Showing results for tags 'pup.optional.pushnotifications'.


  1. What is OnlineStreamSearch?

     The Malwarebytes research team has determined that OnlineStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

     How do I know if my computer is affected by OnlineStreamSearch?

     You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting:

     How did OnlineStreamSearch get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove OnlineStreamSearch?

     Our program Malwarebytes can detect and remove this potentially unwanted program.

     • Please download Malwarebytes for Windows to your desktop.
     • Double-click MBSetup.exe and follow the prompts to install the program.
     • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
     • Click on the Get started button.
     • Click Scan to start a Threat Scan.
     • When the scan is finished, click Quarantine to remove the found threats.
     • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of OnlineStreamSearch?

     No, Malwarebytes removes OnlineStreamSearch completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below, Malwarebytes Browser Guard and the full version of Malwarebytes would have protected you against the OnlineStreamSearch hijacker.
     It would have blocked their website, giving you a chance to stop it before it became too late.

     Technical details for experts

     Possible signs in FRST logs:

     CHR Notifications: Default -> hxxps://get.onlinestreamsearch.com
     CHR DefaultSearchURL: Default -> hxxps://feed.onlinestreamsearch.com/?q={searchTerms}&publisher=onlinestreamsearch&barcodeid=584040000000000
     CHR DefaultSearchKeyword: Default -> OnlineStreamSearch
     CHR DefaultSuggestURL: Default -> hxxps://api.onlinestreamsearch.com/suggest/get?q={searchTerms}
     CHR Extension: (OnlineStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj [2021-04-09]

     Alterations made by the installer:

     File system details [View: All details] (Selection)
     ---------------------------------------------------
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0
        Adds the file manifest.json"="4/9/2021 8:55 AM, 2156 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\_metadata
        Adds the file computed_hashes.json"="4/9/2021 8:55 AM, 6255 bytes, A
        Adds the file verified_contents.json"="10/6/2020 9:26 AM, 2049 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\images
        Adds the file logo-white-text.png"="10/6/2020 9:26 AM, 0 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\images\icons
        Adds the file 128x128.png"="4/9/2021 8:55 AM, 10427 bytes, A
        Adds the file 16x16.png"="4/9/2021 8:55 AM, 669 bytes, A
        Adds the file 64x64.png"="4/9/2021 8:55 AM, 4057 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpkpjaepmfhndihmhdmgkfnhnmgabpj\1.1.0_0\scripts
        Adds the file background.js"="10/6/2020 9:26 AM, 514547 bytes, A
        Adds the file sitecontent.js"="10/6/2020 9:26 AM, 77 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjpkpjaepmfhndihmhdmgkfnhnmgabpj
        Adds the file 000003.log"="4/9/2021 8:55 AM, 0 bytes, A
        Adds the file CURRENT"="4/9/2021 8:55 AM, 16 bytes, A
        Adds the file LOCK"="4/9/2021 8:55 AM, 0 bytes, A
        Adds the file LOG"="4/9/2021 8:55 AM, 0 bytes, A
        Adds the file MANIFEST-000001"="4/9/2021 8:55 AM, 41 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kjpkpjaepmfhndihmhdmgkfnhnmgabpj
        Adds the file OnlineStreamSearch.ico"="4/9/2021 8:55 AM, 194804 bytes, A
        Adds the file OnlineStreamSearch.ico.md5"="4/9/2021 8:55 AM, 16 bytes, A

     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
        "kjpkpjaepmfhndihmhdmgkfnhnmgabpj"="REG_SZ", "2F218777DD2DEE73C7805AFE50CC42603D6959F5735FD1628C6F20C663949E64"

     Malwarebytes log:

     As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.

  2. What is AllMusicSearches?

     The Malwarebytes research team has determined that AllMusicSearches is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

     How do I know if my computer is affected by AllMusicSearches?

     You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting:

     How did AllMusicSearches get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove AllMusicSearches?

     Our program Malwarebytes can detect and remove this potentially unwanted program.

     • Please download Malwarebytes for Windows to your desktop.
     • Double-click MBSetup.exe and follow the prompts to install the program.
     • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
     • Click on the Get started button.
     • Click Scan to start a Threat Scan.
     • When the scan is finished, click Quarantine to remove the found threats.
     • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of AllMusicSearches?

     No, Malwarebytes removes AllMusicSearches completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below, Malwarebytes Browser Guard, as well as the full version of Malwarebytes, would have protected you against the AllMusicSearches hijacker.
     It would have blocked their website, giving you a chance to stop it before it became too late.

     Technical details for experts

     Possible signs in FRST logs:

     CHR Notifications: Default -> hxxps://get.allmusicsearches.com
     CHR DefaultSearchURL: Default -> hxxps://feed.allmusicsearches.com/?q={searchTerms}&publisher=allmusicsearches&barcodeid=577260000000000
     CHR DefaultSearchKeyword: Default -> AllMusicSearches
     CHR DefaultSuggestURL: Default -> hxxps://api.allmusicsearches.com/suggest/get?q={searchTerms}
     CHR Extension: (AllMusicSearches) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj [2021-03-08]

     Alterations made by the installer:

     File system details [View: All details] (Selection)
     ---------------------------------------------------
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0
        Adds the file manifest.json"="3/8/2021 10:18 AM, 2132 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\_metadata
        Adds the file computed_hashes.json"="3/8/2021 10:18 AM, 6255 bytes, A
        Adds the file verified_contents.json"="8/24/2020 10:44 AM, 2049 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\images
        Adds the file logo-white-text.png"="8/24/2020 10:44 AM, 0 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\images\icons
        Adds the file 128x128.png"="3/8/2021 10:18 AM, 4637 bytes, A
        Adds the file 16x16.png"="3/8/2021 10:18 AM, 520 bytes, A
        Adds the file 64x64.png"="3/8/2021 10:18 AM, 2321 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljkniknmacmhdnefmnadabodljhilooj\1.1.0_0\scripts
        Adds the file background.js"="8/24/2020 10:44 AM, 514529 bytes, A
        Adds the file sitecontent.js"="8/24/2020 10:44 AM, 77 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ljkniknmacmhdnefmnadabodljhilooj
        Adds the file 000003.log"="3/8/2021 10:18 AM, 0 bytes, A
        Adds the file CURRENT"="3/8/2021 10:18 AM, 16 bytes, A
        Adds the file LOCK"="3/8/2021 10:18 AM, 0 bytes, A
        Adds the file LOG"="3/8/2021 10:18 AM, 0 bytes, A
        Adds the file MANIFEST-000001"="3/8/2021 10:18 AM, 41 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ljkniknmacmhdnefmnadabodljhilooj
        Adds the file AllMusicSearches.ico"="3/8/2021 10:18 AM, 181707 bytes, A
        Adds the file AllMusicSearches.ico.md5"="3/8/2021 10:18 AM, 16 bytes, A

     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
        "ljkniknmacmhdnefmnadabodljhilooj"="REG_SZ", "B908D13B0EEA82D134E21FF89BEB5DAC1C8C4177B4B181F6585A3539DAF29138"

     Malwarebytes log:

     As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.

  3. What is MovieSearchTool?

     The Malwarebytes research team has determined that MovieSearchTool is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

     How do I know if my computer is affected by MovieSearchTool?

     You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings:

     How did MovieSearchTool get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove MovieSearchTool?

     Our program Malwarebytes can detect and remove this potentially unwanted program.

     • Please download Malwarebytes for Windows to your desktop.
     • Double-click MBSetup.exe and follow the prompts to install the program.
     • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
     • Click on the Get started button.
     • Click Scan to start a Threat Scan.
     • When the scan is finished, click Quarantine to remove the found threats.
     • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of MovieSearchTool?

     No, Malwarebytes removes MovieSearchTool completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below, Malwarebytes Browser Guard and the full version of Malwarebytes would have protected you against the MovieSearchTool hijacker.
     It would have blocked their website, giving you a chance to stop it before it became too late.

     Technical details for experts

     Possible signs in FRST logs:

     CHR Notifications: Default -> hxxps://get.moviesearchtool.com
     CHR DefaultSearchURL: Default -> hxxps://feed.moviesearchtool.com/?q={searchTerms}&publisher=moviesearchtool&barcodeid=584280000000000
     CHR DefaultSearchKeyword: Default -> MovieSearchTool
     CHR DefaultSuggestURL: Default -> hxxps://api.moviesearchtool.com/suggest/get?q={searchTerms}
     CHR Extension: (MovieSearchTool) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb [2021-03-01]

     Alterations made by the installer:

     File system details [View: All details] (Selection)
     ---------------------------------------------------
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0
        Adds the file manifest.json"="3/1/2021 9:02 AM, 2120 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\_metadata
        Adds the file computed_hashes.json"="3/1/2021 9:02 AM, 6255 bytes, A
        Adds the file verified_contents.json"="10/6/2020 11:06 AM, 2049 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\images
        Adds the file logo-white-text.png"="10/6/2020 11:06 AM, 0 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\images\icons
        Adds the file 128x128.png"="3/1/2021 9:02 AM, 9798 bytes, A
        Adds the file 16x16.png"="3/1/2021 9:02 AM, 702 bytes, A
        Adds the file 64x64.png"="3/1/2021 9:02 AM, 4198 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnmnfklndbilokgddplokhdlmlkhaphb\1.1.0_0\scripts
        Adds the file background.js"="10/6/2020 11:06 AM, 514520 bytes, A
        Adds the file sitecontent.js"="10/6/2020 11:06 AM, 77 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pnmnfklndbilokgddplokhdlmlkhaphb
        Adds the file 000003.log"="3/1/2021 9:02 AM, 0 bytes, A
        Adds the file CURRENT"="3/1/2021 9:02 AM, 16 bytes, A
        Adds the file LOCK"="3/1/2021 9:02 AM, 0 bytes, A
        Adds the file LOG"="3/1/2021 9:02 AM, 0 bytes, A
        Adds the file MANIFEST-000001"="3/1/2021 9:02 AM, 41 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pnmnfklndbilokgddplokhdlmlkhaphb
        Adds the file MovieSearchTool.ico"="3/1/2021 9:02 AM, 196949 bytes, A
        Adds the file MovieSearchTool.ico.md5"="3/1/2021 9:02 AM, 16 bytes, A

     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
        "pnmnfklndbilokgddplokhdlmlkhaphb"="REG_SZ", "78A3D07F2CD2E616A9587AE07ADE3797D4E397353C1A18B1268042C6C75C9686"

     Malwarebytes log:

     As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.

  4. What is Browser Checkup for Chrome by Doctor?

     The Malwarebytes research team has determined that Browser Checkup for Chrome by Doctor is a browser hijacker. This particular one uses web push notifications. It may also give users a false sense of security.

     How do I know if my computer is affected by Browser Checkup for Chrome by Doctor?

     You may see this browser extension: these warnings during install: and these screens during operations:

     How did Browser Checkup for Chrome by Doctor get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove Browser Checkup for Chrome by Doctor?

     Our program Malwarebytes can detect and remove this potentially unwanted program.

     • Please download Malwarebytes for Windows to your desktop.
     • Double-click MBSetup.exe and follow the prompts to install the program.
     • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
     • Click on the Get started button.
     • Click Scan to start a Threat Scan.
     • When the scan is finished, click Quarantine to remove the found threats.
     • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of Browser Checkup for Chrome by Doctor?

     No, Malwarebytes' Anti-Malware removes Browser Checkup for Chrome by Doctor completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the Browser Checkup for Chrome by Doctor hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts Possible signs in FRST logs: CHR Extension: (Browser Checkup for Chrome by Doctor) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\okjdbeegldeilceaflghgfdemobmfhbd [2021-02-18] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\okjdbeegldeilceaflghgfdemobmfhbd\1.1.9.63_0 Adds the file 11eabca2251325cfc5589c9c6fb57b46.ttf"="12/27/2020 11:01 AM, 171272 bytes, A Adds the file bb20bd82505e606d2271e1aa308d62f2.otf"="12/27/2020 11:01 AM, 43024 bytes, A Adds the file doctor.js"="12/27/2020 11:01 AM, 133801 bytes, A Adds the file index.html"="12/27/2020 11:01 AM, 292 bytes, A Adds the file index.js"="12/27/2020 11:01 AM, 406601 bytes, A Adds the file manifest.json"="2/18/2021 8:48 AM, 1355 bytes, A Adds the file style.css"="12/27/2020 11:01 AM, 90776 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\okjdbeegldeilceaflghgfdemobmfhbd\1.1.9.63_0\_metadata Adds the file computed_hashes.json"="2/18/2021 8:48 AM, 10289 bytes, A Adds the file verified_contents.json"="12/27/2020 2:36 PM, 2344 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\okjdbeegldeilceaflghgfdemobmfhbd\1.1.9.63_0\icons Adds the file 128.png"="2/18/2021 8:48 AM, 14638 bytes, A Adds the file 16.png"="2/18/2021 8:48 AM, 937 bytes, A Adds the file 48.png"="2/18/2021 8:48 AM, 4228 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd Adds the file 000003.log"="2/18/2021 8:48 AM, 0 bytes, A Adds the file CURRENT"="2/18/2021 8:48 AM, 16 bytes, A Adds the file LOCK"="2/18/2021 8:48 AM, 0 bytes, A Adds the file LOG"="2/18/2021 8:48 AM, 0 bytes, A Adds the file 
MANIFEST-000001"="2/18/2021 8:48 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\okjdbeegldeilceaflghgfdemobmfhbd Adds the file 000003.log"="2/18/2021 8:48 AM, 0 bytes, A Adds the file CURRENT"="2/18/2021 8:48 AM, 16 bytes, A Adds the file LOCK"="2/18/2021 8:48 AM, 0 bytes, A Adds the file LOG"="2/18/2021 8:48 AM, 0 bytes, A Adds the file MANIFEST-000001"="2/18/2021 8:48 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "okjdbeegldeilceaflghgfdemobmfhbd"="REG_SZ", "8EDF3CA2D1CDF7B4C6FE4153E9C347733168B0B490E1357CF25B81DDB33B02C6"
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Package Tracker Express BETA EXTENSION?
     The Malwarebytes research team has determined that Package Tracker Express BETA EXTENSION is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and sometimes uses web push notifications.

     How do I know if my computer is affected by Package Tracker Express BETA EXTENSION?
     You may see this browser extension: these warnings during install: You may see this new startpage: and this new setting:

     How did Package Tracker Express BETA EXTENSION get on my computer?
     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: and you can find their EULA on their website:

     How do I remove Package Tracker Express BETA EXTENSION?
     Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise following the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of Package Tracker Express BETA EXTENSION?
     No, Malwarebytes' Anti-Malware removes Package Tracker Express BETA EXTENSION completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?
     We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Package Tracker Express BETA EXTENSION hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://cpakijaoamlficlbekncfmjoihbdkdff/modern_newtab.html" CHR Extension: (Package Tracker Express BETA EXTENSION) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpakijaoamlficlbekncfmjoihbdkdff [2021-02-16] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpakijaoamlficlbekncfmjoihbdkdff\2.9.1.20_0 Adds the file manifest.json"="2/16/2021 8:10 AM, 1095 bytes, A Adds the file modern_newtab.html"="8/26/2020 6:20 PM, 279 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpakijaoamlficlbekncfmjoihbdkdff\2.9.1.20_0\_metadata Adds the file computed_hashes.json"="2/16/2021 8:10 AM, 643 bytes, A Adds the file verified_contents.json"="8/26/2020 6:20 PM, 2023 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpakijaoamlficlbekncfmjoihbdkdff\2.9.1.20_0\icons Adds the file icon128.png"="2/16/2021 8:10 AM, 1254 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpakijaoamlficlbekncfmjoihbdkdff\2.9.1.20_0\js Adds the file background.js"="8/26/2020 6:20 PM, 1126 bytes, A Adds the file cmnConstant.js"="8/26/2020 6:20 PM, 2836 bytes, A Adds the file modern_newtab.js"="8/26/2020 6:20 PM, 89 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpakijaoamlficlbekncfmjoihbdkdff\2.9.1.20_0\permission Adds the 
file permissions.html"="8/26/2020 6:20 PM, 6731 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cpakijaoamlficlbekncfmjoihbdkdff Adds the file 000003.log"="2/16/2021 8:10 AM, 0 bytes, A Adds the file CURRENT"="2/16/2021 8:10 AM, 16 bytes, A Adds the file LOCK"="2/16/2021 8:10 AM, 0 bytes, A Adds the file LOG"="2/16/2021 8:10 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/16/2021 8:10 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cpakijaoamlficlbekncfmjoihbdkdff"="REG_SZ", "024BA087F49033D44566A0798720CCCBB9CE72B4660CC19B1B275C4665160512"
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is ConvertItSearch?
     The Malwarebytes research team has determined that ConvertItSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

     How do I know if my computer is affected by ConvertItSearch?
     You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings:

     How did ConvertItSearch get on my computer?
     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove ConvertItSearch?
     Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of ConvertItSearch?
     No, Malwarebytes removes ConvertItSearch completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?
     We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the ConvertItSearch hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.convertitsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.convertitsearch.com/?q={searchTerms}&publisher=convertitsearch&barcodeid=577290000000000 CHR DefaultSearchKeyword: Default -> ConvertItSearch CHR DefaultSuggestURL: Default -> hxxps://api.convertitsearch.com/suggest/get?q={searchTerms} CHR Extension: (ConvertItSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn [2021-02-12] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn\1.1.0_0 Adds the file manifest.json"="2/12/2021 9:03 AM, 2120 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/12/2021 9:03 AM, 6255 bytes, A Adds the file verified_contents.json"="7/21/2020 11:16 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn\1.1.0_0\images Adds the file logo-white-text.png"="7/21/2020 11:16 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn\1.1.0_0\images\icons Adds the file 128x128.png"="2/12/2021 9:03 AM, 7167 bytes, A Adds the file 16x16.png"="2/12/2021 9:03 AM, 624 bytes, A Adds the file 64x64.png"="2/12/2021 9:03 AM, 3363 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdfbocoencgihhaeefgbikgkohjpkdbn\1.1.0_0\scripts Adds the file background.js"="7/21/2020 11:16 
AM, 514626 bytes, A Adds the file sitecontent.js"="7/21/2020 11:16 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cdfbocoencgihhaeefgbikgkohjpkdbn Adds the file 000003.log"="2/12/2021 9:03 AM, 0 bytes, A Adds the file CURRENT"="2/12/2021 9:03 AM, 16 bytes, A Adds the file LOCK"="2/12/2021 9:03 AM, 0 bytes, A Adds the file LOG"="2/12/2021 9:03 AM, 0 bytes, A Adds the file MANIFEST-000001"="2/12/2021 9:03 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_cdfbocoencgihhaeefgbikgkohjpkdbn Adds the file ConvertItSearch.ico"="2/12/2021 9:03 AM, 195478 bytes, A Adds the file ConvertItSearch.ico.md5"="2/12/2021 9:03 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cdfbocoencgihhaeefgbikgkohjpkdbn"="REG_SZ", "84EFAE078E5DD9FACEE1849459296F79590565412D49E832F159538D32F17115"
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is AnyGameSearch?
     The Malwarebytes research team has determined that AnyGameSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

     How do I know if my computer is affected by AnyGameSearch?
     You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting:

     How did AnyGameSearch get on my computer?
     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove AnyGameSearch?
     Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of AnyGameSearch?
     No, Malwarebytes removes AnyGameSearch completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?
     We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the AnyGameSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.anygamesearch.com CHR DefaultSearchURL: Default -> hxxps://feed.anygamesearch.com/?q={searchTerms}&publisher=anygamesearch&barcodeid=576890000000000 CHR DefaultSearchKeyword: Default -> AnyGameSearch CHR DefaultSuggestURL: Default -> hxxps://api.anygamesearch.com/suggest/get?q={searchTerms} CHR Extension: (AnyGameSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn [2021-02-10] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn\1.1.0_0 Adds the file manifest.json"="2/10/2021 7:48 AM, 2096 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn\1.1.0_0\_metadata Adds the file computed_hashes.json"="2/10/2021 7:48 AM, 6255 bytes, A Adds the file verified_contents.json"="7/9/2020 2:50 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn\1.1.0_0\images Adds the file logo-white-text.png"="7/9/2020 2:50 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn\1.1.0_0\images\icons Adds the file 128x128.png"="2/10/2021 7:48 AM, 8772 bytes, A Adds the file 16x16.png"="2/10/2021 7:48 AM, 835 bytes, A Adds the file 64x64.png"="2/10/2021 7:48 AM, 4193 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cneeapnjflfgmlffolfefiehoclcmdkn\1.1.0_0\scripts Adds the file background.js"="7/9/2020 2:50 PM, 514594 bytes, A Adds the file sitecontent.js"="7/9/2020 2:50 PM, 77 bytes, A Adds the folder 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cneeapnjflfgmlffolfefiehoclcmdkn Adds the file 000003.log"="2/10/2021 7:48 AM, 0 bytes, A Adds the file CURRENT"="2/10/2021 7:48 AM, 16 bytes, A Adds the file LOCK"="2/10/2021 7:48 AM, 0 bytes, A Adds the file LOG"="2/10/2021 7:48 AM, 0 bytes, A Adds the file MANIFEST-000001"="2/10/2021 7:48 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_cneeapnjflfgmlffolfefiehoclcmdkn Adds the file AnyGameSearch.ico"="2/10/2021 7:48 AM, 206154 bytes, A Adds the file AnyGameSearch.ico.md5"="2/10/2021 7:48 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cneeapnjflfgmlffolfefiehoclcmdkn"="REG_SZ", "4BD71F2627ED23125986AF0586F6463B5209AFE36FF267AB760814E156179BB3"
Quarantined, 15232, 799722, , , , , ECF73745D594746614526CA7F4581CF2, F163E3767E6AD310D7A4EEE7A046C912299E3DB284EE4BBD06426BFC804A705E Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cneeapnjflfgmlffolfefiehoclcmdkn\MANIFEST-000001, Quarantined, 15232, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CNEEAPNJFLFGMLFFOLFEFIEHOCLCMDKN\1.1.0_0\MANIFEST.JSON, Quarantined, 15232, 799722, 1.0.36899, , ame, , DF9415DE2BC5685B8BE0E35C4B5027D1, C390249524ED4EF3442414BB49038B34759948854BC3D2A39AFC385A6D0C2749 PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 14953, 846248, 1.0.36899, , ame, , 3661F4B716BA223A0BE2E6112ECCE952, A87547EF33630902BB5E4A3E95DADDB7E842F33E31ACAAECBB93A5CA517C2860 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is CoolStreamSearch?

The Malwarebytes research team has determined that CoolStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

How do I know if my computer is affected by CoolStreamSearch?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and these changed settings:

How did CoolStreamSearch get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove CoolStreamSearch?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of CoolStreamSearch?

No, Malwarebytes removes CoolStreamSearch completely.
If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the CoolStreamSearch hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR Notifications: Default -> hxxps://get.coolstreamsearch.com
CHR DefaultSearchURL: Default -> hxxps://feed.coolstreamsearch.com/?q={searchTerms}&publisher=coolstreamsearch&barcodeid=583980000000000
CHR DefaultSearchKeyword: Default -> CoolStreamSearch
CHR DefaultSuggestURL: Default -> hxxps://api.coolstreamsearch.com/suggest/get?q={searchTerms}
CHR Extension: (CoolStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni [2021-02-04]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni\1.1.0_0
    Adds the file manifest.json"="2/4/2021 8:48 AM, 2132 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni\1.1.0_0\_metadata
    Adds the file computed_hashes.json"="2/4/2021 8:48 AM, 6255 bytes, A
    Adds the file verified_contents.json"="9/16/2020 4:58 PM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni\1.1.0_0\images
    Adds the file logo-white-text.png"="9/16/2020 4:58 PM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni\1.1.0_0\images\icons
    Adds the file 128x128.png"="2/4/2021 8:48 AM, 13136 bytes, A
    Adds the file 16x16.png"="2/4/2021 8:48 AM, 748 bytes, A
    Adds the file 64x64.png"="2/4/2021 8:48 AM, 4994 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blijkdeookckchojnjobhgninmepigni\1.1.0_0\scripts
    Adds the file background.js"="9/16/2020 4:58 PM, 514529 bytes, A
    Adds the file sitecontent.js"="9/16/2020 4:58 PM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blijkdeookckchojnjobhgninmepigni
    Adds the file 000003.log"="2/4/2021 8:48 AM, 0 bytes, A
    Adds the file CURRENT"="2/4/2021 8:48 AM, 16 bytes, A
    Adds the file LOCK"="2/4/2021 8:48 AM, 0 bytes, A
    Adds the file LOG"="2/4/2021 8:48 AM, 0 bytes, A
    Adds the file MANIFEST-000001"="2/4/2021 8:48 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_blijkdeookckchojnjobhgninmepigni
    Adds the file CoolStreamSearch.ico"="2/4/2021 8:48 AM, 203859 bytes, A
    Adds the file CoolStreamSearch.ico.md5"="2/4/2021 8:48 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"blijkdeookckchojnjobhgninmepigni"="REG_SZ", "4DF99D9673A5EB03234513F84815E3AD4197D2A5F24102C1F2CB274E0515EBF1"

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  9. What is SmartStreamSearch?

The Malwarebytes research team has determined that SmartStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

How do I know if my computer is affected by SmartStreamSearch?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and this changed setting:

How did SmartStreamSearch get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove SmartStreamSearch?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of SmartStreamSearch?

No, Malwarebytes removes SmartStreamSearch completely.
If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SmartStreamSearch hijacker.
It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR Notifications: Default -> hxxps://get.smartstreamsearch.com
CHR DefaultSearchURL: Default -> hxxps://feed.smartstreamsearch.com/?q={searchTerms}&publisher=smartstreamsearch&barcodeid=584030000000000
CHR DefaultSearchKeyword: Default -> SmartStreamSearch
CHR DefaultSuggestURL: Default -> hxxps://api.smartstreamsearch.com/suggest/get?q={searchTerms}
CHR Extension: (SmartStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eplgeocjolljcekonmlblfdoeakklejl [2021-01-13]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eplgeocjolljcekonmlblfdoeakklejl\1.1.0_0
    Adds the file manifest.json"="1/13/2021 8:46 AM, 2144 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eplgeocjolljcekonmlblfdoeakklejl\1.1.0_0\_metadata
    Adds the file computed_hashes.json"="1/13/2021 8:46 AM, 6255 bytes, A
    Adds the file verified_contents.json"="10/6/2020 9:21 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eplgeocjolljcekonmlblfdoeakklejl\1.1.0_0\images
    Adds the file logo-white-text.png"="10/6/2020 9:21 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eplgeocjolljcekonmlblfdoeakklejl\1.1.0_0\images\icons
    Adds the file 128x128.png"="1/13/2021 8:46 AM, 8578 bytes, A
    Adds the file 16x16.png"="1/13/2021 8:46 AM, 721 bytes, A
    Adds the file 64x64.png"="1/13/2021 8:46 AM, 3487 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eplgeocjolljcekonmlblfdoeakklejl\1.1.0_0\scripts
    Adds the file background.js"="10/6/2020 9:21 AM, 514538 bytes, A
    Adds the file sitecontent.js"="10/6/2020 9:21 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eplgeocjolljcekonmlblfdoeakklejl
    Adds the file 000003.log"="1/13/2021 8:46 AM, 0 bytes, A
    Adds the file CURRENT"="1/13/2021 8:46 AM, 16 bytes, A
    Adds the file LOCK"="1/13/2021 8:46 AM, 0 bytes, A
    Adds the file LOG"="1/13/2021 8:46 AM, 0 bytes, A
    Adds the file MANIFEST-000001"="1/13/2021 8:46 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_eplgeocjolljcekonmlblfdoeakklejl
    Adds the file SmartStreamSearch.ico"="1/13/2021 8:46 AM, 190161 bytes, A
    Adds the file SmartStreamSearch.ico.md5"="1/13/2021 8:46 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"eplgeocjolljcekonmlblfdoeakklejl"="REG_SZ", "FD3B952368C0E9F5344AB08A3053B40AC30353CD8CB50E6DB1FA8AAE1A95DE6B"

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  10. What is AnyMovieSearch?

The Malwarebytes research team has determined that AnyMovieSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

This particular one is a search hijacker and uses web push notifications. It also adds advertisements to your search results in the form of recommended searches.

How do I know if my computer is affected by AnyMovieSearch?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and this changed setting:

How did AnyMovieSearch get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove AnyMovieSearch?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of AnyMovieSearch?

No, Malwarebytes removes AnyMovieSearch completely.
If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes, as well as Browser Guard would have protected you against the AnyMovieSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR Notifications: Default -> hxxps://get.anymoviesearch.com
CHR DefaultSearchURL: Default -> hxxps://feed.anymoviesearch.com/?q={searchTerms}&publisher=anymoviesearch&barcodeid=577130000000000
CHR DefaultSearchKeyword: Default -> AnyMovieSearch
CHR DefaultSuggestURL: Default -> hxxps://api.anymoviesearch.com/suggest/get?q={searchTerms}
CHR Extension: (AnyMovieSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmdliomlnjeapfckglfbdmandcajldjb [2021-01-05]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmdliomlnjeapfckglfbdmandcajldjb\1.1.0_0
    Adds the file manifest.json"="1/5/2021 9:38 AM, 2108 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmdliomlnjeapfckglfbdmandcajldjb\1.1.0_0\_metadata
    Adds the file computed_hashes.json"="1/5/2021 9:38 AM, 6255 bytes, A
    Adds the file verified_contents.json"="7/14/2020 3:41 PM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmdliomlnjeapfckglfbdmandcajldjb\1.1.0_0\images
    Adds the file logo-white-text.png"="7/14/2020 3:41 PM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmdliomlnjeapfckglfbdmandcajldjb\1.1.0_0\images\icons
    Adds the file 128x128.png"="1/5/2021 9:38 AM, 6283 bytes, A
    Adds the file 16x16.png"="1/5/2021 9:38 AM, 631 bytes, A
    Adds the file 64x64.png"="1/5/2021 9:38 AM, 2999 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmdliomlnjeapfckglfbdmandcajldjb\1.1.0_0\scripts
    Adds the file background.js"="7/14/2020 3:41 PM, 514610 bytes, A
    Adds the file sitecontent.js"="7/14/2020 3:41 PM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hmdliomlnjeapfckglfbdmandcajldjb
    Adds the file 000003.log"="1/5/2021 9:45 AM, 873 bytes, A
    Adds the file CURRENT"="1/5/2021 9:38 AM, 16 bytes, A
    Adds the file LOCK"="1/5/2021 9:38 AM, 0 bytes, A
    Adds the file LOG"="1/5/2021 9:38 AM, 183 bytes, A
    Adds the file MANIFEST-000001"="1/5/2021 9:38 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hmdliomlnjeapfckglfbdmandcajldjb
    Adds the file AnyMovieSearch.ico"="1/5/2021 9:38 AM, 189171 bytes, A
    Adds the file AnyMovieSearch.ico.md5"="1/5/2021 9:38 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"hmdliomlnjeapfckglfbdmandcajldjb"="REG_SZ", "46D99F25261A6C4032E8C331F021AF7304E8910C7AF8B1D0FBE2377884613741"

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  11. What is GameSearchMedia?

The Malwarebytes research team has determined that GameSearchMedia is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

This particular one is a search hijacker and uses web push notifications.

How do I know if my computer is affected by GameSearchMedia?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and this changed setting:

How did GameSearchMedia get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove GameSearchMedia?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of GameSearchMedia?

No, Malwarebytes removes GameSearchMedia completely.
If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the GameSearchMedia hijacker. It would have blocked their website, giving you a chance to stop before it became too late.
Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.gamesearchmedia.com CHR DefaultSearchURL: Default -> hxxps://feed.gamesearchmedia.com/?q={searchTerms}&publisher=gamesearchmedia&barcodeid=585470000000000 CHR DefaultSearchKeyword: Default -> GameSearchMedia CHR DefaultSuggestURL: Default -> hxxps://api.gamesearchmedia.com/suggest/get?q={searchTerms} CHR Extension: (GameSearchMedia) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcbnfpoaclbdkoleoamnfmnioecdbabf [2020-12-16] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcbnfpoaclbdkoleoamnfmnioecdbabf\1.1.0_0 Adds the file manifest.json"="12/16/2020 9:26 AM, 2120 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcbnfpoaclbdkoleoamnfmnioecdbabf\1.1.0_0\_metadata Adds the file computed_hashes.json"="12/16/2020 9:26 AM, 6725 bytes, A Adds the file verified_contents.json"="10/18/2020 2:28 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcbnfpoaclbdkoleoamnfmnioecdbabf\1.1.0_0\images Adds the file logo-white-text.png"="10/18/2020 2:28 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcbnfpoaclbdkoleoamnfmnioecdbabf\1.1.0_0\images\icons Adds the file 128x128.png"="12/16/2020 9:26 AM, 8237 bytes, A Adds the file 16x16.png"="12/16/2020 9:26 AM, 713 bytes, A Adds the file 64x64.png"="12/16/2020 9:26 AM, 3880 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcbnfpoaclbdkoleoamnfmnioecdbabf\1.1.0_0\scripts Adds the file background.js"="10/18/2020 2:28 PM, 553466 bytes, A Adds the file sitecontent.js"="10/18/2020 2:28 PM, 77 bytes, A Adds 
the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lcbnfpoaclbdkoleoamnfmnioecdbabf Adds the file 000003.log"="12/16/2020 9:29 AM, 828 bytes, A Adds the file CURRENT"="12/16/2020 9:26 AM, 16 bytes, A Adds the file LOCK"="12/16/2020 9:26 AM, 0 bytes, A Adds the file LOG"="12/16/2020 9:26 AM, 183 bytes, A Adds the file MANIFEST-000001"="12/16/2020 9:26 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_lcbnfpoaclbdkoleoamnfmnioecdbabf Adds the file GameSearchMedia.ico"="12/16/2020 9:26 AM, 199488 bytes, A Adds the file GameSearchMedia.ico.md5"="12/16/2020 9:26 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "lcbnfpoaclbdkoleoamnfmnioecdbabf"="REG_SZ", "646BE4FA34E4899F0A0A32D8EDD86C0B65AC9B4B270FC44BDE5AA2F82FB9F968" Malwarebytes log:
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is HDMusicStreamSearch? The Malwarebytes research team has determined that HDMusicStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by HDMusicStreamSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did HDMusicStreamSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove HDMusicStreamSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of HDMusicStreamSearch? No, Malwarebytes removes HDMusicStreamSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the HDMusicStreamSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late. 
Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.hdmusicstreamsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.hdmusicstreamsearch.com/?q={searchTerms}&publisher=hdmusicstreamsearch&barcodeid=577220000000000 CHR DefaultSearchKeyword: Default -> HDMusicStreamSearch CHR DefaultSuggestURL: Default -> hxxps://api.hdmusicstreamsearch.com/suggest/get?q={searchTerms} CHR Extension: (HDMusicStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbefaippdfpiclgpjcbdobhbnneldpi [2020-11-27] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbefaippdfpiclgpjcbdobhbnneldpi\1.1.0_0 Adds the file manifest.json"="11/27/2020 10:33 AM, 2168 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbefaippdfpiclgpjcbdobhbnneldpi\1.1.0_0\_metadata Adds the file computed_hashes.json"="11/27/2020 10:33 AM, 6255 bytes, A Adds the file verified_contents.json"="7/16/2020 3:47 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbefaippdfpiclgpjcbdobhbnneldpi\1.1.0_0\images Adds the file logo-white-text.png"="7/16/2020 3:47 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbefaippdfpiclgpjcbdobhbnneldpi\1.1.0_0\images\icons Adds the file 128x128.png"="11/27/2020 10:33 AM, 6753 bytes, A Adds the file 16x16.png"="11/27/2020 10:33 AM, 756 bytes, A Adds the file 64x64.png"="11/27/2020 10:33 AM, 3441 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbefaippdfpiclgpjcbdobhbnneldpi\1.1.0_0\scripts Adds the file background.js"="7/16/2020 3:47 PM, 514690 bytes, A Adds the file sitecontent.js"="7/16/2020 
3:47 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cpbefaippdfpiclgpjcbdobhbnneldpi Adds the file 000003.log"="11/27/2020 10:37 AM, 814 bytes, A Adds the file CURRENT"="11/27/2020 10:33 AM, 16 bytes, A Adds the file LOCK"="11/27/2020 10:33 AM, 0 bytes, A Adds the file LOG"="11/27/2020 10:33 AM, 184 bytes, A Adds the file MANIFEST-000001"="11/27/2020 10:33 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_cpbefaippdfpiclgpjcbdobhbnneldpi Adds the file HDMusicStreamSearch.ico"="11/27/2020 10:33 AM, 198246 bytes, A Adds the file HDMusicStreamSearch.ico.md5"="11/27/2020 10:33 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cpbefaippdfpiclgpjcbdobhbnneldpi"="REG_SZ", "FD4E0245DD9718EE63FC0B283A4A6D669C18A18879F4E812632A948CF850CF7C" Malwarebytes log:
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is FileConverterSearches? The Malwarebytes research team has determined that FileConverterSearches is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by FileConverterSearches? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did FileConverterSearches get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove FileConverterSearches? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of FileConverterSearches? No, Malwarebytes removes FileConverterSearches completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the FileConverterSearches hijacker. It would have blocked their website, giving you a chance to stop before it became too late. 
Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.fileconvertersearches.com CHR DefaultSearchURL: Default -> hxxps://feed.fileconvertersearches.com/?q={searchTerms}&publisher=fileconvertersearches&barcodeid=577270000000000 CHR DefaultSearchKeyword: Default -> FileConverterSearches CHR DefaultSuggestURL: Default -> hxxps://api.fileconvertersearches.com/suggest/get?q={searchTerms} CHR Extension: (FileConverterSearches) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacopnfmngmkhdlmedepfmoblolhiaie [2020-11-25] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacopnfmngmkhdlmedepfmoblolhiaie\1.1.0_0 Adds the file manifest.json"="11/25/2020 9:19 AM, 2192 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacopnfmngmkhdlmedepfmoblolhiaie\1.1.0_0\_metadata Adds the file computed_hashes.json"="11/25/2020 9:19 AM, 6255 bytes, A Adds the file verified_contents.json"="7/21/2020 11:06 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacopnfmngmkhdlmedepfmoblolhiaie\1.1.0_0\images Adds the file logo-white-text.png"="7/21/2020 11:06 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacopnfmngmkhdlmedepfmoblolhiaie\1.1.0_0\images\icons Adds the file 128x128.png"="11/25/2020 9:19 AM, 3740 bytes, A Adds the file 16x16.png"="11/25/2020 9:19 AM, 455 bytes, A Adds the file 64x64.png"="11/25/2020 9:19 AM, 1863 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacopnfmngmkhdlmedepfmoblolhiaie\1.1.0_0\scripts Adds the file background.js"="7/21/2020 11:06 AM, 514722 bytes, A Adds the file 
sitecontent.js"="7/21/2020 11:06 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pacopnfmngmkhdlmedepfmoblolhiaie Adds the file 000003.log"="11/25/2020 9:22 AM, 800 bytes, A Adds the file CURRENT"="11/25/2020 9:19 AM, 16 bytes, A Adds the file LOCK"="11/25/2020 9:19 AM, 0 bytes, A Adds the file LOG"="11/25/2020 9:19 AM, 184 bytes, A Adds the file MANIFEST-000001"="11/25/2020 9:19 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pacopnfmngmkhdlmedepfmoblolhiaie Adds the file FileConverterSearches.ico"="11/25/2020 9:19 AM, 173857 bytes, A Adds the file FileConverterSearches.ico.md5"="11/25/2020 9:19 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pacopnfmngmkhdlmedepfmoblolhiaie"="REG_SZ", "755FACE43C832EDCB83B3B4D3067FC90983017923E7F744257A6FE77336E9F36" Malwarebytes log:
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is StreamSiteSearch? The Malwarebytes research team has determined that StreamSiteSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by StreamSiteSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did StreamSiteSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove StreamSiteSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of StreamSiteSearch? No, Malwarebytes removes StreamSiteSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the StreamSiteSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late. 
Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://get.streamssitesearch.com CHR DefaultSearchURL: Default -> hxxps://feed.streamssitesearch.com/?q={searchTerms}&publisher=streamsitesearch&barcodeid=578210000000000 CHR DefaultSearchKeyword: Default -> StreamSiteSearch CHR DefaultSuggestURL: Default -> hxxps://api.streamssitesearch.com/suggest/get?q={searchTerms} CHR Extension: (StreamSiteSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfmpahmdncaiocgioclbgoahlfalfhnp [2020-11-19] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfmpahmdncaiocgioclbgoahlfalfhnp\1.1.0_0 Adds the file manifest.json"="11/19/2020 8:53 AM, 2138 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfmpahmdncaiocgioclbgoahlfalfhnp\1.1.0_0\_metadata Adds the file computed_hashes.json"="11/19/2020 8:53 AM, 6255 bytes, A Adds the file verified_contents.json"="7/26/2020 9:32 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfmpahmdncaiocgioclbgoahlfalfhnp\1.1.0_0\images Adds the file logo-white-text.png"="7/26/2020 9:32 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfmpahmdncaiocgioclbgoahlfalfhnp\1.1.0_0\images\icons Adds the file 128x128.png"="11/19/2020 8:53 AM, 3983 bytes, A Adds the file 16x16.png"="11/19/2020 8:53 AM, 442 bytes, A Adds the file 64x64.png"="11/19/2020 8:53 AM, 2030 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfmpahmdncaiocgioclbgoahlfalfhnp\1.1.0_0\scripts Adds the file background.js"="7/26/2020 9:32 AM, 514641 bytes, A Adds the file sitecontent.js"="7/26/2020 9:32 AM, 77 bytes, A 
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mfmpahmdncaiocgioclbgoahlfalfhnp Adds the file 000003.log"="11/19/2020 8:53 AM, 0 bytes, A Adds the file CURRENT"="11/19/2020 8:53 AM, 16 bytes, A Adds the file LOCK"="11/19/2020 8:53 AM, 0 bytes, A Adds the file LOG"="11/19/2020 8:53 AM, 0 bytes, A Adds the file MANIFEST-000001"="11/19/2020 8:53 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mfmpahmdncaiocgioclbgoahlfalfhnp Adds the file StreamSiteSearch.ico"="11/19/2020 8:53 AM, 173700 bytes, A Adds the file StreamSiteSearch.ico.md5"="11/19/2020 8:53 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mfmpahmdncaiocgioclbgoahlfalfhnp"="REG_SZ", "8CD0EB37C7FA601958F8929501077991B843D1E42AA5E8656F332D997F317D8A" Malwarebytes log:
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is BestConverterSearch?

The Malwarebytes research team has determined that BestConverterSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications.

How do I know if my computer is affected by BestConverterSearch?

You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting:

How did BestConverterSearch get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

How do I remove BestConverterSearch?

Our program Malwarebytes can detect and remove this potentially unwanted program.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished, click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of BestConverterSearch?

No, Malwarebytes removes BestConverterSearch completely. If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the BestConverterSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR Notifications: Default -> hxxps://get.bestconvertersearch.com
CHR DefaultSearchURL: Default -> hxxps://feed.bestconvertersearch.com/?q={searchTerms}&publisher=bestconvertersearch&barcodeid=579650000000000
CHR DefaultSearchKeyword: Default -> BestConverterSearch
CHR DefaultSuggestURL: Default -> hxxps://api.bestconvertersearch.com/suggest/get?q={searchTerms}
CHR Extension: (BestConverterSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\phgoncnbnoaglppfjhaplpaojgadfhmo [2020-11-16]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\phgoncnbnoaglppfjhaplpaojgadfhmo\1.1.0_0
   Adds the file manifest.json"="11/16/2020 9:10 AM, 2168 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\phgoncnbnoaglppfjhaplpaojgadfhmo\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="11/16/2020 9:10 AM, 6255 bytes, A
   Adds the file verified_contents.json"="9/2/2020 8:29 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\phgoncnbnoaglppfjhaplpaojgadfhmo\1.1.0_0\images
   Adds the file logo-white-text.png"="9/2/2020 8:29 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\phgoncnbnoaglppfjhaplpaojgadfhmo\1.1.0_0\images\icons
   Adds the file 128x128.png"="11/16/2020 9:10 AM, 4611 bytes, A
   Adds the file 16x16.png"="11/16/2020 9:10 AM, 536 bytes, A
   Adds the file 64x64.png"="11/16/2020 9:10 AM, 2267 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\phgoncnbnoaglppfjhaplpaojgadfhmo\1.1.0_0\scripts
   Adds the file background.js"="9/2/2020 8:29 AM, 514556 bytes, A
   Adds the file sitecontent.js"="9/2/2020 8:29 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\phgoncnbnoaglppfjhaplpaojgadfhmo
   Adds the file 000003.log"="11/16/2020 9:12 AM, 795 bytes, A
   Adds the file CURRENT"="11/16/2020 9:10 AM, 16 bytes, A
   Adds the file LOCK"="11/16/2020 9:10 AM, 0 bytes, A
   Adds the file LOG"="11/16/2020 9:10 AM, 184 bytes, A
   Adds the file MANIFEST-000001"="11/16/2020 9:10 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_phgoncnbnoaglppfjhaplpaojgadfhmo
   Adds the file BestConverterSearch.ico"="11/16/2020 9:10 AM, 179568 bytes, A
   Adds the file BestConverterSearch.ico.md5"="11/16/2020 9:10 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"phgoncnbnoaglppfjhaplpaojgadfhmo"="REG_SZ", "09C781FF0F67E3366D91BDAFF1FA4CDB2403BC5C3DF8CCD794906081D9EA5B4C"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/16/20
Scan Time: 9:18 AM
Log File: 4d1c0f34-27e4-11eb-952b-080027235d76.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1104
Update Package Version: 1.0.32966
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231989
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 3 min, 13 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)
Registry Value: 1
Adware.SearchEngineHijack.Generic, 
HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|phgoncnbnoaglppfjhaplpaojgadfhmo, Quarantined, 15585, 799722, , , , , ,

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  16. What is IStreamingSearch?

The Malwarebytes research team has determined that IStreamingSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications.

How do I know if my computer is affected by IStreamingSearch?

You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting:

How did IStreamingSearch get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

How do I remove IStreamingSearch?

Our program Malwarebytes can detect and remove this potentially unwanted program.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished, click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of IStreamingSearch?

No, Malwarebytes removes IStreamingSearch completely. If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the IStreamingSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR Notifications: Default -> hxxps://get.istreamingsearch.com
CHR DefaultSearchURL: Default -> hxxps://feed.istreamingsearch.com/?q={searchTerms}&publisher=istreamingsearch&barcodeid=583970000000000
CHR DefaultSearchKeyword: Default -> IStreamingSearch
CHR DefaultSuggestURL: Default -> hxxps://api.istreamingsearch.com/suggest/get?q={searchTerms}
CHR Extension: (IStreamingSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdefphoeoephmaeacdemphagcghblbbl [2020-11-13]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdefphoeoephmaeacdemphagcghblbbl\1.1.0_0
   Adds the file manifest.json"="11/13/2020 9:02 AM, 2132 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdefphoeoephmaeacdemphagcghblbbl\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="11/13/2020 9:02 AM, 6255 bytes, A
   Adds the file verified_contents.json"="9/16/2020 4:56 PM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdefphoeoephmaeacdemphagcghblbbl\1.1.0_0\images
   Adds the file logo-white-text.png"="9/16/2020 4:56 PM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdefphoeoephmaeacdemphagcghblbbl\1.1.0_0\images\icons
   Adds the file 128x128.png"="11/13/2020 9:02 AM, 3557 bytes, A
   Adds the file 16x16.png"="11/13/2020 9:02 AM, 340 bytes, A
   Adds the file 64x64.png"="11/13/2020 9:02 AM, 1711 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdefphoeoephmaeacdemphagcghblbbl\1.1.0_0\scripts
   Adds the file background.js"="9/16/2020 4:56 PM, 514529 bytes, A
   Adds the file sitecontent.js"="9/16/2020 4:56 PM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hdefphoeoephmaeacdemphagcghblbbl
   Adds the file 000003.log"="11/13/2020 9:05 AM, 839 bytes, A
   Adds the file CURRENT"="11/13/2020 9:02 AM, 16 bytes, A
   Adds the file LOCK"="11/13/2020 9:02 AM, 0 bytes, A
   Adds the file LOG"="11/13/2020 9:02 AM, 183 bytes, A
   Adds the file MANIFEST-000001"="11/13/2020 9:02 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hdefphoeoephmaeacdemphagcghblbbl
   Adds the file IStreamingSearch.ico"="11/13/2020 9:02 AM, 171329 bytes, A
   Adds the file IStreamingSearch.ico.md5"="11/13/2020 9:02 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"hdefphoeoephmaeacdemphagcghblbbl"="REG_SZ", "4A9120BDB3AEA501E6FB8F54D5213862E6E9FA8E3A7DCE4AB5A5163F36922D83"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/13/20
Scan Time: 9:15 AM
Log File: 6ff30b9c-2588-11eb-8148-080027235d76.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1104
Update Package Version: 1.0.32836
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231987
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 3 min, 24 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)
Registry Value: 1
Adware.SearchEngineHijack.Generic, 
HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hdefphoeoephmaeacdemphagcghblbbl, Quarantined, 15571, 799722, , , , , ,

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  17. What is ConverterSearchPlus?

The Malwarebytes research team has determined that ConverterSearchPlus is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications.

How do I know if my computer is affected by ConverterSearchPlus?

You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings:

How did ConverterSearchPlus get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

How do I remove ConverterSearchPlus?

Our program Malwarebytes can detect and remove this potentially unwanted program.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished, click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of ConverterSearchPlus?

No, Malwarebytes removes ConverterSearchPlus completely. If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, Malwarebytes Browser Guard, as well as the full version of Malwarebytes, would have protected you against the ConverterSearchPlus hijacker. They would have blocked their website, giving you a chance to stop before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR Notifications: Default -> hxxps://get.convertersearchplus.com
CHR DefaultSearchURL: Default -> hxxps://feed.convertersearchplus.com/?q={searchTerms}&publisher=convertersearchplus&barcodeid=579770000000000
CHR DefaultSearchKeyword: Default -> ConverterSearchPlus
CHR DefaultSuggestURL: Default -> hxxps://api.convertersearchplus.com/suggest/get?q={searchTerms}
CHR Extension: (ConverterSearchPlus) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\imhjnjiiejomomgdaemekdcggpmjohnk [2020-11-03]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\imhjnjiiejomomgdaemekdcggpmjohnk\1.1.0_0
   Adds the file manifest.json"="11/3/2020 8:48 AM, 2168 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\imhjnjiiejomomgdaemekdcggpmjohnk\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="11/3/2020 8:48 AM, 6255 bytes, A
   Adds the file verified_contents.json"="9/2/2020 1:47 PM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\imhjnjiiejomomgdaemekdcggpmjohnk\1.1.0_0\images
   Adds the file logo-white-text.png"="9/2/2020 1:47 PM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\imhjnjiiejomomgdaemekdcggpmjohnk\1.1.0_0\images\icons
   Adds the file 128x128.png"="11/3/2020 8:48 AM, 9690 bytes, A
   Adds the file 16x16.png"="11/3/2020 8:48 AM, 591 bytes, A
   Adds the file 64x64.png"="11/3/2020 8:48 AM, 3798 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\imhjnjiiejomomgdaemekdcggpmjohnk\1.1.0_0\scripts
   Adds the file background.js"="9/2/2020 1:47 PM, 514556 bytes, A
   Adds the file sitecontent.js"="9/2/2020 1:47 PM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\imhjnjiiejomomgdaemekdcggpmjohnk
   Adds the file 000003.log"="11/3/2020 8:48 AM, 0 bytes, A
   Adds the file CURRENT"="11/3/2020 8:48 AM, 16 bytes, A
   Adds the file LOCK"="11/3/2020 8:48 AM, 0 bytes, A
   Adds the file LOG"="11/3/2020 8:48 AM, 0 bytes, A
   Adds the file MANIFEST-000001"="11/3/2020 8:48 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_imhjnjiiejomomgdaemekdcggpmjohnk
   Adds the file ConverterSearchPlus.ico"="11/3/2020 8:50 AM, 191687 bytes, A
   Adds the file ConverterSearchPlus.ico.md5"="11/3/2020 8:50 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"imhjnjiiejomomgdaemekdcggpmjohnk"="REG_SZ", "C1745273B8E4DF9D3A7D1306B1561C19A0EFDCCDD1747EFD1D68D5D36AE59618"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/3/20
Scan Time: 8:56 AM
Log File: 1130911e-1daa-11eb-84b4-080027235d76.json

-Software Information-
Version: 4.2.2.95
Components Version: 1.0.1096
Update Package Version: 1.0.32412
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231926
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 3 min, 11 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)
Registry Value: 1
Adware.SearchEngineHijack.Generic, 
HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|imhjnjiiejomomgdaemekdcggpmjohnk, Quarantined, 15516, 799722, , , , , ,

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  18. What is LiveSportSearch?

The Malwarebytes research team has determined that LiveSportSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications.

How do I know if my computer is affected by LiveSportSearch?

You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings:

How did LiveSportSearch get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

How do I remove LiveSportSearch?

Our program Malwarebytes can detect and remove this potentially unwanted program.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished, click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of LiveSportSearch?

No, Malwarebytes removes LiveSportSearch completely. If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the LiveSportSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR Notifications: Default -> hxxps://get.livesportsearch.com
CHR DefaultSearchURL: Default -> hxxps://feed.livesportsearch.com/?q={searchTerms}&publisher=livesportsearch&barcodeid=584130000000000
CHR DefaultSearchKeyword: Default -> LiveSportSearch
CHR DefaultSuggestURL: Default -> hxxps://api.livesportsearch.com/suggest/get?q={searchTerms}
CHR Extension: (LiveSportSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfnohpemnmceakhooelmeddmkdpbfnff [2020-10-28]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfnohpemnmceakhooelmeddmkdpbfnff\1.1.0_0
   Adds the file manifest.json"="10/28/2020 9:21 AM, 2120 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfnohpemnmceakhooelmeddmkdpbfnff\1.1.0_0\_metadata
   Adds the file computed_hashes.json"="10/28/2020 9:21 AM, 6255 bytes, A
   Adds the file verified_contents.json"="9/24/2020 10:52 AM, 2049 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfnohpemnmceakhooelmeddmkdpbfnff\1.1.0_0\images
   Adds the file logo-white-text.png"="9/24/2020 10:52 AM, 0 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfnohpemnmceakhooelmeddmkdpbfnff\1.1.0_0\images\icons
   Adds the file 128x128.png"="10/28/2020 9:21 AM, 8333 bytes, A
   Adds the file 16x16.png"="10/28/2020 9:21 AM, 779 bytes, A
   Adds the file 64x64.png"="10/28/2020 9:21 AM, 3894 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfnohpemnmceakhooelmeddmkdpbfnff\1.1.0_0\scripts
   Adds the file background.js"="9/24/2020 10:52 AM, 514520 bytes, A
   Adds the file sitecontent.js"="9/24/2020 10:52 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gfnohpemnmceakhooelmeddmkdpbfnff
   Adds the file 000003.log"="10/28/2020 9:21 AM, 0 bytes, A
   Adds the file CURRENT"="10/28/2020 9:21 AM, 16 bytes, A
   Adds the file LOCK"="10/28/2020 9:21 AM, 0 bytes, A
   Adds the file LOG"="10/28/2020 9:21 AM, 0 bytes, A
   Adds the file MANIFEST-000001"="10/28/2020 9:21 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_gfnohpemnmceakhooelmeddmkdpbfnff
   Adds the file LiveSportSearch.ico"="10/28/2020 9:21 AM, 198800 bytes, A
   Adds the file LiveSportSearch.ico.md5"="10/28/2020 9:21 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"gfnohpemnmceakhooelmeddmkdpbfnff"="REG_SZ", "D5FE96BA5840EA5B88ADB5BEACD34AB10641BED1D6445E7EE289C11114F91D16"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/28/20
Scan Time: 9:30 AM
Log File: cd06e940-18f7-11eb-9aec-080027235d76.json

-Software Information-
Version: 4.2.1.89
Components Version: 1.0.1070
Update Package Version: 1.0.32140
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231853
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 3 min, 53 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)
Registry Value: 1
Adware.SearchEngineHijack.Generic, 
HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gfnohpemnmceakhooelmeddmkdpbfnff, Quarantined, 15486, 799722, , , , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\gfnohpemnmceakhooelmeddmkdpbfnff, Quarantined, 15486, 799722, , , , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GFNOHPEMNMCEAKHOOELMEDDMKDPBFNFF, Quarantined, 15486, 799722, 1.0.32140, , ame, , , File: 9 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15486, 799722, , , , , A428EFF83A5F5DC9CFFD45F75C2A113B, D953E12CF9B456DF3CA1CD7549D585780E26AEA5DCFE67C38F31CFFA4E95D247 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15486, 799722, , , , , F74BEE819F19F1475FD61D20543462D5, 943BDE3C5EED610F39C57E83DA8A1656335816E31BD5D53195567FA5B714D9C2 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gfnohpemnmceakhooelmeddmkdpbfnff\000003.log, Quarantined, 15486, 799722, , , , , 2EEC565018481F5151C963938FDDB49D, BF357A0A0FCC737A6A3536781A266F9419554925B260C28F3EDB79F027C9C681 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gfnohpemnmceakhooelmeddmkdpbfnff\CURRENT, Quarantined, 15486, 799722, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gfnohpemnmceakhooelmeddmkdpbfnff\LOCK, Quarantined, 15486, 799722, , , , , , Adware.SearchEngineHijack.Generic, 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gfnohpemnmceakhooelmeddmkdpbfnff\LOG, Quarantined, 15486, 799722, , , , , E63599536618AC494FE13D5FA626840D, 0FA8E6A9ECFA7A3EB957882D8E8349A978A941F3805A769277436F3B52789640 Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gfnohpemnmceakhooelmeddmkdpbfnff\MANIFEST-000001, Quarantined, 15486, 799722, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GFNOHPEMNMCEAKHOOELMEDDMKDPBFNFF\1.1.0_0\MANIFEST.JSON, Quarantined, 15486, 799722, 1.0.32140, , ame, , 15B942A37F1D8E245EB68A950AC2AB58, 1AB69632FD075F22CCE28F2B569D41F4CDF6EE8B68EF20A93CC5253013237CDB PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 846248, 1.0.32140, , ame, , F74BEE819F19F1475FD61D20543462D5, 943BDE3C5EED610F39C57E83DA8A1656335816E31BD5D53195567FA5B714D9C2 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  19. What is AllStreamSearch? The Malwarebytes research team has determined that AllStreamSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by AllStreamSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did AllStreamSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove AllStreamSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of AllStreamSearch? No, Malwarebytes removes AllStreamSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the AllStreamSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late. 
Technical details for experts
Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://get.allstreamsearch.com
CHR DefaultSearchURL: Default -> hxxps://feed.allstreamsearch.com/?q={searchTerms}&publisher=allstreamsearch&barcodeid=584010000000000
CHR DefaultSearchKeyword: Default -> AllStreamSearch
CHR DefaultSuggestURL: Default -> hxxps://api.allstreamsearch.com/suggest/get?q={searchTerms}
CHR Extension: (AllStreamSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aepienegbaakaighjebnjnhdhchmgcja [2020-10-27]
Alterations made by the installer:
Registry details
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"aepienegbaakaighjebnjnhdhchmgcja"="REG_SZ", "2381083FC289DC1237BE58D81A37B9E9F622EEF90805A2EEF0681574A02E2DF7"
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  20. What is VideosSearches? The Malwarebytes research team has determined that VideosSearches is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by VideosSearches? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did VideosSearches get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove VideosSearches? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of VideosSearches? No, Malwarebytes removes VideosSearches completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the VideosSearches hijacker. It would have blocked their website, giving you a chance to stop before it became too late. 
Technical details for experts
Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://get.videos-searches.com
CHR DefaultSearchURL: Default -> hxxps://feed.videos-searches.com/?q={searchTerms}&publisher=videossearches&barcodeid=573570000000000
CHR DefaultSearchKeyword: Default -> VideosSearches
CHR DefaultSuggestURL: Default -> hxxps://api.videos-searches.com/suggest/get?q={searchTerms}
CHR Extension: (VideosSearches) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cghhceodiapmphkmijeghidkgiopbffb [2020-10-26]
Alterations made by the installer:
Registry details
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"cghhceodiapmphkmijeghidkgiopbffb"="REG_SZ", "B4F598E9590CDF6D46106E257EB2D828C3C68095C767215470BB9EE96C649BFF"
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  21. What is ConverterSearchTool? The Malwarebytes research team has determined that ConverterSearchTool is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by ConverterSearchTool? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did ConverterSearchTool get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove ConverterSearchTool? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of ConverterSearchTool? No, Malwarebytes removes ConverterSearchTool completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the ConverterSearchTool hijacker. It would have blocked their website, giving you a chance to stop before it became too late. 
Technical details for experts
Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://get.convertersearchtool.com
CHR DefaultSearchURL: Default -> hxxps://feed.convertersearchtool.com/?q={searchTerms}&publisher=convertersearchtool&barcodeid=579760000000000
CHR DefaultSearchKeyword: Default -> ConverterSearchTool
CHR DefaultSuggestURL: Default -> hxxps://api.convertersearchtool.com/suggest/get?q={searchTerms}
(ConverterSearchTool) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\llbmcgifflnmhaeopanolgloogfhkink [2020-10-23]
Alterations made by the installer:
Registry details
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"llbmcgifflnmhaeopanolgloogfhkink"="REG_SZ", "6531867F5473E391BC91EDBA15CAD465FB7651ADDDBC39D987EB784C84053EB3"
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  22. What is PDFConverterSearch4Free? The Malwarebytes research team has determined that PDFConverterSearch4Free is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by PDFConverterSearch4Free? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did PDFConverterSearch4Free get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove PDFConverterSearch4Free? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PDFConverterSearch4Free? No, Malwarebytes removes PDFConverterSearch4Free completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Browser Guard, as well as Malwarebytes Premium would have protected you against the PDFConverterSearch4Free hijacker. It would have blocked their website, giving you a chance to stop before it became too late. 
Technical details for experts
Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://get.pdfconvertersearch4free.com
CHR DefaultSearchURL: Default -> hxxps://feed.pdfconvertersearch4free.com/?q={searchTerms}&publisher=pdfconvertersearch4free&barcodeid=579870000000000
CHR DefaultSearchKeyword: Default -> PDFConverterSearch4Free
CHR DefaultSuggestURL: Default -> hxxps://api.pdfconvertersearch4free.com/suggest/get?q={searchTerms}
CHR Extension: (PDFConverterSearch4Free) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmogbdeelhhdhbcdfblpclejnlidoikf [2020-10-21]
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  23. What is ConverterSearchHD? The Malwarebytes research team has determined that ConverterSearchHD is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by ConverterSearchHD? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did ConverterSearchHD get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove ConverterSearchHD? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of ConverterSearchHD? No, Malwarebytes removes ConverterSearchHD completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard would have protected you against the ConverterSearchHD hijacker. It would have blocked their website, giving you a chance to stop before it became too late. 
Technical details for experts
Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://get.convertersearchhd.com
CHR DefaultSearchURL: Default -> hxxps://feed.convertersearchhd.com/?q={searchTerms}&publisher=convertersearchhd&barcodeid=579730000000000
CHR DefaultSearchKeyword: Default -> ConverterSearchHD
CHR DefaultSuggestURL: Default -> hxxps://api.convertersearchhd.com/suggest/get?q={searchTerms}
CHR Extension: (ConverterSearchHD) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdnehodnbgcdjcofpkilmpleedcklnm [2020-10-01]
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  24. What is AllRadioSearch? The Malwarebytes research team has determined that AllRadioSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by AllRadioSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and this changed setting: How did AllRadioSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove AllRadioSearch? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of AllRadioSearch? No, Malwarebytes removes AllRadioSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard as well as the full version of Malwarebytes would have protected you against the AllRadioSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late.
Technical details for experts
Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://get.allradiosearch.com
CHR DefaultSearchURL: Default -> hxxps://feed.allradiosearch.com/?q={searchTerms}&publisher=allradiosearch&barcodeid=577070000000000
CHR DefaultSearchKeyword: Default -> AllRadioSearch
CHR DefaultSuggestURL: Default -> hxxps://api.allradiosearch.com/suggest/get?q={searchTerms}
CHR Extension: (AllRadioSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cemlfceahlepfgdllhbhccjcdpblopjc [2020-09-28]
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  25. What is TopStreamsSearch? The Malwarebytes research team has determined that TopStreamsSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by TopStreamsSearch? You may see this entry in your list of installed Chrome extensions: and these warnings during install: and these changed settings: How did TopStreamsSearch get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove TopStreamsSearch? Our program Malwarebytes can detect and remove this adware. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of TopStreamsSearch? No, Malwarebytes removes TopStreamsSearch completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the TopStreamsSearch hijacker. It would have blocked their website, giving you a chance to stop before it became too late.
Technical details for experts
Possible signs in FRST logs:
CHR Notifications: Default -> hxxps://get.topstreamssearch.com
CHR DefaultSearchURL: Default -> hxxps://feed.topstreamssearch.com/?q={searchTerms}&publisher=topstreamssearch&barcodeid=579250000000000
CHR DefaultSearchKeyword: Default -> TopStreamsSearch
CHR DefaultSuggestURL: Default -> hxxps://api.topstreamssearch.com/suggest/get?q={searchTerms}
CHR Extension: (TopStreamsSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fenocinnkcgbipcocnikejepddfdalpe [2020-08-31]
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.