PUP.Optional.CustomSearchBar
Short bio
PUP.Optional.CustomSearchBar is Malwarebytes detection name for a potentially unwanted program that hijacks the search queries on Chrome and Edge.
Symptoms
Users will notice a browser extension that they can’t remove in the usual way.
The remove button is greyed out and they will see a notification that tells them their browser is managed.
Type and source of infection
The browser extension gets force installed by a PowerShell script that gets triggered by a Scheduled Task every 4 hours.
Protection
PUP.Optional.ActiveSearchBar is a “removal only” detection name. Malwarebytes users are protected by the web protection module that blocks the domains that host the extensions and the scripts they use.
Remediation
Malwarebytes can detect and remove PUP.Optional.ActiveSearchBar without further user interaction.
- Please download Malwarebytes to your desktop.
- Double-click MBSetup.exe and follow the prompts to install the program.
- When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
- Click on the Get started button.
- Click Scan to start a Threat Scan.
- Click Quarantine to remove the found threats.
- Reboot the system if prompted to complete the removal process.
IOCs
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {0F47CAEB-A771-4AB6-800F-D45CD2B91582} – System32\Tasks\MicrosoftWindowsOptimizerUpdateTask_PR1 => powershell -File C:/Windows/System32/OptimizerWindows.ps1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell “ExecutionPolicy”=”REG_SZ”, “Unrestricted”
nniikbbaboifhfjjkjekiamnfpkdieng
nniikbbaboifhfjjkjekiamnfpkdieng