This Malware Can Delete and Replace Your Entire Chrome Browser with a look alike


Super Moderator
MalwareTips Staff
Oct 23, 2012
Windows 10
eFast browser poses as Chrome but inserts unwanted ads
There's a modified Google Chrome clone going around the Internet that's being used by attackers to show users unwanted ads and redirect them to other malware infection points.

The browser in question is named eFast, and according to security researchers at PCRisk and Malwarebytes, it infects user PCs after being installed alongside other applications.

This PUP (Potentially Unwanted Application) is based on the Chromium open source browser, the very same code on which Google Chrome is also built.

The shared codebase allows the browser to easily pass as the real deal, and successfully fool users into thinking they're actually using Chrome.

During eFast's installation, the browser takes special care to remove any Google Chrome shortcuts, and replaces them with its own, using an icon specifically designed to look like Chrome's, but slightly different.

Furthermore, additional shortcuts for popular sites like YouTube, Amazon, Facebook, Wikipedia, and Hotmail are all placed on the desktop, all primed to open inside an eFast browser.

eFast hijacks file and URL associations on infected systems
Malwarebytes has also observed the browser alters OS settings, eFast changing default file associations and URL types, so whenever the user clicked any HTML, GIF, or JPEG document inside their operating system, eFast would be used instead of the previously set application.

At the moment of writing this article, researchers have detected eFast placing itself as the default application for the following file types: HTM, HTML, SHTML, XHTML, XHT, WEBP, PNG, JPG, JPEG, GIF, and PDF.

Additionally, URLs with the following protocols were also opened by default in eFast: HTTP, HTTPS, FTP, IRC, MAILTO, MMS, SMS, SMSTO, TEL, NEWS, NNTP, URN, and WEBCAL.

eFast is being used to deliver adware and ads to users
Once the user was convinced (tricked) to use eFast, the browser's malware code injects ads inside their normal Web pages, and even redirect them to sites where other malware is being served.

Besides this, during the eFast installation, the predm.exe file was also placed inside the user's Program Files folder, file that is currently detected as infected by 44 antivirus engines on VirusTotal.

Both PCRisk and Malwarebytes provide instructions on how to remove eFast from infected computers.


Security researchers have uncovered a new piece of Adware that replaces your entire browser with a dangerous copy of Google Chrome, in a way that you will not notice any difference while browsing.
The new adware software, dubbed "eFast Browser," works by installing and running itself in place of Google Chrome
The adware does all kinds of malicious activities that we have seen quite often over the years:

  • Generates pop-up, coupon, pop-under and other similar ads on your screen
  • Placing other advertisements into your web pages
  • Redirects you to malicious websites containing bogus contents
  • Tracking your movements on the web to help nefarious marketers send more crap your way to generating revenue
Therefore, having eFast Browser installed on your machine may lead to serious privacy issues or even identity theft.

Read more : This Malware Can Delete and Replace Your Entire Chrome Browser with a lookalike - The Hacker News


New Member
Oct 19, 2015
Note as an addition that you will need to have authorized the loader/installer administrative rights at some point for it to replace Google Chrome (assuming you have Google Chrome installed in Program Files (x86)/Program Files since those directories are actually protected).