What is TigerPDF?
The Malwarebytes research team has determined that TigerPDF is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
How do I know if my computer is affected by TigerPDF?
You may see this entry in your list of installed Chrome extensions:
this icon in the Chrome menu-bar:
this changed setting:
You may have noticed these warnings during install:
How did TigerPDF get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
How do I remove TigerPDF?
Our program Malwarebytes can detect and remove this potentially unwanted program.
- Please download Malwarebytes for Windows to your desktop.
- Double-click MBSetup.exe and follow the prompts to install the program.
- When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
- Click on the Get started button.
- Click Scan to start a Threat Scan.
- When the scan is finished click Quarantine to remove the found threats.
- Reboot the system if prompted to complete the removal process.
- No, Malwarebytes removes TigerPDF completely.
We hope our application and this guide have helped you eradicate this hijacker.
Technical details for experts
Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://www.tigerpdf-search.com/search/?category=web&s=w3ds&vert=pdf&q={searchTerms} CHR DefaultSearchKeyword: Default -> Tiger PDF CHR DefaultSuggestURL: Default -> hxxps://sug.tigerpdf-search.com/v1/sug/?yid=w3ds&vert=pdf&q={searchTerms} CHR Extension: (Tiger PDF) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop [2020-06-02]Alterations made by the installer:
File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0 Adds the file config.js"="4/6/2020 4:45 PM, 1142 bytes, A Adds the file manifest.json"="6/2/2020 9:00 AM, 1941 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\_metadata Adds the file computed_hashes.json"="6/2/2020 9:00 AM, 6819 bytes, A Adds the file verified_contents.json"="4/6/2020 4:33 PM, 4729 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\bg Adds the file background.html"="4/6/2020 4:21 PM, 146 bytes, A Adds the file background.js"="4/6/2020 4:26 PM, 1652 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\browser_action Adds the file popup.html"="8/29/2019 3:35 PM, 1006 bytes, A Adds the file popup.js"="4/6/2020 4:45 PM, 677 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\content_script Adds the file onInstallCallback.js"="4/6/2020 4:21 PM, 718 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\img Adds the file icon128.png"="6/2/2020 9:00 AM, 3677 bytes, A Adds the file icon16.png"="6/2/2020 9:00 AM, 528 bytes, A Adds the file icon48.png"="6/2/2020 9:00 AM, 1476 bytes, A Adds the file loader.svg"="8/19/2019 2:32 PM, 1722 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\jquery Adds the file jquery.cookie.js"="5/27/2019 11:10 AM, 4341 bytes, A Adds the file jquery.min.js"="5/27/2019 11:10 AM, 84249 bytes, A Adds the file jquery-ui.custom.min.js"="5/27/2019 11:10 AM, 228088 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\jquery\css Adds the file jquery-ui.custom.css"="5/27/2019 11:10 AM, 20579 bytes, A Adds the file override-page.css"="5/27/2019 11:10 AM, 5513 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cammhfbdgikheoieimmcemheeingdiop\3.0.0_0\jquery\css\images Adds the file ui-bg_flat_55_999999_40x100.png"="5/27/2019 11:10 AM, 180 bytes, A Adds the file ui-bg_flat_75_aaaaaa_40x100.png"="5/27/2019 11:10 AM, 180 bytes, A Adds the file ui-bg_glass_45_0078ae_1x400.png"="5/27/2019 11:10 AM, 136 bytes, A Adds the file ui-bg_glass_55_f8da4e_1x400.png"="5/27/2019 11:10 AM, 131 bytes, A Adds the file ui-bg_glass_75_79c9ec_1x400.png"="5/27/2019 11:10 AM, 132 bytes, A Adds the file ui-bg_gloss-wave_50_38cfff_500x100.png"="5/27/2019 11:10 AM, 89 bytes, A Adds the file ui-bg_gloss-wave_75_2191c0_500x100.png"="5/27/2019 11:10 AM, 89 bytes, A Adds the file ui-bg_inset-hard_100_fcfdfd_1x100.png"="5/27/2019 11:10 AM, 88 bytes, A Adds the file ui-icons_056b93_256x240.png"="5/27/2019 11:10 AM, 5355 bytes, A Adds the file ui-icons_d8e7f3_256x240.png"="5/27/2019 11:10 AM, 4369 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cammhfbdgikheoieimmcemheeingdiop"="REG_SZ", "C0787210C552259AC00A31677DA734F8DE04165010AE91D74AC1CCEFEB4256BC"Malwarebytes log:
Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/2/20 Scan Time: 9:08 AM Log File: e5f2fa1a-a49f-11ea-9804-00ffdcc6fdfc.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.920 Update Package Version: 1.0.24880 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 232275 Threats Detected: 7 Threats Quarantined: 7 Time Elapsed: 2 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.TigerPDF, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cammhfbdgikheoieimmcemheeingdiop, Quarantined, 452, 826123, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CAMMHFBDGIKHEOIEIMMCEMHEEINGDIOP, Quarantined, 452, 826123, 1.0.24880, , ame, File: 5 PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 452, 826123, , , , PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 452, 826123, , , , PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CAMMHFBDGIKHEOIEIMMCEMHEEINGDIOP\3.0.0_0\MANIFEST.JSON, Quarantined, 452, 826123, 1.0.24880, , ame, PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 452, 826124, 1.0.24880, , ame, PUP.Optional.TigerPDF, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 452, 826124, 1.0.24880, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end)As mentioned before the full version of Malwarebytes protects your computer against threats.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention