
What is Screenshot Tool and Editor?

The Malwarebytes research team has determined that Screenshot Tool and Editor is a forced Chrome extension.
This particular extension was pushed through persistent pop-ups and opens connections to blocked domains.

How do I know if my computer is affected by Screenshot Tool and Editor?

You may see these warnings during install:

warning1.png

warning2.png

warning3.png

and this extension in the list of installed extensions:

main.png

After the install you may see this menu accessible from the browser menu-bar:

warning5.png

How did Screenshot Tool and Editor get on my computer?

Forced extensions use the typical method for distributing themselves: persistent pop-ups that push the install. This particular one was also available in the webstore.

webstore.png

How do I remove Screenshot Tool and Editor?

Our program Malwarebytes can detect and remove this unwanted program.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Screenshot Tool and Editor?

  • No, Malwarebytes removes Screenshot Tool and Editor completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this forced extension.

We protect our customers from these extensions by blocking the sites that spread them and by alerting users about the connections to unwanted sites:

protection1.png

Technical details for experts

Possible signs in FRST logs:

CHR Extension: (Screenshot Tool and Editor) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal [2021-01-15]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0
       Adds the file index.html"="12/22/2020 4:37 AM, 354 bytes, A
       Adds the file manifest.json"="1/15/2021 9:18 AM, 1359 bytes, A
       Adds the file modal.html"="12/22/2020 4:37 AM, 611 bytes, A
       Adds the file settings.html"="12/22/2020 4:37 AM, 409 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\_locales
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\_metadata
       Adds the file computed_hashes.json"="1/15/2021 9:18 AM, 49382 bytes, A
       Adds the file verified_contents.json"="12/22/2020 4:37 AM, 14672 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\assets
       Adds the file 128.png"="1/15/2021 9:18 AM, 12226 bytes, A
       Adds the file 32.png"="1/15/2021 9:18 AM, 2327 bytes, A
       Adds the file 64.png"="1/15/2021 9:18 AM, 5654 bytes, A
       Adds the file f.js"="12/22/2020 4:37 AM, 296959 bytes, A
       Adds the file hot-reload.js"="12/22/2020 4:37 AM, 1291 bytes, A
       Adds the file jspdf.js"="12/22/2020 4:37 AM, 307591 bytes, A
       Adds the file konva.js"="12/22/2020 4:37 AM, 154759 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\assets\css
       Adds the file didactgothic.css"="12/22/2020 4:37 AM, 180 bytes, A
       Adds the file hidescrollbar.css"="12/22/2020 4:37 AM, 83 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\assets\css\fonts
       Adds the file DidactGothic-Regular.woff"="12/22/2020 4:37 AM, 94416 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\assets\images
       Adds the file 128_disabled.png"="12/22/2020 4:37 AM, 25143 bytes, A
       Adds the file 32_disabled.png"="12/22/2020 4:37 AM, 19168 bytes, A
       Adds the file 64_disabled.png"="12/22/2020 4:37 AM, 21454 bytes, A
       Adds the file add-page.svg"="12/22/2020 4:37 AM, 1619 bytes, A
       Adds the file arrow.png"="12/22/2020 4:37 AM, 17115 bytes, A
       Adds the file back.svg"="12/22/2020 4:37 AM, 1494 bytes, A
       Adds the file browser-window.svg"="12/22/2020 4:37 AM, 1760 bytes, A
       Adds the file circle.png"="12/22/2020 4:37 AM, 17443 bytes, A
       Adds the file circle.svg"="12/22/2020 4:37 AM, 864 bytes, A
       Adds the file cursor-image.svg"="12/22/2020 4:37 AM, 1278 bytes, A
       Adds the file cursor-imagen.svg"="12/22/2020 4:37 AM, 737 bytes, A
       Adds the file dotted-line.svg"="12/22/2020 4:37 AM, 752 bytes, A
       Adds the file download-entire-page.svg"="12/22/2020 4:37 AM, 2030 bytes, A
       Adds the file edit.png"="12/22/2020 4:37 AM, 17587 bytes, A
       Adds the file entire-page.svg"="12/22/2020 4:37 AM, 2043 bytes, A
       Adds the file line.svg"="12/22/2020 4:37 AM, 791 bytes, A
       Adds the file line-width.svg"="12/22/2020 4:37 AM, 1085 bytes, A
       Adds the file logo-vvvv.png"="12/22/2020 4:37 AM, 13972 bytes, A
       Adds the file message.svg"="12/22/2020 4:37 AM, 2284 bytes, A
       Adds the file new-arrow.svg"="12/22/2020 4:37 AM, 1326 bytes, A
       Adds the file new-double-arrow.svg"="12/22/2020 4:37 AM, 1138 bytes, A
       Adds the file new-zig-zag-arrow.svg"="12/22/2020 4:37 AM, 1394 bytes, A
       Adds the file next.svg"="12/22/2020 4:37 AM, 1577 bytes, A
       Adds the file not-working.png"="12/22/2020 4:37 AM, 8957 bytes, A
       Adds the file options.png"="12/22/2020 4:37 AM, 244206 bytes, A
       Adds the file remove.svg"="12/22/2020 4:37 AM, 457 bytes, A
       Adds the file selected-area.svg"="12/22/2020 4:37 AM, 2253 bytes, A
       Adds the file square.svg"="12/22/2020 4:37 AM, 890 bytes, A
       Adds the file text.png"="12/22/2020 4:37 AM, 16490 bytes, A
       Adds the file text-edit.png"="12/22/2020 4:37 AM, 18147 bytes, A
       Adds the file text-edit.svg"="12/22/2020 4:37 AM, 1932 bytes, A
       Adds the file triangle.svg"="12/22/2020 4:37 AM, 375 bytes, A
       Adds the file update-arrows.svg"="12/22/2020 4:37 AM, 2874 bytes, A
       Adds the file visible-page.svg"="12/22/2020 4:37 AM, 2048 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijejnggjjphlenbhmjhhgcdpehhacaal\3.1_0\js
       Adds the file background.js"="12/22/2020 4:37 AM, 132590 bytes, A
       Adds the file content-script.js"="12/22/2020 4:37 AM, 104706 bytes, A
       Adds the file modal.js"="12/22/2020 4:37 AM, 1859040 bytes, A
       Adds the file popup.js"="12/22/2020 4:37 AM, 114018 bytes, A
       Adds the file settings.js"="12/22/2020 4:37 AM, 315139 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal
       Adds the file 000003.log"="1/15/2021 9:18 AM, 929 bytes, A
       Adds the file CURRENT"="1/15/2021 9:18 AM, 16 bytes, A
       Adds the file LOCK"="1/15/2021 9:18 AM, 0 bytes, A
       Adds the file LOG"="1/15/2021 9:18 AM, 184 bytes, A
       Adds the file MANIFEST-000001"="1/15/2021 9:18 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "ijejnggjjphlenbhmjhhgcdpehhacaal"="REG_SZ", "3FDD3E3B7E75D0B00F8F3216E0408337D9EECF9C74464A60DFC2383719542DFE"
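An added example (not part of the original post and not Malwarebytes' own tooling) that automates the checks the FRST line and the file-system details above describe: it extracts extension IDs from FRST "CHR Extension:" lines, flags the ID named on this page, and looks for that ID's Extensions and Local Extension Settings folders under a Chrome User Data directory. The sample FRST excerpt is constructed; its second extension ID is invented.

```python
import os
import re

# Extension ID named on this page (Chrome IDs are 32 letters in the range a-p).
UNWANTED_EXTENSION_IDS = {"ijejnggjjphlenbhmjhhgcdpehhacaal"}

# Matches the FRST "CHR Extension: (Name) - <path>\Extensions\<id> [date]" line format.
FRST_CHR_RE = re.compile(
    r"^CHR Extension: \((?P<name>.*?)\) - (?P<path>.+?\\Extensions\\(?P<id>[a-p]{32})) \[(?P<date>[\d-]+)\]"
)

def parse_frst_extensions(log_text):
    """Return (name, extension_id, date) for every CHR Extension line in an FRST log."""
    found = []
    for line in log_text.splitlines():
        m = FRST_CHR_RE.match(line.strip())
        if m:
            found.append((m.group("name"), m.group("id"), m.group("date")))
    return found

def flag_unwanted(log_text, unwanted=UNWANTED_EXTENSION_IDS):
    """Sorted list of extension IDs from the FRST log that are on the unwanted list."""
    return sorted({ext_id for _, ext_id, _ in parse_frst_extensions(log_text) if ext_id in unwanted})

def find_installed(user_data_dir, unwanted=UNWANTED_EXTENSION_IDS):
    """Look in every profile under the Chrome User Data folder for the unwanted IDs'
    Extensions and Local Extension Settings folders (the two locations listed above)."""
    hits = []
    if not os.path.isdir(user_data_dir):
        return hits
    for profile in os.listdir(user_data_dir):
        for sub in ("Extensions", "Local Extension Settings"):
            for ext_id in unwanted:
                path = os.path.join(user_data_dir, profile, sub, ext_id)
                if os.path.isdir(path):
                    hits.append(path)
    return sorted(hits)

# Constructed sample FRST excerpt: the first line mirrors the one on this page,
# the second is an invented benign entry that must not be flagged.
SAMPLE_FRST = """\
CHR Extension: (Screenshot Tool and Editor) - C:\\Users\\{username}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ijejnggjjphlenbhmjhhgcdpehhacaal [2021-01-15]
CHR Extension: (Example Benign Add-on) - C:\\Users\\{username}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\abcdefghijklmnopabcdefghijklmnop [2020-11-02]
"""

if __name__ == "__main__":
    print("Unwanted IDs in FRST log:", flag_unwanted(SAMPLE_FRST))
    # Default Chrome profile location on Windows; empty LOCALAPPDATA just yields no hits elsewhere.
    user_data = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome", "User Data")
    print("Installed copies found:", find_installed(user_data))
```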

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/15/21
Scan Time: 9:33 AM
Log File: 55b42454-570c-11eb-adb6-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1130
Update Package Version: 1.0.35775
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232858
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 3 min, 30 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.ForcedExtension, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ijejnggjjphlenbhmjhhgcdpehhacaal, Quarantined, 8634, 897256, , , , , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal, Quarantined, 8634, 897256, , , , , , 
PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\ijejnggjjphlenbhmjhhgcdpehhacaal, Quarantined, 8634, 897256, 1.0.35775, , ame, , , 

File: 8
PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 8634, 897256, , , , , 0EB3A57DF61F08DB108AF1FB8DD20794, 213643B03991F947863069FF185D2DA9F917EB15D92DBB4A6DCB97B900C872E9
PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 8634, 897256, , , , , 5E674D532607383CD6921D4978C70733, 83E98A6BADDF6EBFF6677817328F04AF3E2EE589601683D5D89884DD9EA01B49
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\000003.log, Quarantined, 8634, 897256, , , , , 1F36C498B0B629A28FFC44D2FBFA7639, B455ECD2D976423F07C1DE1F1F877911878B0944D790DB1460DCEC46566077FA
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\CURRENT, Quarantined, 8634, 897256, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\LOCK, Quarantined, 8634, 897256, , , , , , 
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\LOG, Quarantined, 8634, 897256, , , , , 983D1B2AFD021613B393E9696C59FE43, 3B5CA9EEF93772305DE855FD914BAC438296BC1D1D32DF4DFAC9063B18146080
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\LOG.old, Quarantined, 8634, 897256, , , , , F5F8C9A1A9035D8EAB3F179679E5D3D9, 39F839F24EA7E4CE933E74214908782C89B7BBBD5EC9CFBE070A1E1773D3F562
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijejnggjjphlenbhmjhhgcdpehhacaal\MANIFEST-000001, Quarantined, 8634, 897256, , , , , 5AF87DFD673BA2115E2FCF5CFDB727AB, F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
