  • Staff

What is Ad Avenger?

The Malwarebytes research team has determined that Ad Avenger is a browser hijacker and forced Chrome extension.

How do I know if my computer is affected by Ad Avenger?

You may see these warnings during install:

warning1.png

warning2.png

And this entry in your list of installed extensions:

main.png

How did Ad Avenger get on my computer?

Forced extensions use typical methods for distributing themselves.
This particular one was promoted by a site mimicking a BSOD:

website.png

and the extension was available in the webstore.

webstore.png

How do I remove Ad Avenger?

Our program Malwarebytes can detect and remove this unwanted program.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Ad Avenger?

  • No, Malwarebytes removes Ad Avenger completely.

How would the full version of Malwarebytes help protect me?

We protect our customers from these extensions by blocking the domains that spread them:

protection1.png

protection2.png

Technical details for experts

Possible signs in FRST logs:

CHR Extension: (Ad Avenger) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp [2021-11-23]
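An FRST log lists every Chrome extension on one line in the form shown above, and the extension ID is the last path component. The parser below is an added example (not part of this post and not Malwarebytes code) that pulls the name, ID, path and date out of each "CHR Extension:" line and tags any ID found on a block list; the only listed ID is the one on this page. The sample log excerpt is constructed for the demo: the "Sample Benign Extension" entry, its placeholder ID and the "CHR Profile:" line are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Extension IDs treated as unwanted. The only entry is the ID named on this page;
# any further entries would come from your own detections or vendor intel.
UNWANTED_EXTENSION_IDS = {
    "aabcnnmihfbpfblmeflmggaccdjlpfpp": "Ad Avenger (PUP.Optional.ForcedExtension)",
}

# FRST reports Chrome extensions as
#   CHR Extension: (<name>) - <path to the extension folder> [<YYYY-MM-DD>]
# and the last path component is the 32-character extension ID (letters a-p only).
FRST_CHR_EXT = re.compile(
    r"^CHR Extension:\s*\((?P<name>.*?)\)\s*-\s*(?P<path>.*?)\s*\[(?P<date>\d{4}-\d{2}-\d{2})\]$"
)
EXT_ID_IN_PATH = re.compile(r"[\\/]Extensions[\\/](?P<id>[a-p]{32})(?:[\\/]|$)")


@dataclass
class ChromeExtension:
    name: str
    ext_id: Optional[str]   # None when the path holds no well-formed extension ID
    path: str
    date: str
    verdict: Optional[str]  # None when the ID is not on the block list


def parse_frst_extensions(log_text: str) -> List[ChromeExtension]:
    """Return every 'CHR Extension:' entry in an FRST log, with a verdict when its ID is listed."""
    found: List[ChromeExtension] = []
    for raw in log_text.splitlines():
        m = FRST_CHR_EXT.match(raw.strip())
        if not m:
            continue  # other FRST lines (CHR Profile, CHR HKLM, ...) are not extension entries
        path = m.group("path")
        idm = EXT_ID_IN_PATH.search(path)
        ext_id = idm.group("id") if idm else None
        found.append(ChromeExtension(
            name=m.group("name"),
            ext_id=ext_id,
            path=path,
            date=m.group("date"),
            verdict=UNWANTED_EXTENSION_IDS.get(ext_id) if ext_id else None,
        ))
    return found


def flagged(extensions: List[ChromeExtension]) -> List[ChromeExtension]:
    """Only the entries whose ID is on the block list."""
    return [e for e in extensions if e.verdict]


# Constructed FRST excerpt: the first entry is the line shown on this page; the benign
# extension, its placeholder ID and the profile line are made up for the demo.
SAMPLE_FRST_LOG = r"""
CHR Extension: (Ad Avenger) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp [2021-11-23]
CHR Extension: (Sample Benign Extension) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop [2021-10-01]
CHR Profile: C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default [2021-11-23]
"""

if __name__ == "__main__":
    for ext in parse_frst_extensions(SAMPLE_FRST_LOG):
        tag = f"FLAGGED: {ext.verdict}" if ext.verdict else "not on list"
        print(f"{ext.ext_id or '?':32}  {ext.date}  {ext.name!r:30}  {tag}")
```

Matching on the ID rather than the display name is deliberate: the name in parentheses is whatever the manifest says and can be changed freely, while the folder name is the ID Chrome derived from the extension's signing key.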

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0
       Adds the file 52e286516679b6c2d008.svg"="9/21/2021 1:45 AM, 4463 bytes, A
       Adds the file 9dfe622de6dc7a5cdc2e.svg"="9/21/2021 1:45 AM, 2941 bytes, A
       Adds the file background.bundle.js"="9/24/2021 3:39 AM, 25398 bytes, A
       Adds the file db58c24b4bfbd18676af.svg"="9/21/2021 1:45 AM, 502 bytes, A
       Adds the file e3c2c7bee71bc670f6a5.svg"="9/21/2021 1:45 AM, 2804 bytes, A
       Adds the file e9879ccc8df45d3edffe.svg"="9/21/2021 1:45 AM, 502 bytes, A
       Adds the file f4e52e839adc286566c4.svg"="9/21/2021 1:45 AM, 7834 bytes, A
       Adds the file firstAdBlockedPopup.bundle.js"="9/22/2021 6:11 AM, 29717 bytes, A
       Adds the file manifest.json"="11/23/2021 10:43 AM, 1604 bytes, A
       Adds the file popup.bundle.js"="9/24/2021 3:39 AM, 3282 bytes, A
       Adds the file popup.css"="9/22/2021 6:11 AM, 2186 bytes, A
       Adds the file popup.html"="9/22/2021 6:11 AM, 3282 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\de
       Adds the file messages.json"="11/23/2021 10:43 AM, 1748 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\en
       Adds the file messages.json"="11/23/2021 10:43 AM, 1632 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\es
       Adds the file messages.json"="11/23/2021 10:43 AM, 1782 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\fr
       Adds the file messages.json"="11/23/2021 10:43 AM, 1866 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\it
       Adds the file messages.json"="11/23/2021 10:43 AM, 1753 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\nl
       Adds the file messages.json"="11/23/2021 10:43 AM, 1738 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_locales\pt_PT
       Adds the file messages.json"="11/23/2021 10:43 AM, 1799 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\_metadata
       Adds the file computed_hashes.json"="11/23/2021 10:43 AM, 39269 bytes, A
       Adds the file verified_contents.json"="9/21/2021 1:45 AM, 6553 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\adguard
       Adds the file adguard-api.js"="9/21/2021 3:00 AM, 1432010 bytes, A
       Adds the file adguard-assistant.js"="9/21/2021 1:45 AM, 9951 bytes, A
       Adds the file adguard-content.js"="9/21/2021 1:45 AM, 235507 bytes, A
       Adds the file filters.json"="9/21/2021 1:45 AM, 52213 bytes, A
       Adds the file filters_i18n.json"="9/21/2021 1:45 AM, 786872 bytes, A
       Adds the file redirects.yml"="9/21/2021 1:45 AM, 69056 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\adguard\assistant
       Adds the file assistant.js"="9/22/2021 6:11 AM, 476881 bytes, A
       Adds the file assistant.js.LICENSE.txt"="9/22/2021 6:11 AM, 66 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\icons
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\icons\disabled
       Adds the file 128x128.png"="9/21/2021 1:45 AM, 2082 bytes, A
       Adds the file 16x16.png"="9/21/2021 1:45 AM, 386 bytes, A
       Adds the file 24x24.png"="9/21/2021 1:45 AM, 1320 bytes, A
       Adds the file 32x32.png"="9/21/2021 1:45 AM, 617 bytes, A
       Adds the file 48x48.png"="9/21/2021 1:45 AM, 910 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\icons\enabled
       Adds the file 128x128.png"="11/23/2021 10:43 AM, 2279 bytes, A
       Adds the file 16x16.png"="11/23/2021 10:43 AM, 394 bytes, A
       Adds the file 24x24.png"="11/23/2021 10:43 AM, 978 bytes, A
       Adds the file 300x300.png"="9/21/2021 1:45 AM, 5342 bytes, A
       Adds the file 32x32.png"="11/23/2021 10:43 AM, 657 bytes, A
       Adds the file 48x48.png"="11/23/2021 10:43 AM, 967 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp\1.0.0_0\icons\paused
       Adds the file 128x128.png"="9/21/2021 1:45 AM, 2106 bytes, A
       Adds the file 16x16.png"="9/21/2021 1:45 AM, 411 bytes, A
       Adds the file 24x24.png"="9/21/2021 1:45 AM, 1514 bytes, A
       Adds the file 32x32.png"="9/21/2021 1:45 AM, 630 bytes, A
       Adds the file 48x48.png"="9/21/2021 1:45 AM, 915 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp
       Adds the file 000004.log"="11/23/2021 10:43 AM, 47 bytes, A
       Adds the file 000005.ldb"="11/23/2021 10:43 AM, 3187284 bytes, A
       Adds the file CURRENT"="11/23/2021 10:43 AM, 16 bytes, A
       Adds the file LOCK"="11/23/2021 10:43 AM, 0 bytes, A
       Adds the file LOG"="11/23/2021 10:43 AM, 528 bytes, A
       Adds the file MANIFEST-000001"="11/23/2021 10:43 AM, 106 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "aabcnnmihfbpfblmeflmggaccdjlpfpp"="REG_SZ", "9BE250A1FB13FF810B53080319E2E28A2F7753C1BA7B85E32602EC3C6CD4D30B"
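The file listing above shows the on-disk layout any Chrome extension leaves behind: Extensions\<id>\<version>_0\manifest.json, a _locales tree that the manifest's name may point into, and a LevelDB store under Local Extension Settings\<id>. The script below is an added example (not part of this post and not Malwarebytes code) that inventories a Chrome profile directory in that shape, resolves localized names, flags the ID this page names, and reports settings stores left behind by extensions whose folder is already gone. It builds its own throwaway profile in a temp directory; the manifest contents, the benign extension and both placeholder IDs are constructed and are not the real extension's manifest, which this page does not reproduce.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# The ID this page ties to the forced extension; anything else would come from your own intel.
UNWANTED_EXTENSION_IDS = {"aabcnnmihfbpfblmeflmggaccdjlpfpp": "Ad Avenger"}

EXT_ID_RE = re.compile(r"[a-p]{32}")          # Chrome extension IDs: 32 chars, letters a-p
MSG_REF = re.compile(r"^__MSG_(\w+)__$")     # manifest placeholder resolved via _locales


def resolve_i18n(value: str, version_dir: Path, default_locale: str) -> str:
    """Resolve a Chrome __MSG_key__ placeholder via _locales/<locale>/messages.json."""
    m = MSG_REF.match(value or "")
    if not m:
        return value
    for locale in (default_locale, "en"):
        msg_file = version_dir / "_locales" / locale / "messages.json"
        if not msg_file.is_file():
            continue
        try:
            entry = json.loads(msg_file.read_text(encoding="utf-8-sig")).get(m.group(1))
        except (OSError, ValueError):
            continue
        if isinstance(entry, dict) and isinstance(entry.get("message"), str):
            return entry["message"]
    return value  # an unresolved placeholder is reported as-is


def scan_profile(profile_dir: Path) -> List[Dict]:
    """Inventory every Extensions/<id>/<version>/manifest.json under a Chrome profile."""
    results: List[Dict] = []
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return results
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir() and EXT_ID_RE.fullmatch(p.name)):
        ext_id = ext_dir.name
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            record = {"id": ext_id, "version_dir": version_dir.name,
                      "flagged": ext_id in UNWANTED_EXTENSION_IDS}
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError) as exc:
                record["error"] = str(exc)  # an unreadable manifest is itself worth reporting
                results.append(record)
                continue
            locale = manifest.get("default_locale", "en")
            perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
            record.update(
                name=resolve_i18n(manifest.get("name", ""), version_dir, locale),
                version=manifest.get("version", ""),
                manifest_version=manifest.get("manifest_version"),
                permissions=[p for p in perms if isinstance(p, str)],
            )
            results.append(record)
    return results


def leftover_settings(profile_dir: Path) -> List[str]:
    """IDs that still have a 'Local Extension Settings' store but no Extensions folder."""
    installed = {r["id"] for r in scan_profile(profile_dir)}
    store = profile_dir / "Local Extension Settings"
    if not store.is_dir():
        return []
    return sorted(p.name for p in store.iterdir()
                  if p.is_dir() and EXT_ID_RE.fullmatch(p.name) and p.name not in installed)


def build_sample_profile() -> Path:
    """Constructed profile layout for the demo; manifests are made up, not the real extension's."""
    profile = Path(tempfile.mkdtemp(prefix="chrome-profile-sample-")) / "Default"
    bad = profile / "Extensions" / "aabcnnmihfbpfblmeflmggaccdjlpfpp" / "1.0.0_0"
    (bad / "_locales" / "en").mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "__MSG_appName__", "version": "1.0.0",
        "default_locale": "en", "permissions": ["storage", "webRequest", "<all_urls>"]}), encoding="utf-8")
    (bad / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "Ad Avenger"}}), encoding="utf-8")
    benign = profile / "Extensions" / "abcdefghijklmnopabcdefghijklmnop" / "2.3.1_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Sample Benign Extension", "version": "2.3.1",
        "permissions": ["storage"]}), encoding="utf-8")
    # One settings store for an installed extension, one orphan left by an already-removed one.
    (profile / "Local Extension Settings" / "aabcnnmihfbpfblmeflmggaccdjlpfpp").mkdir(parents=True)
    (profile / "Local Extension Settings" / "bcdefghijklmnopabcdefghijklmnopa").mkdir(parents=True)
    return profile


if __name__ == "__main__":
    sample = build_sample_profile()
    for r in scan_profile(sample):
        mark = "FLAGGED " if r["flagged"] else "        "
        print(f"{mark}{r['id']}  {r.get('name')!r}  {r.get('version')}  {r.get('permissions')}")
    print("orphan settings stores:", leftover_settings(sample))
```

Point scan_profile at a real profile (for example the Default directory under User Data) to get the same inventory for a live machine; the orphan check is the quick way to confirm that a removal left nothing behind under Local Extension Settings.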

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/23/21
Scan Time: 10:51 AM
Log File: fcf03380-4c42-11ec-a06d-080027235d76.json

-Software Information-
Version: 4.4.11.149
Components Version: 1.0.1513
Update Package Version: 1.0.47539
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 243147
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 0 min, 57 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.ForcedExtension, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|aabcnnmihfbpfblmeflmggaccdjlpfpp, Quarantined, 290, 999753, , , , , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp, Quarantined, 290, 999753, , , , , , 
PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\aabcnnmihfbpfblmeflmggaccdjlpfpp, Quarantined, 290, 999753, 1.0.47539, , ame, , , 

File: 8
PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 290, 999753, , , , , F88F08FFCF4016B6F561F7BE6D69917D, 08F79CF373A3A0973CC3254B059DC7F442B4938B7EA054D320CA51D9974436F8
PUP.Optional.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 290, 999753, , , , , 5D97162A5404EFBFC1CB01305EDF7181, 51FB74C1F45AAFF2316DEFC3675851E30B2B7506C7CB30C0BC63D74DCE0564A3
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\000004.log, Quarantined, 290, 999753, , , , , 4282EA14DF01A55AB2687A81A9633D89, FED16FB5E294C1022BE4212041BA4CF5FCEEC73978B736EDD4ED4A4C312A0B66
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\000005.ldb, Quarantined, 290, 999753, , , , , 7F157FA006DDE4EB5AD43046E0C1753D, A0017BF6FC0B37A824E5AE19C379C60F50AB2D69DA09AF56B3994FD78BF263ED
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\CURRENT, Quarantined, 290, 999753, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\LOCK, Quarantined, 290, 999753, , , , , , 
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\LOG, Quarantined, 290, 999753, , , , , D9241EA5893EBD1A0E7AA5D565570510, 4CA77E3B669897F7F41A89AAEA908E585000682B125E1733B1F7DBD6C4D4D6A5
PUP.Optional.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aabcnnmihfbpfblmeflmggaccdjlpfpp\MANIFEST-000001, Quarantined, 290, 999753, , , , , A44370B5654C26C5F182A43733452105, 3406A540A4195A9FAE333C4946B98D81F1B1792E97392A33400974592F490408

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
