What is Ad Avenger?
The Malwarebytes research team has determined that Ad Avenger is a browser hijacker and forced Chrome extension.
How do I know if my computer is affected by Ad Avenger?
You may see these warnings during install:
And this entry in your list of installed extensions:
How did Ad Avenger get on my computer?
Forced extensions use typical methods for distributing themselves.
This particular one was promoted by a site mimicking a BSOD:
and the extension was available in the webstore.
How do I remove Ad Avenger?
Our program Malwarebytes can detect and remove this unwanted program.
- Please download Malwarebytes for Windows to your desktop.
- Double-click MBSetup.exe and follow the prompts to install the program.
- When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
- Click on the Get started button.
- Click Scan to start a Threat Scan.
- When the scan is finished, click Quarantine to remove the found threats.
- Reboot the system if prompted to complete the removal process.
- No, Malwarebytes removes Ad Avenger completely.
We protect our customers from these extensions by blocking the domains that spread them:
Technical details for experts
Possible signs in FRST logs:
CHR Extension: (Ad Avenger) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp [2021-11-23]
Alterations made by the installer:
Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"aabcnnmihfbpfblmeflmggaccdjlpfpp"="REG_SZ", "9BE250A1FB13FF810B53080319E2E28A2F7753C1BA7B85E32602EC3C6CD4D30B"
Malwarebytes log:
As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
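Added example, not part of the original Malwarebytes write-up: a small Python triage helper for the "CHR Extension" line shown under "Possible signs in FRST logs". It matches on the extension ID instead of the display name, so the same ID under a different name or in a second Chrome profile is still reported. The sample log, the watch-list name FORCED_EXTENSION_IDS and the function names are constructed for illustration; only the first sample line and its ID come from this page.

```python
import re
from pathlib import PureWindowsPath

# Extension ID taken from the FRST line on this page; the set name is hypothetical.
FORCED_EXTENSION_IDS = {"aabcnnmihfbpfblmeflmggaccdjlpfpp"}

# FRST "CHR Extension" line: name in parentheses, install path, date in brackets.
CHR_LINE = re.compile(
    r"^CHR Extension: \((?P<name>.*?)\) - (?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2})\]"
)
# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")


def parse_chr_extensions(log_text):
    """Return one dict per well-formed CHR Extension line in an FRST log."""
    found = []
    for line in log_text.splitlines():
        m = CHR_LINE.match(line.strip())
        if not m:
            continue
        path = PureWindowsPath(m["path"])
        ext_id = path.name.lower()
        if not EXT_ID.match(ext_id):
            continue  # path does not end in an extension ID folder
        # Folder layout: ...\User Data\<profile>\Extensions\<id>
        found.append({"name": m["name"], "id": ext_id,
                      "profile": path.parent.parent.name, "date": m["date"],
                      "flagged": ext_id in FORCED_EXTENSION_IDS})
    return found


def flagged_extensions(log_text):
    """Entries whose ID is on the watch list, whatever name they display."""
    return [e for e in parse_chr_extensions(log_text) if e["flagged"]]


# Constructed sample: the first line is the entry from this page, the rest are made up.
SAMPLE_LOG = r"""
CHR Extension: (Ad Avenger) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp [2021-11-23]
CHR Extension: (Renamed Blocker) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aabcnnmihfbpfblmeflmggaccdjlpfpp [2021-11-24]
CHR Extension: (Example Notes) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop [2021-10-02]
(unrelated constructed log line)
"""

if __name__ == "__main__":
    for e in flagged_extensions(SAMPLE_LOG):
        print(f'{e["date"]} profile={e["profile"]!r} name={e["name"]!r} id={e["id"]}')
```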