Dragon Angel Overview

Dragon Angel is a malicious browser extension that can appear in Chrome browsers. It usually appears as a result of adware activity on the system. For example, unwanted programs like Chromstera or Chromnius after installation can offer this extension to the main browser. Users complain about it continuously appearing unless the source of the problem – the malignant browser – is removed.

The purpose for such plugins is search query redirection. Frauds who stand behind it force every single search request that you do to go through their servers. By forming a digital fingerprint of their victims, they earn money after selling it to third parties. I’ve did a comprehensive analysis of Dragon Angel, and found a couple of really interesting details – so read on.

Dragon Angel Detailed Analysis

Dragon Angel appears on your device due to the activity of unwanted software. It is often the result of potentially unwanted software that comes bundled with freeware or software cracks. Although most installers allow you to cancel installing additional software, unscrupulous developers may remove this option.

Search Redirects

Once installed, the extension changes the homepage and some browser settings. It also forcibly redirects all search queries through Dragonboss search engine. It eventually ends up on a legit search engine page, usually Yahoo or Bing, but during these redirections, the said search engine will collect the info about your request. Also, the search results after such a multi-step operation are different from what you would get after a direct request to the search systems.

What this means is the victims will see promotions instead of relevant search results. These promos mostly contain sponsored websites – gambling, adult sites or marketplaces who paid for the ads. At the same time, this advertising can lead to phishing websites or malware downloading pages.

Difficulties With Removal

The biggest problem for the average user is that Dragon Angel uses self-defense measures. After installation, the malware modifies registry settings to disable the ability to remove extensions from the browser or change homepage settings. This eventually leads to the infamous “Managed by Your Organization” error in Chrome, and complete inability to remove the extension.

According to the feedback from users who have encountered this plugin, the severity of this problem forces users to reset their PCs. This is the ultimate solution, but it will result in data loss, and feels like hunting sparrows with a tank gun. Fortunately, I have a solution to that problem without data loss. We will discuss it next.

Not by Dragon Angel Alone

During the analysis, I found other extensions from this “developer” called Dragon Honey and Dragon Search. All of them share the same logo, and the same purpose – redirecting user queries through their own search engine. However, this is not the last finding of my research.

The exact same “developer” has another project called Chromnius Browser. It is a browser based on Chromium core, obviously, and does not feature any remarkable qualities. Promotions say that Chromnius is a Web browser that provides better security while browsing online by blocking pop-ups and tracker cookies. Though a closer analysis clearly shows that Chromnius is just yet another adware that tries to look as web browser. It can infect other browsers, send pop-up notifications without user concent and redirect search queries.

How To Remove Dragon Honey

First, I strongly recommend scanning your device for malware. This will neutralize software that modifies system settings. To do this, download GridinSoft Anti-Malware and run a full scan. This will find the malware that initiates browser manipulation. In addition, GridinSoft Anti-Malware allows you to reset your web browser settings entirely in one click. This is especially useful if previous methods have failed.

Next, if you see this “Managed by your organisation” message when opening the browser menu in Google Chrome, there are two ways to remove Dragon Honey; we will look at them now. The first one is automatic and will work for most users. To regain control of the browser, you must follow these instructions to download the file and run it as an administrator. This will remove the entry from the registry, which will not allow you to change the browser settings.

The second method involves all the same, only in manual mode. To do this, press Windows + R on your keyboard, type “regedit“, and select the OK button

Copy the following path and paste it into the address bar, and press Enter:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

Select the Chrome key from the left pane of your Registry Editor. Right-click on the Chrome policy you want to remove and select Delete.

The post Dragon Angel Malicious Browser Extension appeared first on Gridinsoft Blog.

What are “Re captha version” pop-up virus?

Re captha version virus is a browser notification spam campaign that takes place on an eponymous website. An entire network of such sites has similar names and content. All of them aim at one thing – forcing users to allow notifications, under the guise of anti-robot captcha. This makes possible the main course of this scam – huge numbers of pop-ups that flood both the web browser and system notifications.

List of domains involved in the scam

Websites like “Re captha version” commonly appear after the redirection from another site, or following the click on the suspicious banner somewhere on the Web. If you’d try visiting such websites apart from the malicious redirections, they will likely return a white screen or various error messages. In some cases, they work, but the content is the same as the first time – just the offer to enable pop-up notifications.

But what for all this is running? Promotions that such websites show are extremely cheap, but their volume multiplied by the number of victims gives quite a substantial profit. Considering that these frauds will advertise other malicious actors, the profit may be smeared through several cybercriminal groups. And while there are ways to earn more, and in a legitimate way, pop-up spam campaigns are extremely easy to run. This is what causes these fraudulent sites to keep going.

GridinSoft Anti-Malware offers an advanced network protection feature that is capable of filtering the pop-up scam sites. We start tracking them at the very moment of their appearance, meaning they will not be able to harm you at all. Get your security boosted Gridinsoft.

How dangerous is pop-up notifications spam?

Despite what they look like, pop-ups are a rather dangerous thing, especially when dozens of them appear in a short period. The main effect is distraction: pop-ups will keep appearing even after closing the browser. They clutter the notification tray, making it impossible to find the alerts you need.

But the key danger hides in the content of those promotions. Pages and offers they promote are not even remotely relevant. Moreover, the links these advertisements lead to are often just clickbait websites or outright phishing pages. The longer all this happens, the more likely for the user to accidentally click one and get into a sticky situation.

How to remove Re captha version ads?

Removing pop-ups from the browser involves two steps – disallowing sending notifications to all sites and scanning your system for threats. The first one is manual – you need to go to your browser settings, open the page with notification settings and delete all entries there. Then, reload your browser for the changes to take effect.

Disabling browser pop-ups (scroll images)

For the second step – scanning for threats – I recommend using GridinSoft Anti-Malware. As I said, ads can lead to the installation of unwanted software. But aside from this, the appearance of Re captha version website may be the sign of adware activity. To ensure that your device is clean, run a Standard scan and let it finish – it won’t take long.

The post Re Captha Version Pop-Ups Virus appeared first on Gridinsoft Blog.

Fake ChatGPT Plugin Spreads via Chrome Web Store

Chrome Web Store serves as a default place to get add-ons to your browser. This, however, creates a menace of flooding this service with malicious or just junky extensions. Filtering them out, as practice shows, is not an easy task. In some cases, malicious plugins manage to score 100,000+ downloads before being wiped from a store. Still, most of them are not immediately dangerous, as their functionality resembles adware or browser hijackers.

Fake ChatGPT plugin used the worst breaches present in Web Store, as well as in Google Ads. To promote the plugin, crooks who stand behind it purchased the sponsored advertising in Google Search results. It all ended up with victims seeing a link to install a malicious ChatGPT plugin on top of a search query. Being published in the Store on February 14, 2023, it started to bloom only a month later, after the mentioned advertising appeared. By March 22, Google managed to remove the plugin from the Web Store and toggle the advertisements down. However, over 2 million people already managed to install that malware – so it is a clue for understanding the scale of possible problems.

Malicious ChatGPT add-on hijacks Facebook accounts

Key thing that made this plugin so bad is the fact that it was aiming to hijack Facebook accounts. Even though it proceeds with giving your what it promised, the crime happens right after the plugin installation. That was done via collecting the cookies, which browser plugins have access to if the user gives corresponding permission. The exact plugin was offering “quick access to GPT chat”, thus it is not clear whether it may need user cookies. Still, that barely bothers people who want to get ChatGPT access in one click.

Cookies in web browsers act as a form of temporary info storage, which is needed for websites to remember the user’s choices, nickname, and other trivia details. Some websites store session tokens within cookies – and Facebook is among them. The risk here is that a third party can relatively easily parse these cookies and retrieve the session token. This, in turn, gives them full access to your account – and they will likely use it immediately. That is dictated by a usual session tokens expiration time – less than 24 hours. Seeing that your account sent numerous spam messages to your friends and posted scam offers or even extremist propaganda is at least embarrassing.

How to avoid malicious browser plugins?

It may be difficult to distinguish fraud at a glance, especially when Google promotes it to you. First and foremost, keep track of official announcements. If an organisation or company never claims to know about browser plugins or any other add-on, it will be a bad idea to trust the one you find online. Even seeing a huge number of downloads does not mean it is safe and legit – at least because the counter may be artificially boosted.

Controlling the permissions you give to add-ons is another possible remedy. Yet it also does not guarantee that the plugin will not misuse that privilege. For that reason, the best option is to use anti-malware software. A program that will detect malicious software by its behavior, regardless of its form, is an essential thing these days. Try out GridinSoft Anti-Malware – it works perfectly in protection against unusual threats, including browser plugins.

The post Malicious ChatGPT Add-On Hijack Facebook Accounts appeared first on Gridinsoft Blog.

Search Marquis is a type of malware that aims to infect the browser, such as Google Chrome, Mozilla Firefox, and Safari, hence the name – the hijacker of the browser. This program works by disguising itself as a search engine and most often affects browsers on Mac devices. So, how to get rid of Search Marquis?

How Search Marquis Works?

The working principle of this malware is to change the settings of the browser, then redirect the user to searchmarquis.com. As soon as a user enters this questionable search engine, he receives annoying advertisements, as well as is redirected to even more malicious websites. Any click, whether intentional or not, on different types of advertising sites, and others, will redirect the user to malicious content. Next, it will continue as a vicious circle, because after tapping the user gives access to cyber threats to his device.

Symptoms of Search Marquis Virus

We will provide you with a list of signs that your Mac device is infected. This will give you the ability to control the activity of your device and in the event of a threat penetration, you will know what it looks like and what to do with it in the future.

• Redirects to searchmarquis.com. Note that when you visit Google, for example, your search engine changes to Search Marquis.
• Annoying ads. If you have visited searchmarquis.com, then you will notice a huge amount of advertising that did not exist before. This massive amount of obsessive advertising is provided by adware. You can see it in the form of banners, pop-up windows, and advertising on any product or service.
• Redirects to questionable sites. Another sign is considered constant redirection to suspicious websites. This can lead to the threat of phishing proliferation or other malicious intentions of intruders, which later lead to financial losses.
• New and unrecognized add-ons. Note that browser extensions include new settings that you have not previously installed. If you notice this and some other suspicious files, then there is a possibility that your Mac is infected.

How to Remove Search Marquis From Mac

If you notice all the above signs of malware appearing on your device, then you need to take the following actions. First, remove the virus from your Mac device, and secondly reset the default browser settings.

Get rid of the Search Marquis virus with the help of an antivirus:

• Select a solid antivirus;
• Set it on your Mac;
• Start a full system scan;
• Next, see attached instructions provided by your antivirus.

Delete files related to the Search Marquis virus manually:

• Determine and stop malicious processes: go to the Finder > Go > Utilities > Activity Monitor and Force Quit all suspicious activity.



• Determine and remove recently created launch agents: navigate to the Finder > Go > Go to Folder, type /Library/LaunchAgents, and delete unwanted launch agents;



• Remove unwanted running agents in other folders: fill the same steps in /Library/Application Support and /Library/LaunchDaemons folders;
• Delete unrecognized apps: navigate to the Finder > Go > Applications and transfer all suspicious apps to the bin;



• Find and delete malicious Login items: go to the Apple icon > System Preferences > Users & Groups > Login items > Padlock and enter your admin password; Delete them with a minus button at the bottom if there are any recently-added suspicious files.



After you remove the virus from your Mac device, you must also remove it from your browser. To do this we will provide you with the necessary instructions below.

Remove Search Marquis hijacker from your browser

The purpose of the Search marquis browser hijacker is to change the user’s browser settings. It follows that you need to reset all the modified settings by the attacker about the default settings. Below we will provide step-by-step instructions on how to do this:

For Safari users:

• Open Safari and tap Develop in the top menu bar. Then tap the Empty Caches;



• Tap History in the same Safari top menu, select the Clear History option, and choose to clear all history in the pop-up window;



• Go back to earlier mentioned Safari Preferences and go to the Privacy > Manage Website Data > Remove All to delete cookies;



• Relaunch Safari.

TIP: If you can’t look for the Develop menu go to Safari > Preferences > Advanced and at the bottom tick the option to show the Develop menu.

For Chrome users:

• Launch Google Chrome, tap on the 3 dots in the top right corner for the drop-down list, and select the Settings option;



• Tap on the Advanced tab on the left and select the Reset Settings at the bottom;



• Verify the reset by pressing the Reset Settings button;



• Relaunch Chrome

How can I protect my device against viruses?

Regardless of whether you encounter malware or not, you should consider precautions. We will consider below the most necessary tips for pest prevention.

• Regularly update your OS and apps. Because systems have vulnerabilities, malicious software can be more easily harmed. To prevent this, developers of systems and all programs release new updates for them.
• Never click on suspicious ads. Today the Internet is full of different content, which allows hackers to also post their malicious ads. In this way, they manage to deceive a large number of users. In order not to fall for this trick, you need to not click on all popup windows in your browser.
• Do not open dubious email attachments. Malicious phishing attacks and malware are often distributed via email. Attackers attach their malicious files to a letter that tries to convince the user to press this. So don’t press everything you see in unfamiliar emails.
• Do not click on questionable links on social platforms. Social media is another platform for cybercriminals. Through account hacks, hackers manage to distribute malware to another list of users. So before opening suspicious links sent from your friends, check to see if your friend’s account has been hacked.
• Protect your device with an antivirus. The best and most reliable way to protect is considered antivirus. If you install strong antivirus protection, you can avoid multiple threats and cyberattacks. Antivirus will from time to time track your system for any pests and will be able to prevent your device from potential attack.

The post Search Marquis: How to prevent it appeared first on Gridinsoft Blog.

]]> https://gridinsoft.com/blogs/search-marquis-how-to-prevent-it/feed/ 0 9279 https://gridinsoft.com/blogs/remove-yahoo-search-from-chrome/ https://gridinsoft.com/blogs/remove-yahoo-search-from-chrome/#respond Mon, 09 May 2022 22:49:39 +0000 https://gridinsoft.com/blogs/?p=7772 Yahoo Search is a legitimate search engine that exists for over 25 years. When chosen by desire, it offers all the basic functions of any search engine. However, there are certain situations when Yahoo search appears in your Chrome browser without your wish. In this article, I will show you how to remove Yahoo Search… Continue reading Yahoo Search: How to Remove Yahoo from Chrome?

The post Yahoo Search: How to Remove Yahoo from Chrome? appeared first on Gridinsoft Blog.

]]> Yahoo Search is a legitimate search engine that exists for over 25 years. When chosen by desire, it offers all the basic functions of any search engine. However, there are certain situations when Yahoo search appears in your Chrome browser without your wish. In this article, I will show you how to remove Yahoo Search from Chrome if you do not want it to appear.

What is the Yahoo Search Engine?

Yahoo is one of the first search engines that appeared on the Internet. In 1995, it was initially introduced as a search mechanism for cataloging the websites recommended by Yahoo. Further, they applied for a partnership with Inktomi and then Google. That allowed Yahoo to become much more popular. In 2003, they added a full-fledged web crawling service that extended the search results. However, in 2004 Google managed to outpace Yahoo by market share. Now it is just a part of niche services offered by Yahoo.



Besides its 100% benevolent nature, there are cases when users uncover that Yahoo is set as their search engine by force. Changing it to the one you used does not help – it will be switched back to Yahoo almost immediately. Searching with such settings is likely not comfortable because the results differ from what you expect. And the most unpleasant thing is that someone earns money for you with such changes.

How Does That Work?

Seeing your search engine constantly changed to Yahoo means that you have a malicious program on your computer. Such programs are usually identified as browser hijackers. As you can guess from their name, , they take control of your web browser without your allowance. They can change any setting in the infected browser, including the search engine, redirect search queries, open the websites and start the browser whenever it wants. The crooks control all this activity and designate all changes and redirects that malware does.

The exact form of that malware may be different. Most browser hijackers are tiny programs that sit deep on the disk. Throughout the last couple of years, they massively opted for the guise of a browser plugin. That makes the malware implementation much easier, and formally such plugins do not violate any rules – the user allows it to do all these nasty things during the installation.

Is the Yahoo Search in Chrome Dangerous?

There is no direct danger browser hijackers bring to your system. But since it can throw you on the website it wants, you may easily fall victim to phishing or unintentionally trigger the malware downloading. Same-quality crooks often make sites advertised by crooks, so the chance of seeing a legit site after the redirect is pretty low. Scam sites like Pornographic Virus Alert from Microsoft also appear among these redirections.



Besides the possibility of being scammed in such a way, you may also get your personal information stolen. In the cases when malware is spread as a browser hijacker, it asks you to give access to cookie files and browser history. Those two categories are pretty valuable for selling the data to third parties. Besides that, cookies may contain the login credentials in the unciphered form – that is just a gift for cybercriminals.

How Did I Get the Malware?

As I have mentioned before, browser hijackers may have different forms. Web browser plugin, “PC optimiser”, rogue – choose what you want. While all this diversity is hard to compare when you don’t know about the internal things, the externals – exactly how they are distributed- are most likely the same. Crooks who spread hijackers usually try to bait the user into installing the malware under something useful. Usually, such stuff is found on online forums, abandoned sites that were hacked, and advertisements.

Any advertised offers that look too generous or contain statements baiting you to click on them must not be trusted. Only God knows what will happen – redirection, malware downloading, or even throwing you to the exploit page. It is better not to choose at all – I recommend you avoid clicking such things. It is one of the most basic principles of cyber hygiene – don’t ignore it!

Remove Yahoo Search from Chrome

Most modern malware creates enough hitches in your system to make it harder to remove. Browser hijackers are not an exclusion. Users may delete some of the files, leaving the other part untouched. And the virus manages to recover its files using the rest of them. Detecting all malware parts is a thankless job. That’s why I’d advise you to use anti-malware software. Reverting the changes in the web browser is much easier, so I will show you how to reset your Chrome browser.

Anti-malware programs can find all malware parts by checking the paths specified in their code. Therefore, using a well-done antivirus that will detect and wipe all the files of browser hijackers is a perfect way to get rid of the latter. I will recommend GridinSoft Anti-Malware as the program that will 100% complete this task. Download it from our official website.

You can try out the full functionality of GridinSoft Anti-Malware during a 6-day free trial. After the app installation, you will be offered to type your nickname and email address to receive a free trial code. It will arrive right in your email after passing these steps. Without it, you can still scan your devices and reset the browsers but can’t remove the detects.

Reset Your Chrome Browser Settings

• Most of the contemporary browsers have the same reset steps. Chrome is not an exclusion; it is a trendsetter for the rest programs in this class. Go to Settings, and find there the Reset and Clean Up submenu.



• In it, click on the Restore settings to their original defaults. That will call the appearance of the pop-up window.



• In that pop-up window, accept the settings resetting. Then, your browser will be as good as the newly installed.



The post Yahoo Search: How to Remove Yahoo from Chrome? appeared first on Gridinsoft Blog.

]]> https://gridinsoft.com/blogs/remove-yahoo-search-from-chrome/feed/ 0 7772