What is Search Power+?
The Malwarebytes research team has determined that Search Power+ is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example by changing your start page or search scopes, so that the affected browser visits their site or one of their choice.
How do I know if my computer is affected by Search Power+?
You may see this entry in your list of installed Chrome extensions:
this changed setting:
You may have noticed these warnings during install:
How did Search Power+ get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:
How do I remove Search Power+?
Our program Malwarebytes can detect and remove this potentially unwanted program.
- Please download Malwarebytes for Windows to your desktop.
- Double-click MBSetup.exe and follow the prompts to install the program.
- When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
- Click on the Get started button.
- Click Scan to start a Threat Scan.
- When the scan is finished, click Quarantine to remove the found threats.
- Reboot the system if prompted to complete the removal process.
- No, Malwarebytes removes Search Power+ completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes would have protected you against the Search Power+ hijacker. It would have blocked their website, giving you a chance to stop it before it was too late.
Technical details for experts
Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://searchpowerapp.com/results.php?p=9146&v=402&q={searchTerms}&source=default
CHR DefaultSearchKeyword: Default -> spa
CHR DefaultSuggestURL: Default -> hxxps://searchpowerapp.com/gjson.php?q={searchTerms}
CHR Extension: (Secure) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nphdhklkeifbgkekgnjfocjbahfiilkd [2020-04-08]
Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nphdhklkeifbgkekgnjfocjbahfiilkd\9.0.9_0
    Adds the file background.js"="4/1/2020 11:16 PM, 6655 bytes, A
    Adds the file manifest.json"="4/8/2020 11:46 AM, 1622 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nphdhklkeifbgkekgnjfocjbahfiilkd\9.0.9_0\_metadata
    Adds the file computed_hashes.json"="4/8/2020 11:46 AM, 294 bytes, A
    Adds the file verified_contents.json"="4/1/2020 11:15 PM, 1648 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nphdhklkeifbgkekgnjfocjbahfiilkd\9.0.9_0\icons
    Adds the file icon128.png"="4/8/2020 11:46 AM, 2188 bytes, A
    Adds the file icon48.png"="4/8/2020 11:46 AM, 88 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nphdhklkeifbgkekgnjfocjbahfiilkd
    Adds the file 000003.log"="4/8/2020 11:49 AM, 99 bytes, A
    Adds the file CURRENT"="4/8/2020 11:46 AM, 16 bytes, A
    Adds the file LOCK"="4/8/2020 11:46 AM, 0 bytes, A
    Adds the file LOG"="4/8/2020 11:49 AM, 183 bytes, A
    Adds the file MANIFEST-000001"="4/8/2020 11:46 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nphdhklkeifbgkekgnjfocjbahfiilkd
    Adds the file Search Power+.ico"="4/8/2020 11:49 AM, 162813 bytes, A
    Adds the file Search Power+.ico.md5"="4/8/2020 11:49 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
    "nphdhklkeifbgkekgnjfocjbahfiilkd"="REG_SZ", "98F5D59F10B88C141CB014DCEF719DFBD54B846B901157819E097E17086E7B23"

Malwarebytes log:
As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
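
A small triage script for the entries listed under "Possible signs in FRST logs" above, matching Chrome search settings by host and extensions by ID. It is an added example, not Malwarebytes or FRST code; the function names are hypothetical, and the sample log is constructed from the page's four entries plus two invented benign lines.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the FRST excerpt on this page.
HIJACK_DOMAINS = {"searchpowerapp.com"}
HIJACK_EXTENSION_IDS = {"nphdhklkeifbgkekgnjfocjbahfiilkd"}

# Constructed sample: the page's four entries plus two invented benign ones.
SAMPLE_LOG = r"""
CHR DefaultSearchURL: Default -> hxxps://searchpowerapp.com/results.php?p=9146&v=402&q={searchTerms}&source=default
CHR DefaultSearchKeyword: Default -> spa
CHR DefaultSuggestURL: Default -> hxxps://searchpowerapp.com/gjson.php?q={searchTerms}
CHR DefaultSearchURL: Profile 1 -> hxxps://www.example.org/search?q={searchTerms}
CHR Extension: (Secure) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nphdhklkeifbgkekgnjfocjbahfiilkd [2020-04-08]
CHR Extension: (Benign Sample) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [2020-01-01]
"""

SETTING_RE = re.compile(r"^CHR (\w+): (.+?) -> (\S+)")
EXTENSION_RE = re.compile(r"^CHR Extension: \((.*?)\) - .*\\Extensions\\([a-p]{32})\b")


def host_of(value):
    """Return the lowercase host of a (possibly defanged) URL, or None."""
    try:
        return urlsplit(re.sub(r"^hxxp", "http", value, flags=re.I)).hostname
    except ValueError:
        return None


def is_listed(host, domains):
    """Match the listed domain itself or any subdomain, not look-alike names."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_frst(text, domains=HIJACK_DOMAINS, ext_ids=HIJACK_EXTENSION_IDS):
    """Return (entry type, indicator, profile or extension name) per hit."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        m = SETTING_RE.match(line)
        if m:
            host = host_of(m.group(3))
            if host and is_listed(host, domains):
                findings.append((m.group(1), host, m.group(2)))
            continue
        m = EXTENSION_RE.match(line)
        if m and m.group(2) in ext_ids:
            findings.append(("Extension", m.group(2), m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in scan_frst(SAMPLE_LOG):
        print(finding)
```

The keyword entry (`spa`) is deliberately not matched on its own, since a short keyword is a weak indicator without the accompanying search URL.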