Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

Removal instructions for Search Power+

- - - - - searchpowerapp

  • Please log in to reply
No replies to this topic

#1
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Content is republished with permission from Malwarebytes.

What is Search Power+?

The Malwarebytes research team has determined that Search Power+ is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Search Power+?

You may see this entry in your list of installed Chrome extensions:

main.png

this changed setting:

warning5.png

You may have noticed these warnings during install:

warning1.png

warning2.png

warning3.png

How did Search Power+ get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:

webstore.png

after a redirect from their website:

website.png

How do I remove Search Power+?

Our program Malwarebytes can detect and remove this potentially unwanted program.
  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.
Is there anything else I need to do to get rid of Search Power+?
  • No, Malwarebytes removes Search Power+ completely.
How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes would have protected you against the Search Power+ hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

protection2.png


Technical details for experts

Possible signs in FRST logs:

CHR DefaultSearchURL: Default -> hxxps://searchpowerapp.com/results.php?p=9146&v=402&q={searchTerms}&source=default
CHR DefaultSearchKeyword: Default -> spa
CHR DefaultSuggestURL: Default -> hxxps://searchpowerapp.com/gjson.php?q={searchTerms}
CHR Extension: (Secure) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nphdhklkeifbgkekgnjfocjbahfiilkd [2020-04-08]
Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nphdhklkeifbgkekgnjfocjbahfiilkd\9.0.9_0
       Adds the file background.js"="4/1/2020 11:16 PM, 6655 bytes, A
       Adds the file manifest.json"="4/8/2020 11:46 AM, 1622 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nphdhklkeifbgkekgnjfocjbahfiilkd\9.0.9_0\_metadata
       Adds the file computed_hashes.json"="4/8/2020 11:46 AM, 294 bytes, A
       Adds the file verified_contents.json"="4/1/2020 11:15 PM, 1648 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nphdhklkeifbgkekgnjfocjbahfiilkd\9.0.9_0\icons
       Adds the file icon128.png"="4/8/2020 11:46 AM, 2188 bytes, A
       Adds the file icon48.png"="4/8/2020 11:46 AM, 88 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nphdhklkeifbgkekgnjfocjbahfiilkd
       Adds the file 000003.log"="4/8/2020 11:49 AM, 99 bytes, A
       Adds the file CURRENT"="4/8/2020 11:46 AM, 16 bytes, A
       Adds the file LOCK"="4/8/2020 11:46 AM, 0 bytes, A
       Adds the file LOG"="4/8/2020 11:49 AM, 183 bytes, A
       Adds the file MANIFEST-000001"="4/8/2020 11:46 AM, 41 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nphdhklkeifbgkekgnjfocjbahfiilkd
       Adds the file Search Power+.ico"="4/8/2020 11:49 AM, 162813 bytes, A
       Adds the file Search Power+.ico.md5"="4/8/2020 11:49 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "nphdhklkeifbgkekgnjfocjbahfiilkd"="REG_SZ", "98F5D59F10B88C141CB014DCEF719DFBD54B846B901157819E097E17086E7B23"
Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/8/20
Scan Time: 12:28 PM
Log File: b8600a26-7983-11ea-a919-00ffdcc6fdfc.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.867
Update Package Version: 1.0.22122
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 233820
Threats Detected: 18
Threats Quarantined: 18
Time Elapsed: 11 min, 1 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.SearchPowerApp.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|nphdhklkeifbgkekgnjfocjbahfiilkd, Quarantined, 15068, 770853, , , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\nphdhklkeifbgkekgnjfocjbahfiilkd, Quarantined, 15068, 770853, , , , 
PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NPHDHKLKEIFBGKEKGNJFOCJBAHFIILKD, Quarantined, 15068, 770853, 1.0.22122, , ame, 

File: 15
PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15068, 770853, , , , 
PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15068, 770853, , , , 
PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nphdhklkeifbgkekgnjfocjbahfiilkd\000003.log, Quarantined, 15068, 770853, , , , 
PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nphdhklkeifbgkekgnjfocjbahfiilkd\CURRENT, Quarantined, 15068, 770853, , , , 
PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nphdhklkeifbgkekgnjfocjbahfiilkd\LOCK, Quarantined, 15068, 770853, , , , 
PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nphdhklkeifbgkekgnjfocjbahfiilkd\LOG, Quarantined, 15068, 770853, , , , 
PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nphdhklkeifbgkekgnjfocjbahfiilkd\MANIFEST-000001, Quarantined, 15068, 770853, , , , 
PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NPHDHKLKEIFBGKEKGNJFOCJBAHFIILKD\9.0.9_0\BACKGROUND.JS, Quarantined, 15068, 770853, 1.0.22122, , ame, 
PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 235, 763703, 1.0.22122, , ame, 
PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 235, 763703, 1.0.22122, , ame, 
PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 235, 763703, 1.0.22122, , ame, 
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 405, 460701, 1.0.22122, , ame, 
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 405, 460701, 1.0.22122, , ame, 
PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 235, 763703, 1.0.22122, , ame, 
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 405, 460701, 1.0.22122, , ame, 

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  • 0

Advertisements






Also tagged with one or more of these keywords: searchpowerapp

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.