What is TigerPDF?
The Malwarebytes research team has determined that TigerPDF is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
How do I know if my computer is affected by TigerPDF?
You may see this entry in your list of installed Chrome extensions:
this icon in the Chrome menu-bar:
this changed setting:
You may have noticed these warnings during install:
How did TigerPDF get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
How do I remove TigerPDF?
Our program Malwarebytes can detect and remove this potentially unwanted program.
- Please download Malwarebytes for Windows to your desktop.
- Double-click MBSetup.exe and follow the prompts to install the program.
- When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
- Click on the Get started button.
- Click Scan to start a Threat Scan.
- When the scan is finished click Quarantine to remove the found threats.
- Reboot the system if prompted to complete the removal process.
- No, Malwarebytes removes TigerPDF completely.
We hope our application and this guide have helped you eradicate this hijacker.
Technical details for experts
Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://www.tigerpdf-search.com/search/?category=web&s=w3ds&vert=pdf&q={searchTerms}
CHR DefaultSearchKeyword: Default -> Tiger PDF
CHR DefaultSuggestURL: Default -> hxxps://sug.tigerpdf-search.com/v1/sug/?yid=w3ds&vert=pdf&q={searchTerms}
CHR Extension: (Tiger PDF) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop [2020-06-02]Alterations made by the installer:File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0
Adds the file config.js"="4/6/2020 4:45 PM, 1142 bytes, A
Adds the file manifest.json"="6/2/2020 9:00 AM, 1941 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\_metadata
Adds the file computed_hashes.json"="6/2/2020 9:00 AM, 6819 bytes, A
Adds the file verified_contents.json"="4/6/2020 4:33 PM, 4729 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\bg
Adds the file background.html"="4/6/2020 4:21 PM, 146 bytes, A
Adds the file background.js"="4/6/2020 4:26 PM, 1652 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\browser_action
Adds the file popup.html"="8/29/2019 3:35 PM, 1006 bytes, A
Adds the file popup.js"="4/6/2020 4:45 PM, 677 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\content_script
Adds the file onInstallCallback.js"="4/6/2020 4:21 PM, 718 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\img
Adds the file icon128.png"="6/2/2020 9:00 AM, 3677 bytes, A
Adds the file icon16.png"="6/2/2020 9:00 AM, 528 bytes, A
Adds the file icon48.png"="6/2/2020 9:00 AM, 1476 bytes, A
Adds the file loader.svg"="8/19/2019 2:32 PM, 1722 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\jquery
Adds the file jquery.cookie.js"="5/27/2019 11:10 AM, 4341 bytes, A
Adds the file jquery.min.js"="5/27/2019 11:10 AM, 84249 bytes, A
Adds the file jquery-ui.custom.min.js"="5/27/2019 11:10 AM, 228088 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\jquery\css
Adds the file jquery-ui.custom.css"="5/27/2019 11:10 AM, 20579 bytes, A
Adds the file override-page.css"="5/27/2019 11:10 AM, 5513 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\jquery\css\images
Adds the file ui-bg_flat_55_999999_40x100.png"="5/27/2019 11:10 AM, 180 bytes, A
Adds the file ui-bg_flat_75_aaaaaa_40x100.png"="5/27/2019 11:10 AM, 180 bytes, A
Adds the file ui-bg_glass_45_0078ae_1x400.png"="5/27/2019 11:10 AM, 136 bytes, A
Adds the file ui-bg_glass_55_f8da4e_1x400.png"="5/27/2019 11:10 AM, 131 bytes, A
Adds the file ui-bg_glass_75_79c9ec_1x400.png"="5/27/2019 11:10 AM, 132 bytes, A
Adds the file ui-bg_gloss-wave_50_38cfff_500x100.png"="5/27/2019 11:10 AM, 89 bytes, A
Adds the file ui-bg_gloss-wave_75_2191c0_500x100.png"="5/27/2019 11:10 AM, 89 bytes, A
Adds the file ui-bg_inset-hard_100_fcfdfd_1x100.png"="5/27/2019 11:10 AM, 88 bytes, A
Adds the file ui-icons_056b93_256x240.png"="5/27/2019 11:10 AM, 5355 bytes, A
Adds the file ui-icons_d8e7f3_256x240.png"="5/27/2019 11:10 AM, 4369 bytes, A
Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"cammhfbdgikheoieimmcemheeingdiop"="REG_SZ", "C0787210C552259AC00A31677DA734F8DE04165010AE91D74AC1CCEFEB4256BC"Malwarebytes log:Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 6/2/20
Scan Time: 9:08 AM
Log File: e5f2fa1a-a49f-11ea-9804-00ffdcc6fdfc.json
-Software Information-
Version: 4.1.0.56
Components Version: 1.0.920
Update Package Version: 1.0.24880
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232275
Threats Detected: 7
Threats Quarantined: 7
Time Elapsed: 2 min, 52 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 1
PUP.Optional.TigerPDF, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cammhfbdgikheoieimmcemheeingdiop, Quarantined, 452, 826123, , , ,
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 1
PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CAMMHFBDGIKHEOIEIMMCEMHEEINGDIOP, Quarantined, 452, 826123, 1.0.24880, , ame,
File: 5
PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 452, 826123, , , ,
PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 452, 826123, , , ,
PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CAMMHFBDGIKHEOIEIMMCEMHEEINGDIOP\3.0.0_0\MANIFEST.JSON, Quarantined, 452, 826123, 1.0.24880, , ame,
PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 452, 826124, 1.0.24880, , ame,
PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 452, 826124, 1.0.24880, , ame,
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)As mentioned before the full version of Malwarebytes protects your computer against threats.We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
Back to top
Sign In
Create Account
