
Removal instructions for WebSecurerr Browser Protection

Metallica

Content is republished with permission from Malwarebytes.

What is WebSecurerr Browser Protection?

The Malwarebytes research team has determined that WebSecurerr Browser Protection is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This particular one changes your default search engine.

How do I know if my computer is affected by WebSecurerr Browser Protection?

You may see this entry in your list of installed Chrome extensions:

main.png

and this changed setting:

warning5.png

You may have noticed these warnings during install:

warning1.png

warning2.png

warning3.png

warning4.png

How did WebSecurerr Browser Protection get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:

webstore.png

after a redirect from their website:

website.png

How do I remove WebSecurerr Browser Protection?

Our program Malwarebytes can detect and remove this search hijacker.
  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of WebSecurerr Browser Protection?

  • No, Malwarebytes removes WebSecurerr Browser Protection completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes would have protected you against the WebSecurerr Browser Protection hijacker. It would have blocked their servers, giving you a chance to stop it before it became too late.

protection1.png


Technical details for experts

Possible signs in FRST logs:

CHR DefaultSearchURL: Default -> hxxps://go.searchsecurer.com/?a=gsp_stra_00_00&q={searchTerms}
CHR DefaultSearchKeyword: Default -> keyword.WebSecurerr
CHR DefaultSuggestURL: Default -> hxxps://go.searchsecurer.com/suggest?a=gsp_stra_00_00&q={searchTerms}
CHR Extension: (WebSecurerr) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odlnghcomkeenpeblhddfpacdncfjmna [2020-12-17]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odlnghcomkeenpeblhddfpacdncfjmna\1.1.1_0
       Adds the file 404.png"="5/6/2020 8:28 PM, 2685 bytes, A
       Adds the file background.html"="6/8/2020 4:02 PM, 460 bytes, A
       Adds the file b-s.png"="4/28/2020 12:26 PM, 1587 bytes, A
       Adds the file b-x.png"="4/28/2020 12:22 PM, 1082 bytes, A
       Adds the file error.html"="5/21/2020 2:33 PM, 2084 bytes, A
       Adds the file icon_search.png"="4/28/2020 2:37 PM, 1707 bytes, A
       Adds the file icon128.png"="12/17/2020 8:55 AM, 3286 bytes, A
       Adds the file icon16.png"="12/17/2020 8:55 AM, 452 bytes, A
       Adds the file icon48.png"="12/17/2020 8:55 AM, 1318 bytes, A
       Adds the file manifest.json"="12/17/2020 8:55 AM, 2265 bytes, A
       Adds the file newtab.html"="5/21/2020 2:33 PM, 1791 bytes, A
       Adds the file popup.html"="6/3/2020 3:02 AM, 253 bytes, A
       Adds the file warning.html"="6/3/2020 3:02 AM, 1226 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odlnghcomkeenpeblhddfpacdncfjmna\1.1.1_0\_metadata
       Adds the file computed_hashes.json"="12/17/2020 8:55 AM, 4764 bytes, A
       Adds the file verified_contents.json"="11/10/2020 12:35 PM, 4883 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odlnghcomkeenpeblhddfpacdncfjmna\1.1.1_0\assets
       Adds the file close_btn.png"="4/11/2020 3:06 PM, 564 bytes, A
       Adds the file logo.svg"="4/18/2020 6:59 PM, 2695 bytes, A
       Adds the file safe_icon.svg"="4/18/2020 7:00 PM, 1655 bytes, A
       Adds the file search_icon.svg"="4/18/2020 6:56 PM, 1859 bytes, A
       Adds the file unsafe_icon.svg"="4/18/2020 7:00 PM, 1655 bytes, A
       Adds the file warning.svg"="4/18/2020 6:54 PM, 3295 bytes, A
       Adds the file warning_icon.svg"="4/18/2020 6:55 PM, 951 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odlnghcomkeenpeblhddfpacdncfjmna\1.1.1_0\js
       Adds the file eventPage.js"="11/8/2020 3:00 AM, 6598 bytes, A
       Adds the file newtab.js"="11/8/2020 3:00 AM, 3740 bytes, A
       Adds the file notFoundPage.js"="11/8/2020 3:00 AM, 1598 bytes, A
       Adds the file popup.css"="11/8/2020 3:00 AM, 2846 bytes, A
       Adds the file popup.js"="11/8/2020 3:00 AM, 133786 bytes, A
       Adds the file warningPage.css"="11/8/2020 3:00 AM, 2797 bytes, A
       Adds the file warningPage.js"="11/8/2020 3:00 AM, 1811 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odlnghcomkeenpeblhddfpacdncfjmna\1.1.1_0\rc
       Adds the file 404.png"="5/6/2020 8:28 PM, 2685 bytes, A
       Adds the file b-s.png"="4/28/2020 12:26 PM, 1587 bytes, A
       Adds the file b-x.png"="4/28/2020 12:22 PM, 1082 bytes, A
       Adds the file icon_search.png"="4/28/2020 2:37 PM, 1707 bytes, A
       Adds the file icon16.png"="4/10/2020 12:54 PM, 473 bytes, A
       Adds the file styles.css"="6/3/2020 3:02 AM, 5638 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_odlnghcomkeenpeblhddfpacdncfjmna_0.indexeddb.leveldb
       Adds the file 000003.log"="12/17/2020 8:55 AM, 26518 bytes, A
       Adds the file CURRENT"="12/17/2020 8:55 AM, 16 bytes, A
       Adds the file LOCK"="12/17/2020 8:55 AM, 0 bytes, A
       Adds the file LOG"="12/17/2020 8:55 AM, 206 bytes, A
       Adds the file MANIFEST-000001"="12/17/2020 8:55 AM, 23 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "odlnghcomkeenpeblhddfpacdncfjmna"="REG_SZ", "F22D42361972A7468423EECB1B3146C1261550FB706BFA42A8829062E7EC16B1"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/17/20
Scan Time: 9:05 AM
Log File: af3159be-403e-11eb-bca3-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1130
Update Package Version: 1.0.34445
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232229
Threats Detected: 5
Threats Quarantined: 5
Time Elapsed: 3 min, 41 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|odlnghcomkeenpeblhddfpacdncfjmna, Quarantined, 9628, 888593, , , , , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ODLNGHCOMKEENPEBLHDDFPACDNCFJMNA, Quarantined, 9628, 888593, 1.0.34445, , ame, , , 

File: 3
PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 9628, 888593, , , , , 77B2012A3938A3CE1EB0979EB1FC503A, A06C7B6FBA72520B2040F7F0E757F3D4CDCAF4A39773E3C2852EBE9758F8B3E8
PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 9628, 888593, , , , , 316984A04796149E3A1B181C92B600EA, C03BF65BE470A018B52271B0DE32B4D127D4786714DB97D7C0B53032AA9E43BD
PUP.Optional.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ODLNGHCOMKEENPEBLHDDFPACDNCFJMNA\1.1.1_0\MANIFEST.JSON, Quarantined, 9628, 888593, 1.0.34445, , ame, , BC49A97D1372C636260AF8CF82DDC78B, A1E4C8375FB5E8A32F368104C9784E94A58F18117334637E4D8D62D04116BD84

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  • 0
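
The FRST indicators listed under "Technical details for experts" can be checked for mechanically. The following is an added example, not part of the original post or of Malwarebytes' or FRST's own tooling; the function and constant names are hypothetical, and the last two sample log lines are constructed benign entries.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the FRST lines in this post.
HIJACK_HOSTS = {"go.searchsecurer.com"}
HIJACK_EXTENSION_IDS = {"odlnghcomkeenpeblhddfpacdncfjmna"}
HIJACK_KEYWORDS = {"keyword.websecurerr"}

SETTING_RE = re.compile(
    r"^CHR (DefaultSearchURL|DefaultSuggestURL|DefaultSearchKeyword): .+? -> (\S+)"
)
# Chrome extension IDs are 32 characters drawn from a-p.
EXTENSION_RE = re.compile(r"^CHR Extension: \(.*?\) - .*\\Extensions\\([a-p]{32})\b")

# Lines 1-4 are from this post; lines 5-6 are constructed benign entries.
SAMPLE_LOG = r"""
CHR DefaultSearchURL: Default -> hxxps://go.searchsecurer.com/?a=gsp_stra_00_00&q={searchTerms}
CHR DefaultSearchKeyword: Default -> keyword.WebSecurerr
CHR DefaultSuggestURL: Default -> hxxps://go.searchsecurer.com/suggest?a=gsp_stra_00_00&q={searchTerms}
CHR Extension: (WebSecurerr) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odlnghcomkeenpeblhddfpacdncfjmna [2020-12-17]
CHR DefaultSearchURL: Default -> hxxps://www.example.org/search?ref=go.searchsecurer.com&q={searchTerms}
CHR Extension: (Constructed Benign Extension) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop [2020-12-01]
""".strip()


def scan_frst_log(text):
    """Return (line_number, kind, value) for every line matching an indicator."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        setting = SETTING_RE.match(line)
        if setting:
            kind, value = setting.groups()
            if kind == "DefaultSearchKeyword":
                hit = value if value.lower() in HIJACK_KEYWORDS else None
            else:
                # Refang hxxp(s) and compare the exact host, not a substring.
                host = urlsplit(re.sub(r"^hxxp", "http", value, flags=re.I)).hostname
                hit = host if host in HIJACK_HOSTS else None
            if hit:
                findings.append((number, kind, hit))
            continue
        extension = EXTENSION_RE.match(line)
        if extension and extension.group(1) in HIJACK_EXTENSION_IDS:
            findings.append((number, "Extension", extension.group(1)))
    return findings


if __name__ == "__main__":
    for finding in scan_frst_log(SAMPLE_LOG):
        print(finding)
```

Comparing the parsed hostname rather than searching the whole line keeps the constructed `example.org` entry, which only mentions the hijacker's domain in a query parameter, from being flagged.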
