware applications display advertisements not originating from the sites you are browsing.

     How do I know if my computer is affected by Tag Search?

     You may see this entry in your list of installed Chrome extensions:

     these warnings during install:

     and this new context menu when you select text on a website:

     How did Tag Search get on my computer?

     Adware applications use different methods for distributing themselves. This particular one was downloaded from the webstore:

     after a redirect from their website:

     How do I remove Tag Search?

     Our program Malwarebytes can detect and remove this adware program.

       • Please download Malwarebytes for Windows to your desktop.
       • Double-click MBSetup.exe and follow the prompts to install the program.
       • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
       • Click on the Get started button.
       • Click Scan to start a Threat Scan.
       • When the scan is finished click Quarantine to remove the found threats.
       • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of Tag Search?

     No, Malwarebytes removes Tag Search completely.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this adware. As you can see below, Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Tag Search adware. It would have blocked the installer before it became too late.
Technical details for experts Possible signs in FRST logs: CHR Extension: (Tag Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdeljicacjfkikakemhlhmnnepbinpgf [2021-03-31] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdeljicacjfkikakemhlhmnnepbinpgf\2.0_0 Adds the file manifest.json"="3/31/2021 8:55 AM, 1115 bytes, A Adds the file methods.js"="12/29/2020 2:40 PM, 3980 bytes, A Adds the file tag.js"="12/29/2020 1:53 PM, 5252 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdeljicacjfkikakemhlhmnnepbinpgf\2.0_0\_metadata Adds the file computed_hashes.json"="3/31/2021 8:55 AM, 1377 bytes, A Adds the file verified_contents.json"="12/29/2020 2:40 PM, 2151 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdeljicacjfkikakemhlhmnnepbinpgf\2.0_0\image Adds the file 128magnifying-glass.png"="3/31/2021 8:55 AM, 8302 bytes, A Adds the file 16magnifying-glass.png"="3/31/2021 8:55 AM, 811 bytes, A Adds the file 32magnifying-glass.png"="3/31/2021 8:55 AM, 1783 bytes, A Adds the file 64magnifying-glass.png"="3/31/2021 8:55 AM, 3846 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdeljicacjfkikakemhlhmnnepbinpgf\2.0_0\js_lib Adds the file jquery.js"="11/26/2020 6:48 PM, 86670 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf Adds the file 000003.log"="3/31/2021 8:55 AM, 224 bytes, A Adds the file CURRENT"="3/31/2021 8:55 AM, 16 bytes, A Adds the file LOCK"="3/31/2021 8:55 AM, 0 bytes, A Adds the file LOG"="3/31/2021 8:55 AM, 185 bytes, A Adds the file MANIFEST-000001"="3/31/2021 8:55 AM, 41 
bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gdeljicacjfkikakemhlhmnnepbinpgf"="REG_SZ", "77BBD7C4E03E9B3360EDDE091ADDE5672DD007FAEF693ED2DAB73D6596F3E5E0" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/31/21 Scan Time: 1:56 PM Log File: 21bacf12-9218-11eb-9207-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1236 Update Package Version: 1.0.38934 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233730 Threats Detected: 10 Threats Quarantined: 10 Time Elapsed: 2 min, 1 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ForcedExtension, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gdeljicacjfkikakemhlhmnnepbinpgf, Quarantined, 298, 926811, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf, Quarantined, 298, 926811, , , , , , PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\Google\Chrome\USER DATA\Default\EXTENSIONS\gdeljicacjfkikakemhlhmnnepbinpgf, Quarantined, 298, 926811, 1.0.38934, , ame, , , File: 7 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 298, 926811, , , , , 
F3153FE17CB442FF8037EBD2CE56E025, FA2554B1E9807019B15795668A7400C1B98760323549E23784FE9F557FDC125F PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 298, 926811, , , , , B65DCAF86E01EDC9EA6B5E53056973BE, ACBE02E782A9C7E6C8023A973292D903A842CA7962CA6DB900B3F024D920F5A6 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf\000003.log, Quarantined, 298, 926811, , , , , BDD4E6E04A4397AF7BC83417945C8D9F, 58D42CDCE1DFA83D87E7F20945ACF4379CC9F046160E764C794C51894B83BD1F PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf\CURRENT, Quarantined, 298, 926811, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf\LOCK, Quarantined, 298, 926811, , , , , , PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf\LOG, Quarantined, 298, 926811, , , , , 7F612FDA0225E1D800BC5A5D4167EF19, 99DEF1E21088FB0CDA60930C8BD468BA1F5A3E8B0D54CE3B1EABEA1684207607 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gdeljicacjfkikakemhlhmnnepbinpgf\MANIFEST-000001, Quarantined, 298, 926811, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. 
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  4. What is Screenshot Tool and Editor? The Malwarebytes research team has determined that Screenshot Tool and Editor is a forced Chrome extension. This particular extension was pushed through persistent pop-ups and opens connections to blocked domains. How do I know if my computer is affected by Screenshot Tool and Editor? You may see these warnings during install: and this extension in the list of installed extensions: After the install you may see this menu accessible from the browser menu-bar: How did Screenshot Tool and Editor get on my computer? Forced extensions use a typical method for distributing themselves. This particular one was also available in the webstore. How do I remove Screenshot Tool and Editor? Our program Malwarebytes can detect and remove this unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Screenshot Tool and Editor? No, Malwarebytes removes Screenshot Tool and Editor completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this forced extension. 
We protect our customers from these extensions by blocking the sites that spread them and by alerting users about the connections to unwanted sites: Technical details for experts Possible signs in FRST logs: CHR Extension: (Screenshot Tool and Editor) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal [2021-01-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0 Adds the file index.html"="12/22/2020 4:37 AM, 354 bytes, A Adds the file manifest.json"="1/15/2021 9:18 AM, 1359 bytes, A Adds the file modal.html"="12/22/2020 4:37 AM, 611 bytes, A Adds the file settings.html"="12/22/2020 4:37 AM, 409 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\_metadata Adds the file computed_hashes.json"="1/15/2021 9:18 AM, 49382 bytes, A Adds the file verified_contents.json"="12/22/2020 4:37 AM, 14672 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\assets Adds the file 128.png"="1/15/2021 9:18 AM, 12226 bytes, A Adds the file 32.png"="1/15/2021 9:18 AM, 2327 bytes, A Adds the file 64.png"="1/15/2021 9:18 AM, 5654 bytes, A Adds the file f.js"="12/22/2020 4:37 AM, 296959 bytes, A Adds the file hot-reload.js"="12/22/2020 4:37 AM, 1291 bytes, A Adds the file jspdf.js"="12/22/2020 4:37 AM, 307591 bytes, A Adds the file konva.js"="12/22/2020 4:37 AM, 154759 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\assets\css Adds the file didactgothic.css"="12/22/2020 4:37 AM, 180 bytes, A Adds the file hidescrollbar.css"="12/22/2020 4:37 AM, 83 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\assets\css\fonts Adds the file DidactGothic-Regular.woff"="12/22/2020 4:37 AM, 94416 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\assets\images Adds the file 128_disabled.png"="12/22/2020 4:37 AM, 25143 bytes, A Adds the file 32_disabled.png"="12/22/2020 4:37 AM, 19168 bytes, A Adds the file 64_disabled.png"="12/22/2020 4:37 AM, 21454 bytes, A Adds the file add-page.svg"="12/22/2020 4:37 AM, 1619 bytes, A Adds the file arrow.png"="12/22/2020 4:37 AM, 17115 bytes, A Adds the file back.svg"="12/22/2020 4:37 AM, 1494 bytes, A Adds the file browser-window.svg"="12/22/2020 4:37 AM, 1760 bytes, A Adds the file circle.png"="12/22/2020 4:37 AM, 17443 bytes, A Adds the file circle.svg"="12/22/2020 4:37 AM, 864 bytes, A Adds the file cursor-image.svg"="12/22/2020 4:37 AM, 1278 bytes, A Adds the file cursor-imagen.svg"="12/22/2020 4:37 AM, 737 bytes, A Adds the file dotted-line.svg"="12/22/2020 4:37 AM, 752 bytes, A Adds the file download-entire-page.svg"="12/22/2020 4:37 AM, 2030 bytes, A Adds the file edit.png"="12/22/2020 4:37 AM, 17587 bytes, A Adds the file entire-page.svg"="12/22/2020 4:37 AM, 2043 bytes, A Adds the file line.svg"="12/22/2020 4:37 AM, 791 bytes, A Adds the file line-width.svg"="12/22/2020 4:37 AM, 1085 bytes, A Adds the file logo-vvvv.png"="12/22/2020 4:37 AM, 13972 bytes, A Adds the file message.svg"="12/22/2020 4:37 AM, 2284 bytes, A Adds the file new-arrow.svg"="12/22/2020 4:37 AM, 1326 bytes, A Adds the file new-double-arrow.svg"="12/22/2020 4:37 AM, 1138 bytes, A Adds the file new-zig-zag-arrow.svg"="12/22/2020 4:37 AM, 
1394 bytes, A Adds the file next.svg"="12/22/2020 4:37 AM, 1577 bytes, A Adds the file not-working.png"="12/22/2020 4:37 AM, 8957 bytes, A Adds the file options.png"="12/22/2020 4:37 AM, 244206 bytes, A Adds the file remove.svg"="12/22/2020 4:37 AM, 457 bytes, A Adds the file selected-area.svg"="12/22/2020 4:37 AM, 2253 bytes, A Adds the file square.svg"="12/22/2020 4:37 AM, 890 bytes, A Adds the file text.png"="12/22/2020 4:37 AM, 16490 bytes, A Adds the file text-edit.png"="12/22/2020 4:37 AM, 18147 bytes, A Adds the file text-edit.svg"="12/22/2020 4:37 AM, 1932 bytes, A Adds the file triangle.svg"="12/22/2020 4:37 AM, 375 bytes, A Adds the file update-arrows.svg"="12/22/2020 4:37 AM, 2874 bytes, A Adds the file visible-page.svg"="12/22/2020 4:37 AM, 2048 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\js Adds the file background.js"="12/22/2020 4:37 AM, 132590 bytes, A Adds the file content-script.js"="12/22/2020 4:37 AM, 104706 bytes, A Adds the file modal.js"="12/22/2020 4:37 AM, 1859040 bytes, A Adds the file popup.js"="12/22/2020 4:37 AM, 114018 bytes, A Adds the file settings.js"="12/22/2020 4:37 AM, 315139 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal Adds the file 000003.log"="1/15/2021 9:18 AM, 929 bytes, A Adds the file CURRENT"="1/15/2021 9:18 AM, 16 bytes, A Adds the file LOCK"="1/15/2021 9:18 AM, 0 bytes, A Adds the file LOG"="1/15/2021 9:18 AM, 184 bytes, A Adds the file MANIFEST-000001"="1/15/2021 9:18 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ijejnggjjphlenbhmjhhgcdpehhacaal"="REG_SZ", "3FDD3E3B7E75D0B00F8F3216E0408337D9EECF9C74464A60DFC2383719542DFE" Malwarebytes log: Malwarebytes 
www.malwarebytes.com -Log Details- Scan Date: 1/15/21 Scan Time: 9:33 AM Log File: 55b42454-570c-11eb-adb6-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1130 Update Package Version: 1.0.35775 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232858 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 3 min, 30 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ForcedExtension, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ijejnggjjphlenbhmjhhgcdpehhacaal, Quarantined, 8634, 897256, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal, Quarantined, 8634, 897256, , , , , , PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\ijejnggjjphlenbhmjhhgcdpehhacaal, Quarantined, 8634, 897256, 1.0.35775, , ame, , , File: 8 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 8634, 897256, , , , , 0EB3A57DF61F08DB108AF1FB8DD20794, 213643B03991F947863069FF185D2DA9F917EB15D92DBB4A6DCB97B900C872E9 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 8634, 897256, , , , , 5E674D532607383CD6921D4978C70733, 83E98A6BADDF6EBFF6677817328F04AF3E2EE589601683D5D89884DD9EA01B49 
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\000003.log, Quarantined, 8634, 897256, , , , , 1F36C498B0B629A28FFC44D2FBFA7639, B455ECD2D976423F07C1DE1F1F877911878B0944D790DB1460DCEC46566077FA PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\CURRENT, Quarantined, 8634, 897256, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\LOCK, Quarantined, 8634, 897256, , , , , , PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\LOG, Quarantined, 8634, 897256, , , , , 983D1B2AFD021613B393E9696C59FE43, 3B5CA9EEF93772305DE855FD914BAC438296BC1D1D32DF4DFAC9063B18146080 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\LOG.old, Quarantined, 8634, 897256, , , , , F5F8C9A1A9035D8EAB3F179679E5D3D9, 39F839F24EA7E4CE933E74214908782C89B7BBBD5EC9CFBE070A1E1773D3F562 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\MANIFEST-000001, Quarantined, 8634, 897256, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. 
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  5. What is InternetSpeedUtility? The Malwarebytes research team has determined that InternetSpeedUtility is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by InternetSpeedUtility? You may see this browser extension: these warnings during install: this new startpage: and this new setting: How did InternetSpeedUtility get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove InternetSpeedUtility? Our program Malwarebytes can detect and remove this potentially unwanted program. [Mindspark only] You can use their own uninstall instructions first, but I would advise following the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of InternetSpeedUtility? No, Malwarebytes' Anti-Malware removes InternetSpeedUtility completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the hijacker. 
It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://bdmpgbmbdllbpdidgdcliliimmkeocin/ntp1.html" CHR Extension: (InternetSpeedUtility) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin [2020-12-01] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0 Adds the file manifest.json"="12/1/2020 9:33 AM, 2688 bytes, A Adds the file ntp1.html"="10/30/2020 6:12 PM, 1348 bytes, A Adds the file ntp2.html"="10/30/2020 6:12 PM, 1282 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\_locales\de Adds the file messages.json"="12/1/2020 9:33 AM, 223 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\_locales\en Adds the file messages.json"="12/1/2020 9:33 AM, 311 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\_locales\es Adds the file messages.json"="12/1/2020 9:33 AM, 232 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\_locales\es_419 Adds the file messages.json"="12/1/2020 9:33 AM, 236 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\_locales\fr Adds the file messages.json"="12/1/2020 9:33 AM, 244 
bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\_locales\it Adds the file messages.json"="12/1/2020 9:33 AM, 230 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\_locales\ja Adds the file messages.json"="12/1/2020 9:33 AM, 371 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\_locales\pt_BR Adds the file messages.json"="12/1/2020 9:33 AM, 240 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\_locales\pt_PT Adds the file messages.json"="12/1/2020 9:33 AM, 240 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\_metadata Adds the file computed_hashes.json"="12/1/2020 9:33 AM, 8698 bytes, A Adds the file verified_contents.json"="10/30/2020 6:12 PM, 9289 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\config Adds the file config.json"="10/30/2020 6:12 PM, 3151 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\icons Adds the file icon128.png"="12/1/2020 9:33 AM, 5055 bytes, A Adds the file icon16.png"="12/1/2020 9:33 AM, 406 bytes, A Adds the file icon19disabled.png"="10/30/2020 6:12 PM, 1499 bytes, A Adds the file icon19on.png"="12/1/2020 9:33 AM, 706 bytes, A Adds the file icon48.png"="12/1/2020 9:33 AM, 1891 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\bdmpgbmbdllbpdidgdcliliimmkeocin\13.958.19.24177_0\js Adds the file ajax.js"="10/30/2020 6:12 PM, 3263 bytes, A Adds the file B2BService.js"="10/30/2020 6:12 PM, 11775 bytes, A Adds the file babAPI.js"="10/30/2020 6:12 PM, 5950 bytes, A Adds the file babClickHandler.js"="10/30/2020 6:12 PM, 3485 bytes, A Adds the file babContentScript.js"="10/30/2020 6:12 PM, 10509 bytes, A Adds the file babContentScriptAPI.js"="10/30/2020 6:12 PM, 13191 bytes, A Adds the file babRemoteConfigProcessor.js"="10/30/2020 6:12 PM, 4311 bytes, A Adds the file babTypeFactory.js"="10/30/2020 6:12 PM, 1999 bytes, A Adds the file babTypeInjectionEmbededPage.js"="10/30/2020 6:12 PM, 3383 bytes, A Adds the file babTypeInjectionIframe.js"="10/30/2020 6:12 PM, 2114 bytes, A Adds the file babTypeInjectionIframeAPIProxy.js"="10/30/2020 6:12 PM, 3160 bytes, A Adds the file babTypeInjectionScript.js"="10/30/2020 6:12 PM, 4111 bytes, A Adds the file background.js"="10/30/2020 6:12 PM, 30047 bytes, A Adds the file browserUtils.js"="10/30/2020 6:12 PM, 1896 bytes, A Adds the file chrome.js"="10/30/2020 6:12 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="10/30/2020 6:12 PM, 23601 bytes, A Adds the file dailyContentService.js"="10/30/2020 6:12 PM, 11632 bytes, A Adds the file dateTimeUtils.js"="10/30/2020 6:12 PM, 1213 bytes, A Adds the file dlp.js"="10/30/2020 6:12 PM, 13393 bytes, A Adds the file dlpHelper.js"="10/30/2020 6:12 PM, 1717 bytes, A Adds the file extensionDetect.js"="10/30/2020 6:12 PM, 4357 bytes, A Adds the file extensionDetectWithHash.js"="10/30/2020 6:12 PM, 3986 bytes, A Adds the file globalConfigService.js"="10/30/2020 6:12 PM, 1319 bytes, A Adds the file index.js"="10/30/2020 6:12 PM, 49 bytes, A Adds the file localStorageContentScript.js"="10/30/2020 6:12 PM, 2237 bytes, A Adds the file logger.js"="10/30/2020 6:12 PM, 531 bytes, A Adds the file loggingLevelUtils.js"="10/30/2020 6:12 PM, 1976 bytes, A Adds the file meta.js"="10/30/2020 6:12 
PM, 3300 bytes, A Adds the file newTabPageRedirectHandler.js"="10/30/2020 6:12 PM, 2902 bytes, A Adds the file notificationService.js"="10/30/2020 6:12 PM, 15360 bytes, A Adds the file offerService.js"="10/30/2020 6:12 PM, 17241 bytes, A Adds the file pageUtils.js"="10/30/2020 6:12 PM, 4197 bytes, A Adds the file PartnerId.js"="10/30/2020 6:12 PM, 16402 bytes, A Adds the file polyfill.js"="10/30/2020 6:12 PM, 875 bytes, A Adds the file product.js"="10/30/2020 6:12 PM, 8337 bytes, A Adds the file pTagService.js"="10/30/2020 6:12 PM, 7300 bytes, A Adds the file remoteConfigLoader.js"="10/30/2020 6:12 PM, 6653 bytes, A Adds the file scheduler.js"="10/30/2020 6:12 PM, 4419 bytes, A Adds the file splashPageRedirectHandler.js"="10/30/2020 6:12 PM, 3762 bytes, A Adds the file storageUtils.js"="10/30/2020 6:12 PM, 1718 bytes, A Adds the file surveyService.js"="10/30/2020 6:12 PM, 5401 bytes, A Adds the file templateParser.js"="10/30/2020 6:12 PM, 3153 bytes, A Adds the file ul.js"="10/30/2020 6:12 PM, 7044 bytes, A Adds the file urlFragmentActions.js"="10/30/2020 6:12 PM, 2453 bytes, A Adds the file urlUtils.js"="10/30/2020 6:12 PM, 6382 bytes, A Adds the file util.js"="10/30/2020 6:12 PM, 6714 bytes, A Adds the file watchExtensionsHandler.js"="10/30/2020 6:12 PM, 10297 bytes, A Adds the file webtooltabAPI.js"="10/30/2020 6:12 PM, 12619 bytes, A Adds the file webTooltabAPIProxy.js"="10/30/2020 6:12 PM, 8782 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bdmpgbmbdllbpdidgdcliliimmkeocin Adds the file 000003.log"="12/1/2020 9:33 AM, 0 bytes, A Adds the file CURRENT"="12/1/2020 9:33 AM, 16 bytes, A Adds the file LOCK"="12/1/2020 9:33 AM, 0 bytes, A Adds the file LOG"="12/1/2020 9:33 AM, 0 bytes, A Adds the file MANIFEST-000001"="12/1/2020 9:33 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ 
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bdmpgbmbdllbpdidgdcliliimmkeocin"="REG_SZ", "73FDE5921469BF56B41A236CD22620D11A1C811840C5B2F7D41EC1DCA2766168" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/1/20 Scan Time: 9:42 AM Log File: 16193736-33b1-11eb-92b8-080027235d76.json -Software Information- Version: 4.2.3.96 Components Version: 1.0.1122 Update Package Version: 1.0.33690 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232121 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 3 min, 3 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ForcedExtension, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bdmpgbmbdllbpdidgdcliliimmkeocin, Quarantined, 298, 848753, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\bdmpgbmbdllbpdidgdcliliimmkeocin, Quarantined, 298, 848753, , , , , , PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\bdmpgbmbdllbpdidgdcliliimmkeocin, Quarantined, 298, 848753, 1.0.33690, , ame, , , File: 8 PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 298, 848753, , , , , 368606E0FD1369BD2421E087865EA150, 879F9FB25041D948DAAF9F8ABEAAC6EE719816239685C98D37F9FCA7BAD07F87 
PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 298, 848753, , , , , 6986B542ACE6C54F13DF9307442093AF, 5BC659E626EE2ADF0477BC344F6853D7EAD9283EA710354431D77C37F3DE3869 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bdmpgbmbdllbpdidgdcliliimmkeocin\000003.log, Quarantined, 298, 848753, , , , , 630B4389437976B19C1228BDA31AEFD6, 062CCD2B3AF5A69C658A186B2867BA2D0002C4C12478EFAD0B18985AF477809B PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bdmpgbmbdllbpdidgdcliliimmkeocin\CURRENT, Quarantined, 298, 848753, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bdmpgbmbdllbpdidgdcliliimmkeocin\LOCK, Quarantined, 298, 848753, , , , , , PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bdmpgbmbdllbpdidgdcliliimmkeocin\LOG, Quarantined, 298, 848753, , , , , 5CF3822DCF7EC7B1C9B799092DE2BBEC, 4C935B57C0B6E4527CA0412A2CBF0C3319D64AE2F88263A6C9BA909332A1DC6A PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bdmpgbmbdllbpdidgdcliliimmkeocin\MANIFEST-000001, Quarantined, 298, 848753, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BDMPGBMBDLLBPDIDGDCLILIIMMKEOCIN\13.958.19.24177_0\MANIFEST.JSON, Quarantined, 1836, 867816, 1.0.33690, , ame, , 01C16F0FB59E2E94116D674FF0E81B63, B436518B30A2EDE814182A925D1B7633E599ADD8DE6C098F0734931B82C88968 Physical Sector: 0 (No malicious items detected) 
WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  6. What is Free Package Tracker Plus? The Malwarebytes research team has determined that Free Package Tracker Plus is a potentially unwanted program (PUP) that behaves like adware. These adware applications display advertisements not originating from the sites you are browsing. How do I know if my computer is affected by Free Package Tracker Plus? You may see these warnings during install: and this entry in your list of installed browser extensions: This particular one displays an advertisement on every page you visit: or the minimized version: How did Free Package Tracker Plus get on my computer? Adware applications use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Free Package Tracker Plus? Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Free Package Tracker Plus? No, Malwarebytes removes Free Package Tracker Plus completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. The full version of Malwarebytes would have protected you against the Free Package Tracker Plus adware. It would have blocked their site before it became too late. 
Technical details for experts Possible signs in FRST logs: CHR Extension: (Free Package Tracker Plus) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbconaaffabelmgeenpebcapbnnoigpc [2020-07-10] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbconaaffabelmgeenpebcapbnnoigpc\2.2.1075.102_0 Adds the file background.html"="7/3/2020 1:30 AM, 1958 bytes, A Adds the file block-list.txt"="7/3/2020 1:30 AM, 254 bytes, A Adds the file manifest.json"="7/10/2020 8:53 AM, 1742 bytes, A Adds the file widget.config.json"="7/2/2020 8:08 AM, 11390 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbconaaffabelmgeenpebcapbnnoigpc\2.2.1075.102_0\_metadata Adds the file computed_hashes.json"="7/10/2020 8:53 AM, 6383 bytes, A Adds the file verified_contents.json"="7/3/2020 1:30 AM, 6803 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbconaaffabelmgeenpebcapbnnoigpc\2.2.1075.102_0\control\background Adds the file ad-request-handler.js"="7/3/2020 1:30 AM, 3307 bytes, A Adds the file ad-response-handler.js"="7/3/2020 1:30 AM, 3119 bytes, A Adds the file background-event-manager.js"="7/3/2020 1:30 AM, 8816 bytes, A Adds the file background-initializer.js"="7/3/2020 1:30 AM, 2286 bytes, A Adds the file block-list-handler.js"="7/3/2020 1:30 AM, 548 bytes, A Adds the file branding-event-handler.js"="7/3/2020 1:30 AM, 798 bytes, A Adds the file display-ad-delivery-handler.js"="7/3/2020 1:30 AM, 4243 bytes, A Adds the file ext-install-handler.js"="7/3/2020 1:30 AM, 483 bytes, A Adds the file ext-update-handler.js"="7/3/2020 1:30 AM, 94 bytes, A Adds the file lightbox-ad-delivery-handler.js"="7/3/2020 1:30 AM, 2095 bytes, A Adds the file 
Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"lbconaaffabelmgeenpebcapbnnoigpc"="REG_SZ", "E2DD05A6A7BCF2DAD3831B3D99FBB14E826871AE0A4673FD8244D7D095CEB39E"

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  7. What is Secured Search? The Malwarebytes research team has determined that Secured Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is also a browser NewTab. How do I know if my computer is affected by Secured Search? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: these changed settings: and this new startpage: You may have noticed these warnings during install: How did Secured Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Secured Search? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Secured Search? No, Malwarebytes removes Secured Search completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Secured Search hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR NewTab: Default -> Active:"chrome-extension://ilnidodcffjfecahcfiihlhiohnaobic/index.html"
CHR DefaultSearchURL: Default -> hxxp://securedserch.com/?q={searchTerms}
CHR DefaultSearchKeyword: Default -> sse
CHR DefaultSuggestURL: Default -> hxxp://securedsearch.xyz/?s={searchTerms}
CHR Extension: (Secured Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ilnidodcffjfecahcfiihlhiohnaobic [2020-05-22]

Alterations made by the installer:

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"ilnidodcffjfecahcfiihlhiohnaobic"="REG_SZ", "CCA0FD20CBB64EA263D9CFA85D7CAA7F98DA5E3F0449DEC715C214A25A93781A"

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  8. What is Tab Recovery - Save & Organize Your Tabs? The Malwarebytes research team has determined that Tab Recovery is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is also a browser NewTab. How do I know if my computer is affected by Tab Recovery? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: these changed settings: and this new startpage: and searchpage: You may have noticed these warnings during install: How did Tab Recovery get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: How do I remove Tab Recovery? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Tab Recovery? No, Malwarebytes removes Tab Recovery completely. We hope our application and this guide have helped you eradicate this hijacker. 
Technical details for experts

Possible signs in FRST logs:
CHR NewTab: Default -> Active:"chrome-extension://pbkpcnlmaopgbmjepnnlinggpbdlhfll/newtab.html"
CHR DefaultSearchURL: Default -> hxxp://explormatrix.com/?q={searchTerms}
CHR DefaultSearchKeyword: Default -> e
CHR Extension: (ExplorMatrix) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbkpcnlmaopgbmjepnnlinggpbdlhfll [2020-03-24]

Alterations made by the installer:

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"pbkpcnlmaopgbmjepnnlinggpbdlhfll"="REG_SZ", "B0889A1DD7A8E4BB42403445301E71644389315666FCD0AD532942ED863921A6"

The full version of Malwarebytes could have protected your computer against this type of threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  9. What is firequestions? The Malwarebytes research team has determined that firequestions is a potentially unwanted program that behaves like adware. These adware applications display advertisements not originating from the sites you are browsing. How do I know if my computer is affected by firequestions? You may see these warnings during install: and this Firefox add-on in your list of installed add-ons: After install you may see this warning in the latest version of Firefox: or a bunch of new tabs and popups if they weren't blocked. You may also see extra advertisements added at the top of your search results, accompanied by the message "Ads by Lyrics": How did firequestions get on my computer? Adware applications use different methods for distributing themselves. This particular one was installed by their website: How do I remove firequestions? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of firequestions? No, Malwarebytes removes firequestions completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the firequestions adware.
It would have blocked their domain. Users of the Malwarebytes browser extension (BETA) would have been protected even before we added this domain to our blocklist:

Technical details for experts

Possible signs in FRST logs:
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\firequestions@mozilla.com.xpi [2018-08-24]

Changes made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
Adds the file firequestions@mozilla.com.xpi"="8/24/2018 11:47 AM, 58282 bytes, A

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.