Jump to content

Recommended Posts

  • Staff

What is PopStop?

The Malwarebytes research team has determined that PopStop is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This particular one redirects your searches to search-7[.]com.

How do I know if my computer is affected by PopStop?

You may see this entry in your list of installed Chrome extensions:


You may have noticed these warnings during install:



How did PopStop get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:


where it is advertised as a pop-up blocker.

How do I remove PopStop?

Our program Malwarebytes can detect and remove this potentially unwanted program.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of PopStop?

  • No, Malwarebytes removes PopStop completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the PopStop hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.




Technical details for experts

Possible signs in FRST logs:

CHR Extension: (PopStop) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpnebmclcgcbggnhicpocghdhjmdgklf [2020-07-22]

Alterations made by the installer:

File system details [View: All details] (Selection)
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpnebmclcgcbggnhicpocghdhjmdgklf\1.2_0
       Adds the file app.js"="7/9/2020 6:40 PM, 3559 bytes, A
       Adds the file background.html"="5/7/2020 12:24 AM, 150 bytes, A
       Adds the file manifest.json"="7/22/2020 8:54 AM, 893 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpnebmclcgcbggnhicpocghdhjmdgklf\1.2_0\_metadata
       Adds the file computed_hashes.json"="7/22/2020 8:54 AM, 343 bytes, A
       Adds the file verified_contents.json"="7/9/2020 6:40 PM, 1736 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpnebmclcgcbggnhicpocghdhjmdgklf\1.2_0\img
       Adds the file icon.png"="7/22/2020 8:54 AM, 5343 bytes, A
       Adds the file tab.png"="7/22/2020 8:54 AM, 253 bytes, A

Registry details [View: All details] (Selection)
       "dpnebmclcgcbggnhicpocghdhjmdgklf"="REG_SZ", "2DDD5799036339CB1E72E6484BB617A917F647DC2A76DFE259D36C7E64D8F4B3"

Malwarebytes log:


-Log Details-
Scan Date: 7/22/20
Scan Time: 9:05 AM
Log File: abac86fc-cbe9-11ea-b643-00ffdcc6fdfc.json

-Software Information-
Components Version: 1.0.979
Update Package Version: 1.0.27207
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 231756
Threats Detected: 5
Threats Quarantined: 5
Time Elapsed: 5 min, 28 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dpnebmclcgcbggnhicpocghdhjmdgklf, Quarantined, 332, 842400, , , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1

File: 3
PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 332, 842400, , , , 
PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 332, 842400, , , , 

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.