Tio 0 Posted June 14, 2022 Share Posted June 14, 2022 Today when I decided to change accounts on google chrome on the top right corner where are the 3 dots I saw an error message when clicked there were 2 browser extensions - 1 Ace Script from Ace Stream and 2nd Malewarebytes guard something. I clicked to see what were those and didn't have the option to remove them , on chrome extensions it wasn't displayed. When I ran couple of days ago on my first laptop full scan it detected this extensions and I clicked to remove it, ran again in the scan it was clean. On the 2nd laptop , full scan - showed nothing. Dont remember installing acestream on these 2 laptops or if it happened it was very long time ago, I think I even had windows preinstalled after that. I did some research and quite few people had this issue and found a solution how to remove it from regedit "HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension called " mjbepbhonbojpoaenhckjocchgfiaofo" I forgot to take picture but I saw someone posted something like "another programe added an extensions that might change the way chrome works" I had this extensions KEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension "mjbepbhonbojpoaenhckjocchgfiaofo" on both of my computers even though they showed clean. I couldnt find much info so if any could give me more details about it , do I have to change my passwords and so on ? I use nod32 ANTIVIRUS I have a 3rd laptop for streaming movies , and I think i installed acestream there maybe more than a year ago, it uses a free version of nod32 provided from my internet provider ( doubt it can send to to my other laptops ) just for info. While we are on google chrome topic, I had an upgrade on google chrome today and after the update it was written something like " reload the page to continue" it wiped out all my history and removed my addblocker extensions and when I try to install it on extensions "no results shown" any other way to install it ? And when I enter chrome there is in the middle "Who is using chrome" and on the bottom of the middle eventual chrome useres "Guest 1" "my account " "guest 1" is this new feature or something ? Sorry for long post and if I had stupid questions Link to comment Share on other sites More sharing options...
Tio 0 Posted June 14, 2022 Author Share Posted June 14, 2022 (edited) P.S. I uninstalled acestream on my 3rd laptop the day I installed it 1-2 hours later maybe 6months - 1 year ago , just checked it also had this mjbepbhonbojpoaenhckjocchgfiaofo extension Edited June 14, 2022 by Tio Link to comment Share on other sites More sharing options...
itman 1,668 Posted June 14, 2022 Share Posted June 14, 2022 (edited) You originally posted about this issue on the forum in 2020: https://forum.eset.com/topic/25398-ace-script-google-extension/ . Review this posting on bleepingcomputer.com: https://www.bleepingcomputer.com/forums/t/700953/potential-virus-malware/ . As FRST fix shows below, appears quite a bit has to be done to fully remove this. Suggest you go to bleepingcomputer.com for assistance. Remove this program in bold via the Control Panel > Programs > Programs and Features. Ace Stream Media 3.1.32 (HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\...\AceStream) (Version: 3.1.32 - Ace Stream Media) <==== ATTENTION <<<>>> Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX. Type Notepad and and click the OK key. Please copy the entire contents of the code box below to the a new file. start CreateRestorePoint: CloseProcesses: HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\...\Run: [AceStream] => C:\Users\I\AppData\Roaming\ACEStream\engine\ace_engine.exe [27960 2018-08-23] (INNOVATIVE DIGITAL TECHNOLOGIES LLC -> Innovative Digital Technologies) FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION FF HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\I\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi FF Extension: (Ace Script) - C:\Users\I\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi [2018-11-26] FF Plugin HKU\S-1-5-21-1609680358-3891883066-2646586907-1001: @acestream.net/acestreamplugin,version=3.1.32 -> C:\Users\I\AppData\Roaming\ACEStream\player\npace_plugin.dll [2017-01-13] (Innovative Digital Technologies -> Innovative Digital Technologies) FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\kl_prefs_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.js [2019-07-10] <==== ATTENTION (Points to *.cfg file) FF ExtraCheck: C:\Program Files\mozilla firefox\kl_config_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.cfg [2019-07-10] <==== ATTENTION CHR HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File FirewallRules: [{35383727-ADFB-4750-824C-2702895D32BE}] => (Allow) C:\Users\I\AppData\Roaming\ACEStream\engine\ace_engine.exe (INNOVATIVE DIGITAL TECHNOLOGIES LLC -> Innovative Digital Technologies) FirewallRules: [{07F5E9C8-2AAA-4AF5-A3E1-B0BF4CC67BD0}] => (Allow) C:\Users\I\AppData\Roaming\ACEStream\engine\ace_engine.exe (INNOVATIVE DIGITAL TECHNOLOGIES LLC -> Innovative Digital Technologies) FirewallRules: [{47A80E8B-CEF9-498C-B70C-2A17D169A56F}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe No File C:\Users\I\AppData\Roaming\ACEStream CMD: netsh int ip reset CMD: ipconfig /flushDNS EmptyTemp: End Edited June 14, 2022 by itman Link to comment Share on other sites More sharing options...
Tio 0 Posted June 14, 2022 Author Share Posted June 14, 2022 42 minutes ago, itman said: You originally posted about this issue on the forum in 2020: https://forum.eset.com/topic/25398-ace-script-google-extension/ . Review this posting on bleepingcomputer.com: https://www.bleepingcomputer.com/forums/t/700953/potential-virus-malware/ . As FRST fix shows below, appears quite a bit has to be done to fully remove this. Suggest you go to bleepingcomputer.com for assistance. Remove this program in bold via the Control Panel > Programs > Programs and Features. Ace Stream Media 3.1.32 (HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\...\AceStream) (Version: 3.1.32 - Ace Stream Media) <==== ATTENTION <<<>>> Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX. Type Notepad and and click the OK key. Please copy the entire contents of the code box below to the a new file. start CreateRestorePoint: CloseProcesses: HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\...\Run: [AceStream] => C:\Users\I\AppData\Roaming\ACEStream\engine\ace_engine.exe [27960 2018-08-23] (INNOVATIVE DIGITAL TECHNOLOGIES LLC -> Innovative Digital Technologies) FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION FF HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\I\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi FF Extension: (Ace Script) - C:\Users\I\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi [2018-11-26] FF Plugin HKU\S-1-5-21-1609680358-3891883066-2646586907-1001: @acestream.net/acestreamplugin,version=3.1.32 -> C:\Users\I\AppData\Roaming\ACEStream\player\npace_plugin.dll [2017-01-13] (Innovative Digital Technologies -> Innovative Digital Technologies) FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\kl_prefs_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.js [2019-07-10] <==== ATTENTION (Points to *.cfg file) FF ExtraCheck: C:\Program Files\mozilla firefox\kl_config_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.cfg [2019-07-10] <==== ATTENTION CHR HKU\S-1-5-21-1609680358-3891883066-2646586907-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File FirewallRules: [{35383727-ADFB-4750-824C-2702895D32BE}] => (Allow) C:\Users\I\AppData\Roaming\ACEStream\engine\ace_engine.exe (INNOVATIVE DIGITAL TECHNOLOGIES LLC -> Innovative Digital Technologies) FirewallRules: [{07F5E9C8-2AAA-4AF5-A3E1-B0BF4CC67BD0}] => (Allow) C:\Users\I\AppData\Roaming\ACEStream\engine\ace_engine.exe (INNOVATIVE DIGITAL TECHNOLOGIES LLC -> Innovative Digital Technologies) FirewallRules: [{47A80E8B-CEF9-498C-B70C-2A17D169A56F}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe No File C:\Users\I\AppData\Roaming\ACEStream CMD: netsh int ip reset CMD: ipconfig /flushDNS EmptyTemp: End Oh my God , so sorry. I deleted it from all 3 laptops it was under appdata/roaming files , delete and in the recycle bin guess thats good enough ? I wanted to copy things thing buti t says the other user uses mozilla. Did you find any information about this Ace Script thing ? Because im starting to get worried that I have to change all my passwords now.... or you reckon its not so dangerous Link to comment Share on other sites More sharing options...
itman 1,668 Posted June 14, 2022 Share Posted June 14, 2022 5 hours ago, Tio said: Did you find any information about this Ace Script thing ? Quote Because it is based on torrent client technology and opens ports to other P2P file sharers, AceStream Media frequently allows adware, scareware and other unwanted programs into a system and is notoriously hard to remove. https://www.file.net/process/ace_web_extension.exe.html Link to comment Share on other sites More sharing options...
Tio 0 Posted June 15, 2022 Author Share Posted June 15, 2022 Hello, First of all I would like to thank you for your help. 1. This might be helpful to someone like me :), so delete the "mjbep..." from registry HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension " mjbepbhonbojpoaenhckjocchgfiaofo" 2. %appdata%roaming files to delete it , 3. I used adwcleaner ( it did detect some acestream files that I missed) Now I am not sure if I should make a new thread about it therefore I decided to ask you. I have 2 laptops very clean browsing , 3rd used for streaming movies ( the one when u click and it redirects you to bettings sites and so on) whenever I decided to click "play" on a movie a new tab opens on my tab redirecting me to some site but the Nod AV most of the time either blocks it "threat(red)" or "pup(yellow)" and I close the redirected tab and just play the movie, does it mean that the AV blocked the site and the potential threat the movie is safe to play? Correct me if I am wrong, when I installed the Ace STream on my laptop since we were all on the same wi-fi does it mean that we are on the same server, therefore sharing this floating files, because when I cleaned the 3rd laptop going to the local files and floating files checking them, on the 2 laptops got a new folder called "LocalLow" file. My solution for the time being is to make a sub network as I heard if f.e my wi-fi is "Asd1" I can make a sub wi-fi called "Asd1 guest" which will be different therefore my 3rd laptop wont have any connection to the other 2 laptops I desperately wanna stream movies w/o affecting my other 2 laptops. Sorry again I wanted to make it as short as possible Link to comment Share on other sites More sharing options...
itman 1,668 Posted June 15, 2022 Share Posted June 15, 2022 My original advice still stands. Go to bleepingcomputer.com for assistance for removal of all traces of this PUA software for all devices it was installed on. Link to comment Share on other sites More sharing options...
Tio 0 Posted June 16, 2022 Author Share Posted June 16, 2022 Yeah, I did it , I just posted it for the steps for someone in the future if he needs it - its done. Could you please take a look at the 2nd part, with the laptops Link to comment Share on other sites More sharing options...
Recommended Posts