Can't remove Private Searches hijacker extension
-
Surge7861 last edited by
It seems an extension was put on and hides itself as Google Docs. When that's active, every time I go to search something it auto-directs me to privatesearches.org. I can remove the extension by clicking on the extension tab and clicking remove, but every time I reopen Opera it appears again. I've tried scans on the PC with Malwarebytes but it never seems to remove this issue.
-
burnout426 Volunteer last edited by
Do you have a privatesearches process showing on the processes tab in the Windows Task Manager? If so, you can right-click the process and choose "open file location" to find out where it's at.
Also, go to the URL opera://about and take note of the "profile" path. Then, in Windows Explorer (file explorer) (with file extensions and hidden items turned on under "View -> show"), browse to the "Extensions" folder in the profile folder. There you will see extensions sorted by ID folder. In each folder, open up manifest.json in Notepad and see if you can find the ID for the fake Google Docs malware extension.
If you can find the ID, that will help as you can open regedit and search the Windows registry for that ID to locate some of the entries for it. For example, the ID might be in a Chrome policies key to tell Chrome to automatically install the extension if it's not installed. That shouldn't affect Opera though as it doesn't support policies, but that should help you get rid of it for Chrome and track down the location of the malware perhaps.
Also, right-click your Opera shortcut, go to "properties" and switch to the "shortcuts" tab. For a pinned Opera taskbar icon, right-click it and then right-click "Opera Browser" and go to properties to get to the shortcut tab. What's the command shown in the target field?
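
The manifest check described in the post above can be scripted; this is an added example, not part of the original thread. It assumes the Chromium-style layout `Extensions/<ID>/[<version>/]manifest.json`, resolves `__MSG_...__` placeholder names through the extension's `_locales` folder, and `list_extensions` is a hypothetical helper name.

```python
import json
import sys
from pathlib import Path

def _load(path):
    # utf-8-sig tolerates a BOM; returns None for unreadable or invalid JSON
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None

def _display_name(manifest, ext_root):
    """Resolve a "__MSG_key__" name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if not (isinstance(name, str) and name.startswith("__MSG_") and name.endswith("__")):
        return name
    locale = manifest.get("default_locale", "en")
    messages = _load(ext_root / "_locales" / locale / "messages.json") or {}
    wanted = name[6:-2].lower()  # message keys are matched case-insensitively
    for key, entry in messages.items():
        if key.lower() == wanted and isinstance(entry, dict):
            return entry.get("message", name)
    return name

def list_extensions(extensions_dir):
    """Return one dict per manifest found under <extensions_dir>/<ID>/[<version>/]."""
    rows = []
    for id_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        for mpath in [id_dir / "manifest.json", *sorted(id_dir.glob("*/manifest.json"))]:
            if not mpath.is_file():
                continue
            m = _load(mpath)
            if not isinstance(m, dict):
                rows.append({"id": id_dir.name, "name": "<unreadable manifest>",
                             "permissions": []})
                continue
            perms = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
            rows.append({"id": id_dir.name, "name": _display_name(m, mpath.parent),
                         "permissions": perms})
    return rows

if __name__ == "__main__":
    # Argument: the "Extensions" folder inside the profile path shown on opera://about
    if len(sys.argv) != 2:
        sys.exit("usage: list_extensions.py <path to Extensions folder>")
    for row in list_extensions(sys.argv[1]):
        print(f'{row["id"]}  {row["name"]!r}  {row["permissions"]}')
```

The ID printed next to a name you did not install is the string to search for in regedit.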
-
Surge7861 last edited by
Thanks for the reply, I'll try to answer all your questions below.
Nothing seems to show up under Task Manager, but there are like 10 Opera GX ones that show up. I'm not sure if that is normal as I haven't checked before.
I checked each folder for the manifest.json stuff. There were 5 folders; 4 of them were Opera and one was for Honey (I installed that myself so I could see extensions up the top). It doesn't seem to be in there.
The command in target is: "C:\Users*****\AppData\Local\Programs\Opera GX\launcher.exe"
I just covered up personal details with asterisks.
As for the link, I followed what I could but I'm not seeing anything suspicious in Task Manager to work off of, sadly.
If there is anything else you want me to look up and post I'll do what I can, cheers.
-
burnout426 Volunteer last edited by
@surge7861 said in Can't remove Private Searches hijacker extension:
but there are like 10 Opera GX ones that show up. I'm not sure if that is normal
Yes. That's normal.
-
burnout426 Volunteer last edited by
Do you see any weird exe files at the root of "C:\Users\yourusername\AppData"?
If you rename your profile folder, does the extension show up and keep coming back in the new profile too? (You can delete the new profile folder and rename your old one back when you're done testing if you want.)
-
Surge7861 last edited by
I did forget to mention I did create a dummy profile on the PC yesterday and tested Opera GX on a fresh install there, and it didn't show up, so I believe it's tied to just my profile and only Opera, as I've tested other browsers on my profile too.
-
Surge7861 last edited by
As for the exe in the file, I have the opera.exe and 2 others:
launcher.exe.1671441701.old
launcher.exe.1671666764.old
So I don't think any of them are the issue.
-
hvvvpl last edited by
I got this same virus yesterday. In my Task Manager I have:
Antimalware Service Executable
Application Frame Host
Calculator (2) (but in Portuguese)
COM Surrogate
COM Surrogate
crashpar_handler
crashpar_handler
Device Association Framework ...
hpwuSchd Application (32bits)
User OOBE Broker
Usermode Font Driver Host
Video Application (2)
If someone knows if one of these is weird or something, tell me please.
-
burnout426 Volunteer last edited by
@surge7861 Okay. It's probably best to start fresh with a new profile then instead of trying to fix your profile.
-
Lettuce-x last edited by
I don't have any idea why the browser looks like this when I search for anything, can I get some help please?
-