PUP.Optional.CustomSearchBar

Short bio

PUP.Optional.CustomSearchBar is Malwarebytes detection name for a potentially unwanted program that hijacks the search queries on Chrome and Edge.

Symptoms

Users will notice a browser extension that they can’t remove in the usual way.

The remove button is greyed out and they will see a notification that tells them their browser is managed.

Type and source of infection

The browser extension gets force installed by a PowerShell script that gets triggered by a Scheduled Task every 4 hours.

Protection

PUP.Optional.ActiveSearchBar is a “removal only” detection name. Malwarebytes users are protected by the web protection module that blocks the domains that host the extensions and the scripts they use.

Remediation

Malwarebytes can detect and remove PUP.Optional.ActiveSearchBar without further user interaction.

1. Please download Malwarebytes to your desktop.
2. Double-click MBSetup.exe and follow the prompts to install the program.
3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
4. Click on the Get started button.
5. Click Scan to start a Threat Scan.
6. Click Quarantine to remove the found threats.
7. Reboot the system if prompted to complete the removal process.

IOCs

HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION

Task: {0F47CAEB-A771-4AB6-800F-D45CD2B91582} - System32\Tasks\MicrosoftWindowsOptimizerUpdateTask_PR1 => powershell -File C:/Windows/System32/OptimizerWindows.ps1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell “ExecutionPolicy”=”REG_SZ”, “Unrestricted”

nniikbbaboifhfjjkjekiamnfpkdieng

Associated threats

• wincloudservice.com
• activesearchbar.me
• optimizerupdate.com