Jump to content

Search the Community

Showing results for tags 'pup.optional.pushnotifications.generic'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Windows Malware Removal Help & Support
    • Mac Malware Removal Help & Support
    • Mobile Malware Removal Help & Support
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes for Windows Support Forum
    • Malwarebytes for Mac Support Forum
    • Malwarebytes for Android Support Forum
    • Malwarebytes for iOS Support
    • Malwarebytes Privacy
    • Malwarebytes Browser Guard
    • False Positives
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response (includes Breach Remediation)
    • Malwarebytes Endpoint Security
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
    • Report Scam Phone Numbers
  • General
    • General Chat
    • Forums Announcements & Feedback

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Location


Interests

Found 21 results

  1. What is MyIncognitoSearch?The Malwarebytes research team has determined that MyIncognitoSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one uses browser push notifications and changes your default search provider.How do I know if my computer is affected by MyIncognitoSearch?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and this changed setting:How did MyIncognitoSearch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove MyIncognitoSearch?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of MyIncognitoSearch? No, Malwarebytes removes MyIncognitoSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the MyIncognitoSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Notifications: Default -> hxxps://install.myincognitosearch.com CHR DefaultSearchURL: Default -> hxxps://feed.myincognitosearch.com/?q={searchTerms}&publisher=myincognitosearch&barcodeid=590250000000000 CHR DefaultSearchKeyword: Default -> MyIncognitoSearch CHR DefaultSuggestURL: Default -> hxxps://api.myincognitosearch.com/suggest/get?q={searchTerms} CHR Extension: (MyIncognitoSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip [2021-07-20] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip\1.1.0_0 Adds the file manifest.json"="7/20/2021 11:09 AM, 2144 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip\1.1.0_0\_metadata Adds the file computed_hashes.json"="7/20/2021 11:09 AM, 6725 bytes, A Adds the file verified_contents.json"="2/4/2021 12:34 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip\1.1.0_0\images Adds the file logo-white-text.png"="2/4/2021 12:34 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip\1.1.0_0\images\icons Adds the file 128x128.png"="7/20/2021 11:09 AM, 8977 bytes, A Adds the file 16x16.png"="7/20/2021 11:09 AM, 600 bytes, A Adds the file 64x64.png"="7/20/2021 11:09 AM, 3775 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdebfhnlclpmgibliflaehjhbpafnlip\1.1.0_0\scripts Adds the file background.js"="2/4/2021 12:34 PM, 553484 bytes, A Adds the file sitecontent.js"="2/4/2021 12:34 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip Adds the file 000003.log"="7/20/2021 11:13 AM, 852 bytes, A Adds the file CURRENT"="7/20/2021 11:09 AM, 16 bytes, A Adds the file LOCK"="7/20/2021 11:09 AM, 0 bytes, A Adds the file LOG"="7/20/2021 11:09 AM, 369 bytes, A Adds the file MANIFEST-000001"="7/20/2021 11:09 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fdebfhnlclpmgibliflaehjhbpafnlip Adds the file MyIncognitoSearch.ico"="7/20/2021 11:09 AM, 196671 bytes, A Adds the file MyIncognitoSearch.ico.md5"="7/20/2021 11:09 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fdebfhnlclpmgibliflaehjhbpafnlip"="REG_SZ", "3FA7951A8EB4042009B0E11401337B244491BAED9A0970A61CA068EF1FEAEFFF" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/20/21 Scan Time: 11:18 AM Log File: 6106a0c2-e93b-11eb-82bf-080027235d76.json -Software Information- Version: 4.4.3.125 Components Version: 1.0.1387 Update Package Version: 1.0.43301 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 257751 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 19 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fdebfhnlclpmgibliflaehjhbpafnlip, Quarantined, 16709, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip, Quarantined, 16709, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FDEBFHNLCLPMGIBLIFLAEHJHBPAFNLIP, Quarantined, 16709, 799722, 1.0.43301, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16709, 799722, , , , , 69AD7140C7DF1EE4C6534AA78A2FCB80, EC0E9B66274243FE688488898FC1F18ACC20A62896B12F2B36F6774D355274A6 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16709, 799722, , , , , C6DD6B574BBB4D3DDE67579E054ED979, 8223CECC1B2FD20E0B17E1DE9C5BF27942EF60532378DFFC089170468DC0D81F Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip\000003.log, Quarantined, 16709, 799722, , , , , 116A89DBCBBC4B41577B07B8F7880EEE, E29B742538ED997FC197D4FD14419A2C903CEEF45B9E42AE0405B9A9842761B6 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip\CURRENT, Quarantined, 16709, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip\LOCK, Quarantined, 16709, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip\LOG, Quarantined, 16709, 799722, , , , , 5CA640CDA2FC46E756D74AA3B9773BBA, D5C2380726ACD29B4DB0D7EBE97BBEDB9AD468EFE286CD376F01B08744053737 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fdebfhnlclpmgibliflaehjhbpafnlip\MANIFEST-000001, Quarantined, 16709, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FDEBFHNLCLPMGIBLIFLAEHJHBPAFNLIP\1.1.0_0\MANIFEST.JSON, Quarantined, 16709, 799722, 1.0.43301, , ame, , B18FCF6A2D7EFE1E32D4722A6C7BFF3F, 831481C9375EED98A6A9A57C3A1E4434DBE561F4455445897FCA14101898F4F9 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.43301, , ame, , C6DD6B574BBB4D3DDE67579E054ED979, 8223CECC1B2FD20E0B17E1DE9C5BF27942EF60532378DFFC089170468DC0D81F Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is FreeSearchConverters?The Malwarebytes research team has determined that FreeSearchConverters is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one also uses browser push notifications and changes your default search engine.How do I know if my computer is affected by FreeSearchConverters?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and this changed setting:How did FreeSearchConverters get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove FreeSearchConverters?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of FreeSearchConverters? No, Malwarebytes removes FreeSearchConverters completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the FreeSearchConverters hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Notifications: Default -> hxxps://install.freesearchconverters.com CHR DefaultSearchURL: Default -> hxxps://feed.freesearchconverters.com/?q={searchTerms}&publisher=freesearchconverters&barcodeid=590370000000000 CHR DefaultSearchKeyword: Default -> FreeSearchConverters CHR DefaultSuggestURL: Default -> hxxps://api.freesearchconverters.com/suggest/get?q={searchTerms} CHR Extension: (FreeSearchConverters) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk [2021-06-25] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk\1.1.0_0 Adds the file manifest.json"="6/25/2021 8:59 AM, 2180 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk\1.1.0_0\_metadata Adds the file computed_hashes.json"="6/25/2021 8:59 AM, 6725 bytes, A Adds the file verified_contents.json"="2/10/2021 1:59 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk\1.1.0_0\images Adds the file logo-white-text.png"="2/10/2021 1:59 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk\1.1.0_0\images\icons Adds the file 128x128.png"="6/25/2021 8:59 AM, 5906 bytes, A Adds the file 16x16.png"="6/25/2021 8:59 AM, 592 bytes, A Adds the file 64x64.png"="6/25/2021 8:59 AM, 2697 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fglhccdpkbdibhaaedbmpgpkjkpgifhk\1.1.0_0\scripts Adds the file background.js"="2/10/2021 1:59 PM, 553511 bytes, A Adds the file sitecontent.js"="2/10/2021 1:59 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk Adds the file 000003.log"="6/25/2021 8:59 AM, 0 bytes, A Adds the file CURRENT"="6/25/2021 8:59 AM, 16 bytes, A Adds the file LOCK"="6/25/2021 8:59 AM, 0 bytes, A Adds the file LOG"="6/25/2021 8:59 AM, 0 bytes, A Adds the file MANIFEST-000001"="6/25/2021 8:59 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fglhccdpkbdibhaaedbmpgpkjkpgifhk Adds the file FreeSearchConverters.ico"="6/25/2021 8:59 AM, 183975 bytes, A Adds the file FreeSearchConverters.ico.md5"="6/25/2021 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fglhccdpkbdibhaaedbmpgpkjkpgifhk"="REG_SZ", "BE3D71B9F6C3B955211F3D262B25CB7E3E9269622E48C60D7C08D2899C667C97" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/25/21 Scan Time: 9:08 AM Log File: 23d7ebc2-d584-11eb-9fc1-080027235d76.json -Software Information- Version: 4.4.0.117 Components Version: 1.0.1344 Update Package Version: 1.0.42213 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 257554 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 1 min, 34 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fglhccdpkbdibhaaedbmpgpkjkpgifhk, Quarantined, 16607, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk, Quarantined, 16607, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FGLHCCDPKBDIBHAAEDBMPGPKJKPGIFHK, Quarantined, 16607, 799722, 1.0.42213, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16607, 799722, , , , , D678813E01E723575B12CC0FB193D4CB, 312F870E434931C4A7506C7BE083D7EDB76A3538E16B3B765DDD58031ACACEFD Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16607, 799722, , , , , 4CDDD7A15AF5FA8072D4BB72D9D3FBE9, CE0C0C251307C5CF460FB0AD47945EE01F1B79C2A117AEC5D5302FD33EC41363 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk\000003.log, Quarantined, 16607, 799722, , , , , 34EC78A40E9F66051CB6EBD013BA9B83, 265C470F81CEC2E5BB7C750BCC045AAFEE2192233DC679771C6818C55E8DEAB2 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk\CURRENT, Quarantined, 16607, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk\LOCK, Quarantined, 16607, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk\LOG, Quarantined, 16607, 799722, , , , , 50F30416B1BE39718CBCFF38989AA045, ACAD5D6738C5D99E2398596D72361CED6108206D2E87494A982FD9E7ED120CE9 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fglhccdpkbdibhaaedbmpgpkjkpgifhk\MANIFEST-000001, Quarantined, 16607, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FGLHCCDPKBDIBHAAEDBMPGPKJKPGIFHK\1.1.0_0\MANIFEST.JSON, Quarantined, 16607, 799722, 1.0.42213, , ame, , 071A834B8A25C588C0CC3056E16A01AE, 240B6D0A0B35A6D4A9AD79D23C7769A6305003189EA921EABB172D02B8A5E0DE PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.42213, , ame, , 4CDDD7A15AF5FA8072D4BB72D9D3FBE9, CE0C0C251307C5CF460FB0AD47945EE01F1B79C2A117AEC5D5302FD33EC41363 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is Media Tab? The Malwarebytes research team has determined that Media Tab is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine. How do I know if my computer is affected by Media Tab? You may see this entry in your list of installed Chrome extensions: You may have noticed these warnings during install: and this changed setting: How did Media Tab get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Media Tab? Our program Malwarebytes can detect and remove this search hijacker. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Media Tab? No, Malwarebytes removes Media Tab completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Media Tab hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://www.mediatab.club/sapi/search.php?q={searchTerms}&src=sdmedia&ssrc=ds CHR DefaultSearchKeyword: Default -> hxxps://www.mediatab.club CHR Extension: (Media Tab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchkfdikpidgbfpnhgmhddncfdheboc [2021-06-02] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchkfdikpidgbfpnhgmhddncfdheboc\1.0_0 Adds the file favicon.ico"="2/2/2021 4:20 PM, 1150 bytes, A Adds the file manifest.json"="6/2/2021 9:40 AM, 1610 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchkfdikpidgbfpnhgmhddncfdheboc\1.0_0\_metadata Adds the file computed_hashes.json"="6/2/2021 9:40 AM, 2171 bytes, A Adds the file verified_contents.json"="2/2/2021 4:20 PM, 2713 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchkfdikpidgbfpnhgmhddncfdheboc\1.0_0\common Adds the file browseraction.js"="2/2/2021 4:20 PM, 806 bytes, A Adds the file contentscript.js"="2/2/2021 4:20 PM, 301 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchkfdikpidgbfpnhgmhddncfdheboc\1.0_0\img Adds the file logo.png"="2/2/2021 4:20 PM, 9695 bytes, A Adds the file logo_128x.png"="6/2/2021 9:40 AM, 9883 bytes, A Adds the file logo_16x.png"="6/2/2021 9:40 AM, 544 bytes, A Adds the file logo_48x.png"="6/2/2021 9:40 AM, 2469 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchkfdikpidgbfpnhgmhddncfdheboc\1.0_0\pages Adds the file index.html"="2/2/2021 4:20 PM, 162 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchkfdikpidgbfpnhgmhddncfdheboc\1.0_0\release Adds the file script_release.js"="2/2/2021 4:20 PM, 2023 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchkfdikpidgbfpnhgmhddncfdheboc\1.0_0\scripts Adds the file jquery-3.2.1.min.js"="2/2/2021 4:20 PM, 86663 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchkfdikpidgbfpnhgmhddncfdheboc\1.0_0\style Adds the file search.png"="2/2/2021 4:20 PM, 646 bytes, A Adds the file style.css"="2/2/2021 4:20 PM, 7283 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mjchkfdikpidgbfpnhgmhddncfdheboc"="REG_SZ", "252E56AC6F1E45ECB653BB48DDAD2671A95A1BF40588AE35A054C815E8CC7D0F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/2/21 Scan Time: 9:48 AM Log File: dcd3b0c2-c376-11eb-8cb1-080027235d76.json -Software Information- Version: 4.4.0.117 Components Version: 1.0.1308 Update Package Version: 1.0.41245 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234511 Threats Detected: 5 Threats Quarantined: 5 Time Elapsed: 2 min, 16 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.PushNotifications.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|mjchkfdikpidgbfpnhgmhddncfdheboc, Quarantined, 201, 838845, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\mjchkfdikpidgbfpnhgmhddncfdheboc, Quarantined, 201, 838845, , , , , , File: 3 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 201, 838845, , , , , 5762EF014DCC2775E52EEE26FB051C19, D696C0382FC731E97940F11F144F87BDF3A16BFF6A43626902C36ABCC77745C3 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 838845, , , , , 41D6439F5A6CA8E0502978FD9DD75275, 7870007716A648C6AD730477A24C924CAB592D8C5142608DAD7A750B4FF35B4D PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 201, 838845, 1.0.41245, , ame, , 5762EF014DCC2775E52EEE26FB051C19, D696C0382FC731E97940F11F144F87BDF3A16BFF6A43626902C36ABCC77745C3 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is YourStreamSearch? The Malwarebytes research team has determined that YourStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by YourStreamSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed settings: How did YourStreamSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove YourStreamSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of YourStreamSearch? No, Malwarebytes removes YourStreamSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the YourStreamSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.yourstreamsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.yourstreamsearch.com/?q={searchTerms}&publisher=yourstreamsearch&barcodeid=586300000000000 CHR DefaultSearchKeyword: Default -> YourStreamSearch CHR DefaultSuggestURL: Default -> hxxps://api.yourstreamsearch.com/suggest/get?q={searchTerms} CHR Extension: (YourStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk [2021-04-20] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0 Adds the file manifest.json"="4/20/2021 8:59 AM, 2132 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/20/2021 8:59 AM, 6725 bytes, A Adds the file verified_contents.json"="11/17/2020 2:14 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\images Adds the file logo-white-text.png"="11/17/2020 2:14 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\images\icons Adds the file 128x128.png"="4/20/2021 8:59 AM, 6594 bytes, A Adds the file 16x16.png"="4/20/2021 8:59 AM, 618 bytes, A Adds the file 64x64.png"="4/20/2021 8:59 AM, 2969 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kicamljljoimnnikabbhokfefoknlkhk\1.1.0_0\scripts Adds the file background.js"="11/17/2020 2:14 PM, 553475 bytes, A Adds the file sitecontent.js"="11/17/2020 2:14 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk Adds the file 000003.log"="4/20/2021 8:59 AM, 0 bytes, A Adds the file CURRENT"="4/20/2021 8:59 AM, 16 bytes, A Adds the file LOCK"="4/20/2021 8:59 AM, 0 bytes, A Adds the file LOG"="4/20/2021 8:59 AM, 0 bytes, A Adds the file MANIFEST-000001"="4/20/2021 8:59 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kicamljljoimnnikabbhokfefoknlkhk Adds the file YourStreamSearch.ico"="4/20/2021 8:59 AM, 185986 bytes, A Adds the file YourStreamSearch.ico.md5"="4/20/2021 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kicamljljoimnnikabbhokfefoknlkhk"="REG_SZ", "1FBDB4D8EB8F99BD39FBEFF5B7B467AD535B75CCC565A1BB3C5CB2327BE6B999" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/20/21 Scan Time: 9:10 AM Log File: 74874f24-a1a7-11eb-9d50-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1251 Update Package Version: 1.0.39611 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233909 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kicamljljoimnnikabbhokfefoknlkhk, Quarantined, 16336, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk, Quarantined, 16336, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KICAMLJLJOIMNNIKABBHOKFEFOKNLKHK, Quarantined, 16336, 799722, 1.0.39611, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16336, 799722, , , , , 1F66C49CA2F4F7650F83A631DDD3D233, DE021F4FCC437BC8C081B67275FC01A6AE4BE2B71D74B120FDBED8E0863AE1FC Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16336, 799722, , , , , DFFDC4FDF875E64BBA781D2CA2062C9A, 957527ABF864997C5F1225ABC3183A764A9A78410DCD01CEBD544E86C8A1F9C6 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk\000003.log, Quarantined, 16336, 799722, , , , , B2FE20A464E93AC7013B373FB58F2085, DC3F7304E517B7E5E9F4CAE3BE403455279BD5F9B75A36A48242DA509D18CBFA Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk\CURRENT, Quarantined, 16336, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk\LOCK, Quarantined, 16336, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk\LOG, Quarantined, 16336, 799722, , , , , 48B5157B52A47A26E6C92ECD01B3B42B, 9FD196126F74CED82F4E0B7684036E32D8665DB2D3603355C342CDAC2E3A750C Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kicamljljoimnnikabbhokfefoknlkhk\MANIFEST-000001, Quarantined, 16336, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KICAMLJLJOIMNNIKABBHOKFEFOKNLKHK\1.1.0_0\MANIFEST.JSON, Quarantined, 16336, 799722, 1.0.39611, , ame, , 715F51945BFEF27596E6DA52C64EFC0B, E2864F77131E285554491AADE7F27E366AFD4DC492F131ECF67C52637D84E096 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.39611, , ame, , DFFDC4FDF875E64BBA781D2CA2062C9A, 957527ABF864997C5F1225ABC3183A764A9A78410DCD01CEBD544E86C8A1F9C6 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is SearchConverterIt? The Malwarebytes research team has determined that SearchConverterIt is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by SearchConverterIt? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did SearchConverterIt get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchConverterIt? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchConverterIt? No, Malwarebytes removes SearchConverterIt completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchConverterIt hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.searchconverterit.com CHR DefaultSearchURL: Default -> hxxps://feed.searchconverterit.com/?q={searchTerms}&publisher=searchconverterit&barcodeid=588640000000000 CHR DefaultSearchKeyword: Default -> SearchConverterIt CHR DefaultSuggestURL: Default -> hxxps://api.searchconverterit.com/suggest/get?q={searchTerms} CHR Extension: (SearchConverterIt) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng [2021-04-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0 Adds the file manifest.json"="4/14/2021 8:59 AM, 2144 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/14/2021 8:59 AM, 6725 bytes, A Adds the file verified_contents.json"="12/23/2020 12:10 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\images Adds the file logo-white-text.png"="12/23/2020 12:10 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\images\icons Adds the file 128x128.png"="4/14/2021 8:59 AM, 8726 bytes, A Adds the file 16x16.png"="4/14/2021 8:59 AM, 829 bytes, A Adds the file 64x64.png"="4/14/2021 8:59 AM, 3790 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iineefadkfmchfkhljaggpbbnllimnng\1.1.0_0\scripts Adds the file background.js"="12/23/2020 12:10 PM, 553484 bytes, A Adds the file sitecontent.js"="12/23/2020 12:10 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng Adds the file 000003.log"="4/14/2021 8:59 AM, 0 bytes, A Adds the file CURRENT"="4/14/2021 8:59 AM, 16 bytes, A Adds the file LOCK"="4/14/2021 8:59 AM, 0 bytes, A Adds the file LOG"="4/14/2021 8:59 AM, 0 bytes, A Adds the file MANIFEST-000001"="4/14/2021 8:59 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_iineefadkfmchfkhljaggpbbnllimnng Adds the file SearchConverterIt.ico"="4/14/2021 8:59 AM, 198511 bytes, A Adds the file SearchConverterIt.ico.md5"="4/14/2021 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "iineefadkfmchfkhljaggpbbnllimnng"="REG_SZ", "52C119205FA573C4A88501553CFC0CFDC7536AC46F7F653A0406C845E5688DB0" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/14/21 Scan Time: 9:12 AM Log File: c74be9f6-9cf0-11eb-8c7b-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1251 Update Package Version: 1.0.39391 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233788 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 11 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|iineefadkfmchfkhljaggpbbnllimnng, Quarantined, 16302, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng, Quarantined, 16302, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IINEEFADKFMCHFKHLJAGGPBBNLLIMNNG, Quarantined, 16302, 799722, 1.0.39391, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16302, 799722, , , , , 3532504BA85D9B1ABE75CB36C1278AFC, CC1D20EFBE57B77DD4343232C79AB3E001B216E92AD98E743D738A24A7F4D753 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16302, 799722, , , , , 3E6FD6CA1616CFD8F1CE8AE82B40E3A2, 094A84DBF10D44B3934114AC713697138A576C21E7680154A035E11A246DBEA1 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng\000003.log, Quarantined, 16302, 799722, , , , , 94B9F9BFA2C14735E50F191210B1A61B, BC4C7FBCC9C9EE73397714BC6AC9847FAD448DD9F72A13CF6A0C87464963C295 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng\CURRENT, Quarantined, 16302, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng\LOCK, Quarantined, 16302, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng\LOG, Quarantined, 16302, 799722, , , , , 9AA2B44010154B7E04DD8D9A39A187CA, 3D7484112A5F590C6DB55F918C0716123F8D5A629397F1F58D5E39A79E5B4AEE Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iineefadkfmchfkhljaggpbbnllimnng\MANIFEST-000001, Quarantined, 16302, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IINEEFADKFMCHFKHLJAGGPBBNLLIMNNG\1.1.0_0\MANIFEST.JSON, Quarantined, 16302, 799722, 1.0.39391, , ame, , 462F3A01F5C3B4C600C24E74E11D7EF2, EFAF315B9A699789D4CA80CA88C37C8F35F90DB927E398E01D51D67C45B221EB PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.39391, , ame, , 3E6FD6CA1616CFD8F1CE8AE82B40E3A2, 094A84DBF10D44B3934114AC713697138A576C21E7680154A035E11A246DBEA1 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is PDFConverterSearchPro? The Malwarebytes research team has determined that PDFConverterSearchPro is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by PDFConverterSearchPro? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did PDFConverterSearchPro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFConverterSearchPro? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFConverterSearchPro? No, Malwarebytes removes PDFConverterSearchPro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFConverterSearchPro hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.pdfconvertersearchpro.com CHR DefaultSearchURL: Default -> hxxps://feed.pdfconvertersearchpro.com/?q={searchTerms}&publisher=pdfconvertersearchpro&barcodeid=586550000000000 CHR DefaultSearchKeyword: Default -> PDFConverterSearchPro CHR DefaultSuggestURL: Default -> hxxps://api.pdfconvertersearchpro.com/suggest/get?q={searchTerms} CHR Extension: (PDFConverterSearchPro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb [2021-03-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0 Adds the file manifest.json"="3/15/2021 2:06 PM, 2192 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/15/2021 2:06 PM, 6725 bytes, A Adds the file verified_contents.json"="11/22/2020 11:31 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\images Adds the file logo-white-text.png"="11/22/2020 11:31 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\images\icons Adds the file 128x128.png"="3/15/2021 2:06 PM, 3646 bytes, A Adds the file 16x16.png"="3/15/2021 2:06 PM, 543 bytes, A Adds the file 64x64.png"="3/15/2021 2:06 PM, 1960 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdcioboelamekgappfajnjfpgpimmmb\1.1.0_0\scripts Adds the file background.js"="11/22/2020 11:31 AM, 553520 bytes, A Adds the file sitecontent.js"="11/22/2020 11:31 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb Adds the file 000003.log"="3/15/2021 2:06 PM, 0 bytes, A Adds the file CURRENT"="3/15/2021 2:06 PM, 16 bytes, A Adds the file LOCK"="3/15/2021 2:06 PM, 0 bytes, A Adds the file LOG"="3/15/2021 2:06 PM, 0 bytes, A Adds the file MANIFEST-000001"="3/15/2021 2:06 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_akdcioboelamekgappfajnjfpgpimmmb Adds the file PDFConverterSearchPro.ico"="3/15/2021 2:06 PM, 172121 bytes, A Adds the file PDFConverterSearchPro.ico.md5"="3/15/2021 2:06 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "akdcioboelamekgappfajnjfpgpimmmb"="REG_SZ", "F3AE581B78A68DEC8C113BF12D95B1AB3E28ABE5AC03BE5B0B7B6664A6E24343" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/15/21 Scan Time: 2:15 PM Log File: 8d238472-8590-11eb-b310-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1217 Update Package Version: 1.0.38187 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233439 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|akdcioboelamekgappfajnjfpgpimmmb, Quarantined, 16186, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb, Quarantined, 16186, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AKDCIOBOELAMEKGAPPFAJNJFPGPIMMMB, Quarantined, 16186, 799722, 1.0.38187, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 16186, 799722, , , , , DF544FF17FCE1471E0F7FC6ABFEADA65, 61F3AF62ECF69C06A7A7BBC7CA38B72920C161EFB4D9F33D34BDB3B55A8D1DF9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 16186, 799722, , , , , 70FA40BF46EE8131AD242E2C21167218, 64ACA91506C83F4C0461C1899A077D37DE8B3B772637C5E951594D5EE2B215A7 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\000003.log, Quarantined, 16186, 799722, , , , , D722D2A43C3A2FBE17F095BD1316ACF3, F12A197380F21674F773C3EBBEE4643EB875CD3F750371257DCFA4D79848E8EC Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\CURRENT, Quarantined, 16186, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\LOCK, Quarantined, 16186, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\LOG, Quarantined, 16186, 799722, , , , , F44B24CA498215DC0FF0F73CF36E8652, 6C8E76DBE5234B4946CB3F860C904B7748A27B6C157FD0E8FF12DD9D5417DC22 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\akdcioboelamekgappfajnjfpgpimmmb\MANIFEST-000001, Quarantined, 16186, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AKDCIOBOELAMEKGAPPFAJNJFPGPIMMMB\1.1.0_0\MANIFEST.JSON, Quarantined, 16186, 799722, 1.0.38187, , ame, , 879C7B4C7B8FC5E96F26A9C1F015F354, E62CEAE65513F9F91D63A51F8468FD9B41573A00948B3E7AACBB89EA44C0A175 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.38187, , ame, , 70FA40BF46EE8131AD242E2C21167218, 64ACA91506C83F4C0461C1899A077D37DE8B3B772637C5E951594D5EE2B215A7 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is PDFSearchWeb? The Malwarebytes research team has determined that PDFSearchWeb is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by PDFSearchWeb? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did PDFSearchWeb get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFSearchWeb? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFSearchWeb? No, Malwarebytes removes PDFSearchWeb completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFSearchWeb hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.pdfsearchweb.com CHR DefaultSearchURL: Default -> hxxps://feed.pdfsearchweb.com/?q={searchTerms}&publisher=pdfsearchweb&barcodeid=586480000000000 CHR DefaultSearchKeyword: Default -> PDFSearchWeb CHR DefaultSuggestURL: Default -> hxxps://api.pdfsearchweb.com/suggest/get?q={searchTerms} CHR Extension: (PDFSearchWeb) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi [2021-03-04] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0 Adds the file manifest.json"="3/4/2021 8:46 AM, 2084 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/4/2021 8:46 AM, 6725 bytes, A Adds the file verified_contents.json"="11/16/2020 11:09 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\images Adds the file logo-white-text.png"="11/16/2020 11:09 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\images\icons Adds the file 128x128.png"="3/4/2021 8:46 AM, 2578 bytes, A Adds the file 16x16.png"="3/4/2021 8:46 AM, 416 bytes, A Adds the file 64x64.png"="3/4/2021 8:46 AM, 1436 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmcjacaocadbkaoippfdhjknablobgi\1.1.0_0\scripts Adds the file background.js"="11/16/2020 11:09 AM, 553439 bytes, A Adds the file sitecontent.js"="11/16/2020 11:09 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi Adds the file 000003.log"="3/4/2021 8:46 AM, 0 bytes, A Adds the file CURRENT"="3/4/2021 8:46 AM, 16 bytes, A Adds the file LOCK"="3/4/2021 8:46 AM, 0 bytes, A Adds the file LOG"="3/4/2021 8:46 AM, 0 bytes, A Adds the file MANIFEST-000001"="3/4/2021 8:46 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_blmcjacaocadbkaoippfdhjknablobgi Adds the file PDFSearchWeb.ico"="3/4/2021 8:46 AM, 165020 bytes, A Adds the file PDFSearchWeb.ico.md5"="3/4/2021 8:46 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "blmcjacaocadbkaoippfdhjknablobgi"="REG_SZ", "21383C3BCEED4E28CE353D35F37AB55C383F3D6E796A18124C0DE8CF0A38C218" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/4/21 Scan Time: 9:04 AM Log File: 4d2527fa-7cc0-11eb-9e7c-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37767 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233343 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 50 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|blmcjacaocadbkaoippfdhjknablobgi, Quarantined, 15230, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLMCJACAOCADBKAOIPPFDHJKNABLOBGI, Quarantined, 15230, 799722, 1.0.37767, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , 01C6FDC1C96A97A38133B535F53D0D30, E920A84318FD5E518AED4F1856CBF931668DF6EB4D234B3D19A58C99CC4C3232 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , B07D93683D5433642FFB7A45BEE0F1F8, 83BA83D99DBD7D791D9A3D7C308CFCAE2AE132820C7F31C0642C0ACD357F8A70 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\000003.log, Quarantined, 15230, 799722, , , , , E1DE9B412C0C30CDEE59F9E4E63F56DB, 86A2A508B75E0F5CEE3DE285AA84735D8F1ECEB37D333BBFE5232263B612BF3D Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\LOCK, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\LOG, Quarantined, 15230, 799722, , , , , A4549DEA968C4980471BA79B2504416B, 3A609EA567AF426E9CD1C3DF641EE9F298A276437D70FC238AF6AE2175357C36 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blmcjacaocadbkaoippfdhjknablobgi\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLMCJACAOCADBKAOIPPFDHJKNABLOBGI\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.37767, , ame, , 8E1EDD9316806E38160CE820BA112006, D6F16F705C44BA34A629512B96F7950673D3E0CA8CCA07495ED8765BFE66E2FE PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15847, 832955, 1.0.37767, , ame, , B07D93683D5433642FFB7A45BEE0F1F8, 83BA83D99DBD7D791D9A3D7C308CFCAE2AE132820C7F31C0642C0ACD357F8A70 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is SearchConverterPro? The Malwarebytes research team has determined that SearchConverterPro is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by SearchConverterPro? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did SearchConverterPro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchConverterPro? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchConverterPro? No, Malwarebytes removes SearchConverterPro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchConverterPro hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.searchconverterpro.com CHR DefaultSearchURL: Default -> hxxps://feed.searchconverterpro.com/?q={searchTerms}&publisher=searchconverterpro&barcodeid=585410000000000 CHR DefaultSearchKeyword: Default -> SearchConverterPro CHR DefaultSuggestURL: Default -> hxxps://api.searchconverterpro.com/suggest/get?q={searchTerms} CHR Extension: (SearchConverterPro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb [2021-03-01] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0 Adds the file manifest.json"="3/1/2021 1:35 PM, 2156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/1/2021 1:35 PM, 6725 bytes, A Adds the file verified_contents.json"="10/25/2020 10:34 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\images Adds the file logo-white-text.png"="10/25/2020 10:34 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\images\icons Adds the file 128x128.png"="3/1/2021 1:35 PM, 6306 bytes, A Adds the file 16x16.png"="3/1/2021 1:35 PM, 694 bytes, A Adds the file 64x64.png"="3/1/2021 1:35 PM, 3071 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnfhgckomdbflopemgjbncbkdeihhlb\1.1.0_0\scripts Adds the file background.js"="10/25/2020 10:34 AM, 553493 bytes, A Adds the file sitecontent.js"="10/25/2020 10:34 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb Adds the file 000003.log"="3/1/2021 1:35 PM, 0 bytes, A Adds the file CURRENT"="3/1/2021 1:35 PM, 16 bytes, A Adds the file LOCK"="3/1/2021 1:35 PM, 0 bytes, A Adds the file LOG"="3/1/2021 1:35 PM, 0 bytes, A Adds the file MANIFEST-000001"="3/1/2021 1:35 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hjnfhgckomdbflopemgjbncbkdeihhlb Adds the file SearchConverterPro.ico"="3/1/2021 1:35 PM, 186748 bytes, A Adds the file SearchConverterPro.ico.md5"="3/1/2021 1:35 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hjnfhgckomdbflopemgjbncbkdeihhlb"="REG_SZ", "33F8C3B2409F6D8AB5CCF20B368B4AD040AFD46DC8E5F6C5A4E67A3D54DE4719" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/1/21 Scan Time: 1:48 PM Log File: 7a1b9b80-7a8c-11eb-8099-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37625 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233311 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hjnfhgckomdbflopemgjbncbkdeihhlb, Quarantined, 15231, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HJNFHGCKOMDBFLOPEMGJBNCBKDEIHHLB, Quarantined, 15231, 799722, 1.0.37625, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , D8067A2FAD4A6447366B1C2089342374, 5248CCAAC27A4EE68520DF16E1DFD948FECEF89F796C46537ABEF0097EF388B1 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , 20886FCF60602A624756A7271589506B, E158105F46D1C21EBF0959BAB4AC56DE365A1E50F61BF2DEA5C079AF295DEB60 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\000003.log, Quarantined, 15231, 799722, , , , , 321094FBF6F04AFE2CB330470130272F, 352C9EFEA042CB951214F10CD67DB634D225D38BE2F4EB3F5F54564D51616C2E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\LOCK, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\LOG, Quarantined, 15231, 799722, , , , , 86F8B6040268BC3304FF41A99C321ECD, A59E09D12C0EDCB7DF337D13DFCF6E3734732E5C7F74BD456A69E8FDB42C43D3 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjnfhgckomdbflopemgjbncbkdeihhlb\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HJNFHGCKOMDBFLOPEMGJBNCBKDEIHHLB\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37625, , ame, , 4A1FC792FD3BD8E05EA6771ED67CE48B, D41AA25AB279D43F6393B93025EA5E2DEF3C5E44B4B5F52A83A4DDE62FDFD4C6 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15848, 832955, 1.0.37625, , ame, , 20886FCF60602A624756A7271589506B, E158105F46D1C21EBF0959BAB4AC56DE365A1E50F61BF2DEA5C079AF295DEB60 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is PDFConverterSearchApp? The Malwarebytes research team has determined that PDFConverterSearchApp is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by PDFConverterSearchApp? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did PDFConverterSearchApp get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFConverterSearchApp? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFConverterSearchApp? No, Malwarebytes removes PDFConverterSearchApp completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFConverterSearchApp hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.pdfconvertersearchapp.com CHR DefaultSearchURL: Default -> hxxps://feed.pdfconvertersearchapp.com/?q={searchTerms}&publisher=pdfconvertersearchapp&barcodeid=586540000000000 CHR DefaultSearchKeyword: Default -> PDFConverterSearchApp CHR DefaultSuggestURL: Default -> hxxps://api.pdfconvertersearchapp.com/suggest/get?q={searchTerms} CHR Extension: (PDFConverterSearchApp) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml [2021-02-23] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0 Adds the file manifest.json"="2/23/2021 8:51 AM, 2192 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/23/2021 8:51 AM, 6725 bytes, A Adds the file verified_contents.json"="11/22/2020 11:22 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\images Adds the file logo-white-text.png"="11/22/2020 11:22 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\images\icons Adds the file 128x128.png"="2/23/2021 8:51 AM, 2705 bytes, A Adds the file 16x16.png"="2/23/2021 8:51 AM, 431 bytes, A Adds the file 64x64.png"="2/23/2021 8:51 AM, 1524 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cblanbpgmlklhkagkhielejnbekfhgml\1.1.0_0\scripts Adds the file background.js"="11/22/2020 11:22 AM, 553520 bytes, A Adds the file sitecontent.js"="11/22/2020 11:22 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml Adds the file 000003.log"="2/23/2021 8:51 AM, 772 bytes, A Adds the file CURRENT"="2/23/2021 8:51 AM, 16 bytes, A Adds the file LOCK"="2/23/2021 8:51 AM, 0 bytes, A Adds the file LOG"="2/23/2021 8:52 AM, 0 bytes, A Adds the file LOG.old"="2/23/2021 8:51 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/23/2021 8:51 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_cblanbpgmlklhkagkhielejnbekfhgml Adds the file PDFConverterSearchApp.ico"="2/23/2021 8:51 AM, 167009 bytes, A Adds the file PDFConverterSearchApp.ico.md5"="2/23/2021 8:51 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cblanbpgmlklhkagkhielejnbekfhgml"="REG_SZ", "E0BB14EFCF360DCD9F079792C8C0304B764520F6BC38ACA5472CEED8CB0F4894" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/23/21 Scan Time: 9:03 AM Log File: 9fe92f14-75ad-11eb-a024-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37409 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233235 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 3 min, 53 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cblanbpgmlklhkagkhielejnbekfhgml, Quarantined, 15231, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CBLANBPGMLKLHKAGKHIELEJNBEKFHGML, Quarantined, 15231, 799722, 1.0.37409, , ame, , , File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , 08201ECD1B85FF76F1A530F7F1CD60FA, B1BC63963EDB300951864E8313D40FF11B15C2350E063C48B476887CE50CC5C1 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , 72371288828C9FF920161D362A9696D0, 883E233ADECA0F30A6F171774213F6CB16337E7A0434CC00A2BCAFB31A301CDC Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\000003.log, Quarantined, 15231, 799722, , , , , 67FC137A21E8071A243A4E623765F366, 3C2751C90D48A69328831A9BC0DD02B786699ED3D5F584AB24BF25502636188D Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\LOCK, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\LOG, Quarantined, 15231, 799722, , , , , B5AAD68D85A7BBE311E96DBD055809DD, BE0E99A8647036469D3CDBF8A2E20A59ACA811061A0881A3454D6446DDAAF0EB Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\LOG.old, Quarantined, 15231, 799722, , , , , F5456C85FF94C78C3AEB779FB4449CD0, C03159C8CD18EA9239AA281E3A3C9456BC5D56C0998CD0E677D8A91A07BFE365 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cblanbpgmlklhkagkhielejnbekfhgml\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CBLANBPGMLKLHKAGKHIELEJNBEKFHGML\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37409, , ame, , 64D23C0EBA8E789DA30A1D1773435FD7, F2FAAD057EB6A40FCA8ACAFB0601609F54C8968A2588485B4976D8269EDA7B23 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15848, 832955, 1.0.37409, , ame, , 72371288828C9FF920161D362A9696D0, 883E233ADECA0F30A6F171774213F6CB16337E7A0434CC00A2BCAFB31A301CDC Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is TopSearchConverter? The Malwarebytes research team has determined that TopSearchConverter is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by TopSearchConverter? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did TopSearchConverter get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove TopSearchConverter? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of TopSearchConverter? No, Malwarebytes removes TopSearchConverter completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the TopSearchConverter hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.topsearchconverter.com CHR DefaultSearchURL: Default -> hxxps://feed.topsearchconverter.com/?q={searchTerms}&publisher=topsearchconverter&barcodeid=588600000000000 CHR DefaultSearchKeyword: Default -> TopSearchConverter CHR DefaultSuggestURL: Default -> hxxps://api.topsearchconverter.com/suggest/get?q={searchTerms} CHR Extension: (TopSearchConverter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo [2021-02-17] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo\1.1.0_0 Adds the file manifest.json"="2/17/2021 8:52 AM, 2156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/17/2021 8:52 AM, 6725 bytes, A Adds the file verified_contents.json"="12/16/2020 11:16 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo\1.1.0_0\images Adds the file logo-white-text.png"="12/16/2020 11:16 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo\1.1.0_0\images\icons Adds the file 128x128.png"="2/17/2021 8:52 AM, 6065 bytes, A Adds the file 16x16.png"="2/17/2021 8:52 AM, 654 bytes, A Adds the file 64x64.png"="2/17/2021 8:52 AM, 2957 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\danlpohcmjfbadhejfpmdhbfkjjndfbo\1.1.0_0\scripts Adds the file background.js"="12/16/2020 11:16 AM, 553493 bytes, A Adds the file sitecontent.js"="12/16/2020 11:16 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\danlpohcmjfbadhejfpmdhbfkjjndfbo Adds the file 000003.log"="2/17/2021 8:52 AM, 0 bytes, A Adds the file CURRENT"="2/17/2021 8:52 AM, 16 bytes, A Adds the file LOCK"="2/17/2021 8:52 AM, 0 bytes, A Adds the file LOG"="2/17/2021 8:52 AM, 0 bytes, A Adds the file MANIFEST-000001"="2/17/2021 8:52 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_danlpohcmjfbadhejfpmdhbfkjjndfbo Adds the file TopSearchConverter.ico"="2/17/2021 8:52 AM, 186697 bytes, A Adds the file TopSearchConverter.ico.md5"="2/17/2021 8:52 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "danlpohcmjfbadhejfpmdhbfkjjndfbo"="REG_SZ", "2D5B7FBDCCC9F65B43582271329826D2F348192E2033105E2008EA28952B9939" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/17/21 Scan Time: 9:01 AM Log File: 5f813e6e-70f6-11eb-a419-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1173 Update Package Version: 1.0.37215 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username}-PC\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233208 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 4 min, 1 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|danlpohcmjfbadhejfpmdhbfkjjndfbo, Quarantined, 15231, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\danlpohcmjfbadhejfpmdhbfkjjndfbo, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DANLPOHCMJFBADHEJFPMDHBFKJJNDFBO, Quarantined, 15231, 799722, 1.0.37215, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15231, 799722, , , , , E7FDDE577CEF9905DD7D1EFAD2B45A8B, EC9CFAF0627F3969D3B31B3BB458B0F05DD86D1B8FA7E80B4545B9A446134FA0 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15231, 799722, , , , , D320BFA9FA2391F52560181CC15A138D, 558CA095B81C8D2664CACB7AD0D31EC46E5C4F0638EE94A8A55469588CA756FC Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\danlpohcmjfbadhejfpmdhbfkjjndfbo\000003.log, Quarantined, 15231, 799722, , , , , B7441C47CFEC225D1FDE33FAC314D967, A8E7F10F8AFD1D217F880ECE7F467263028C573D24CA41233EE830DF8F09FB32 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\danlpohcmjfbadhejfpmdhbfkjjndfbo\CURRENT, Quarantined, 15231, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\danlpohcmjfbadhejfpmdhbfkjjndfbo\LOCK, Quarantined, 15231, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\danlpohcmjfbadhejfpmdhbfkjjndfbo\LOG, Quarantined, 15231, 799722, , , , , 674E168D43C7EDF6287AC2EAE8490C55, 8282D909F75F0023350F39C48F4B3CEBDD9417389C42A1F8EFA2F6F383D17774 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\danlpohcmjfbadhejfpmdhbfkjjndfbo\MANIFEST-000001, Quarantined, 15231, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DANLPOHCMJFBADHEJFPMDHBFKJJNDFBO\1.1.0_0\MANIFEST.JSON, Quarantined, 15231, 799722, 1.0.37215, , ame, , 712D6751F9CFF213C0B5FE2EADC5A664, E2F1E18D4A1BBBFAB78FEFC60B4B952CC30DCF92F444CD93F5A1C06911A08C61 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15848, 832955, 1.0.37215, , ame, , D320BFA9FA2391F52560181CC15A138D, 558CA095B81C8D2664CACB7AD0D31EC46E5C4F0638EE94A8A55469588CA756FC Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is SearchConverterInc? The Malwarebytes research team has determined that SearchConverterInc is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by SearchConverterInc? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did SearchConverterInc get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchConverterInc? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchConverterInc? No, Malwarebytes removes SearchConverterInc completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchConverterInc hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.searchconverterinc.com CHR DefaultSearchURL: Default -> hxxps://feed.searchconverterinc.com/?q={searchTerms}&publisher=searchconverterinc&barcodeid=588570000000000 CHR DefaultSearchKeyword: Default -> SearchConverterInc CHR DefaultSuggestURL: Default -> hxxps://api.searchconverterinc.com/suggest/get?q={searchTerms} CHR Extension: (SearchConverterInc) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omamiojllkilcljbcjmfliacdiadkgbb [2021-01-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omamiojllkilcljbcjmfliacdiadkgbb\1.1.0_0 Adds the file manifest.json"="1/14/2021 9:03 AM, 2156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omamiojllkilcljbcjmfliacdiadkgbb\1.1.0_0\_metadata Adds the file computed_hashes.json"="1/14/2021 9:03 AM, 6725 bytes, A Adds the file verified_contents.json"="12/16/2020 11:07 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omamiojllkilcljbcjmfliacdiadkgbb\1.1.0_0\images Adds the file logo-white-text.png"="12/16/2020 11:07 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omamiojllkilcljbcjmfliacdiadkgbb\1.1.0_0\images\icons Adds the file 128x128.png"="1/14/2021 9:03 AM, 8155 bytes, A Adds the file 16x16.png"="1/14/2021 9:03 AM, 648 bytes, A Adds the file 64x64.png"="1/14/2021 9:03 AM, 3655 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\omamiojllkilcljbcjmfliacdiadkgbb\1.1.0_0\scripts Adds the file background.js"="12/16/2020 11:07 AM, 553493 bytes, A Adds the file sitecontent.js"="12/16/2020 11:07 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omamiojllkilcljbcjmfliacdiadkgbb Adds the file 000003.log"="1/14/2021 9:08 AM, 823 bytes, A Adds the file CURRENT"="1/14/2021 9:03 AM, 16 bytes, A Adds the file LOCK"="1/14/2021 9:03 AM, 0 bytes, A Adds the file LOG"="1/14/2021 9:03 AM, 184 bytes, A Adds the file MANIFEST-000001"="1/14/2021 9:03 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_omamiojllkilcljbcjmfliacdiadkgbb Adds the file SearchConverterInc.ico"="1/14/2021 9:03 AM, 194494 bytes, A Adds the file SearchConverterInc.ico.md5"="1/14/2021 9:04 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "omamiojllkilcljbcjmfliacdiadkgbb"="REG_SZ", "ED3DAFC264CEBC301F50542ED0C3DB6DE20B886197717AB52FEEC0E87D2B8074" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/14/21 Scan Time: 9:13 AM Log File: 69616966-5640-11eb-a8ec-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1130 Update Package Version: 1.0.35717 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232851 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 21 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|omamiojllkilcljbcjmfliacdiadkgbb, Quarantined, 15230, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\omamiojllkilcljbcjmfliacdiadkgbb, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OMAMIOJLLKILCLJBCJMFLIACDIADKGBB, Quarantined, 15230, 799722, 1.0.35717, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , EF6DAC21CE379DA81B88AB06F139B4F4, 340A9A2D9157D4430E72D6F25675A01AE4DB78A4A44C29AE200CACF7CF22F38E Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , 21620F87B69B37775EAF44487FDD1256, DD4105E73B3F683FD9C48969FD5E9D84ECDF0A0811E9AE984DA347F267920E9E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omamiojllkilcljbcjmfliacdiadkgbb\000003.log, Quarantined, 15230, 799722, , , , , 5F91D45C0D04F823D10FBA45A508793A, E51E3F5D4F5867F41B6D85F2732DBD20931B0C8D39B4FC82AAEE9FD63A970D47 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omamiojllkilcljbcjmfliacdiadkgbb\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omamiojllkilcljbcjmfliacdiadkgbb\LOCK, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omamiojllkilcljbcjmfliacdiadkgbb\LOG, Quarantined, 15230, 799722, , , , , 35CC7597AEECB020C98BCE4CBFB34A49, 82EA1C51E979627FA5AE29B911379662811EF85003BDDE20804696750ED670CC Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\omamiojllkilcljbcjmfliacdiadkgbb\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OMAMIOJLLKILCLJBCJMFLIACDIADKGBB\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.35717, , ame, , 9CCE412F8256B5A64A200DF822162C53, AB146C922C2A7C25E5B215481B4BBE6BC9AD50048CF0C699271D257BDFFC462F PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15847, 832955, 1.0.35717, , ame, , 21620F87B69B37775EAF44487FDD1256, DD4105E73B3F683FD9C48969FD5E9D84ECDF0A0811E9AE984DA347F267920E9E Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is GlobalPDFConverterSearch? The Malwarebytes research team has determined that GlobalPDFConverterSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches. How do I know if my computer is affected by GlobalPDFConverterSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did GlobalPDFConverterSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove GlobalPDFConverterSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of GlobalPDFConverterSearch? No, Malwarebytes removes GlobalPDFConverterSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the GlobalPDFConverterSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.globalpdfconvertersearch.com CHR DefaultSearchURL: Default -> hxxps://feed.globalpdfconvertersearch.com/?q={searchTerms}&publisher=globalpdfconvertersearch&barcodeid=579910000000000 CHR DefaultSearchKeyword: Default -> GlobalPDFConverterSearch CHR DefaultSuggestURL: Default -> hxxps://api.globalpdfconvertersearch.com/suggest/get?q={searchTerms} CHR Extension: (GlobalPDFConverterSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpckbdmiphipdecfodandpiecjieclj [2021-01-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpckbdmiphipdecfodandpiecjieclj\1.1.0_0 Adds the file manifest.json"="1/11/2021 9:09 AM, 2228 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpckbdmiphipdecfodandpiecjieclj\1.1.0_0\_metadata Adds the file computed_hashes.json"="1/11/2021 9:09 AM, 6725 bytes, A Adds the file verified_contents.json"="10/22/2020 2:06 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpckbdmiphipdecfodandpiecjieclj\1.1.0_0\images Adds the file logo-white-text.png"="10/22/2020 2:06 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpckbdmiphipdecfodandpiecjieclj\1.1.0_0\images\icons Adds the file 128x128.png"="1/11/2021 9:09 AM, 4103 bytes, A Adds the file 16x16.png"="1/11/2021 9:09 AM, 482 bytes, A Adds the file 64x64.png"="1/11/2021 9:09 AM, 2028 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpckbdmiphipdecfodandpiecjieclj\1.1.0_0\scripts Adds the file background.js"="10/22/2020 2:06 PM, 553385 bytes, A Adds the file sitecontent.js"="10/22/2020 2:06 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgpckbdmiphipdecfodandpiecjieclj Adds the file 000003.log"="1/11/2021 9:09 AM, 0 bytes, A Adds the file CURRENT"="1/11/2021 9:09 AM, 16 bytes, A Adds the file LOCK"="1/11/2021 9:09 AM, 0 bytes, A Adds the file LOG"="1/11/2021 9:09 AM, 0 bytes, A Adds the file MANIFEST-000001"="1/11/2021 9:09 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_dgpckbdmiphipdecfodandpiecjieclj Adds the file GlobalPDFConverterSearch.ico"="1/11/2021 9:09 AM, 175165 bytes, A Adds the file GlobalPDFConverterSearch.ico.md5"="1/11/2021 9:09 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dgpckbdmiphipdecfodandpiecjieclj"="REG_SZ", "9A44262B94B7396230BF9508A2924ACD4EA34FBE8EF1D55F4AC6F7E029780740" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/11/21 Scan Time: 9:23 AM Log File: 478e95cc-53e6-11eb-a0d2-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1130 Update Package Version: 1.0.35553 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232744 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 6 min, 17 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dgpckbdmiphipdecfodandpiecjieclj, Quarantined, 15230, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\dgpckbdmiphipdecfodandpiecjieclj, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DGPCKBDMIPHIPDECFODANDPIECJIECLJ, Quarantined, 15230, 799722, 1.0.35553, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , A3BF87F113FA56BEBDD9275F18613AC2, 7104C3BE5B658B73860410C553B51A1C0D019D1116A7E48A39B747C731CF0666 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , 5EEEEAB8B8B80801EC9034B1B34BE2B9, F2F5FAD1A17E49033C67E416D60B8BB4B7EBD0341F38F441006DFB3220978F65 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgpckbdmiphipdecfodandpiecjieclj\000003.log, Quarantined, 15230, 799722, , , , , 0D916328F90EED88C8CF60F136EFE450, 1A0854471C30A0C6A3D34C06634D95A84B92BFD64E64E428BD634D8C1C15B4B6 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgpckbdmiphipdecfodandpiecjieclj\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgpckbdmiphipdecfodandpiecjieclj\LOCK, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgpckbdmiphipdecfodandpiecjieclj\LOG, Quarantined, 15230, 799722, , , , , 057FEF919C83663675F58C7DCA51414C, D209B9881B1F8BC99F6343CE5F85C507DAB9AEC841247BD92DCA0CD3EFF43A49 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgpckbdmiphipdecfodandpiecjieclj\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DGPCKBDMIPHIPDECFODANDPIECJIECLJ\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.35553, , ame, , 0AD62C4C2955B76C4250C05E220B9AB6, DC74D9E4E6B804A128F775DA25B29D51ED4F4DF1E79BE733DB085438A5344E32 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15847, 832955, 1.0.35553, , ame, , 5EEEEAB8B8B80801EC9034B1B34BE2B9, F2F5FAD1A17E49033C67E416D60B8BB4B7EBD0341F38F441006DFB3220978F65 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is NetGameSearch?The Malwarebytes research team has determined that NetGameSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses web push notifications.How do I know if my computer is affected by NetGameSearch?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and this changed setting:How did NetGameSearch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove NetGameSearch?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of NetGameSearch? No, Malwarebytes removes NetGameSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the NetGameSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Notifications: Default -> hxxps://install.netgamesearch.com CHR DefaultSearchURL: Default -> hxxps://feed.netgamesearch.com/?q={searchTerms}&publisher=netgamesearch&barcodeid=585480000000000 CHR DefaultSearchKeyword: Default -> NetGameSearch CHR DefaultSuggestURL: Default -> hxxps://api.netgamesearch.com/suggest/get?q={searchTerms} CHR Extension: (NetGameSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjannonjgjdmbccbolbgoohidalenclg [2021-01-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjannonjgjdmbccbolbgoohidalenclg\1.1.0_0 Adds the file manifest.json"="1/8/2021 8:50 AM, 2096 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjannonjgjdmbccbolbgoohidalenclg\1.1.0_0\_metadata Adds the file computed_hashes.json"="1/8/2021 8:50 AM, 6725 bytes, A Adds the file verified_contents.json"="10/20/2020 8:13 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjannonjgjdmbccbolbgoohidalenclg\1.1.0_0\images Adds the file logo-white-text.png"="10/20/2020 8:13 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjannonjgjdmbccbolbgoohidalenclg\1.1.0_0\images\icons Adds the file 128x128.png"="1/8/2021 8:50 AM, 10354 bytes, A Adds the file 16x16.png"="1/8/2021 8:50 AM, 854 bytes, A Adds the file 64x64.png"="1/8/2021 8:50 AM, 5028 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjannonjgjdmbccbolbgoohidalenclg\1.1.0_0\scripts Adds the file background.js"="10/20/2020 8:13 AM, 553448 bytes, A Adds the file sitecontent.js"="10/20/2020 8:13 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjannonjgjdmbccbolbgoohidalenclg Adds the file 000003.log"="1/8/2021 8:53 AM, 801 bytes, A Adds the file CURRENT"="1/8/2021 8:50 AM, 16 bytes, A Adds the file LOCK"="1/8/2021 8:50 AM, 0 bytes, A Adds the file LOG"="1/8/2021 8:50 AM, 183 bytes, A Adds the file MANIFEST-000001"="1/8/2021 8:50 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hjannonjgjdmbccbolbgoohidalenclg Adds the file NetGameSearch.ico"="1/8/2021 8:50 AM, 209275 bytes, A Adds the file NetGameSearch.ico.md5"="1/8/2021 8:50 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hjannonjgjdmbccbolbgoohidalenclg"="REG_SZ", "EA3B082A3EA51975E89777CA9217BFECF0B88D6DFA7C99212FC36F79B3583E97" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/8/21 Scan Time: 9:08 AM Log File: ad506526-5188-11eb-8070-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1130 Update Package Version: 1.0.35397 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232737 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 51 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hjannonjgjdmbccbolbgoohidalenclg, Quarantined, 15230, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\hjannonjgjdmbccbolbgoohidalenclg, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HJANNONJGJDMBCCBOLBGOOHIDALENCLG, Quarantined, 15230, 799722, 1.0.35397, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , 43DAB5038CD161E4925ABDD20555FDC2, 518274CE7142C00CA72C71415F1E53CF7DB6917AF1282E0CB85EF44247364E51 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , 24B3ED17E7DB9E8E5122108A98217150, A72B0FA5B7ECB192560268DA62BD2AA5DDAF7FB25EE69C3CA42644DDD93D605F Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjannonjgjdmbccbolbgoohidalenclg\000003.log, Quarantined, 15230, 799722, , , , , D8880D3A7704CFC09C3BE183FDC7A925, 5FDC74095C7F13DC36F65CBF1E97D5C1151EF847A3CB724376517D2BE885EA59 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjannonjgjdmbccbolbgoohidalenclg\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjannonjgjdmbccbolbgoohidalenclg\LOCK, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjannonjgjdmbccbolbgoohidalenclg\LOG, Quarantined, 15230, 799722, , , , , FC95085C05CBD10FA809FCBD20D43CA9, 26E907BC59D0687A036CACC7CAB5A28F6A2803A66E8ED7C51EB3C6135A2C95EB Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hjannonjgjdmbccbolbgoohidalenclg\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HJANNONJGJDMBCCBOLBGOOHIDALENCLG\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.35397, , ame, , 109B25C5FDA2B2574DF87634E67A82A9, 0C46B3FAD4343CC4FD540DA1A942AC69CA3484883302F776BB800AE6DAA48087 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15847, 832955, 1.0.35397, , ame, , 24B3ED17E7DB9E8E5122108A98217150, A72B0FA5B7ECB192560268DA62BD2AA5DDAF7FB25EE69C3CA42644DDD93D605F Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is PDFSearchHQ?The Malwarebytes research team has determined that PDFSearchHQ is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.How do I know if my computer is affected by PDFSearchHQ?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and these changed settings:How did PDFSearchHQ get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove PDFSearchHQ?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFSearchHQ? No, Malwarebytes removes PDFSearchHQ completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PDFSearchHQ hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Notifications: Default -> hxxps://install.pdfsearchhq.com CHR DefaultSearchURL: Default -> hxxps://feed.pdfsearchhq.com/?q={searchTerms}&publisher=pdfsearchhq&barcodeid=586490000000000 CHR DefaultSearchKeyword: Default -> PDFSearchHQ CHR DefaultSuggestURL: Default -> hxxps://api.pdfsearchhq.com/suggest/get?q={searchTerms} CHR Extension: (PDFSearchHQ) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbfcbidlcbnolaphegpcpippkdpckihf [2021-01-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbfcbidlcbnolaphegpcpippkdpckihf\1.1.0_0 Adds the file manifest.json"="1/6/2021 9:13 AM, 2072 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbfcbidlcbnolaphegpcpippkdpckihf\1.1.0_0\_metadata Adds the file computed_hashes.json"="1/6/2021 9:13 AM, 6725 bytes, A Adds the file verified_contents.json"="11/16/2020 11:11 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbfcbidlcbnolaphegpcpippkdpckihf\1.1.0_0\images Adds the file logo-white-text.png"="11/16/2020 11:11 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbfcbidlcbnolaphegpcpippkdpckihf\1.1.0_0\images\icons Adds the file 128x128.png"="1/6/2021 9:13 AM, 1956 bytes, A Adds the file 16x16.png"="1/6/2021 9:13 AM, 365 bytes, A Adds the file 64x64.png"="1/6/2021 9:13 AM, 1156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbfcbidlcbnolaphegpcpippkdpckihf\1.1.0_0\scripts Adds the file background.js"="11/16/2020 11:11 AM, 553430 bytes, A Adds the file sitecontent.js"="11/16/2020 11:11 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hbfcbidlcbnolaphegpcpippkdpckihf Adds the file 000003.log"="1/6/2021 9:18 AM, 818 bytes, A Adds the file CURRENT"="1/6/2021 9:13 AM, 16 bytes, A Adds the file LOCK"="1/6/2021 9:13 AM, 0 bytes, A Adds the file LOG"="1/6/2021 9:13 AM, 183 bytes, A Adds the file MANIFEST-000001"="1/6/2021 9:13 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hbfcbidlcbnolaphegpcpippkdpckihf Adds the file PDFSearchHQ.ico"="1/6/2021 9:13 AM, 163385 bytes, A Adds the file PDFSearchHQ.ico.md5"="1/6/2021 9:13 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hbfcbidlcbnolaphegpcpippkdpckihf"="REG_SZ", "6B497F7C7A31A15E6F12396B7345715FD8D1E6402F9BFE14E0D5021A67A6DE87" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/6/21 Scan Time: 9:24 AM Log File: a7391b60-4ff8-11eb-8551-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1130 Update Package Version: 1.0.35345 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232725 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 58 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hbfcbidlcbnolaphegpcpippkdpckihf, Quarantined, 15230, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\hbfcbidlcbnolaphegpcpippkdpckihf, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HBFCBIDLCBNOLAPHEGPCPIPPKDPCKIHF, Quarantined, 15230, 799722, 1.0.35345, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , 4F8F3EC6702661DA4056E9DB64B496C3, 58AC66BE2D76FD20AC080E649D3C1461D7069B9318734BA192026A4473376CF4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , 973CDF83152930FE2C4EA648841CF232, A5E07D000E91A53F771D0D0AAD59A7A418138BCB98DDE63D5AFACE03E06FF84A Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hbfcbidlcbnolaphegpcpippkdpckihf\000003.log, Quarantined, 15230, 799722, , , , , 1A22301933EA217C3FA79F9F9AB76419, E50D165509495745D279A4414A60F3651FCCC971B5FB48211F835556AE4FFC39 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hbfcbidlcbnolaphegpcpippkdpckihf\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hbfcbidlcbnolaphegpcpippkdpckihf\LOCK, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hbfcbidlcbnolaphegpcpippkdpckihf\LOG, Quarantined, 15230, 799722, , , , , 3BC31D03A2D419D3609CB4DA1A33114E, E618DF6F5BBBDFA85700FA021CE0297304D9552508D59B8693DA8F152BF082F0 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hbfcbidlcbnolaphegpcpippkdpckihf\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HBFCBIDLCBNOLAPHEGPCPIPPKDPCKIHF\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.35345, , ame, , 4880A7C13558FC9C7CB30D328FE4D1FA, C90D2709DA3F6355BFCF7045847E9AD3AAFB12C5490F97B9EBE8F56356E30C5A PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15847, 832955, 1.0.35345, , ame, , 973CDF83152930FE2C4EA648841CF232, A5E07D000E91A53F771D0D0AAD59A7A418138BCB98DDE63D5AFACE03E06FF84A Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is IncognitoSearchPro?The Malwarebytes research team has determined that IncognitoSearchPro is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of search recommendations.How do I know if my computer is affected by IncognitoSearchPro?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and these changed settings:How did IncognitoSearchPro get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove IncognitoSearchPro?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of IncognitoSearchPro? No, Malwarebytes removes IncognitoSearchPro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.The full version of Malwarebytes, as well as Browser Guard would have protected you against the IncognitoSearchPro hijacker. It would have blocked their website, giving you a chance to stop before it became too late.Technical details for expertsPossible signs in FRST logs: CHR Notifications: Default -> hxxps://install.incognitosearchpro.com CHR DefaultSearchURL: Default -> hxxps://feed.incognitosearchpro.com/?q={searchTerms}&publisher=incognitosearchpro&barcodeid=586390000000000 CHR DefaultSearchKeyword: Default -> IncognitoSearchPro CHR DefaultSuggestURL: Default -> hxxps://api.incognitosearchpro.com/suggest/get?q={searchTerms} CHR Extension: (IncognitoSearchPro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjenlgjplfbkcblajicehijdofcnamij [2021-01-03] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjenlgjplfbkcblajicehijdofcnamij\1.1.0_0 Adds the file manifest.json"="1/3/2021 12:39 PM, 2156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjenlgjplfbkcblajicehijdofcnamij\1.1.0_0\_metadata Adds the file computed_hashes.json"="1/3/2021 12:39 PM, 6725 bytes, A Adds the file verified_contents.json"="11/11/2020 11:13 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjenlgjplfbkcblajicehijdofcnamij\1.1.0_0\images Adds the file logo-white-text.png"="11/11/2020 11:13 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjenlgjplfbkcblajicehijdofcnamij\1.1.0_0\images\icons Adds the file 128x128.png"="1/3/2021 12:39 PM, 5896 bytes, A Adds the file 16x16.png"="1/3/2021 12:39 PM, 629 bytes, A Adds the file 64x64.png"="1/3/2021 12:39 PM, 2591 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjenlgjplfbkcblajicehijdofcnamij\1.1.0_0\scripts Adds the file background.js"="11/11/2020 11:13 AM, 553493 bytes, A Adds the file sitecontent.js"="11/11/2020 11:13 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jjenlgjplfbkcblajicehijdofcnamij Adds the file 000003.log"="1/3/2021 12:42 PM, 820 bytes, A Adds the file CURRENT"="1/3/2021 12:39 PM, 16 bytes, A Adds the file LOCK"="1/3/2021 12:39 PM, 0 bytes, A Adds the file LOG"="1/3/2021 12:39 PM, 183 bytes, A Adds the file MANIFEST-000001"="1/3/2021 12:39 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_jjenlgjplfbkcblajicehijdofcnamij Adds the file IncognitoSearchPro.ico"="1/3/2021 12:39 PM, 187549 bytes, A Adds the file IncognitoSearchPro.ico.md5"="1/3/2021 12:39 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jjenlgjplfbkcblajicehijdofcnamij"="REG_SZ", "4EDE5778021863D8192FB2E6257FB0CDC8F7BF10B9DFEF14DEC8EE0446EE2BDF" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/3/21 Scan Time: 12:50 PM Log File: e1bbb86a-4db9-11eb-9193-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1130 Update Package Version: 1.0.35219 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232720 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 5 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jjenlgjplfbkcblajicehijdofcnamij, Quarantined, 15230, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jjenlgjplfbkcblajicehijdofcnamij, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JJENLGJPLFBKCBLAJICEHIJDOFCNAMIJ, Quarantined, 15230, 799722, 1.0.35219, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , BA6C880691BE78E47CE28C116F67279B, 58987ABC11700AA3BFBDE41848DD1BDAC034A236E144D9E628619F4FC948CB7C Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , 9A101D6305D36530DB7D12A82A535695, FA2147C3D5A2AA201526580BA61181B65358FD8ECADDC7C1DC86369C938D9176 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jjenlgjplfbkcblajicehijdofcnamij\000003.log, Quarantined, 15230, 799722, , , , , 4E72046F9105282AF12F1537FDDD2ACD, 63950B96F4A1F985F78876B11B9CA4A95405C86B88D82E0313744A17466BB6F7 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jjenlgjplfbkcblajicehijdofcnamij\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jjenlgjplfbkcblajicehijdofcnamij\LOCK, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jjenlgjplfbkcblajicehijdofcnamij\LOG, Quarantined, 15230, 799722, , , , , 60BF8DC915AA7DC06700005AB52442D1, 8C3F617379D4A833CFCFDF7191CA6DDCFA33FA031EDB2AA129E6192A8236D5DC Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jjenlgjplfbkcblajicehijdofcnamij\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JJENLGJPLFBKCBLAJICEHIJDOFCNAMIJ\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.35219, , ame, , 15D96ABA2B650A1CD369B08E66F8DF72, 6D03B241B19BCB21A3B248F710B89090426B5886ABE580D1D9C2DDDBB518B5A0 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15847, 832955, 1.0.35219, , ame, , 9A101D6305D36530DB7D12A82A535695, FA2147C3D5A2AA201526580BA61181B65358FD8ECADDC7C1DC86369C938D9176 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  16. What is StreaminSearches? The Malwarebytes research team has determined that StreaminSearches is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by StreaminSearches? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did StreaminSearches get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove StreaminSearches? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of StreaminSearches? No, Malwarebytes removes StreaminSearches completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the StreaminSearches hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.streaminsearchs.com CHR DefaultSearchURL: Default -> hxxps://feed.streaminsearchs.com/?q={searchTerms}&publisher=streaminsearchs&barcodeid=576110000000000 CHR DefaultSearchKeyword: Default -> StreaminSearchs CHR DefaultSuggestURL: Default -> hxxps://api.streaminsearchs.com/suggest/get?q={searchTerms} CHR Extension: (StreaminSearchs) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clhgiclnnfjjeedkloemefpadddjnbfk [2020-12-23] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clhgiclnnfjjeedkloemefpadddjnbfk\1.1.0_0 Adds the file manifest.json"="12/23/2020 1:06 PM, 2120 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clhgiclnnfjjeedkloemefpadddjnbfk\1.1.0_0\_metadata Adds the file computed_hashes.json"="12/23/2020 1:06 PM, 6255 bytes, A Adds the file verified_contents.json"="6/16/2020 2:51 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clhgiclnnfjjeedkloemefpadddjnbfk\1.1.0_0\images Adds the file logo-white-text.png"="6/16/2020 2:51 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clhgiclnnfjjeedkloemefpadddjnbfk\1.1.0_0\images\icons Adds the file 128x128.png"="12/23/2020 1:06 PM, 8891 bytes, A Adds the file 16x16.png"="12/23/2020 1:06 PM, 709 bytes, A Adds the file 64x64.png"="12/23/2020 1:06 PM, 4407 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clhgiclnnfjjeedkloemefpadddjnbfk\1.1.0_0\scripts Adds the file background.js"="6/16/2020 2:51 PM, 514626 bytes, A Adds the file sitecontent.js"="6/16/2020 2:51 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clhgiclnnfjjeedkloemefpadddjnbfk Adds the file 000003.log"="12/23/2020 1:06 PM, 0 bytes, A Adds the file CURRENT"="12/23/2020 1:06 PM, 16 bytes, A Adds the file LOCK"="12/23/2020 1:06 PM, 0 bytes, A Adds the file LOG"="12/23/2020 1:06 PM, 0 bytes, A Adds the file MANIFEST-000001"="12/23/2020 1:06 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_clhgiclnnfjjeedkloemefpadddjnbfk Adds the file StreaminSearchs.ico"="12/23/2020 1:06 PM, 210404 bytes, A Adds the file StreaminSearchs.ico.md5"="12/23/2020 1:06 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "clhgiclnnfjjeedkloemefpadddjnbfk"="REG_SZ", "7A925E19BCBF273A2D944B81C4DBFDF9A0158603AB243E78E522A79284416FEA" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/23/20 Scan Time: 1:19 PM Log File: 0d823540-4519-11eb-b19b-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1130 Update Package Version: 1.0.34665 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232535 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 34 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|clhgiclnnfjjeedkloemefpadddjnbfk, Quarantined, 15230, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\clhgiclnnfjjeedkloemefpadddjnbfk, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CLHGICLNNFJJEEDKLOEMEFPADDDJNBFK, Quarantined, 15230, 799722, 1.0.34665, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15230, 799722, , , , , 7D6ABAB94371796E54ABE77010919E6E, 6DE434BA0753EF8635BF8FF9E4371020848007251DB6B0E1C44833C4508DA4E5 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15230, 799722, , , , , A540F4B9202E14C935C483381564E50D, E425D27D506BCAEB377DFE66987EB8AD69F0EEF402FC72FF79B70F5EC5E382C2 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clhgiclnnfjjeedkloemefpadddjnbfk\000003.log, Quarantined, 15230, 799722, , , , , 60F576F2CE42563EB55CCBFD5896A2D2, 873CC99DAC6530BE1DDF10B59845454E6C160B166DF526C08292F34A5EB85DB0 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clhgiclnnfjjeedkloemefpadddjnbfk\CURRENT, Quarantined, 15230, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clhgiclnnfjjeedkloemefpadddjnbfk\LOCK, Quarantined, 15230, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clhgiclnnfjjeedkloemefpadddjnbfk\LOG, Quarantined, 15230, 799722, , , , , CB74B6038414EEFB21A1DC8DDFE4CEA8, B780F6A8FFF7E56494489F45BF69D05745650D9CF9F6FD1191752F7E38F6FE28 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clhgiclnnfjjeedkloemefpadddjnbfk\MANIFEST-000001, Quarantined, 15230, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CLHGICLNNFJJEEDKLOEMEFPADDDJNBFK\1.1.0_0\MANIFEST.JSON, Quarantined, 15230, 799722, 1.0.34665, , ame, , E01E0FF9187D293AC8CBA1B9D3908503, 91FB61AD2BF2AE71C2A9798F3E8D6F0FE75FA62003646ACE18D46B5047334BB0 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15847, 832955, 1.0.34665, , ame, , A540F4B9202E14C935C483381564E50D, E425D27D506BCAEB377DFE66987EB8AD69F0EEF402FC72FF79B70F5EC5E382C2 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  17. What is UltimateStreamSearch? The Malwarebytes research team has determined that UltimateStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by UltimateStreamSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did UltimateStreamSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove UltimateStreamSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of UltimateStreamSearch? No, Malwarebytes removes UltimateStreamSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the UltimateStreamSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.ultimatestreamsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.ultimatestreamsearch.com/?q={searchTerms}&publisher=ultimatestreamsearch&barcodeid=584090000000000 CHR DefaultSearchKeyword: Default -> UltimateStreamSearch CHR DefaultSuggestURL: Default -> hxxps://api.ultimatestreamsearch.com/suggest/get?q={searchTerms} CHR Extension: (UltimateStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcblfcpemlkpioffiihkfmmdkcfddjip [2020-12-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcblfcpemlkpioffiihkfmmdkcfddjip\1.1.0_0 Adds the file manifest.json"="12/14/2020 9:27 AM, 2180 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcblfcpemlkpioffiihkfmmdkcfddjip\1.1.0_0\_metadata Adds the file computed_hashes.json"="12/14/2020 9:27 AM, 6725 bytes, A Adds the file verified_contents.json"="10/20/2020 9:47 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcblfcpemlkpioffiihkfmmdkcfddjip\1.1.0_0\images Adds the file logo-white-text.png"="10/20/2020 9:47 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcblfcpemlkpioffiihkfmmdkcfddjip\1.1.0_0\images\icons Adds the file 128x128.png"="12/14/2020 9:27 AM, 1798 bytes, A Adds the file 16x16.png"="12/14/2020 9:27 AM, 553 bytes, A Adds the file 64x64.png"="12/14/2020 9:27 AM, 1390 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcblfcpemlkpioffiihkfmmdkcfddjip\1.1.0_0\scripts Adds the file background.js"="10/20/2020 9:47 AM, 553511 bytes, A Adds the file sitecontent.js"="10/20/2020 9:47 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcblfcpemlkpioffiihkfmmdkcfddjip Adds the file 000003.log"="12/14/2020 9:27 AM, 0 bytes, A Adds the file CURRENT"="12/14/2020 9:27 AM, 16 bytes, A Adds the file LOCK"="12/14/2020 9:27 AM, 0 bytes, A Adds the file LOG"="12/14/2020 9:27 AM, 0 bytes, A Adds the file MANIFEST-000001"="12/14/2020 9:27 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_jcblfcpemlkpioffiihkfmmdkcfddjip Adds the file UltimateStreamSearch.ico"="12/14/2020 9:27 AM, 164974 bytes, A Adds the file UltimateStreamSearch.ico.md5"="12/14/2020 9:27 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jcblfcpemlkpioffiihkfmmdkcfddjip"="REG_SZ", "E9E057A305F2CAF837D1577BA2B449A004ED21F94BB2D494735BC9D808EBCC59" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/14/20 Scan Time: 9:36 AM Log File: 6dc54c46-3de7-11eb-b50e-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1130 Update Package Version: 1.0.34343 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232225 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 12 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jcblfcpemlkpioffiihkfmmdkcfddjip, Quarantined, 15785, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jcblfcpemlkpioffiihkfmmdkcfddjip, Quarantined, 15785, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JCBLFCPEMLKPIOFFIIHKFMMDKCFDDJIP, Quarantined, 15785, 799722, 1.0.34343, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15785, 799722, , , , , 91083E7F00C73DE23E1E39DAEC55E0D7, 651E73177ACBBE7FF63C5E3C4A4D24907BFA14C24C049EA476A364D8665C03B1 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15785, 799722, , , , , 9B0E841DC92DAC42D462184128D7F52E, 34B4F2148706187896F5343D9C01A7DB2C5FB07E36D166FA0B3E18766D955190 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcblfcpemlkpioffiihkfmmdkcfddjip\000003.log, Quarantined, 15785, 799722, , , , , B56B021D8DC34597690DAD20E36B54B6, D5598C44B7A7FB130B099B1F7D3AF81D52415C737DE9FA7F963A4473E021F70E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcblfcpemlkpioffiihkfmmdkcfddjip\CURRENT, Quarantined, 15785, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcblfcpemlkpioffiihkfmmdkcfddjip\LOCK, Quarantined, 15785, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcblfcpemlkpioffiihkfmmdkcfddjip\LOG, Quarantined, 15785, 799722, , , , , 9D99E15AA0C6E0650BD0D1BB0BCB16DB, 68E8A0A55B97E8F8566538A2082225F4916CCE77A1654811A8936FD38ED6B9B0 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcblfcpemlkpioffiihkfmmdkcfddjip\MANIFEST-000001, Quarantined, 15785, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JCBLFCPEMLKPIOFFIIHKFMMDKCFDDJIP\1.1.0_0\MANIFEST.JSON, Quarantined, 15785, 799722, 1.0.34343, , ame, , 3EF49FDCB6F55E458AC9CA363A9E81E5, 2F37EB907250AEA240B4D775A2AE5B086449EDC53ABAA6437134EA0B6FEA7ED5 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.34343, , ame, , 9B0E841DC92DAC42D462184128D7F52E, 34B4F2148706187896F5343D9C01A7DB2C5FB07E36D166FA0B3E18766D955190 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  18. What is GlobalSearchConverter? The Malwarebytes research team has determined that GlobalSearchConverter is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by GlobalSearchConverter? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did GlobalSearchConverter get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove GlobalSearchConverter? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of GlobalSearchConverter? No, Malwarebytes removes GlobalSearchConverter completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the GlobalSearchConverter hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.globalsearchconverter.com CHR DefaultSearchURL: Default -> hxxps://feed.globalsearchconverter.com/?q={searchTerms}&publisher=globalsearchconverter&barcodeid=585370000000000 CHR DefaultSearchKeyword: Default -> GlobalSearchConverter CHR DefaultSuggestURL: Default -> hxxps://api.globalsearchconverter.com/suggest/get?q={searchTerms} CHR Extension: (GlobalSearchConverter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kehbfcajkbpmompiplmodakpceicfgkc [2020-12-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kehbfcajkbpmompiplmodakpceicfgkc\1.1.0_0 Adds the file manifest.json"="12/11/2020 9:06 AM, 2192 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kehbfcajkbpmompiplmodakpceicfgkc\1.1.0_0\_metadata Adds the file computed_hashes.json"="12/11/2020 9:06 AM, 6725 bytes, A Adds the file verified_contents.json"="10/21/2020 10:27 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kehbfcajkbpmompiplmodakpceicfgkc\1.1.0_0\images Adds the file logo-white-text.png"="10/21/2020 10:27 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kehbfcajkbpmompiplmodakpceicfgkc\1.1.0_0\images\icons Adds the file 128x128.png"="12/11/2020 9:06 AM, 7402 bytes, A Adds the file 16x16.png"="12/11/2020 9:06 AM, 621 bytes, A Adds the file 64x64.png"="12/11/2020 9:06 AM, 3447 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kehbfcajkbpmompiplmodakpceicfgkc\1.1.0_0\scripts Adds the file background.js"="10/21/2020 10:27 AM, 553520 bytes, A Adds the file sitecontent.js"="10/21/2020 10:27 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kehbfcajkbpmompiplmodakpceicfgkc Adds the file 000003.log"="12/11/2020 9:06 AM, 0 bytes, A Adds the file CURRENT"="12/11/2020 9:06 AM, 16 bytes, A Adds the file LOCK"="12/11/2020 9:06 AM, 0 bytes, A Adds the file LOG"="12/11/2020 9:06 AM, 0 bytes, A Adds the file MANIFEST-000001"="12/11/2020 9:06 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kehbfcajkbpmompiplmodakpceicfgkc Adds the file GlobalSearchConverter.ico"="12/11/2020 9:07 AM, 192415 bytes, A Adds the file GlobalSearchConverter.ico.md5"="12/11/2020 9:07 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kehbfcajkbpmompiplmodakpceicfgkc"="REG_SZ", "D89C85E1A68CD5A74837C5A569BE9E1301841B9BF9D164CD66B3FF34126F803D" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/11/20 Scan Time: 9:14 AM Log File: ea6f9c12-3b88-11eb-87b8-080027235d76.json -Software Information- Version: 4.3.0.98 Components Version: 1.0.1130 Update Package Version: 1.0.34199 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232222 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 3 min, 33 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kehbfcajkbpmompiplmodakpceicfgkc, Quarantined, 15774, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\kehbfcajkbpmompiplmodakpceicfgkc, Quarantined, 15774, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KEHBFCAJKBPMOMPIPLMODAKPCEICFGKC, Quarantined, 15774, 799722, 1.0.34199, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15774, 799722, , , , , 9B650D015FEB7C504A09FB336D1AA0A0, 05B0EACC6E1FB45E24120D3E0C07BDF02BBD7F5428067CFDC45280095D91B13C Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15774, 799722, , , , , 629DDE397E1DCB2DD061AB45B8D913A5, 693BCDCA450483721D2C3F8127663807DD9B8B042510564FF28AA171568BFC71 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kehbfcajkbpmompiplmodakpceicfgkc\000003.log, Quarantined, 15774, 799722, , , , , 38ADBFA379FBB3FA18F797793345D607, EF1467864E90D75E66D95C50749CCCA1B11D36902961330E7F390508A03DE45B Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kehbfcajkbpmompiplmodakpceicfgkc\CURRENT, Quarantined, 15774, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kehbfcajkbpmompiplmodakpceicfgkc\LOCK, Quarantined, 15774, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kehbfcajkbpmompiplmodakpceicfgkc\LOG, Quarantined, 15774, 799722, , , , , 7C03329581B60F702B4CCBE4C42620F4, 4B487DE75A2B058436500F221E28C33550EF2F79201A9A2E97FF6A7B702C3C26 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kehbfcajkbpmompiplmodakpceicfgkc\MANIFEST-000001, Quarantined, 15774, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KEHBFCAJKBPMOMPIPLMODAKPCEICFGKC\1.1.0_0\MANIFEST.JSON, Quarantined, 15774, 799722, 1.0.34199, , ame, , 1AC2A6AE2B49D4CA4E6F478CE4467168, 22082CB20A02CE49E9DCE23A48578A7A11F2D98A50916D8F0408137612617428 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832955, 1.0.34199, , ame, , 629DDE397E1DCB2DD061AB45B8D913A5, 693BCDCA450483721D2C3F8127663807DD9B8B042510564FF28AA171568BFC71 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  19. What is GamingSearch? The Malwarebytes research team has determined that GamingSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by GamingSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did GamingSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove GamingSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of GamingSearch? No, Malwarebytes removes GamingSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Browser Guard, as well as the full version of Malwarebytes would have protected you against the GamingSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.gaming-search.com CHR DefaultSearchURL: Default -> hxxps://feed.gaming-search.com/?q={searchTerms}&publisher=gamingsearch&barcodeid=576900000000000 CHR DefaultSearchKeyword: Default -> GamingSearch CHR DefaultSuggestURL: Default -> hxxps://api.gaming-search.com/suggest/get?q={searchTerms} CHR Extension: (GamingSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glamnjagemaiajfkpipadnlelgodobhn [2020-10-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glamnjagemaiajfkpipadnlelgodobhn\1.1.0_0 Adds the file manifest.json"="10/15/2020 9:15 AM, 2090 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glamnjagemaiajfkpipadnlelgodobhn\1.1.0_0\_metadata Adds the file computed_hashes.json"="10/15/2020 9:15 AM, 6255 bytes, A Adds the file verified_contents.json"="7/9/2020 3:21 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glamnjagemaiajfkpipadnlelgodobhn\1.1.0_0\images Adds the file logo-white-text.png"="7/9/2020 3:21 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glamnjagemaiajfkpipadnlelgodobhn\1.1.0_0\images\icons Adds the file 128x128.png"="10/15/2020 9:15 AM, 9229 bytes, A Adds the file 16x16.png"="10/15/2020 9:15 AM, 719 bytes, A Adds the file 64x64.png"="10/15/2020 9:15 AM, 4264 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glamnjagemaiajfkpipadnlelgodobhn\1.1.0_0\scripts Adds the file background.js"="7/9/2020 3:21 PM, 514579 bytes, A Adds the file sitecontent.js"="7/9/2020 3:21 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glamnjagemaiajfkpipadnlelgodobhn Adds the file 000003.log"="10/15/2020 9:18 AM, 821 bytes, A Adds the file CURRENT"="10/15/2020 9:15 AM, 16 bytes, A Adds the file LOCK"="10/15/2020 9:15 AM, 0 bytes, A Adds the file LOG"="10/15/2020 9:15 AM, 183 bytes, A Adds the file MANIFEST-000001"="10/15/2020 9:15 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_glamnjagemaiajfkpipadnlelgodobhn Adds the file GamingSearch.ico"="10/15/2020 9:15 AM, 204153 bytes, A Adds the file GamingSearch.ico.md5"="10/15/2020 9:15 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "glamnjagemaiajfkpipadnlelgodobhn"="REG_SZ", "38C019CF408E3E4883A40BE73448D67B9C74A65EDCDC0D1A818427E3CE91C2B9" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/15/20 Scan Time: 9:24 AM Log File: 8379607c-0eb7-11eb-beed-080027235d76.json -Software Information- Version: 4.2.1.89 Components Version: 1.0.1061 Update Package Version: 1.0.31372 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 231839 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 6 min, 8 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|glamnjagemaiajfkpipadnlelgodobhn, Quarantined, 15232, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\glamnjagemaiajfkpipadnlelgodobhn, Quarantined, 15232, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GLAMNJAGEMAIAJFKPIPADNLELGODOBHN, Quarantined, 15232, 799722, 1.0.31372, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15232, 799722, , , , , 5DFEC17C25C4FA1E346E80934AB0304F, 1E0B8A9E57A589E6159335B0CEB4BDC09A874EBC8C1C46E0F1ED8D2F76E9CECD Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15232, 799722, , , , , 272BD87B6A3F433F81AA02837AABF99F, 6154DB0B47FC23A270DB24B510CF818F2187FF9BC5B774C67143797E57A71099 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glamnjagemaiajfkpipadnlelgodobhn\000003.log, Quarantined, 15232, 799722, , , , , D2A3707270CC3E27CD823852BA986680, 0EB64A1496B8090C5DCA3C6E0FF37B4D62C1391F2EF7FADACF9331FF1D8D91D3 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glamnjagemaiajfkpipadnlelgodobhn\CURRENT, Quarantined, 15232, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glamnjagemaiajfkpipadnlelgodobhn\LOCK, Quarantined, 15232, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glamnjagemaiajfkpipadnlelgodobhn\LOG, Quarantined, 15232, 799722, , , , , 26342D5ACB2B9A93BBAF5303F071B47B, 83FE647B5417C338C5A7793FEFA5C8DD7F9F8ED9C562EA67B12C28EDBE36120C Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glamnjagemaiajfkpipadnlelgodobhn\MANIFEST-000001, Quarantined, 15232, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GLAMNJAGEMAIAJFKPIPADNLELGODOBHN\1.1.0_0\MANIFEST.JSON, Quarantined, 15232, 799722, 1.0.31372, , ame, , 49DEB8FC97B79543A4FAC86E25B5876D, D807FC9D0CFD5BAA7A6596D065274C52C1A16A8906EC1D5ED6A1B2819AB6F18F PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15846, 832182, 1.0.31372, , ame, , 272BD87B6A3F433F81AA02837AABF99F, 6154DB0B47FC23A270DB24B510CF818F2187FF9BC5B774C67143797E57A71099 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  20. What is NewVideoSearch?The Malwarebytes research team has determined that NewVideoSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses web push notifications.How do I know if my computer is affected by NewVideoSearch?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and these changed settings:How did NewVideoSearch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove NewVideoSearch?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of NewVideoSearch? No, Malwarebytes removes NewVideoSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the NewVideoSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Notifications: Default -> hxxps://get.newvideo-search.com CHR DefaultSearchURL: Default -> hxxps://feed.newvideo-search.com/?q={searchTerms}&publisher=newvideosearch&barcodeid=579290000000000 CHR DefaultSearchKeyword: Default -> NewVideoSearch CHR DefaultSuggestURL: Default -> hxxps://api.newvideo-search.com/suggest/get?q={searchTerms} CHR Extension: (NewVideoSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\onkmbbpgdkabcfleaiilcncfffnkfjac [2020-10-09] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\onkmbbpgdkabcfleaiilcncfffnkfjac\1.1.0_0 Adds the file manifest.json"="10/9/2020 10:46 AM, 2114 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\onkmbbpgdkabcfleaiilcncfffnkfjac\1.1.0_0\_metadata Adds the file computed_hashes.json"="10/9/2020 10:46 AM, 6255 bytes, A Adds the file verified_contents.json"="8/4/2020 9:18 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\onkmbbpgdkabcfleaiilcncfffnkfjac\1.1.0_0\images Adds the file logo-white-text.png"="8/4/2020 9:18 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\onkmbbpgdkabcfleaiilcncfffnkfjac\1.1.0_0\images\icons Adds the file 128x128.png"="10/9/2020 10:46 AM, 5765 bytes, A Adds the file 16x16.png"="10/9/2020 10:46 AM, 548 bytes, A Adds the file 64x64.png"="10/9/2020 10:46 AM, 2789 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\onkmbbpgdkabcfleaiilcncfffnkfjac\1.1.0_0\scripts Adds the file background.js"="8/4/2020 9:18 AM, 514512 bytes, A Adds the file sitecontent.js"="8/4/2020 9:18 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\onkmbbpgdkabcfleaiilcncfffnkfjac Adds the file 000003.log"="10/9/2020 10:50 AM, 850 bytes, A Adds the file CURRENT"="10/9/2020 10:46 AM, 16 bytes, A Adds the file LOCK"="10/9/2020 10:46 AM, 0 bytes, A Adds the file LOG"="10/9/2020 10:46 AM, 184 bytes, A Adds the file MANIFEST-000001"="10/9/2020 10:46 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_onkmbbpgdkabcfleaiilcncfffnkfjac Adds the file NewVideoSearch.ico"="10/9/2020 10:46 AM, 185482 bytes, A Adds the file NewVideoSearch.ico.md5"="10/9/2020 10:46 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "onkmbbpgdkabcfleaiilcncfffnkfjac"="REG_SZ", "A832298019F7DB75F7B285B6AB6991B71EFC02A8AB24C49425DD253826C4CB63" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/9/20 Scan Time: 10:56 AM Log File: 466a5b72-0a0d-11eb-b6ec-080027235d76.json -Software Information- Version: 4.2.1.89 Components Version: 1.0.1061 Update Package Version: 1.0.31034 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 231711 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 5 min, 49 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|onkmbbpgdkabcfleaiilcncfffnkfjac, Quarantined, 15407, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\onkmbbpgdkabcfleaiilcncfffnkfjac, Quarantined, 15407, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ONKMBBPGDKABCFLEAIILCNCFFFNKFJAC, Quarantined, 15407, 799722, 1.0.31034, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15407, 799722, , , , , 18484CEC5C96C602F22172C7A577DDAE, 931E75140F551B9B124E7ED3C354B1EE56E91447821704E970CE77289126E4FA Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15407, 799722, , , , , 4E4A26A6EA4285A566ADAA1796EC204B, B04B4C1FDDD76947A9536B3A4AE3FF22B39B30387A3BEBBF59667AD81C77069B Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\onkmbbpgdkabcfleaiilcncfffnkfjac\000003.log, Quarantined, 15407, 799722, , , , , 8C21615C27C2A735309820ECF22C7263, 963F3D12034D46581BBE267D3C906F294BD815177ACB8ECFB0CCE01E4BB3F283 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\onkmbbpgdkabcfleaiilcncfffnkfjac\CURRENT, Quarantined, 15407, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\onkmbbpgdkabcfleaiilcncfffnkfjac\LOCK, Quarantined, 15407, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\onkmbbpgdkabcfleaiilcncfffnkfjac\LOG, Quarantined, 15407, 799722, , , , , 381A749C3B5A9A812E65E2DB7EFB5D42, 94061B902D0B2EE5F505E4897F27BBAE2169015F01045C98586181F360C0F40A Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\onkmbbpgdkabcfleaiilcncfffnkfjac\MANIFEST-000001, Quarantined, 15407, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ONKMBBPGDKABCFLEAIILCNCFFFNKFJAC\1.1.0_0\MANIFEST.JSON, Quarantined, 15407, 799722, 1.0.31034, , ame, , 77031D2D54ECA60F28E2A52383AFD42A, 6B7EFA5BC96358CA464286F67F5F26363AF16A903D79FDF6CEF4C449B0FC9027 PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832182, 1.0.31034, , ame, , 4E4A26A6EA4285A566ADAA1796EC204B, B04B4C1FDDD76947A9536B3A4AE3FF22B39B30387A3BEBBF59667AD81C77069B Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  21. What is VidSearch?The Malwarebytes research team has determined that VidSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses web push notifications.How do I know if my computer is affected by VidSearch?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and these changed settings:How did VidSearch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove VidSearch?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of VidSearch? No, Malwarebytes removes VidSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the VidSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Notifications: Default -> hxxps://get.vid-search.com CHR DefaultSearchURL: Default -> hxxps://feed.vid-search.com/?q={searchTerms}&publisher=vidsearch&barcodeid=573580000000000 CHR DefaultSearchKeyword: Default -> VidSearch CHR DefaultSuggestURL: Default -> hxxps://api.vid-search.com/suggest/get?q={searchTerms} CHR Extension: (VidSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\daflhdlcccfhdmilfjjapjnacnakmndg [2020-08-10] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\daflhdlcccfhdmilfjjapjnacnakmndg\1.1.0_0 Adds the file manifest.json"="8/10/2020 8:49 AM, 2055 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\daflhdlcccfhdmilfjjapjnacnakmndg\1.1.0_0\_metadata Adds the file computed_hashes.json"="8/10/2020 8:49 AM, 6255 bytes, A Adds the file verified_contents.json"="6/1/2020 4:23 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\daflhdlcccfhdmilfjjapjnacnakmndg\1.1.0_0\images Adds the file logo-white-text.png"="6/1/2020 4:23 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\daflhdlcccfhdmilfjjapjnacnakmndg\1.1.0_0\images\icons Adds the file 128x128.png"="8/10/2020 8:49 AM, 5330 bytes, A Adds the file 16x16.png"="8/10/2020 8:49 AM, 615 bytes, A Adds the file 64x64.png"="8/10/2020 8:49 AM, 2637 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\daflhdlcccfhdmilfjjapjnacnakmndg\1.1.0_0\scripts Adds the file background.js"="6/1/2020 4:23 PM, 514531 bytes, A Adds the file sitecontent.js"="6/1/2020 4:23 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\daflhdlcccfhdmilfjjapjnacnakmndg Adds the file 000003.log"="8/10/2020 8:52 AM, 797 bytes, A Adds the file CURRENT"="8/10/2020 8:49 AM, 16 bytes, A Adds the file LOCK"="8/10/2020 8:49 AM, 0 bytes, A Adds the file LOG"="8/10/2020 8:52 AM, 183 bytes, A Adds the file MANIFEST-000001"="8/10/2020 8:49 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_daflhdlcccfhdmilfjjapjnacnakmndg Adds the file VidSearch.ico"="8/10/2020 8:49 AM, 185667 bytes, A Adds the file VidSearch.ico.md5"="8/10/2020 8:49 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "daflhdlcccfhdmilfjjapjnacnakmndg"="REG_SZ", "E5BEC70C09073600BC53BD28748C6B44D4FE39A4C67E1C9D1695B5EA4E908461" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/10/20 Scan Time: 8:57 AM Log File: cc04cb48-dad6-11ea-8cf8-00ffdcc6fdfc.json -Software Information- Version: 4.1.2.73 Components Version: 1.0.990 Update Package Version: 1.0.28249 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 231035 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 5 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|daflhdlcccfhdmilfjjapjnacnakmndg, Quarantined, 15173, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\daflhdlcccfhdmilfjjapjnacnakmndg, Quarantined, 15173, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DAFLHDLCCCFHDMILFJJAPJNACNAKMNDG, Quarantined, 15173, 799722, 1.0.28249, , ame, File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15173, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15173, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\daflhdlcccfhdmilfjjapjnacnakmndg\000003.log, Quarantined, 15173, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\daflhdlcccfhdmilfjjapjnacnakmndg\CURRENT, Quarantined, 15173, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\daflhdlcccfhdmilfjjapjnacnakmndg\LOCK, Quarantined, 15173, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\daflhdlcccfhdmilfjjapjnacnakmndg\LOG, Quarantined, 15173, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\daflhdlcccfhdmilfjjapjnacnakmndg\MANIFEST-000001, Quarantined, 15173, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DAFLHDLCCCFHDMILFJJAPJNACNAKMNDG\1.1.0_0\MANIFEST.JSON, Quarantined, 15173, 799722, 1.0.28249, , ame, PUP.Optional.PushNotifications.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 201, 832182, 1.0.28249, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.