
Browser extension add-on, detected it once but didn't delete it.



Today when I decided to change accounts on Google Chrome, in the top right corner where the 3 dots are I saw an error message. When I clicked there were 2 browser extensions: 1. Ace Script from Ace Stream and 2. Malwarebytes guard something. I clicked to see what those were and didn't have the option to remove them; on Chrome extensions it wasn't displayed. When I ran a full scan a couple of days ago on my first laptop it detected this extension and I clicked to remove it; I ran the scan again and it was clean. On the 2nd laptop, full scan showed nothing. I don't remember installing acestream on these 2 laptops, or if it happened it was a very long time ago; I think I even had Windows preinstalled after that. I did some research and quite a few people had this issue and found a solution for how to remove it from regedit: "HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension" called "mjbepbhonbojpoaenhckjocchgfiaofo".

I forgot to take a picture but I saw someone posted something like "another program added an extension that might change the way Chrome works".

I had this extension HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension "mjbepbhonbojpoaenhckjocchgfiaofo" on both of my computers even though they showed clean. I couldn't find much info, so if anyone could give me more details about it: do I have to change my passwords and so on? I use NOD32 Antivirus.

I have a 3rd laptop for streaming movies, and I think I installed acestream there maybe more than a year ago. It uses a free version of NOD32 provided by my internet provider (doubt it can send to my other laptops), just for info.

While we are on the Google Chrome topic, I had an upgrade of Google Chrome today and after the update something like "reload the page to continue" was written. It wiped out all my history and removed my adblocker extensions, and when I try to install it in extensions it says "no results shown". Any other way to install it? And when I enter Chrome there is in the middle "Who is using Chrome" and at the bottom of the middle the eventual Chrome users "Guest 1", "my account". "Guest 1", is this a new feature or something?

Sorry for the long post and if I had stupid questions.

 


P.S. I uninstalled acestream on my 3rd laptop the day I installed it, 1-2 hours later, maybe 6 months to 1 year ago. Just checked, it also had this mjbepbhonbojpoaenhckjocchgfiaofo extension.

Edited by Tio

You originally posted about this issue on the forum in 2020: https://forum.eset.com/topic/25398-ace-script-google-extension/ .

Review this posting on bleepingcomputer.com: https://www.bleepingcomputer.com/forums/t/700953/potential-virus-malware/ . As the FRST fix below shows, it appears quite a bit has to be done to fully remove this. Suggest you go to bleepingcomputer.com for assistance.

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Ace Stream Media 3.1.32 (HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\...\AceStream) (Version: 3.1.32 - Ace Stream Media) <==== ATTENTION
<<<>>>

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
start

CreateRestorePoint:
CloseProcesses:

HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\...\Run: [AceStream] => C:\Users\I\AppData\Roaming\ACEStream\engine\ace_engine.exe [27960 2018-08-23] (INNOVATIVE DIGITAL TECHNOLOGIES LLC -> Innovative Digital Technologies)
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
FF HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\I\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi
FF Extension: (Ace Script) - C:\Users\I\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi [2018-11-26]
FF Plugin HKU\S-1-5-21-1609680358-3891883066-2646586907-1001: @acestream.net/acestreamplugin,version=3.1.32 -> C:\Users\I\AppData\Roaming\ACEStream\player\npace_plugin.dll [2017-01-13] (Innovative Digital Technologies -> Innovative Digital Technologies)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\kl_prefs_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.js [2019-07-10] <==== ATTENTION (Points to *.cfg file)
FF ExtraCheck: C:\Program Files\mozilla firefox\kl_config_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.cfg [2019-07-10] <==== ATTENTION
CHR HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
FirewallRules: [{35383727-ADFB-4750-824C-2702895D32BE}] => (Allow) C:\Users\I\AppData\Roaming\ACEStream\engine\ace_engine.exe (INNOVATIVE DIGITAL TECHNOLOGIES LLC -> Innovative Digital Technologies)
FirewallRules: [{07F5E9C8-2AAA-4AF5-A3E1-B0BF4CC67BD0}] => (Allow) C:\Users\I\AppData\Roaming\ACEStream\engine\ace_engine.exe (INNOVATIVE DIGITAL TECHNOLOGIES LLC -> Innovative Digital Technologies)
FirewallRules: [{47A80E8B-CEF9-498C-B70C-2A17D169A56F}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe No File

C:\Users\I\AppData\Roaming\ACEStream

CMD: netsh int ip reset
CMD: ipconfig /flushDNS

EmptyTemp:

End
Edited by itman


Oh my God, so sorry. I deleted it from all 3 laptops; it was under the appdata/roaming files. Deleted and in the recycle bin, guess that's good enough? I wanted to copy this thing but it says the other user uses Mozilla.

Did you find any information about this Ace Script thing? Because I'm starting to get worried that I have to change all my passwords now... or you reckon it's not so dangerous?

 


5 hours ago, Tio said:

Did you find any information about this Ace Script thing?

Quote

Because it is based on torrent client technology and opens ports to other P2P file sharers, AceStream Media frequently allows adware, scareware and other unwanted programs into a system and is notoriously hard to remove.

https://www.file.net/process/ace_web_extension.exe.html


Hello, 

First of all I would like to thank you for your help. 
1. This might be helpful to someone like me :), so delete the "mjbep..." from registry HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension "mjbepbhonbojpoaenhckjocchgfiaofo"

2. %appdata% roaming files, delete it,

3. I used AdwCleaner (it did detect some acestream files that I missed)

 

Now, I am not sure if I should make a new thread about it, therefore I decided to ask you. I have 2 laptops with very clean browsing and a 3rd used for streaming movies (the kind where you click and it redirects you to betting sites and so on). Whenever I click "play" on a movie, a new tab opens redirecting me to some site, but the NOD AV most of the time blocks it as either "threat (red)" or "PUP (yellow)", and I close the redirected tab and just play the movie. Does it mean that the AV blocked the site and the potential threat, and the movie is safe to play?

Correct me if I am wrong: when I installed Ace Stream on my laptop, since we were all on the same Wi-Fi, does it mean that we are on the same server, therefore sharing these floating files? Because when I cleaned the 3rd laptop, going to the local files and floating files and checking them, the 2 laptops got a new folder called "LocalLow". My solution for the time being is to make a sub-network; as I heard, if e.g. my Wi-Fi is "Asd1" I can make a sub Wi-Fi called "Asd1 guest" which will be different, therefore my 3rd laptop won't have any connection to the other 2 laptops. I desperately wanna stream movies without affecting my other 2 laptops.

Sorry again, I wanted to make it as short as possible.

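The registry check described in the posts above, written as a read-only audit. This is an added example, not part of the thread and not any vendor's tool. It assumes Chrome's standard Windows keys for registry-registered extensions (`Software\Google\Chrome\Extensions\<id>` under HKCU and HKLM) and the default `%LOCALAPPDATA%\Google\Chrome\User Data` profile directory; the function name is hypothetical.

```powershell
# Added example: read-only audit of Chrome extensions registered through the
# Windows registry, i.e. registered by another program rather than installed
# by the user from the extensions page. Nothing is modified or deleted.
function Get-ChromeRegistryExtension {
    [CmdletBinding()]
    param(
        # Extension ID to highlight; the default is the ID named in this thread.
        [string]$WatchId = 'mjbepbhonbojpoaenhckjocchgfiaofo'
    )
    # Assumed standard key locations for externally registered extensions.
    $roots = @(
        'HKCU:\Software\Google\Chrome\Extensions',
        'HKLM:\Software\Google\Chrome\Extensions',
        'HKLM:\Software\WOW6432Node\Google\Chrome\Extensions'
    )
    # Assumed default Chrome profile root for the current user.
    $userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    # Update URL shown (defanged) on the CHR line of the FRST output above.
    $storeUrl = 'https://clients2.google.com/service/update2/crx'

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $id    = $key.PSChildName
            $props = Get-ItemProperty -Path $key.PSPath
            # True if any profile (Default, Profile 1, ...) has the extension unpacked.
            $onDisk = Test-Path -Path (Join-Path $userData "*\Extensions\$id")
            [pscustomobject]@{
                Root        = $root
                ExtensionId = $id
                # Chrome extension IDs are 32 characters from the alphabet a-p.
                WellFormed  = $id -cmatch '^[a-p]{32}$'
                UpdateUrl   = $props.update_url
                FromStore   = ($props.update_url -eq $storeUrl)
                OnDisk      = $onDisk
                Watched     = ($id -eq $WatchId)
            }
        }
    }
}

Get-ChromeRegistryExtension | Format-Table -AutoSize
```

Run it once per user account on each laptop; a row with `Watched` set to True is the registry entry the posts describe deleting in regedit.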

My original advice still stands. Go to bleepingcomputer.com for assistance for removal of all traces of this PUA software for all devices it was installed on.


Yeah, I did it. I just posted the steps for someone in the future if he needs it. It's done.

Could you please take a look at the 2nd part, with the laptops?
