Showing results for tags 'pup.optional.spigot.generic'.

Found 11 results

  1. What is Quick Search Tool?

     The Malwarebytes research team has determined that Quick Search Tool is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one changes your default search engine.

     How do I know if my computer is affected by Quick Search Tool?

     You may see this entry in your list of installed Chrome extensions: and this changed setting: You may have noticed these warnings during install:

     How did Quick Search Tool get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove Quick Search Tool?

     Our program Malwarebytes can detect and remove this search hijacker.

       • Please download Malwarebytes for Windows to your desktop.
       • Double-click MBSetup.exe and follow the prompts to install the program.
       • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
       • Click on the Get started button.
       • Click Scan to start a Threat Scan.
       • When the scan is finished click Quarantine to remove the found threats.
       • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of Quick Search Tool?

     No, Malwarebytes removes Quick Search Tool completely.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Quick Search Tool hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

     Technical details for experts

     Possible signs in FRST logs:

       CHR DefaultSearchURL: Default -> hxxps://search.quicksearchtool.com/s?query={searchTerms}
       CHR DefaultSearchKeyword: Default -> qst
       CHR DefaultSuggestURL: Default -> hxxps://search.quicksearchtool.com/autosuggest?query={searchTerms}
       CHR Extension: (QuickSearchTool) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlpenjcbjaocajkajjklmfomhohiodfa [2020-12-18]

     Alterations made by the installer:

     Malwarebytes log:

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

       • Dynamically Blocks Malware Sites & Servers
       • Malware Execution Prevention

     Save yourself the hassle and get protected.

  2. What is My Recipe Finder?

     The Malwarebytes research team has determined that My Recipe Finder is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications.

     How do I know if my computer is affected by My Recipe Finder?

     You may see this browser extension: these warnings during install: You may see this new startpage: and these new settings:

     How did My Recipe Finder get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove My Recipe Finder?

     Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway.

       • Please download Malwarebytes for Windows to your desktop.
       • Double-click MBSetup.exe and follow the prompts to install the program.
       • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
       • Click on the Get started button.
       • Click Scan to start a Threat Scan.
       • When the scan is finished click Quarantine to remove the found threats.
       • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of My Recipe Finder?

     No, Malwarebytes' Anti-Malware removes My Recipe Finder completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the My Recipe Finder hijacker.
     It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

     Technical details for experts

     Possible signs in FRST logs:

       CHR Notifications: Default -> hxxps://printmyrecipes.com
       CHR NewTab: Default -> Active:"chrome-extension://afibfmggjaicolcdflippmefidkngmga/newtabhtml/newtabpage.html"
       CHR Extension: (My Recipe Finder) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\afibfmggjaicolcdflippmefidkngmga [2020-12-10]

     Alterations made by the installer:

     Malwarebytes log:

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

       • Dynamically Blocks Malware Sites & Servers
       • Malware Execution Prevention

     Save yourself the hassle and get protected.

  3. What is File Conversion Now?

     The Malwarebytes research team has determined that File Conversion Now is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications.

     How do I know if my computer is affected by File Conversion Now?

     You may see this browser extension: this warning during install: You may see this icon in your browsers menu-bar: this new startpage: and these new settings:

     How did File Conversion Now get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove File Conversion Now?

     Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway.

       • Please download Malwarebytes for Windows to your desktop.
       • Double-click MBSetup.exe and follow the prompts to install the program.
       • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
       • Click on the Get started button.
       • Click Scan to start a Threat Scan.
       • When the scan is finished click Quarantine to remove the found threats.
       • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of File Conversion Now?

     No, Malwarebytes' Anti-Malware removes File Conversion Now completely. If you have allowed the notifications you can read here how to disable them.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the File Conversion Now hijacker.
     It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

     Technical details for experts

     Possible signs in FRST logs:

       CHR Notifications: Default -> hxxps://hp.hfileconversionnow.com; hxxps://pdfconverterguru.com
       CHR NewTab: Default -> Active:"chrome-extension://ocemooeilogfefcknbhnjlofcfnhohcb/newtabhtml/newtabpage.html"
       CHR Extension: (File Conversion Now) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocemooeilogfefcknbhnjlofcfnhohcb [2020-06-25]

     Alterations made by the installer:

     Malwarebytes log:

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

       • Dynamically Blocks Malware Sites & Servers
       • Malware Execution Prevention

     Save yourself the hassle and get protected.

  4. What is Email Search Tools?

     The Malwarebytes research team has determined that Email Search Tools is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

     How do I know if my computer is affected by Email Search Tools?

     You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: and these warnings during install:

     How did Email Search Tools get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website:

     How do I remove Email Search Tools?

     Our program Malwarebytes can detect and remove this potentially unwanted program.

       • Please download Malwarebytes for Windows to your desktop.
       • Double-click MBSetup.exe and follow the prompts to install the program.
       • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
       • Click on the Get started button.
       • Click Scan to start a Threat Scan.
       • When the scan is finished click Quarantine to remove the found threats.
       • Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of Email Search Tools?

     No, Malwarebytes removes Email Search Tools completely.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Email Search Tools hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://search.emailsearchtools.com/s?query={searchTerms} CHR DefaultSearchKeyword: Default -> qs CHR Extension: (EmailSearchTools) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb [2020-02-18]
Alterations made by the installer: Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jghejomglpmejfcphjbfeplpdndfccbb"="REG_SZ", "97E0F3A7AB704677C53A02393F770EDAD534C32F242AD71AAE6161493AF5A4A7"
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Access Gov Docs Tab? The Malwarebytes research team has determined that Access Gov Docs Tab is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications. How do I know if my computer is affected by Access Gov Docs Tab? You may see this browser extension: these warnings during install: You may see this new startpage: and this new setting: How did Access Gov Docs Tab get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website. How do I remove Access Gov Docs Tab? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Access Gov Docs Tab? No, Malwarebytes' Anti-Malware removes Access Gov Docs Tab completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard, would have protected you against the Access Gov Docs Tab hijacker. 
It blocks their domains: Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://accessgovdocs.net CHR NewTab: Default -> Active:"chrome-extension://pkcbnkckeahemigpmionfaiclhdeellf/newtabhtml/newtabpage.html" CHR Extension: (Access Gov Docs Tab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf [2020-02-12]
Alterations made by the installer: Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pkcbnkckeahemigpmionfaiclhdeellf"="REG_SZ", "1EC6E39BCCAD8954D53C75484C0712E68018C6906F0131AD4AEEA10CD5CC19FC"
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is My Login Hub? The Malwarebytes research team has determined that My Login Hub is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications. How do I know if my computer is affected by My Login Hub? You may see this browser extension: these warnings during install: Despite this last notification you may see this icon in your browser's menu-bar: and this new setting: How did My Login Hub get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove My Login Hub? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of My Login Hub? No, Malwarebytes' Anti-Malware removes My Login Hub completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the My Login Hub hijacker. 
Both Malwarebytes Premium and Browser Guard would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://cgbimlhbabmglaamekacddnjhdloknme/newtabhtml/newtabpage.html" CHR Extension: (My Login Hub) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgbimlhbabmglaamekacddnjhdloknme [2019-12-17]
Alterations made by the installer: Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cgbimlhbabmglaamekacddnjhdloknme"="REG_SZ", "2EAD79FF084CC24A86786571101318B6CD4AE6C55AF35246677687F872564595"
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is Email Search Tools? The Malwarebytes research team has determined that Email Search Tools is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by Email Search Tools? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: How did Email Search Tools get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Email Search Tools? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Email Search Tools? No, Malwarebytes removes Email Search Tools completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Email Search Tools hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. 
Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://search.emailsearchtools.com/s?query={searchTerms} CHR DefaultSearchKeyword: Default -> email CHR Extension: (EmailSearchTools) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb [2019-11-15]
Alterations made by the installer: Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jghejomglpmejfcphjbfeplpdndfccbb"="REG_SZ", "A9322B76617230A96887AEEB8993C10B62005A0728B26F171B4E0708000AC09C"
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Free Live Radio? The Malwarebytes research team has determined that Free Live Radio is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by Free Live Radio? You may see this browser extension: these warnings during install: You may see this icon in your browser's menu-bar: this new startpage: and this new setting: How did Free Live Radio get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: How do I remove Free Live Radio? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Free Live Radio? No, Malwarebytes' Anti-Malware removes Free Live Radio completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes and Malwarebytes Browser Guard would have protected you against the Free Live Radio hijacker. 
It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://pacogkibldhicojmklpbapiilaleilbp/newtabfile/fastesttab.html" CHR Extension: (Free Live Radio) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp [2019-10-31] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0 Adds the file after.js"="7/16/2019 3:49 PM, 1264 bytes, A Adds the file bg.js"="7/16/2019 3:49 PM, 15172 bytes, A Adds the file contentscript.js"="7/16/2019 3:49 PM, 1247 bytes, A Adds the file icon.png"="10/31/2019 8:28 AM, 2449 bytes, A Adds the file manifest.json"="10/31/2019 8:28 AM, 1442 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\_locales\en Adds the file messages.json"="10/31/2019 8:28 AM, 274 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\_metadata Adds the file computed_hashes.json"="10/31/2019 8:28 AM, 1195 bytes, A Adds the file verified_contents.json"="7/16/2019 3:49 PM, 2613 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\css Adds the file browserAction.css"="7/16/2019 3:49 PM, 95 bytes, A Adds the file description.css"="7/16/2019 3:49 PM, 1008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\html\browserAction Adds the file browserAction.html"="7/16/2019 3:49 PM, 230 
bytes, A Adds the file description.html"="7/16/2019 3:49 PM, 264 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\js Adds the file newTab.js"="7/16/2019 3:49 PM, 1720 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\newtabfile Adds the file fastesttab.html"="7/16/2019 3:49 PM, 208 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pacogkibldhicojmklpbapiilaleilbp Adds the file 000003.log"="10/31/2019 8:28 AM, 234 bytes, A Adds the file CURRENT"="10/31/2019 8:28 AM, 16 bytes, A Adds the file LOCK"="10/31/2019 8:28 AM, 0 bytes, A Adds the file LOG"="10/31/2019 8:28 AM, 183 bytes, A Adds the file MANIFEST-000001"="10/31/2019 8:28 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pacogkibldhicojmklpbapiilaleilbp"="REG_SZ", "4D051C639B48ED7E29B08E2845AB4CC7F2AA46F4775F75186BC4F68E5DF81F71" Malwarebytes log:
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. Hi, I have a couple of issues. Malwarebytes stopped running scheduled scans for a few months. When I ran a scan yesterday, it had multiple infections that needed to be cleaned. It cleaned them but I have read online sometimes you have to do more. I have attached the infected scan, a scan after cleaning, and Farbar reports. So my questions are: -Why are scheduled scans not running? -Do the Farbar reports show that I am still infected? Thanks. cleaned.txt infected.txt Addition.txt FRST.txt
  10. What is TubeTab? The Malwarebytes research team has determined that TubeTab is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. TubeTab is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by TubeTab? You may see this Chrome extension: this icon in your Chrome toolbar: and these warnings when you open Chrome during or after the install: and this new startpage in the affected browser(s): How did TubeTab get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software. How do I remove TubeTab? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of TubeTab? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the TubeTab entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. 
As you can see below the full version of Malwarebytes would have protected you against the TubeTab hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: CHR DefaultSearchURL: Default -> hxxp://search.searchytdvta.com/s?remove=remove&query={searchTerms} CHR DefaultSearchKeyword: Default -> ut CHR Extension: (TubeTab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce [2017-08-14] CHR HKCU\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jlhpijolpcimadhjingadnbcjncmjdce] - hxxps://clients2.google.com/service/update2/crx The changes made by the installer: File system details [View: All details] (Selection) Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0 Adds the file background.js"="7/12/2017 2:29 PM, 16416 bytes, A Adds the file contentscript.js"="7/12/2017 2:29 PM, 1540 bytes, A Adds the file icon.png"="8/14/2017 9:10 AM, 6164 bytes, A Adds the file manifest.json"="8/14/2017 9:10 AM, 1794 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\_locales\en Adds the file messages.json"="8/14/2017 9:10 AM, 269 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\_metadata Adds the file computed_hashes.json"="8/14/2017 9:10 AM, 1223 bytes, A Adds the file verified_contents.json"="7/12/2017 2:29 PM, 2783 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\css Adds the file description.css"="7/12/2017 2:29 PM, 1008 bytes, A Adds the file popup.css"="7/12/2017 2:29 PM, 95 bytes, A 
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\html\popup Adds the file description.html"="7/12/2017 2:29 PM, 259 bytes, A Adds the file popup.html"="7/12/2017 2:29 PM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\js Adds the file userNewTab.js"="7/12/2017 2:29 PM, 2587 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\js\popup Adds the file popup.js"="7/12/2017 2:29 PM, 805 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\newtab Adds the file newtab.html"="7/12/2017 2:29 PM, 190 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jlhpijolpcimadhjingadnbcjncmjdce Adds the file 000003.log"="8/14/2017 9:10 AM, 268 bytes, A Adds the file CURRENT"="8/14/2017 9:10 AM, 16 bytes, A Adds the file LOCK"="8/14/2017 9:10 AM, 0 bytes, A Adds the file LOG"="8/14/2017 9:10 AM, 184 bytes, A Adds the file MANIFEST-000001"="8/14/2017 9:10 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\jlhpijolpcimadhjingadnbcjncmjdce] "update_url"="REG_SZ", "https://clients2.google.com/service/update2/crx" The Malwarebytes scan log:
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is GetMaps? The Malwarebytes research team has determined that GetMaps is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. GetMaps is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by GetMaps? You may see this browser extension/add-on: and these changed search settings: You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): How did GetMaps get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove GetMaps? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of GetMaps? No, Malwarebytes removes GetMaps completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the GetMaps hijacker. 
It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domain: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.getmaps.co/?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30 SearchScopes: HKCU -> DefaultScope {AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308} URL = hxxp://search.getmaps.co/s?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30&query={searchTerms} SearchScopes: HKCU -> {AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308} URL = hxxp://search.getmaps.co/s?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30&query={searchTerms} FF Homepage: hxxp://search.getmaps.co?uid=e3ebc9c6-6b70-4592-a4b5-cfdd69bf4336&uc=20170523&ap=appfocus43&source=tt-bb8&page=homepage&implementation_id=maps_4.0.0 FF Extension: Maps - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\Extensions\@Maps.xpi [2017-05-23] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Get Maps (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.7.0.2 - Cloud Installer) The most significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Mozilla Firefox\updated\browser\extensions Adds the file {972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi"="5/23/2017 10:33 AM, 1717 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="5/23/2017 10:30 AM, 264704 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\extensions Adds the file @Maps.xpi"="5/23/2017 10:33 AM, 19297 bytes, A Adds the 
folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\jetpack\@Maps\simple-storage Adds the file store.json"="5/23/2017 10:34 AM, 323 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.getmaps.co/?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.getmaps.co/s?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Get Maps" "DisplayVersion"="REG_SZ", "2.7.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallDialog"="REG_DWORD", 1 "UninstallEngineID"="REG_SZ", "{AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308}" "UninstallHomepage"="REG_SZ", "http://search.getmaps.co/?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30" "UninstallImpression"="REG_SZ", "http://imp.getmaps.co/impression.do?source=-bb8&sub_id=20170523&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus43&user_id=45ed69a3-6505-4be3-870c-a19578b69198&implementation_id=maps__1.30&event={exEvent}" "UninstallString"="REG_SZ", 
""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log:
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.