Jump to content

Search the Community

Showing results for tags 'pup.optional.pushnotifications'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Windows Malware Removal Help & Support
    • Mac Malware Removal Help & Support
    • Mobile Malware Removal Help & Support
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes for Windows Support Forum
    • Malwarebytes for Mac Support Forum
    • Malwarebytes for Android Support Forum
    • Malwarebytes for iOS Support
    • Malwarebytes Privacy
    • Malwarebytes Browser Guard
    • False Positives
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response (includes Breach Remediation)
    • Malwarebytes Endpoint Security
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
    • Report Scam Phone Numbers
  • General
    • General Chat
    • Forums Announcements & Feedback

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Location


Interests

Found 20 results

  1. What is File Conversion Now? The Malwarebytes research team has determined that File Conversion Now is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications. How do I know if my computer is affected by File Conversion Now? You may see this browser extension: this warning during install: You may see this icon in your browsers menu-bar: this new startpage: and these new settings: How did File Conversion Now get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove File Conversion Now? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of File Conversion Now? No, Malwarebytes' Anti-Malware removes File Conversion Now completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the File Conversion Now hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://hp.hfileconversionnow.com; hxxps://pdfconverterguru.com CHR NewTab: Default -> Active:"chrome-extension://ocemooeilogfefcknbhnjlofcfnhohcb/newtabhtml/newtabpage.html" CHR Extension: (File Conversion Now) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb [2020-06-25] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0 Adds the file central.js"="4/14/2020 1:50 PM, 2344 bytes, A Adds the file icon.png"="6/25/2020 8:50 AM, 3456 bytes, A Adds the file manifest.json"="6/25/2020 8:50 AM, 1333 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0\_locales\en Adds the file messages.json"="6/25/2020 8:50 AM, 210 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0\_metadata Adds the file computed_hashes.json"="6/25/2020 8:50 AM, 1350 bytes, A Adds the file verified_contents.json"="4/14/2020 1:50 PM, 2912 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0\html\bAction Adds the file about.html"="4/14/2020 1:50 PM, 3742 bytes, A Adds the file newtabpage.html"="4/14/2020 1:50 PM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0\js Adds the file browseraction.js"="4/14/2020 1:50 PM, 1004 bytes, A Adds the file config.js"="4/14/2020 1:50 PM, 1018 bytes, A Adds the file dailyFeature.js"="4/14/2020 1:50 PM, 3487 bytes, A Adds the file log.js"="4/14/2020 1:50 PM, 896 bytes, A Adds the file newTab.js"="4/14/2020 1:50 PM, 1523 bytes, A Adds the file search.js"="4/14/2020 1:50 PM, 1027 bytes, A Adds the file store.js"="4/14/2020 1:50 PM, 235 bytes, A Adds the file utility.js"="4/14/2020 1:50 PM, 2546 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb\2.0_0\newtabhtml Adds the file newtabpage.html"="4/14/2020 1:50 PM, 207 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb Adds the file 000003.log"="6/25/2020 8:50 AM, 488 bytes, A Adds the file CURRENT"="6/25/2020 8:50 AM, 16 bytes, A Adds the file LOCK"="6/25/2020 8:50 AM, 0 bytes, A Adds the file LOG"="6/25/2020 9:07 AM, 183 bytes, A Adds the file MANIFEST-000001"="6/25/2020 8:50 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ocemooeilogfefcknbhnjlofcfnhohcb"="REG_SZ", "F0884C4E76A1BBDCF08F189A10AD3EE0B891E4C36E135C5510A80D0CC7D6D3A4" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/25/20 Scan Time: 9:18 AM Log File: 1ea2335a-b6b4-11ea-9d88-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.955 Update Package Version: 1.0.25999 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232200 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 10 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ocemooeilogfefcknbhnjlofcfnhohcb, Quarantined, 200, 752296, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb, Quarantined, 200, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb, Quarantined, 200, 752296, , , , File: 9 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 200, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 200, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb\000003.log, Quarantined, 200, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb\CURRENT, Quarantined, 200, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb\LOCK, Quarantined, 200, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb\LOG, Quarantined, 200, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocemooeilogfefcknbhnjlofcfnhohcb\MANIFEST-000001, Quarantined, 200, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OCEMOOEILOGFEFCKNBHNJLOFCFNHOHCB\2.0_0\JS\DAILYFEATURE.JS, Quarantined, 200, 752296, 1.0.25999, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 834481, 1.0.25999, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is SearchConverterz? The Malwarebytes research team has determined that SearchConverterz is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by SearchConverterz? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: You may have noticed these warnings during install: How did SearchConverterz get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchConverterz? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchConverterz? No, Malwarebytes removes SearchConverterz completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchConverterz hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.searchconverterz.com/?q={searchTerms}&publisher=searchconverterz&barcodeid=574940000000000 CHR DefaultSearchKeyword: Default -> SearchConverterz CHR DefaultSuggestURL: Default -> hxxps://api.searchconverterz.com/suggest/get?q={searchTerms} CHR Extension: (SearchConverterz) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo [2020-06-18] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0 Adds the file manifest.json"="6/18/2020 8:52 AM, 2132 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\_metadata Adds the file computed_hashes.json"="6/18/2020 8:52 AM, 6255 bytes, A Adds the file verified_contents.json"="6/9/2020 9:05 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\images Adds the file logo-white-text.png"="6/9/2020 9:05 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\images\icons Adds the file 128x128.png"="6/18/2020 8:52 AM, 9377 bytes, A Adds the file 16x16.png"="6/18/2020 8:52 AM, 593 bytes, A Adds the file 64x64.png"="6/18/2020 8:52 AM, 4016 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcffpojcmpdmhnaeolghbpcebkaccbmo\1.1.0_0\scripts Adds the file background.js"="6/9/2020 9:05 AM, 514642 bytes, A Adds the file sitecontent.js"="6/9/2020 9:05 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo Adds the file 000003.log"="6/18/2020 8:54 AM, 768 bytes, A Adds the file CURRENT"="6/18/2020 8:52 AM, 16 bytes, A Adds the file LOCK"="6/18/2020 8:52 AM, 0 bytes, A Adds the file LOG"="6/18/2020 8:55 AM, 184 bytes, A Adds the file MANIFEST-000001"="6/18/2020 8:52 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bcffpojcmpdmhnaeolghbpcebkaccbmo Adds the file SearchConverterz.ico"="6/18/2020 8:52 AM, 194854 bytes, A Adds the file SearchConverterz.ico.md5"="6/18/2020 8:52 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bcffpojcmpdmhnaeolghbpcebkaccbmo"="REG_SZ", "366D152B09925B61272A21CDD0F80F94D56309BDB27FBF014556C136D97779C1" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/18/20 Scan Time: 9:00 AM Log File: 71bea88a-b131-11ea-8e15-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.931 Update Package Version: 1.0.25676 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 231803 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 2 min, 58 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bcffpojcmpdmhnaeolghbpcebkaccbmo, Quarantined, 15202, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BCFFPOJCMPDMHNAEOLGHBPCEBKACCBMO, Quarantined, 15202, 799722, 1.0.25676, , ame, File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\000003.log, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\CURRENT, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\LOCK, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\LOG, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bcffpojcmpdmhnaeolghbpcebkaccbmo\MANIFEST-000001, Quarantined, 15202, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BCFFPOJCMPDMHNAEOLGHBPCEBKACCBMO\1.1.0_0\MANIFEST.JSON, Quarantined, 15202, 799722, 1.0.25676, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 832188, 1.0.25676, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 832188, 1.0.25676, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is Vista Search? The Malwarebytes research team has determined that Vista Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Vista Search? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did Vista Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Vista Search? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Vista Search? No, Malwarebytes removes Vista Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Vista Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.vista-search.com CHR DefaultSearchURL: Default -> hxxps://feed.vista-search.com/?q={searchTerms}&publisher=vistasearch&barcodeid=568590000000000 CHR DefaultSearchKeyword: Default -> VistaSearch CHR DefaultSuggestURL: Default -> hxxps://api.vista-search.com/suggest/get?q={searchTerms} CHR Extension: (VistaSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaggjnlkeofmlmbhdbblcblillgnonfn [2020-06-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaggjnlkeofmlmbhdbblcblillgnonfn\1.1.0_0 Adds the file manifest.json"="6/15/2020 10:26 AM, 2070 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaggjnlkeofmlmbhdbblcblillgnonfn\1.1.0_0\_metadata Adds the file computed_hashes.json"="6/15/2020 10:26 AM, 11681 bytes, A Adds the file verified_contents.json"="2/25/2020 3:12 PM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaggjnlkeofmlmbhdbblcblillgnonfn\1.1.0_0\images\icons Adds the file 128x128.png"="6/15/2020 10:26 AM, 7368 bytes, A Adds the file 16x16.png"="6/15/2020 10:26 AM, 626 bytes, A Adds the file 64x64.png"="6/15/2020 10:26 AM, 3223 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaggjnlkeofmlmbhdbblcblillgnonfn\1.1.0_0\scripts Adds the file background.js"="2/25/2020 3:12 PM, 998819 bytes, A Adds the file sitecontent.js"="2/25/2020 3:12 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn Adds the file 000003.log"="6/15/2020 10:30 AM, 806 bytes, A Adds the file CURRENT"="6/15/2020 10:26 AM, 16 bytes, A Adds the file LOCK"="6/15/2020 10:26 AM, 0 bytes, A Adds the file LOG"="6/15/2020 10:31 AM, 184 bytes, A Adds the file MANIFEST-000001"="6/15/2020 10:26 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_gaggjnlkeofmlmbhdbblcblillgnonfn Adds the file Vista Search.ico"="6/15/2020 10:27 AM, 195930 bytes, A Adds the file Vista Search.ico.md5"="6/15/2020 10:27 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gaggjnlkeofmlmbhdbblcblillgnonfn"="REG_SZ", "C769C89FC23760C2A1A7821AE220875425D662AFD9F5D42110E66A3F7E6C92F8" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/15/20 Scan Time: 10:36 AM Log File: 4b53b65e-aee3-11ea-bd53-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.931 Update Package Version: 1.0.25510 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 231974 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 3 min, 39 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.VistaSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gaggjnlkeofmlmbhdbblcblillgnonfn, Quarantined, 15225, 790795, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.VistaSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn, Quarantined, 15225, 790795, , , , PUP.Optional.VistaSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GAGGJNLKEOFMLMBHDBBLCBLILLGNONFN, Quarantined, 15225, 790795, 1.0.25510, , ame, File: 11 PUP.Optional.VistaSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15225, 790795, , , , PUP.Optional.VistaSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15225, 790795, , , , PUP.Optional.VistaSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn\000003.log, Quarantined, 15225, 790795, , , , PUP.Optional.VistaSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn\CURRENT, Quarantined, 15225, 790795, , , , PUP.Optional.VistaSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn\LOCK, Quarantined, 15225, 790795, , , , PUP.Optional.VistaSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn\LOG, Quarantined, 15225, 790795, , , , PUP.Optional.VistaSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gaggjnlkeofmlmbhdbblcblillgnonfn\MANIFEST-000001, Quarantined, 15225, 790795, , , , PUP.Optional.VistaSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GAGGJNLKEOFMLMBHDBBLCBLILLGNONFN\1.1.0_0\MANIFEST.JSON, Quarantined, 15225, 790795, 1.0.25510, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 789484, 1.0.25510, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 789484, 1.0.25510, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 789484, 1.0.25510, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is SearchZone? The Malwarebytes research team has determined that SearchZone is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by SearchZone? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: You may have noticed these warnings during install: How did SearchZone get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchZone? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchZone? No, Malwarebytes removes SearchZone completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchZone hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.search-zone.com/?q={searchTerms}&publisher=searchzone&barcodeid=571400000000000 CHR DefaultSearchKeyword: Default -> SearchZone CHR DefaultSuggestURL: Default -> hxxps://api.search-zone.com/suggest/get?q={searchTerms} CHR Extension: (SearchZone) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca [2020-06-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0 Adds the file manifest.json"="6/11/2020 8:55 AM, 2066 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\_metadata Adds the file computed_hashes.json"="6/11/2020 8:55 AM, 6255 bytes, A Adds the file verified_contents.json"="3/30/2020 10:59 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\images Adds the file logo-white-text.png"="3/30/2020 10:59 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\images\icons Adds the file 128x128.png"="6/11/2020 8:55 AM, 9964 bytes, A Adds the file 16x16.png"="6/11/2020 8:55 AM, 638 bytes, A Adds the file 64x64.png"="6/11/2020 8:55 AM, 3951 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pffnooppclkbdcgfimcnlejkomocahca\1.1.0_0\scripts Adds the file background.js"="3/30/2020 10:59 AM, 514547 bytes, A Adds the file sitecontent.js"="3/30/2020 10:59 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca Adds the file 000003.log"="6/11/2020 8:58 AM, 507 bytes, A Adds the file CURRENT"="6/11/2020 8:55 AM, 16 bytes, A Adds the file LOCK"="6/11/2020 8:55 AM, 0 bytes, A Adds the file LOG"="6/11/2020 8:59 AM, 184 bytes, A Adds the file MANIFEST-000001"="6/11/2020 8:55 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pffnooppclkbdcgfimcnlejkomocahca Adds the file SearchZone.ico"="6/11/2020 8:55 AM, 194220 bytes, A Adds the file SearchZone.ico.md5"="6/11/2020 8:55 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pffnooppclkbdcgfimcnlejkomocahca"="REG_SZ", "BC732C83AA4E5896DA1D1719B9C521E69C1839D4E0674486609F0E6F99DEEF1B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/11/20 Scan Time: 9:12 AM Log File: f2e8fb74-abb2-11ea-aee9-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.931 Update Package Version: 1.0.25354 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232127 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 2 min, 16 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pffnooppclkbdcgfimcnlejkomocahca, Quarantined, 15185, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PFFNOOPPCLKBDCGFIMCNLEJKOMOCAHCA, Quarantined, 15185, 799722, 1.0.25354, , ame, File: 11 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\000003.log, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\CURRENT, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\LOCK, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\LOG, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\LOG.old, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pffnooppclkbdcgfimcnlejkomocahca\MANIFEST-000001, Quarantined, 15185, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PFFNOOPPCLKBDCGFIMCNLEJKOMOCAHCA\1.1.0_0\MANIFEST.JSON, Quarantined, 15185, 799722, 1.0.25354, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813373, 1.0.25354, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813373, 1.0.25354, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Searchaize? The Malwarebytes research team has determined that Searchaize is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Searchaize? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did Searchaize get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Searchaize? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Searchaize? No, Malwarebytes removes Searchaize completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Searchaize hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.searchaize.com CHR DefaultSearchURL: Default -> hxxps://feed.searchaize.com/?q={searchTerms}&publisher=searchaize&barcodeid=569950000000000 CHR DefaultSearchKeyword: Default -> Searchaize CHR DefaultSuggestURL: Default -> hxxps://api.searchaize.com/suggest/get?q={searchTerms} CHR Extension: (Searchaize) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd [2020-05-29] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd\1.1.0_0 Adds the file manifest.json"="5/29/2020 10:09 AM, 2060 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/29/2020 10:09 AM, 6255 bytes, A Adds the file verified_contents.json"="3/3/2020 10:20 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd\1.1.0_0\images Adds the file logo-white-text.png"="3/3/2020 10:20 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd\1.1.0_0\images\icons Adds the file 128x128.png"="5/29/2020 10:09 AM, 4531 bytes, A Adds the file 16x16.png"="5/29/2020 10:09 AM, 465 bytes, A Adds the file 64x64.png"="5/29/2020 10:09 AM, 2222 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkifhjaeoboadpienekpppidodbakmfd\1.1.0_0\scripts Adds the file background.js"="3/3/2020 10:20 AM, 514539 bytes, A Adds the file sitecontent.js"="3/3/2020 10:20 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd Adds the file 000003.log"="5/29/2020 10:12 AM, 800 bytes, A Adds the file CURRENT"="5/29/2020 10:09 AM, 16 bytes, A Adds the file LOCK"="5/29/2020 10:09 AM, 0 bytes, A Adds the file LOG"="5/29/2020 10:13 AM, 183 bytes, A Adds the file MANIFEST-000001"="5/29/2020 10:09 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_gkifhjaeoboadpienekpppidodbakmfd Adds the file Searchaize.ico"="5/29/2020 10:09 AM, 179004 bytes, A Adds the file Searchaize.ico.md5"="5/29/2020 10:09 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gkifhjaeoboadpienekpppidodbakmfd"="REG_SZ", "4D5B5DD614F445830EF314DE7347FD27CEBC8456D647D0091E208E435E4C09CE" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/29/20 Scan Time: 10:20 AM Log File: 48de9b98-a185-11ea-b4d5-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.920 Update Package Version: 1.0.24646 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232440 Threats Detected: 15 Threats Quarantined: 15 Time Elapsed: 2 min, 51 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gkifhjaeoboadpienekpppidodbakmfd, Quarantined, 15183, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GKIFHJAEOBOADPIENEKPPPIDODBAKMFD, Quarantined, 15183, 799722, 1.0.24646, , ame, File: 12 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\000003.log, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\CURRENT, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\LOCK, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\LOG, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\LOG.old, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gkifhjaeoboadpienekpppidodbakmfd\MANIFEST-000001, Quarantined, 15183, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GKIFHJAEOBOADPIENEKPPPIDODBAKMFD\1.1.0_0\MANIFEST.JSON, Quarantined, 15183, 799722, 1.0.24646, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 803876, 1.0.24646, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 803876, 1.0.24646, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 803876, 1.0.24646, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Sealoid?The Malwarebytes research team has determined that Sealoid is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Sealoid?You may see this entry in your list of installed Chrome extensions:this icon in the Chrome menu-bar:this changed setting:You may have noticed these warnings during install:How did Sealoid get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Sealoid?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Sealoid? No, Malwarebytes removes Sealoid completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Sealoid hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.sealoid.com/?q={searchTerms}&publisher=sealoid&barcodeid=571460000000000 CHR DefaultSearchKeyword: Default -> Sealoid CHR DefaultSuggestURL: Default -> hxxps://api.sealoid.com/suggest/get?q={searchTerms} CHR Extension: (Sealoid) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp [2020-05-25] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\1.1.0_0 Adds the file manifest.json"="5/25/2020 8:37 AM, 2024 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/25/2020 8:37 AM, 11801 bytes, A Adds the file verified_contents.json"="3/31/2020 2:36 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\1.1.0_0\images Adds the file logo-white-text.png"="3/31/2020 2:36 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\1.1.0_0\images\icons Adds the file 128x128.png"="5/25/2020 8:37 AM, 4281 bytes, A Adds the file 16x16.png"="5/25/2020 8:37 AM, 566 bytes, A Adds the file 64x64.png"="5/25/2020 8:37 AM, 2100 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\1.1.0_0\scripts Adds the file background.js"="3/31/2020 2:36 PM, 998710 bytes, A Adds the file sitecontent.js"="3/31/2020 2:36 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp Adds the file 000003.log"="5/25/2020 8:40 AM, 786 bytes, A Adds the file CURRENT"="5/25/2020 8:37 AM, 16 bytes, A Adds the file LOCK"="5/25/2020 8:37 AM, 0 bytes, A Adds the file LOG"="5/25/2020 8:40 AM, 184 bytes, A Adds the file MANIFEST-000001"="5/25/2020 8:37 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ipicdjgcbnamkkpmhakmcmgfkkfkebmp Adds the file Sealoid.ico"="5/25/2020 8:37 AM, 180445 bytes, A Adds the file Sealoid.ico.md5"="5/25/2020 8:37 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ipicdjgcbnamkkpmhakmcmgfkkfkebmp"="REG_SZ", "19CB838E148C5EC1E0712E431ABC869C6E4087578FC029F7D996B45CB143C68F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/25/20 Scan Time: 8:58 AM Log File: 2ad565b0-9e55-11ea-8507-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.920 Update Package Version: 1.0.24404 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232611 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 7 min, 16 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ipicdjgcbnamkkpmhakmcmgfkkfkebmp, Quarantined, 15166, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPICDJGCBNAMKKPMHAKMCMGFKKFKEBMP, Quarantined, 15166, 799722, 1.0.24404, , ame, File: 11 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\000003.log, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\CURRENT, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\LOCK, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\LOG, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\LOG.old, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ipicdjgcbnamkkpmhakmcmgfkkfkebmp\MANIFEST-000001, Quarantined, 15166, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPICDJGCBNAMKKPMHAKMCMGFKKFKEBMP\1.1.0_0\MANIFEST.JSON, Quarantined, 15166, 799722, 1.0.24404, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813369, 1.0.24404, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813369, 1.0.24404, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is GalaxySpin? The Malwarebytes research team has determined that GalaxySpin is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by GalaxySpin? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did GalaxySpin get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove GalaxySpin? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of GalaxySpin? No, Malwarebytes removes GalaxySpin completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard would have protected you against the GalaxySpin hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.galaxyspin.com/?q={searchTerms}&publisher=galaxyspin&barcodeid=571480000000000 CHR DefaultSearchKeyword: Default -> GalaxySpin CHR DefaultSuggestURL: Default -> hxxps://api.galaxyspin.com/suggest/get?q={searchTerms} CHR Extension: (GalaxySpin) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm [2020-05-18] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm\1.1.0_0 Adds the file manifest.json"="5/18/2020 8:45 AM, 2060 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/18/2020 8:45 AM, 6255 bytes, A Adds the file verified_contents.json"="3/30/2020 1:44 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm\1.1.0_0\images Adds the file logo-white-text.png"="3/30/2020 1:44 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm\1.1.0_0\images\icons Adds the file 128x128.png"="5/18/2020 8:45 AM, 5609 bytes, A Adds the file 16x16.png"="5/18/2020 8:45 AM, 643 bytes, A Adds the file 64x64.png"="5/18/2020 8:45 AM, 2753 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epomcijmabolmbnhceelaahjnnophfbm\1.1.0_0\scripts Adds the file background.js"="3/30/2020 1:44 PM, 514546 bytes, A Adds the file sitecontent.js"="3/30/2020 1:44 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm Adds the file 000003.log"="5/18/2020 8:48 AM, 789 bytes, A Adds the file CURRENT"="5/18/2020 8:45 AM, 16 bytes, A Adds the file LOCK"="5/18/2020 8:45 AM, 0 bytes, A Adds the file LOG"="5/18/2020 8:48 AM, 183 bytes, A Adds the file MANIFEST-000001"="5/18/2020 8:45 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_epomcijmabolmbnhceelaahjnnophfbm Adds the file GalaxySpin.ico"="5/18/2020 8:45 AM, 186720 bytes, A Adds the file GalaxySpin.ico.md5"="5/18/2020 8:45 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "epomcijmabolmbnhceelaahjnnophfbm"="REG_SZ", "3AE518037D3F55F3D0DF51AC0D04BF85804199DDF8D5115B9B214491DB19E2B9" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/18/20 Scan Time: 8:55 AM Log File: 941516dc-98d4-11ea-92b1-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.896 Update Package Version: 1.0.24028 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233001 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 3 min, 9 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|epomcijmabolmbnhceelaahjnnophfbm, Quarantined, 15170, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EPOMCIJMABOLMBNHCEELAAHJNNOPHFBM, Quarantined, 15170, 799722, 1.0.24028, , ame, File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm\000003.log, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm\CURRENT, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm\LOCK, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm\LOG, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\epomcijmabolmbnhceelaahjnnophfbm\MANIFEST-000001, Quarantined, 15170, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EPOMCIJMABOLMBNHCEELAAHJNNOPHFBM\1.1.0_0\MANIFEST.JSON, Quarantined, 15170, 799722, 1.0.24028, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813371, 1.0.24028, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813371, 1.0.24028, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Safeplex Search?The Malwarebytes research team has determined that Safeplex Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses web push notifications.How do I know if my computer is affected by Safeplex Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Safeplex Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Safeplex Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Safeplex Search? No, Malwarebytes removes Safeplex Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes as well as Browser Guard would have protected you against the Safeplex Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://safeplexsearch.com/hapi/omniSearch?q={searchTerms}&acTypeId=1 CHR DefaultSearchKeyword: Default -> Safeplex Search CHR DefaultSuggestURL: Default -> hxxps://safeplexsearch.com/apps/keywordSuggestion?q={searchTerms}&acTypeId=1&browser=0 CHR Extension: (Web) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bahbhfkcegahoanifckinmmakdanlang [2020-05-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bahbhfkcegahoanifckinmmakdanlang\1.0.0.1_0 Adds the file background.js"="4/15/2020 10:59 AM, 11549 bytes, A Adds the file contentScript.js"="4/15/2020 10:59 AM, 6335 bytes, A Adds the file manifest.json"="5/14/2020 9:00 AM, 2274 bytes, A Adds the file misc.js"="4/15/2020 10:59 AM, 1458 bytes, A Adds the file safeplexLogo.css"="4/15/2020 10:59 AM, 12894 bytes, A Adds the file specificBackground.js"="4/15/2020 10:59 AM, 6136 bytes, A Adds the file specificContentScript.js"="4/15/2020 10:59 AM, 3735 bytes, A Adds the file util.js"="4/15/2020 10:59 AM, 4753 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bahbhfkcegahoanifckinmmakdanlang\1.0.0.1_0\_metadata Adds the file computed_hashes.json"="5/14/2020 9:00 AM, 4215 bytes, A Adds the file verified_contents.json"="4/15/2020 10:59 AM, 3299 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bahbhfkcegahoanifckinmmakdanlang\1.0.0.1_0\distJs Adds the file constants.js"="4/15/2020 10:59 AM, 5357 bytes, A Adds the file distribution.js"="4/15/2020 10:59 AM, 1331 bytes, A Adds the file helper.js"="4/15/2020 10:59 AM, 15433 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bahbhfkcegahoanifckinmmakdanlang\1.0.0.1_0\icons Adds the file icon128.png"="5/14/2020 9:00 AM, 14672 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bahbhfkcegahoanifckinmmakdanlang\1.0.0.1_0\popup Adds the file popup.html"="4/15/2020 10:59 AM, 15485 bytes, A Adds the file popup.js"="4/15/2020 10:59 AM, 3057 bytes, A Adds the file safe_threat.css"="4/15/2020 10:59 AM, 74217 bytes, A Adds the file unsafe_threat.css"="4/15/2020 10:59 AM, 74233 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bahbhfkcegahoanifckinmmakdanlang\1.0.0.1_0\specificUtil Adds the file apiResUtil.js"="4/15/2020 10:59 AM, 2543 bytes, A Adds the file polyFill.js"="4/15/2020 10:59 AM, 1433 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bahbhfkcegahoanifckinmmakdanlang"="REG_SZ", "9B401181C74DF410627FB7D37D0A88519802C8D89E2B0DCFF1EDDBD1FEABE5BD" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/14/20 Scan Time: 9:15 AM Log File: b87bbece-95b2-11ea-aee1-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.896 Update Package Version: 1.0.23800 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233043 Threats Detected: 7 Threats Quarantined: 7 Time Elapsed: 2 min, 1 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchHijacker.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bahbhfkcegahoanifckinmmakdanlang, Quarantined, 269, 814209, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.SearchHijacker.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BAHBHFKCEGAHOANIFCKINMMAKDANLANG, Quarantined, 269, 814209, 1.0.23800, , ame, File: 5 PUP.Optional.SearchHijacker.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 269, 814209, , , , PUP.Optional.SearchHijacker.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 269, 814209, , , , PUP.Optional.SearchHijacker.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BAHBHFKCEGAHOANIFCKINMMAKDANLANG\1.0.0.1_0\BACKGROUND.JS, Quarantined, 269, 814209, 1.0.23800, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 814212, 1.0.23800, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 814212, 1.0.23800, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is SearchAholic? The Malwarebytes research team has determined that SearchAholic is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by SearchAholic? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did SearchAholic get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchAholic? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchAholic? No, Malwarebytes removes SearchAholic completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the SearchAholic hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.search-aholic.com/?q={searchTerms}&publisher=searchaholic&barcodeid=571450000000000 CHR DefaultSearchKeyword: Default -> SearchAholic CHR DefaultSuggestURL: Default -> hxxps://api.search-aholic.com/suggest/get?q={searchTerms} CHR Extension: (SearchAholic) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg [2020-05-13] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg\1.1.0_0 Adds the file manifest.json"="5/13/2020 10:20 AM, 2090 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/13/2020 10:20 AM, 6255 bytes, A Adds the file verified_contents.json"="3/30/2020 1:19 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg\1.1.0_0\images Adds the file logo-white-text.png"="3/30/2020 1:19 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg\1.1.0_0\images\icons Adds the file 128x128.png"="5/13/2020 10:20 AM, 6568 bytes, A Adds the file 16x16.png"="5/13/2020 10:20 AM, 694 bytes, A Adds the file 64x64.png"="5/13/2020 10:20 AM, 3361 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\offhihkplcdcegfhcmoiicdfoplmoafg\1.1.0_0\scripts Adds the file background.js"="3/30/2020 1:19 PM, 514579 bytes, A Adds the file sitecontent.js"="3/30/2020 1:19 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg Adds the file 000003.log"="5/13/2020 10:25 AM, 526 bytes, A Adds the file CURRENT"="5/13/2020 10:21 AM, 16 bytes, A Adds the file LOCK"="5/13/2020 10:21 AM, 0 bytes, A Adds the file LOG"="5/13/2020 10:25 AM, 183 bytes, A Adds the file MANIFEST-000001"="5/13/2020 10:21 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_offhihkplcdcegfhcmoiicdfoplmoafg Adds the file SearchAholic.ico"="5/13/2020 10:21 AM, 192874 bytes, A Adds the file SearchAholic.ico.md5"="5/13/2020 10:21 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "offhihkplcdcegfhcmoiicdfoplmoafg"="REG_SZ", "DD9AD30F50AC2BB70A60B63C120AAC8A2BD2C18B29026BB598DFBB75CEF7F1DC" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/13/20 Scan Time: 10:45 AM Log File: 2152e610-94f6-11ea-b338-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.896 Update Package Version: 1.0.23752 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233222 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 3 min, 28 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|offhihkplcdcegfhcmoiicdfoplmoafg, Quarantined, 15159, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OFFHIHKPLCDCEGFHCMOIICDFOPLMOAFG, Quarantined, 15159, 799722, 1.0.23752, , ame, File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg\000003.log, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg\CURRENT, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg\LOCK, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg\LOG, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\offhihkplcdcegfhcmoiicdfoplmoafg\MANIFEST-000001, Quarantined, 15159, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OFFHIHKPLCDCEGFHCMOIICDFOPLMOAFG\1.1.0_0\MANIFEST.JSON, Quarantined, 15159, 799722, 1.0.23752, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813374, 1.0.23752, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813374, 1.0.23752, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is SearchOpedia?The Malwarebytes research team has determined that SearchOpedia is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by SearchOpedia?You may see this entry in your list of installed Chrome extensions:this icon in the Chrome menu-bar:this changed setting:You may have noticed these warnings during install:How did SearchOpedia get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove SearchOpedia?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchOpedia? No, Malwarebytes removes SearchOpedia completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the SearchOpedia hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.search-opedia.com/?q={searchTerms}&publisher=searchopedia&barcodeid=571440000000000 CHR DefaultSearchKeyword: Default -> SearchOpedia CHR DefaultSuggestURL: Default -> hxxps://api.search-opedia.com/suggest/get?q={searchTerms} CHR Extension: (SearchOpedia) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio [2020-05-12] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio\1.1.0_0 Adds the file manifest.json"="5/12/2020 8:44 AM, 2090 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/12/2020 8:44 AM, 6255 bytes, A Adds the file verified_contents.json"="3/30/2020 1:16 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio\1.1.0_0\images Adds the file logo-white-text.png"="3/30/2020 1:16 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio\1.1.0_0\images\icons Adds the file 128x128.png"="5/12/2020 8:44 AM, 5062 bytes, A Adds the file 16x16.png"="5/12/2020 8:44 AM, 573 bytes, A Adds the file 64x64.png"="5/12/2020 8:44 AM, 2443 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbhmaipbpjlechbpeifgjhojnhohiio\1.1.0_0\scripts Adds the file background.js"="3/30/2020 1:16 PM, 514579 bytes, A Adds the file sitecontent.js"="3/30/2020 1:16 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio Adds the file 000003.log"="5/12/2020 8:48 AM, 772 bytes, A Adds the file CURRENT"="5/12/2020 8:45 AM, 16 bytes, A Adds the file LOCK"="5/12/2020 8:45 AM, 0 bytes, A Adds the file LOG"="5/12/2020 8:49 AM, 183 bytes, A Adds the file MANIFEST-000001"="5/12/2020 8:45 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_cjbhmaipbpjlechbpeifgjhojnhohiio Adds the file SearchOpedia.ico"="5/12/2020 8:45 AM, 183529 bytes, A Adds the file SearchOpedia.ico.md5"="5/12/2020 8:45 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cjbhmaipbpjlechbpeifgjhojnhohiio"="REG_SZ", "77240CA4183E456BDE3648CBBFA07614C9AF34C7412F52A67DFE15F26D8CEBAB" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/12/20 Scan Time: 8:55 AM Log File: 8a1f91e0-941d-11ea-b5c0-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.896 Update Package Version: 1.0.23702 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233238 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 2 min, 25 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cjbhmaipbpjlechbpeifgjhojnhohiio, Quarantined, 15158, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CJBHMAIPBPJLECHBPEIFGJHOJNHOHIIO, Quarantined, 15158, 799722, 1.0.23702, , ame, File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio\000003.log, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio\CURRENT, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio\LOCK, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio\LOG, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjbhmaipbpjlechbpeifgjhojnhohiio\MANIFEST-000001, Quarantined, 15158, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CJBHMAIPBPJLECHBPEIFGJHOJNHOHIIO\1.1.0_0\MANIFEST.JSON, Quarantined, 15158, 799722, 1.0.23702, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813372, 1.0.23702, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813372, 1.0.23702, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Spinyon? The Malwarebytes research team has determined that Spinyon is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by Spinyon? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: You may have noticed these warnings during install: How did Spinyon get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Spinyon? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Spinyon? No, Malwarebytes removes Spinyon completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Spinyon hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.spinyon.com/?q={searchTerms}&publisher=spinyon&barcodeid=571470000000000 CHR DefaultSearchKeyword: Default -> Spinyon CHR DefaultSuggestURL: Default -> hxxps://api.spinyon.com/suggest/get?q={searchTerms} CHR Extension: (Spinyon) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll [2020-05-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll\1.1.0_0 Adds the file manifest.json"="5/8/2020 9:53 AM, 2024 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll\1.1.0_0\_metadata Adds the file computed_hashes.json"="5/8/2020 9:53 AM, 6255 bytes, A Adds the file verified_contents.json"="3/30/2020 1:40 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll\1.1.0_0\images Adds the file logo-white-text.png"="3/30/2020 1:40 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll\1.1.0_0\images\icons Adds the file 128x128.png"="5/8/2020 9:53 AM, 12069 bytes, A Adds the file 16x16.png"="5/8/2020 9:53 AM, 690 bytes, A Adds the file 64x64.png"="5/8/2020 9:53 AM, 4993 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckcmjkakmgfccahbhniegnfaefljbpll\1.1.0_0\scripts Adds the file background.js"="3/30/2020 1:40 PM, 514498 bytes, A Adds the file sitecontent.js"="3/30/2020 1:40 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll Adds the file 000003.log"="5/8/2020 9:57 AM, 526 bytes, A Adds the file CURRENT"="5/8/2020 9:53 AM, 16 bytes, A Adds the file LOCK"="5/8/2020 9:53 AM, 0 bytes, A Adds the file LOG"="5/8/2020 9:58 AM, 183 bytes, A Adds the file MANIFEST-000001"="5/8/2020 9:53 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ckcmjkakmgfccahbhniegnfaefljbpll Adds the file Spinyon.ico"="5/8/2020 9:53 AM, 214187 bytes, A Adds the file Spinyon.ico.md5"="5/8/2020 9:53 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ckcmjkakmgfccahbhniegnfaefljbpll"="REG_SZ", "2789FDADB5CBB246CED2D2C9D48AD0675E4077C5B1797F5921AC33519F680C8F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/8/20 Scan Time: 10:02 AM Log File: 4fc618de-9102-11ea-91f3-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.896 Update Package Version: 1.0.23612 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233265 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 2 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ckcmjkakmgfccahbhniegnfaefljbpll, Quarantined, 15155, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CKCMJKAKMGFCCAHBHNIEGNFAEFLJBPLL, Quarantined, 15155, 799722, 1.0.23612, , ame, File: 10 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll\000003.log, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll\CURRENT, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll\LOCK, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll\LOG, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ckcmjkakmgfccahbhniegnfaefljbpll\MANIFEST-000001, Quarantined, 15155, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CKCMJKAKMGFCCAHBHNIEGNFAEFLJBPLL\1.1.0_0\MANIFEST.JSON, Quarantined, 15155, 799722, 1.0.23612, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813367, 1.0.23612, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 813367, 1.0.23612, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is Cranchit? The Malwarebytes research team has determined that Cranchit is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Cranchit? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did Cranchit get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Cranchit? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Cranchit? No, Malwarebytes removes Cranchit completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Cranchit hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.cranchit.com CHR DefaultSearchURL: Default -> hxxps://feed.cranchit.com/?q={searchTerms}&publisher=cranchit&barcodeid=568610000000000 CHR DefaultSearchKeyword: Default -> Cranchit CHR DefaultSuggestURL: Default -> hxxps://api.cranchit.com/suggest/get?q={searchTerms} CHR Extension: (Cranchit) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijolklmkkccgnicbgehainefpijfhmlc [2020-04-30] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijolklmkkccgnicbgehainefpijfhmlc\1.1.0_0 Adds the file manifest.json"="4/30/2020 9:16 AM, 2026 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijolklmkkccgnicbgehainefpijfhmlc\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/30/2020 9:16 AM, 11681 bytes, A Adds the file verified_contents.json"="2/25/2020 3:09 PM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijolklmkkccgnicbgehainefpijfhmlc\1.1.0_0\images\icons Adds the file 128x128.png"="4/30/2020 9:16 AM, 8542 bytes, A Adds the file 16x16.png"="4/30/2020 9:16 AM, 619 bytes, A Adds the file 64x64.png"="4/30/2020 9:16 AM, 3870 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijolklmkkccgnicbgehainefpijfhmlc\1.1.0_0\scripts Adds the file background.js"="2/25/2020 3:09 PM, 998737 bytes, A Adds the file sitecontent.js"="2/25/2020 3:09 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ijolklmkkccgnicbgehainefpijfhmlc Adds the file 000003.log"="4/30/2020 9:19 AM, 834 bytes, A Adds the file CURRENT"="4/30/2020 9:16 AM, 16 bytes, A Adds the file LOCK"="4/30/2020 9:16 AM, 0 bytes, A Adds the file LOG"="4/30/2020 9:20 AM, 184 bytes, A Adds the file MANIFEST-000001"="4/30/2020 9:16 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ijolklmkkccgnicbgehainefpijfhmlc Adds the file Cranchit.ico"="4/30/2020 9:16 AM, 192534 bytes, A Adds the file Cranchit.ico.md5"="4/30/2020 9:16 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ijolklmkkccgnicbgehainefpijfhmlc"="REG_SZ", "1C881E992DA489F159362772920966EBA7F20A16F0F6B3BFAA2D39B0401F16E2" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/30/20 Scan Time: 9:27 AM Log File: fae4c08a-8ab3-11ea-a9bd-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.875 Update Package Version: 1.0.23192 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233309 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 4 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.PushNotifications, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ijolklmkkccgnicbgehainefpijfhmlc, Quarantined, 203, 789864, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ijolklmkkccgnicbgehainefpijfhmlc, Quarantined, 203, 789864, , , , PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IJOLKLMKKCCGNICBGEHAINEFPIJFHMLC, Quarantined, 203, 789864, 1.0.23192, , ame, File: 11 PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 789864, , , , PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 789864, , , , PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ijolklmkkccgnicbgehainefpijfhmlc\000003.log, Quarantined, 203, 789864, , , , PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ijolklmkkccgnicbgehainefpijfhmlc\CURRENT, Quarantined, 203, 789864, , , , PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ijolklmkkccgnicbgehainefpijfhmlc\LOCK, Quarantined, 203, 789864, , , , PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ijolklmkkccgnicbgehainefpijfhmlc\LOG, Quarantined, 203, 789864, , , , PUP.Optional.PushNotifications, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ijolklmkkccgnicbgehainefpijfhmlc\MANIFEST-000001, Quarantined, 203, 789864, , , , PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IJOLKLMKKCCGNICBGEHAINEFPIJFHMLC\1.1.0_0\MANIFEST.JSON, Quarantined, 203, 789864, 1.0.23192, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 789436, 1.0.23192, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 203, 789436, 1.0.23192, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 203, 789436, 1.0.23192, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is Shield My Searches? The Malwarebytes research team has determined that Shield My Searches is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Shield My Searches? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: this heading above your search results: and this changed setting: How did Shield My Searches get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Shield My Searches? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Shield My Searches? No, Malwarebytes removes Shield My Searches completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Shield My Searches hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://shieldmysearches.com CHR DefaultSearchURL: Default -> hxxps://shieldmysearches.com/search.html?appId=13120&q={searchTerms}&acTypeId=1 CHR DefaultSearchKeyword: Default -> Shield my Searches CHR DefaultSuggestURL: Default -> hxxps://shieldmysearches.com/apps/keywordSuggestion?q={searchTerms}&acTypeId=1&browser=0 CHR Extension: (Web) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bklnbnjkogjcjoegbgoaijghlokobddd [2020-04-23] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bklnbnjkogjcjoegbgoaijghlokobddd\1.0.0.7_0 Adds the file background.js"="3/26/2020 3:15 PM, 11110 bytes, A Adds the file contentGoogle.js"="3/26/2020 3:15 PM, 11608 bytes, A Adds the file contentScript.js"="3/26/2020 3:15 PM, 6298 bytes, A Adds the file manifest.json"="4/23/2020 9:21 AM, 2246 bytes, A Adds the file misc.js"="3/26/2020 3:15 PM, 3533 bytes, A Adds the file specificBackground.js"="3/26/2020 3:15 PM, 2347 bytes, A Adds the file util.js"="3/26/2020 3:15 PM, 4753 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bklnbnjkogjcjoegbgoaijghlokobddd\1.0.0.7_0\_metadata Adds the file computed_hashes.json"="4/23/2020 9:21 AM, 1806 bytes, A Adds the file verified_contents.json"="3/26/2020 3:15 PM, 2784 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bklnbnjkogjcjoegbgoaijghlokobddd\1.0.0.7_0\distJs Adds the file constants.js"="3/26/2020 3:15 PM, 5332 bytes, A Adds the file distribution.js"="3/26/2020 3:15 PM, 1331 bytes, A Adds the file helper.js"="3/26/2020 3:15 PM, 15433 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bklnbnjkogjcjoegbgoaijghlokobddd\1.0.0.7_0\html Adds the file popup.css"="3/26/2020 3:15 PM, 2971 bytes, A Adds the file popup.html"="3/26/2020 3:15 PM, 2250 bytes, A Adds the file popup.js"="3/26/2020 3:15 PM, 1179 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bklnbnjkogjcjoegbgoaijghlokobddd\1.0.0.7_0\icons Adds the file icon128.png"="4/23/2020 9:21 AM, 5980 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bklnbnjkogjcjoegbgoaijghlokobddd"="REG_SZ", "77C62540F7E8E5295F832683FB572048CB2D0B649616108A66BAE9D9D556C9C0" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/23/20 Scan Time: 9:34 AM Log File: e91014ce-8534-11ea-abef-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.875 Update Package Version: 1.0.22802 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233615 Threats Detected: 8 Threats Quarantined: 8 Time Elapsed: 2 min, 15 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchHijacker.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bklnbnjkogjcjoegbgoaijghlokobddd, Quarantined, 269, 814207, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.SearchHijacker.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BKLNBNJKOGJCJOEGBGOAIJGHLOKOBDDD, Quarantined, 269, 814207, 1.0.22802, , ame, File: 6 PUP.Optional.SearchHijacker.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 269, 814207, , , , PUP.Optional.SearchHijacker.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 269, 814207, , , , PUP.Optional.SearchHijacker.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BKLNBNJKOGJCJOEGBGOAIJGHLOKOBDDD\1.0.0.7_0\BACKGROUND.JS, Quarantined, 269, 814207, 1.0.22802, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 212, 814211, 1.0.22802, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 212, 814211, 1.0.22802, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 212, 814211, 1.0.22802, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is Twisted Search? The Malwarebytes research team has determined that Twisted Search is adware. These adware applications display advertisements not originating from the sites you are browsing. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Twisted Search? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did Twisted Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Twisted Search? Our program Malwarebytes can detect and remove this adware. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Twisted Search? No, Malwarebytes removes Twisted Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Twisted Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.twistedsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.twistedsearch.com/?q={searchTerms}&publisher=twistedsearch&barcodeid=569880000000000 CHR DefaultSearchKeyword: Default -> TwistedSearch CHR DefaultSuggestURL: Default -> hxxps://api.twistedsearch.com/suggest/get?q={searchTerms} CHR Extension: (TwistedSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb [2020-04-17] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb\1.1.0_0 Adds the file manifest.json"="4/17/2020 8:53 AM, 2098 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/17/2020 8:53 AM, 6255 bytes, A Adds the file verified_contents.json"="2/27/2020 2:12 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb\1.1.0_0\images Adds the file logo-white-text.png"="2/27/2020 2:12 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb\1.1.0_0\images\icons Adds the file 128x128.png"="4/17/2020 8:53 AM, 5623 bytes, A Adds the file 16x16.png"="4/17/2020 8:53 AM, 484 bytes, A Adds the file 64x64.png"="4/17/2020 8:53 AM, 2597 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbljakmmigjklochficjpgfcmhcdekb\1.1.0_0\scripts Adds the file background.js"="2/27/2020 2:12 PM, 514587 bytes, A Adds the file sitecontent.js"="2/27/2020 2:12 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb Adds the file 000003.log"="4/17/2020 8:58 AM, 854 bytes, A Adds the file CURRENT"="4/17/2020 8:53 AM, 16 bytes, A Adds the file LOCK"="4/17/2020 8:53 AM, 0 bytes, A Adds the file LOG"="4/17/2020 8:59 AM, 184 bytes, A Adds the file MANIFEST-000001"="4/17/2020 8:53 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_lbbljakmmigjklochficjpgfcmhcdekb Adds the file Twisted Search.ico"="4/17/2020 8:53 AM, 184125 bytes, A Adds the file Twisted Search.ico.md5"="4/17/2020 8:53 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "lbbljakmmigjklochficjpgfcmhcdekb"="REG_SZ", "0EEDED1358DC3F5A1830A6A27C191032BEBE34F00A22D47AB0AD76DB6ABD53E4" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/17/20 Scan Time: 9:06 AM Log File: ebcbece8-8079-11ea-8599-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.867 Update Package Version: 1.0.22566 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233727 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 18 min, 40 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|lbbljakmmigjklochficjpgfcmhcdekb, Quarantined, 15116, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LBBLJAKMMIGJKLOCHFICJPGFCMHCDEKB, Quarantined, 15116, 799722, 1.0.22566, , ame, File: 11 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb\000003.log, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb\CURRENT, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb\LOCK, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb\LOG, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lbbljakmmigjklochficjpgfcmhcdekb\MANIFEST-000001, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LBBLJAKMMIGJKLOCHFICJPGFCMHCDEKB\1.1.0_0\MANIFEST.JSON, Quarantined, 15116, 799722, 1.0.22566, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 213, 806228, 1.0.22566, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 213, 806228, 1.0.22566, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 213, 806228, 1.0.22566, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is FileConvertPro? The Malwarebytes research team has determined that FileConvertPro is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications. How do I know if my computer is affected by FileConvertPro? You may see this browser extension: these warnings during install: You may see this icon in your browsers menu-bar: this new startpage: and this new setting: How did FileConvertPro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove FileConvertPro? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of FileConvertPro? No, Malwarebytes' Anti-Malware removes FileConvertPro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the FileConvertPro hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://www.fileconvertpro.co CHR NewTab: Default -> Active:"chrome-extension://adfinhnnapfmlodkdnjmljfacfggelgb/index.html" CHR Extension: (FileConvertPro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\adfinhnnapfmlodkdnjmljfacfggelgb [2020-04-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\adfinhnnapfmlodkdnjmljfacfggelgb\2.9.1.11_0 Adds the file index.html"="2/21/2020 5:22 PM, 240 bytes, A Adds the file manifest.json"="4/15/2020 8:34 AM, 1390 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\adfinhnnapfmlodkdnjmljfacfggelgb\2.9.1.11_0\_metadata Adds the file computed_hashes.json"="4/15/2020 8:34 AM, 5665 bytes, A Adds the file verified_contents.json"="2/21/2020 5:22 PM, 2605 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\adfinhnnapfmlodkdnjmljfacfggelgb\2.9.1.11_0\core Adds the file content.js"="2/21/2020 5:22 PM, 359 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\adfinhnnapfmlodkdnjmljfacfggelgb\2.9.1.11_0\icons Adds the file icon128.png"="4/15/2020 8:34 AM, 1834 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\adfinhnnapfmlodkdnjmljfacfggelgb\2.9.1.11_0\js Adds the file background.js"="2/21/2020 5:22 PM, 7570 bytes, A Adds the file common.js"="2/21/2020 5:22 PM, 1591 bytes, A Adds the file index.js"="2/21/2020 5:22 PM, 336 bytes, A Adds the file jquery-3.2.1.min.js"="2/21/2020 5:22 PM, 86574 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\adfinhnnapfmlodkdnjmljfacfggelgb\2.9.1.11_0\permission Adds the file fetch.js"="2/21/2020 5:22 PM, 6662 bytes, A Adds the file index.html"="2/21/2020 5:22 PM, 13675 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\adfinhnnapfmlodkdnjmljfacfggelgb\2.9.1.11_0\permission\img Adds the file faviconfinal.ico"="2/21/2020 5:22 PM, 101036 bytes, A Adds the file hyper-pp.jpg"="2/21/2020 5:22 PM, 188901 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\adfinhnnapfmlodkdnjmljfacfggelgb Adds the file 000003.log"="4/15/2020 8:34 AM, 193 bytes, A Adds the file CURRENT"="4/15/2020 8:34 AM, 16 bytes, A Adds the file LOCK"="4/15/2020 8:34 AM, 0 bytes, A Adds the file LOG"="4/15/2020 8:39 AM, 183 bytes, A Adds the file MANIFEST-000001"="4/15/2020 8:34 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "adfinhnnapfmlodkdnjmljfacfggelgb"="REG_SZ", "0F1866C572D7FFCD3072800A12ABD49A0CBD311D0CB5A32EFCB529AE61DD859D" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/15/20 Scan Time: 8:45 AM Log File: b8b78c54-7ee4-11ea-8bbb-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.867 Update Package Version: 1.0.22494 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233451 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 11 min, 16 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.FileConverterPro, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|adfinhnnapfmlodkdnjmljfacfggelgb, Quarantined, 15128, 810929, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.FileConverterPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\adfinhnnapfmlodkdnjmljfacfggelgb, Quarantined, 15128, 810929, , , , PUP.Optional.FileConverterPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ADFINHNNAPFMLODKDNJMLJFACFGGELGB, Quarantined, 15128, 810929, 1.0.22494, , ame, File: 10 PUP.Optional.FileConverterPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15128, 810929, , , , PUP.Optional.FileConverterPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15128, 810929, , , , PUP.Optional.FileConverterPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\adfinhnnapfmlodkdnjmljfacfggelgb\000003.log, Quarantined, 15128, 810929, , , , PUP.Optional.FileConverterPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\adfinhnnapfmlodkdnjmljfacfggelgb\CURRENT, Quarantined, 15128, 810929, , , , PUP.Optional.FileConverterPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\adfinhnnapfmlodkdnjmljfacfggelgb\LOCK, Quarantined, 15128, 810929, , , , PUP.Optional.FileConverterPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\adfinhnnapfmlodkdnjmljfacfggelgb\LOG, Quarantined, 15128, 810929, , , , PUP.Optional.FileConverterPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\adfinhnnapfmlodkdnjmljfacfggelgb\LOG.old, Quarantined, 15128, 810929, , , , PUP.Optional.FileConverterPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\adfinhnnapfmlodkdnjmljfacfggelgb\MANIFEST-000001, Quarantined, 15128, 810929, , , , PUP.Optional.FileConverterPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ADFINHNNAPFMLODKDNJMLJFACFGGELGB\2.9.1.11_0\MANIFEST.JSON, Quarantined, 15128, 810929, 1.0.22494, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 213, 791445, 1.0.22494, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  16. What is Logic Search? The Malwarebytes research team has determined that Logic Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Logic Search? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did Logic Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Logic Search? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Logic Search? No, Malwarebytes removes Logic Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Logic Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.logic-search.com CHR DefaultSearchURL: Default -> hxxps://feed.logic-search.com/?q={searchTerms}&publisher=logicsearch&barcodeid=568600000000000 CHR DefaultSearchKeyword: Default -> LogicSearch CHR DefaultSuggestURL: Default -> hxxps://api.logic-search.com/suggest/get?q={searchTerms} CHR Extension: (LogicSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfkbcpmpalppapmblbdjjjbnjkpokmhn [2020-04-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfkbcpmpalppapmblbdjjjbnjkpokmhn\1.1.0_0 Adds the file manifest.json"="4/14/2020 8:54 AM, 2069 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfkbcpmpalppapmblbdjjjbnjkpokmhn\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/14/2020 8:54 AM, 11681 bytes, A Adds the file verified_contents.json"="2/25/2020 3:10 PM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfkbcpmpalppapmblbdjjjbnjkpokmhn\1.1.0_0\images\icons Adds the file 128x128.png"="4/14/2020 8:54 AM, 6189 bytes, A Adds the file 16x16.png"="4/14/2020 8:54 AM, 731 bytes, A Adds the file 64x64.png"="4/14/2020 8:54 AM, 3006 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfkbcpmpalppapmblbdjjjbnjkpokmhn\1.1.0_0\scripts Adds the file background.js"="2/25/2020 3:10 PM, 998819 bytes, A Adds the file sitecontent.js"="2/25/2020 3:10 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hfkbcpmpalppapmblbdjjjbnjkpokmhn Adds the file 000003.log"="4/14/2020 8:57 AM, 816 bytes, A Adds the file CURRENT"="4/14/2020 8:54 AM, 16 bytes, A Adds the file LOCK"="4/14/2020 8:54 AM, 0 bytes, A Adds the file LOG"="4/14/2020 8:58 AM, 183 bytes, A Adds the file MANIFEST-000001"="4/14/2020 8:54 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hfkbcpmpalppapmblbdjjjbnjkpokmhn Adds the file Logic Search.ico"="4/14/2020 8:54 AM, 187617 bytes, A Adds the file Logic Search.ico.md5"="4/14/2020 8:54 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hfkbcpmpalppapmblbdjjjbnjkpokmhn"="REG_SZ", "AED394B986434E8B27B1E055A583F5593C75DEC54678AD9E24C2C1293D4ACBB7" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/14/20 Scan Time: 9:05 AM Log File: 63346b7e-7e1e-11ea-8af4-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.867 Update Package Version: 1.0.22436 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233481 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 11 min, 53 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.LogicSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hfkbcpmpalppapmblbdjjjbnjkpokmhn, Quarantined, 15131, 790796, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.LogicSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\hfkbcpmpalppapmblbdjjjbnjkpokmhn, Quarantined, 15131, 790796, , , , PUP.Optional.LogicSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HFKBCPMPALPPAPMBLBDJJJBNJKPOKMHN, Quarantined, 15131, 790796, 1.0.22436, , ame, File: 11 PUP.Optional.LogicSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15131, 790796, , , , PUP.Optional.LogicSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15131, 790796, , , , PUP.Optional.LogicSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hfkbcpmpalppapmblbdjjjbnjkpokmhn\000003.log, Quarantined, 15131, 790796, , , , PUP.Optional.LogicSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hfkbcpmpalppapmblbdjjjbnjkpokmhn\CURRENT, Quarantined, 15131, 790796, , , , PUP.Optional.LogicSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hfkbcpmpalppapmblbdjjjbnjkpokmhn\LOCK, Quarantined, 15131, 790796, , , , PUP.Optional.LogicSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hfkbcpmpalppapmblbdjjjbnjkpokmhn\LOG, Quarantined, 15131, 790796, , , , PUP.Optional.LogicSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hfkbcpmpalppapmblbdjjjbnjkpokmhn\MANIFEST-000001, Quarantined, 15131, 790796, , , , PUP.Optional.LogicSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HFKBCPMPALPPAPMBLBDJJJBNJKPOKMHN\1.1.0_0\MANIFEST.JSON, Quarantined, 15131, 790796, 1.0.22436, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 214, 789449, 1.0.22436, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 214, 789449, 1.0.22436, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 214, 789449, 1.0.22436, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  17. What is Rolling Search? The Malwarebytes research team has determined that Rolling Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Rolling Search? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did Rolling Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Rolling Search? Our program Malwarebytes can detect and remove this adware. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Rolling Search? No, Malwarebytes removes Rolling Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Rolling Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.rollingsearch.com CHR DefaultSearchURL: Default -> hxxps://feed.rollingsearch.com/?q={searchTerms}&publisher=rollingsearch&barcodeid=569890000000000 CHR DefaultSearchKeyword: Default -> RollingSearch CHR DefaultSuggestURL: Default -> hxxps://api.rollingsearch.com/suggest/get?q={searchTerms} CHR Extension: (RollingSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij [2020-04-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij\1.1.0_0 Adds the file manifest.json"="4/6/2020 8:47 AM, 2098 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij\1.1.0_0\_metadata Adds the file computed_hashes.json"="4/6/2020 8:47 AM, 6255 bytes, A Adds the file verified_contents.json"="3/1/2020 10:21 AM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij\1.1.0_0\images Adds the file logo-white-text.png"="3/1/2020 10:21 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij\1.1.0_0\images\icons Adds the file 128x128.png"="4/6/2020 8:47 AM, 4055 bytes, A Adds the file 16x16.png"="4/6/2020 8:47 AM, 470 bytes, A Adds the file 64x64.png"="4/6/2020 8:47 AM, 2105 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcncoofdjajjmofplbdieeoieapjhgij\1.1.0_0\scripts Adds the file background.js"="3/1/2020 10:21 AM, 514587 bytes, A Adds the file sitecontent.js"="3/1/2020 10:21 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij Adds the file 000003.log"="4/6/2020 8:51 AM, 835 bytes, A Adds the file CURRENT"="4/6/2020 8:47 AM, 16 bytes, A Adds the file LOCK"="4/6/2020 8:47 AM, 0 bytes, A Adds the file LOG"="4/6/2020 8:51 AM, 184 bytes, A Adds the file MANIFEST-000001"="4/6/2020 8:47 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_dcncoofdjajjmofplbdieeoieapjhgij Adds the file Rolling Search.ico"="4/6/2020 8:47 AM, 177147 bytes, A Adds the file Rolling Search.ico.md5"="4/6/2020 8:47 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dcncoofdjajjmofplbdieeoieapjhgij"="REG_SZ", "6159505CD847AE8099AE07E9DB4B4D7E0629A29A665857442A9D4EDDD1FC8597" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/6/20 Scan Time: 8:56 AM Log File: b2604f3e-77d3-11ea-a56d-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.859 Update Package Version: 1.0.21998 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233786 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 12 min, 58 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dcncoofdjajjmofplbdieeoieapjhgij, Quarantined, 15116, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DCNCOOFDJAJJMOFPLBDIEEOIEAPJHGIJ, Quarantined, 15116, 799722, 1.0.21998, , ame, File: 11 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij\000003.log, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij\CURRENT, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij\LOCK, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij\LOG, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcncoofdjajjmofplbdieeoieapjhgij\MANIFEST-000001, Quarantined, 15116, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DCNCOOFDJAJJMOFPLBDIEEOIEAPJHGIJ\1.1.0_0\MANIFEST.JSON, Quarantined, 15116, 799722, 1.0.21998, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 214, 802211, 1.0.21998, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 214, 802211, 1.0.21998, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 214, 802211, 1.0.21998, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  18. What is SearchStreams? The Malwarebytes research team has determined that SearchStreams is adware. These adware applications display advertisements not originating from the sites you are browsing. This particular one hijacks your search results. How do I know if my computer is affected by SearchStreams? You may see these warnings during install: This entry in your list of installed Chrome extensions: this icon in your browsers' menu bar: and this changed setting: How did SearchStreams get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchStreams? Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchStreams? No, Malwarebytes removes SearchStreams completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the SearchStreams adware. It would have blocked their domain. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.searchstreams.com/?q={searchTerms}&publisher=searchstreams&barcodeid=569870000000000 CHR DefaultSearchKeyword: Default -> SearchStreams CHR DefaultSuggestURL: Default -> hxxps://api.searchstreams.com/suggest/get?q={searchTerms} CHR Extension: (SearchStreams) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj [2020-03-23] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj\1.1.0_0 Adds the file manifest.json"="3/23/2020 8:52 AM, 2096 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj\1.1.0_0\_metadata Adds the file computed_hashes.json"="3/23/2020 8:52 AM, 11801 bytes, A Adds the file verified_contents.json"="2/25/2020 3:11 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj\1.1.0_0\images Adds the file logo-white-text.png"="2/25/2020 3:11 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj\1.1.0_0\images\icons Adds the file 128x128.png"="3/23/2020 8:52 AM, 7212 bytes, A Adds the file 16x16.png"="3/23/2020 8:52 AM, 585 bytes, A Adds the file 64x64.png"="3/23/2020 8:52 AM, 3354 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdgmalcknocffegnfogakhfakkhgjkdj\1.1.0_0\scripts Adds the file background.js"="2/25/2020 3:11 PM, 998868 bytes, A Adds the file sitecontent.js"="2/25/2020 3:11 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj Adds the file 000003.log"="3/23/2020 8:54 AM, 778 bytes, A Adds the file CURRENT"="3/23/2020 8:52 AM, 16 bytes, A Adds the file LOCK"="3/23/2020 8:52 AM, 0 bytes, A Adds the file LOG"="3/23/2020 8:54 AM, 184 bytes, A Adds the file MANIFEST-000001"="3/23/2020 8:52 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pdgmalcknocffegnfogakhfakkhgjkdj Adds the file SearchStreams.ico"="3/23/2020 8:52 AM, 189195 bytes, A Adds the file SearchStreams.ico.md5"="3/23/2020 8:52 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pdgmalcknocffegnfogakhfakkhgjkdj"="REG_SZ", "825763FF885576CF8E3FA2AD12F43E1F5983C44D4945208DA2F8BE13EBF6055B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/23/20 Scan Time: 9:02 AM Log File: 9b785a34-6cdc-11ea-93cc-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.835 Update Package Version: 1.0.21216 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234587 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 9 min, 48 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pdgmalcknocffegnfogakhfakkhgjkdj, Quarantined, 15078, 799722, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PDGMALCKNOCFFEGNFOGAKHFAKKHGJKDJ, Quarantined, 15078, 799722, 1.0.21216, , ame, File: 11 Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\000003.log, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\CURRENT, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\LOCK, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\LOG, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\LOG.old, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pdgmalcknocffegnfogakhfakkhgjkdj\MANIFEST-000001, Quarantined, 15078, 799722, , , , Adware.SearchEngineHijack.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PDGMALCKNOCFFEGNFOGAKHFAKKHGJKDJ\1.1.0_0\MANIFEST.JSON, Quarantined, 15078, 799722, 1.0.21216, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 216, 802150, 1.0.21216, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 216, 802150, 1.0.21216, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  19. What is TinyChill? The Malwarebytes research team has determined that TinyChill is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by TinyChill? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: and if you have allowed notifications you may see popups like this one: How did TinyChill get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove TinyChill? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of TinyChill? No, Malwarebytes removes TinyChill completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Browser Guard, as well as the full version of Malwarebytes would have protected you against the TinyChill hijacker. They would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.tinychill.com CHR DefaultSearchURL: Default -> hxxps://feed.tinychill.com/?q={searchTerms}&publisher=tinychill&barcodeid=568620000000000 CHR DefaultSearchKeyword: Default -> TinyChill CHR DefaultSuggestURL: Default -> hxxps://api.tinychill.com/suggest/get?q={searchTerms} CHR Extension: (TinyChill) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac [2020-02-20] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0 Adds the file manifest.json"="2/20/2020 9:13 AM, 2038 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/20/2020 9:13 AM, 6135 bytes, A Adds the file verified_contents.json"="1/21/2020 10:49 AM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0\images\icons Adds the file 128x128.png"="2/20/2020 9:13 AM, 9616 bytes, A Adds the file 16x16.png"="2/20/2020 9:13 AM, 703 bytes, A Adds the file 64x64.png"="2/20/2020 9:13 AM, 4415 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0\scripts Adds the file background.js"="1/21/2020 10:49 AM, 513868 bytes, A Adds the file sitecontent.js"="1/21/2020 10:49 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_djlopnkmcpkkdnhgpffbnllnpinagcac Adds the file TinyChill.ico"="2/20/2020 9:13 AM, 202567 bytes, A Adds the file TinyChill.ico.md5"="2/20/2020 9:13 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "djlopnkmcpkkdnhgpffbnllnpinagcac"="REG_SZ", "FB8C6BEA0FCE4428CA8080CAF7ED4521D682EFDAA84AA0DA090D197E99C2F880" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/20/20 Scan Time: 9:26 AM Log File: a4494b36-53ba-11ea-be46-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19482 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235874 Threats Detected: 8 Threats Quarantined: 8 Time Elapsed: 30 min, 51 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.TinyChill, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|djlopnkmcpkkdnhgpffbnllnpinagcac, Quarantined, 15071, 790797, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DJLOPNKMCPKKDNHGPFFBNLLNPINAGCAC, Quarantined, 15071, 790797, 1.0.19482, , ame, File: 6 PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15071, 790797, , , , PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15071, 790797, , , , PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DJLOPNKMCPKKDNHGPFFBNLLNPINAGCAC\1.0.0_0\MANIFEST.JSON, Quarantined, 15071, 790797, 1.0.19482, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789477, 1.0.19482, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789477, 1.0.19482, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 217, 789477, 1.0.19482, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  20. What is SearchYA? The Malwarebytes research team has determined that SearchYA is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by SearchYA? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did SearchYA get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchYA? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchYA? No, Malwarebytes removes SearchYA completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Browser Guard, as well as the full version of Malwarebytes would have protected you against the SearchYA hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.search-ya.com CHR DefaultSearchURL: Default -> hxxps://feed.search-ya.com/?q={searchTerms}&publisher=searchya&barcodeid=568630000000000 CHR DefaultSearchKeyword: Default -> SearchYA CHR DefaultSuggestURL: Default -> hxxps://api.search-ya.com/suggest/get?q={searchTerms} CHR Extension: (SearchYA) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd [2020-02-19] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0 Adds the file manifest.json"="2/19/2020 8:59 AM, 2032 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/19/2020 8:59 AM, 6135 bytes, A Adds the file verified_contents.json"="1/20/2020 10:15 AM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0\images\icons Adds the file 128x128.png"="2/19/2020 8:59 AM, 4365 bytes, A Adds the file 16x16.png"="2/19/2020 8:59 AM, 544 bytes, A Adds the file 64x64.png"="2/19/2020 8:59 AM, 2224 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0\scripts Adds the file background.js"="1/20/2020 10:15 AM, 513853 bytes, A Adds the file sitecontent.js"="1/20/2020 10:15 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hleencoclkeflkjlikhldjhafcpdgjjd Adds the file SearchYA.ico"="2/19/2020 8:59 AM, 178477 bytes, A Adds the file SearchYA.ico.md5"="2/19/2020 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hleencoclkeflkjlikhldjhafcpdgjjd"="REG_SZ", "0DD3C99E34CC2F160E4CD8AE8CF7CA1EF12BD63E355675C19850F799320FDE5B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/19/20 Scan Time: 9:09 AM Log File: 1e3656fe-52ef-11ea-9658-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19438 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235896 Threats Detected: 8 Threats Quarantined: 8 Time Elapsed: 3 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchYa, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hleencoclkeflkjlikhldjhafcpdgjjd, Quarantined, 411, 791984, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLEENCOCLKEFLKJLIKHLDJHAFCPDGJJD, Quarantined, 411, 791984, 1.0.19438, , ame, File: 6 PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 411, 791984, , , , PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 411, 791984, , , , PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLEENCOCLKEFLKJLIKHLDJHAFCPDGJJD\1.0.0_0\MANIFEST.JSON, Quarantined, 411, 791984, 1.0.19438, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789466, 1.0.19438, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789466, 1.0.19438, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 217, 789466, 1.0.19438, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.