Metallica

Staff
  • Content count

    2,084
  • Joined

  • Last visited

5 Followers

About Metallica

  • Rank
    Master of PUPs
  • Birthday 05/19/1963

Profile Information

  • Location
    Netherlands

Recent Profile Visitors

159,291 profile views
  1. What is PC Cleaner Pro 2018?The Malwarebytes research team has determined that PC Cleaner Pro 2018 is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with PC Cleaner Pro 2018?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this screen when you want to fix the "problems" it found:You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did PC Cleaner Pro 2018 get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove PC Cleaner Pro 2018?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PC Cleaner Pro 2018? No, Malwarebytes removes PC Cleaner Pro 2018 completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the PC Cleaner Pro 2018 installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (PC Cleaners Inc.) C:\ProgramData\PCCleaner Pro\PCCleaners.exe S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [32400 2016-03-04] (ThreatTrack Security) (ThreatTrack Security) C:\Windows\system32\Drivers\gfiutil.sys C:\ProgramData\PCCleaner Pro C:\ProgramData\PCProSettingsLocal C:\Windows\System32\Tasks\PC Software Updater C:\Windows\System32\Tasks\PCCleaner-Maintenance-Autorun C:\Users\Public\Desktop\PC Cleaner Pro.lnk C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC Cleaners C:\ProgramData\appclunst.exe C:\Users\{username}\Downloads\PCPro-Installer.exe PC Cleaners (HKCU\...\PC Cleaners) (Version: 14.0 - PC Cleaners) <==== ATTENTION Task: {460C2BFF-CCED-437A-897E-AA02B290D7AF} - System32\Tasks\PC Software Updater => C:\ProgramData\PCCleaner Pro\PCCleaners.exe [2018-04-19] (PC Cleaners Inc.) Task: {58F68C5F-AF5F-4992-8001-03B0ACC54FBD} - System32\Tasks\PCCleaner-Maintenance-Autorun => C:\ProgramData\PCCleaner Pro\PCCleaners.exe [2018-04-19] (PC Cleaners Inc.) () C:\ProgramData\PCProSettingsLocal\av\d\libBase64.dll () C:\ProgramData\PCProSettingsLocal\av\d\libMachoUniv.dll Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- In the existing folder C:\ProgramData Adds the file appclunst.exe"="4/19/2018 8:37 AM, 9589336 bytes, A Adds the folder C:\ProgramData\PCCleaner Pro Adds the file FSSC.dat"="4/19/2018 8:44 AM, 12 bytes, A Adds the file gfiutil.dll"="3/4/2016 10:26 AM, 22032 bytes, A Adds the file gfiutl32.sys"="3/4/2016 10:26 AM, 25440 bytes, A Adds the file gfiutl64.sys"="3/4/2016 10:26 AM, 32400 bytes, A Adds the file PCCleaners.exe"="4/19/2018 8:44 AM, 82583448 bytes, A Adds the folder C:\ProgramData\PCProSettingsLocal Adds the file res.db"="4/19/2018 8:50 AM, 105472 bytes, A Adds the file st.db"="4/19/2018 8:44 AM, 3072 bytes, A Adds the file st.txt"="4/19/2018 8:52 AM, 589 bytes, A Adds the folder C:\ProgramData\PCProSettingsLocal\av Adds the file SBTE.dll"="4/19/2018 8:44 AM, 1059216 bytes, A Adds the file SpursDownload.dll"="4/19/2018 8:44 AM, 414608 bytes, A Adds the file unrar.dll"="4/19/2018 8:44 AM, 160768 bytes, A Adds the file vipre.dll"="4/19/2018 8:44 AM, 333704 bytes, A Adds the folder C:\ProgramData\PCProSettingsLocal\av\d Adds the file acertdefs0.std"="10/1/2012 12:34 PM, 477 bytes, A Adds the file adsrules.dat"="11/6/2015 6:23 PM, 286780 bytes, A Adds the file AdviceTx.vdx"="3/28/2013 5:36 AM, 10245 bytes, A Adds the file api0.std"="7/14/2015 6:11 AM, 669262 bytes, A Adds the file apincl.dat"="7/15/2015 1:28 PM, 714 bytes, A Adds the file apprules.dat"="3/28/2013 6:00 AM, 1566 bytes, A Adds the file bhmem.vtd"="4/19/2018 8:51 AM, 23604 bytes, A Adds the file bhsl.vtd"="4/19/2018 12:18 AM, 4810620 bytes, A Adds the file bmem.vtd"="4/19/2018 8:52 AM, 400348 bytes, A Adds the file CatDesc.vdx"="3/28/2013 5:36 AM, 180180 bytes, A Adds the file CatID.vdx"="3/28/2013 5:36 AM, 9660 bytes, A Adds the file cblk.vtd"="4/19/2018 12:13 AM, 273033036 bytes, A Adds the file ckmem.vdx"="4/19/2018 8:52 AM, 412 bytes, A Adds the file cmem.vtd"="4/19/2018 8:51 AM, 219054 bytes, A Adds the file cname.wtd"="4/17/2018 8:18 AM, 125152 bytes, A Adds the file comp0.std"="3/31/2014 9:49 AM, 43939 bytes, A Adds the file compatv.dat"="2/6/2018 9:30 AM, 572 bytes, A Adds the file Cookies.vdx"="7/1/2015 8:44 AM, 206832 bytes, A Adds the file CoreVer.txt"="9/9/2009 6:46 PM, 3 bytes, A Adds the file ctid.vtd"="4/19/2018 12:11 AM, 89590610 bytes, A Adds the file defs0.std"="4/17/2018 6:35 AM, 12206561 bytes, A Adds the file DefVer.txt"="4/19/2018 1:34 AM, 26 bytes, A Adds the file dex_hash.dat"="3/31/2017 12:16 AM, 36039720 bytes, A Adds the file dexmem.vtd"="4/19/2018 8:52 AM, 105700 bytes, A Adds the file dnrl.vdx"="11/6/2015 9:40 AM, 225040 bytes, A Adds the file dnrlmem.vtd"="4/19/2018 8:52 AM, 564 bytes, A Adds the file elf_hash.dat"="1/8/2015 11:58 AM, 528 bytes, A Adds the file EPSigs.vdx"="3/27/2013 2:55 PM, 65429 bytes, A Adds the file FastSigs.vdx"="9/8/2017 4:03 PM, 310940 bytes, A Adds the file FileDT.vdx"="4/19/2018 12:17 AM, 164064 bytes, A Adds the file FolderDT.vdx"="5/21/2016 5:46 AM, 80172 bytes, A Adds the file fsigs.vdx"="1/29/2009 5:15 PM, 192 bytes, A Adds the file gfiark.dll"="8/27/2015 7:31 AM, 70112 bytes, A Adds the file gfiark32.sys"="8/27/2015 7:31 AM, 43176 bytes, A Adds the file gfiark64.sys"="8/27/2015 7:31 AM, 40584 bytes, A Adds the file gfiarkup.dll"="8/27/2015 7:32 AM, 69600 bytes, A Adds the file gfiutil.dll"="3/4/2016 10:26 AM, 22032 bytes, A Adds the file gfiutl32.sys"="3/4/2016 10:26 AM, 25440 bytes, A Adds the file gfiutl64.sys"="3/4/2016 10:26 AM, 32400 bytes, A Adds the file hcol.wtd"="4/18/2018 10:17 PM, 74316 bytes, A Adds the file heur0.std"="2/25/2014 5:54 AM, 2772 bytes, A Adds the file HistoryCleaner.xml"="9/8/2014 6:28 PM, 156524 bytes, A Adds the file hstn.vtd"="10/27/2015 6:23 AM, 96813 bytes, A Adds the file idsrules.dat"="2/27/2017 4:44 AM, 136143 bytes, A Adds the file ih.vdx"="4/11/2018 4:12 AM, 336800 bytes, A Adds the file ihmem.vtd"="4/19/2018 8:52 AM, 668 bytes, A Adds the file IncompatiblePrograms.dll"="9/5/2013 9:33 PM, 120720 bytes, A Adds the file incompats.dat"="12/10/2010 2:05 PM, 1634 bytes, A Adds the file ip.vtd"="7/3/2014 7:00 PM, 824 bytes, A Adds the file JSSigs.vdx"="7/29/2016 4:03 PM, 1396893 bytes, A Adds the file kbu.dat"="4/19/2018 12:13 AM, 18227048 bytes, A Adds the file kbu.dll"="3/17/2015 8:51 AM, 62864 bytes, A Adds the file lgpl.dll"="6/26/2015 3:13 AM, 933752 bytes, A Adds the file lib7zip.dll"="6/26/2015 3:13 AM, 184184 bytes, A Adds the file libBase64.dll"="6/26/2015 3:13 AM, 184184 bytes, A Adds the file libCHM.dll"="6/26/2015 3:13 AM, 192376 bytes, A Adds the file libEmail.dll"="6/26/2015 3:13 AM, 282488 bytes, A Adds the file libMachoUniv.dll"="6/26/2015 3:13 AM, 175992 bytes, A Adds the file libMsCab.dll"="6/26/2015 3:13 AM, 446328 bytes, A Adds the file libMsi.dll"="6/26/2015 3:13 AM, 171896 bytes, A Adds the file libNSIS.dll"="6/26/2015 3:13 AM, 196472 bytes, A Adds the file libOleA.dll"="6/26/2015 3:13 AM, 343928 bytes, A Adds the file libRar.dll"="6/26/2015 3:13 AM, 274296 bytes, A Adds the file libRTF.dll"="6/26/2015 3:13 AM, 171896 bytes, A Adds the file libtd.dll"="6/26/2015 3:13 AM, 167800 bytes, A Adds the file libVvs.dll"="6/26/2015 3:13 AM, 376696 bytes, A Adds the file libZip.dll"="6/26/2015 3:13 AM, 241528 bytes, A Adds the file macroptn.std"="4/5/2018 2:35 PM, 197400 bytes, A Adds the file MFastSigs.vdx"="6/2/2010 9:36 AM, 0 bytes, A Adds the file mime0.std"="1/13/2016 3:09 PM, 26893 bytes, A Adds the file networkrules.dat"="3/28/2013 6:00 AM, 4760 bytes, A Adds the file pack0.std"="4/16/2015 10:30 AM, 14351 bytes, A Adds the file patch0109.exe"="1/11/2018 2:55 PM, 354488 bytes, A Adds the file patchw32.dll"="3/19/2015 2:59 PM, 233336 bytes, A Adds the file qscnf.vdx"="3/5/2013 8:02 PM, 541 bytes, A Adds the file qscnr.vdx"="2/15/2008 9:04 AM, 8440 bytes, A Adds the file RegDT.vdx"="3/5/2018 1:14 AM, 1108692 bytes, A Adds the file rem0.std"="3/14/2018 3:13 AM, 1599572 bytes, A Adds the file remediation.dll"="6/26/2015 3:13 AM, 343928 bytes, A Adds the file RootCA.wtd"="8/14/2013 2:00 PM, 34571 bytes, A Adds the file RTmem.vdx"="4/19/2018 8:52 AM, 3256 bytes, A Adds the file SBTS.dat"="7/31/2008 1:07 PM, 328 bytes, A Adds the file script0.std"="4/18/2018 6:35 AM, 176184 bytes, A Adds the file sdll0.std"="4/21/2015 4:29 PM, 3006617 bytes, A Adds the file sel.dat"="10/2/2017 2:50 PM, 8450 bytes, A Adds the file seri.dat"="1/4/2016 1:08 PM, 1106 bytes, A Adds the file smim0.std"="7/28/2015 5:18 PM, 6702 bytes, A Adds the file ThreatCategoryGlossary.xml"="3/28/2013 5:36 AM, 47016 bytes, A Adds the file ThreatCategoryGlossary.xsd"="2/25/2010 10:59 AM, 1736 bytes, A Adds the file ThreatDT.vdx"="4/18/2018 2:04 PM, 7981092 bytes, A Adds the file ThreatID.vdx"="4/18/2018 2:04 PM, 1458450 bytes, A Adds the file TImem.vdx"="4/19/2018 8:52 AM, 3574 bytes, A Adds the file unpck0.std"="4/17/2015 9:40 AM, 55436 bytes, A Adds the file updater.dll"="6/26/2015 3:14 AM, 175992 bytes, A Adds the file Upgrade.exe"="1/11/2018 2:55 PM, 354488 bytes, A Adds the file vcore.dll"="6/26/2015 3:14 AM, 5468024 bytes, A Adds the file VVSSigs.vdx"="9/11/2013 10:39 PM, 36105 bytes, A Adds the file WebFilterExceptions.dat"="10/17/2011 12:20 PM, 184 bytes, A Adds the file white.wtd"="4/18/2018 10:17 PM, 60647466 bytes, A Adds the file white0.std"="2/8/2018 5:37 AM, 56190 bytes, A Adds the file whsl.wtd"="4/18/2018 10:17 PM, 844192 bytes, A Adds the folder C:\ProgramData\PCProSettingsLocal\av\d\LKGD Adds the folder C:\ProgramData\PCProSettingsLocal\av\d\Staging Adds the folder C:\ProgramData\PCProSettingsLocal\av\d\WDBF Adds the folder C:\ProgramData\PCProSettingsLocal\av\q Adds the folder C:\ProgramData\PCProSettingsLocal\av\tmp In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar Adds the file PC Cleaner Pro.lnk"="4/19/2018 8:44 AM, 781 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC Cleaners Adds the file PC Cleaner Pro.lnk"="4/19/2018 8:44 AM, 781 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file PC Cleaner Pro.lnk"="4/19/2018 8:44 AM, 745 bytes, A In the existing folder C:\Windows\System32\drivers Adds the file gfiutil.sys"="3/4/2016 10:26 AM, 32400 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file PC Software Updater"="4/19/2018 8:44 AM, 3362 bytes, A Adds the file PCCleaner-Maintenance-Autorun"="4/19/2018 8:44 AM, 3256 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PCCleanerSettings] "Location"="REG_SZ", "C:\ProgramData\PCCleaner Pro" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\gfiutil] "DisplayName"="REG_SZ", "gfiutil" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, "system32\drivers\gfiutil.sys" "Start"="REG_DWORD", 3 "Type"="REG_DWORD", 1 "WOW64"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\Classes\apprdsdef02] "19.4.2018"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaners] "DisplayIcon"="REG_SZ", "C:\ProgramData\PCCleaner Pro\PCCleaners.exe" "DisplayName"="REG_SZ", "PC Cleaners" "DisplayVersion"="REG_SZ", "14.0" "InstallLocation"="REG_SZ", "C:\ProgramData\PCCleaner Pro" "Publisher"="REG_SZ", "PC Cleaners" "UninstallString"="REG_SZ", ""C:\ProgramData\appclunst.exe" -uninst" "VersionMajor"="REG_DWORD", 14 "VersionMinor"="REG_DWORD", 0 [HKEY_CURRENT_USER\Software\PCCleanerSettings] "Location"="REG_SZ", "C:\ProgramData\PCCleaner Pro" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/19/18 Scan Time: 9:02 AM Log File: a986031f-439f-11e8-965a-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4790 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 246128 Threats Detected: 175 Threats Quarantined: 175 Time Elapsed: 2 min, 53 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCCleanerPro, C:\ProgramData\PCCleaner Pro\PCCleaners.exe, Quarantined, [532], [380379],1.0.4790 Module: 21 PUP.Optional.PCCleanerPro, C:\ProgramData\PCCleaner Pro\gfiutil.dll, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCCleaner Pro\PCCleaners.exe, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\lgpl.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\lib7zip.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libBase64.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libEmail.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libMachoUniv.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libMsCab.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libMsi.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libNSIS.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libOleA.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libRar.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libRTF.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libtd.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libVvs.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libZip.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\remediation.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\vcore.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\SBTE.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\SpursDownload.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\vipre.dll, Quarantined, [532], [393100],1.0.4790 Registry Key: 15 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Software Updater, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{460C2BFF-CCED-437A-897E-AA02B290D7AF}, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{460C2BFF-CCED-437A-897E-AA02B290D7AF}, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PCCleaner-Maintenance-Autorun, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{58F68C5F-AF5F-4992-8001-03B0ACC54FBD}, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{58F68C5F-AF5F-4992-8001-03B0ACC54FBD}, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PCCleaner-Maintenance-Autorun, Quarantined, [532], [393106],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{58F68C5F-AF5F-4992-8001-03B0ACC54FBD}, Quarantined, [532], [393106],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{58F68C5F-AF5F-4992-8001-03B0ACC54FBD}, Quarantined, [532], [393106],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC SOFTWARE UPDATER, Quarantined, [532], [393110],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{460C2BFF-CCED-437A-897E-AA02B290D7AF}, Quarantined, [532], [393110],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{460C2BFF-CCED-437A-897E-AA02B290D7AF}, Quarantined, [532], [393110],1.0.4790 PUP.Optional.PCCleanerPro, HKCU\SOFTWARE\PCCLEANERSETTINGS, Quarantined, [532], [397069],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\WOW6432NODE\PCCLEANERSETTINGS, Quarantined, [532], [458632],1.0.4790 PUP.Optional.PCCleanerPro, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PC Cleaners, Quarantined, [532], [512187],1.0.4790 Registry Value: 4 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{460C2BFF-CCED-437A-897E-AA02B290D7AF}|PATH, Quarantined, [532], [393108],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{58F68C5F-AF5F-4992-8001-03B0ACC54FBD}|PATH, Quarantined, [532], [393104],1.0.4790 PUP.Optional.PCCleanerPro, HKCU\SOFTWARE\PCCLEANERSETTINGS|LOCATION, Quarantined, [532], [397069],1.0.4790 PUP.Optional.PCCleanerPro, HKLM\SOFTWARE\WOW6432NODE\PCCLEANERSETTINGS|LOCATION, Quarantined, [532], [458632],1.0.4790 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.PCCleanerPro, C:\PROGRAMDATA\PCCLEANER PRO, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PC CLEANERS, Quarantined, [532], [346012],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\Staging, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\LKGD, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\WDBF, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\tmp, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\q, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\PROGRAMDATA\PCPROSETTINGSLOCAL, Quarantined, [532], [393100],1.0.4790 File: 124 PUP.Optional.PCCleanerPro, C:\PROGRAMDATA\PCCLEANER PRO\FSSC.DAT, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCCleaner Pro\gfiutil.dll, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCCleaner Pro\gfiutl32.sys, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCCleaner Pro\gfiutl64.sys, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCCleaner Pro\PCCleaners.exe, Delete-on-Reboot, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, C:\WINDOWS\SYSTEM32\TASKS\PC Software Updater, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, C:\WINDOWS\SYSTEM32\TASKS\PCCleaner-Maintenance-Autorun, Quarantined, [532], [380379],1.0.4790 PUP.Optional.PCCleanerPro, C:\WINDOWS\SYSTEM32\TASKS\PCCleaner-Maintenance-Autorun, Quarantined, [532], [393106],1.0.4790 PUP.Optional.PCCleanerPro, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PC CLEANERS\PC CLEANER PRO.LNK, Quarantined, [532], [346012],1.0.4790 PUP.Optional.PCCleanerPro, C:\USERS\PUBLIC\DESKTOP\PC CLEANER PRO.LNK, Quarantined, [532], [345327],1.0.4790 PUP.Optional.PCCleanerPro, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\USER PINNED\TASKBAR\PC CLEANER PRO.LNK, Quarantined, [532], [345331],1.0.4790 PUP.Optional.PCCleanerPro, C:\WINDOWS\SYSTEM32\TASKS\PC SOFTWARE UPDATER, Quarantined, [532], [393110],1.0.4790 PUP.Optional.PCCleanerPro, C:\PROGRAMDATA\PCPROSETTINGSLOCAL\ST.TXT, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\DefVer.txt, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\acertdefs0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\adsrules.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\AdviceTx.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\api0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\apincl.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\apprules.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\bhmem.vtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\bhsl.vtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\bmem.vtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\CatDesc.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\CatID.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\cblk.vtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\ckmem.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\cmem.vtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\cname.wtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\comp0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\compatv.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\Cookies.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\CoreVer.txt, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\ctid.vtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\defs0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\dexmem.vtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\dex_hash.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\dnrl.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\dnrlmem.vtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\elf_hash.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\EPSigs.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\FastSigs.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\FileDT.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\FolderDT.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\fsigs.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\gfiark.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\gfiark32.sys, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\gfiark64.sys, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\gfiarkup.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\gfiutil.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\gfiutl32.sys, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\gfiutl64.sys, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\hcol.wtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\heur0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\HistoryCleaner.xml, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\hstn.vtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\idsrules.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\ih.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\ihmem.vtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\IncompatiblePrograms.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\incompats.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\ip.vtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\JSSigs.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\kbu.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\kbu.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\lgpl.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\lib7zip.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libBase64.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libCHM.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libEmail.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libMachoUniv.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libMsCab.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libMsi.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libNSIS.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libOleA.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libRar.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libRTF.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libtd.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libVvs.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\libZip.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\macroptn.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\MFastSigs.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\mime0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\networkrules.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\pack0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\patch0109.exe, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\patchw32.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\qscnf.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\qscnr.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\RegDT.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\rem0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\remediation.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\RootCA.wtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\RTmem.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\SBTS.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\script0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\sdll0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\sel.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\seri.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\smim0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\ThreatCategoryGlossary.xml, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\ThreatCategoryGlossary.xsd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\ThreatDT.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\ThreatID.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\TImem.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\unpck0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\updater.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\Upgrade.exe, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\vcore.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\VVSSigs.vdx, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\WebFilterExceptions.dat, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\white.wtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\white0.std, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\d\whsl.wtd, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\SBTE.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\SpursDownload.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\unrar.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\av\vipre.dll, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\res.db, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\ProgramData\PCProSettingsLocal\st.db, Quarantined, [532], [393100],1.0.4790 PUP.Optional.PCCleanerPro, C:\PROGRAMDATA\APPCLUNST.EXE, Quarantined, [532], [512187],1.0.4790 PUP.Optional.PCCleanerPro, C:\USERS\{username}\DESKTOP\PCPRO-INSTALLER.EXE, Quarantined, [532], [512187],1.0.4790 PUP.Optional.PCCleanerPro, C:\USERS\{username}\APPDATA\LOCAL\TEMP\PINST01.DAT, Quarantined, [532], [512188],1.0.4790 PUP.Optional.PCCleanerPro, C:\USERS\{username}\DOWNLOADS\PCPRO-INSTALLER.EXE, Quarantined, [532], [512187],1.0.4790 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is MediaNewPage?The Malwarebytes research team has determined that MediaNewPage is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one also comes as a Chrome extension.How do I know if my computer is affected by MediaNewPage?You may see this entry in your list of installed Firefox extensions:and these warnings during install:and notice this altered setting:How did MediaNewPage get on my computer?Browser hijackers use different methods for distributing themselves. This one was installed through their website:How do I remove MediaNewPage?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MediaNewPage? No, Malwarebytes removes MediaNewPage completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the MediaNewPage hijacker. It would have blocked the site that installs the extension: Technical details for expertsPossible signs in FRST logs: FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{24912aaa-d0e6-468f-ae3b-bc30c6cf208f}.xpi [2018-04-18] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file {24912aaa-d0e6-468f-ae3b-bc30c6cf208f}.xpi"="4/18/2018 8:36 AM, 22717 bytes, A Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/18/18 Scan Time: 8:53 AM Log File: 4124908a-42d5-11e8-832b-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4776 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 245871 Threats Detected: 1 Threats Quarantined: 1 Time Elapsed: 2 min, 46 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 PUP.Optional.MediaNewTab, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\{24912AAA-D0E6-468F-AE3B-BC30C6CF208F}.XPI, Quarantined, [4792], [510037],1.0.4776 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is hqfokcomiew?The Malwarebytes research team has determined that hqfokcomiew is adware. These adware applications display advertisements not originating from the sites you are browsing.This particular one runs a Scheduled Task to open a preset site in the default browser.How do I know if my computer is affected by hqfokcomiew?You may see this task in your list of Scheduled Tasks:How did hqfokcomiew get on my computer?Adware applications use different methods for distributing themselves. This particular one was installed by a bundler.How do I remove hqfokcomiew?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of hqfokcomiew? No, Malwarebytes removes hqfokcomiew completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the hqfokcomiew adware. It would have blocked their domain. Technical details for expertsPossible signs in FRST logs: C:\Windows\System32\Tasks\hqfokcomiew Task: {1C4CFD51-DA07-4703-B79B-7B9A6929F607} - System32\Tasks\hqfokcomiew => Chrome.exe hqfok.com/iew Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- In the existing folder C:\Windows\System32\Tasks Adds the file hqfokcomiew"="4/17/2018 8:40 AM, 3356 bytes, A Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/17/18 Scan Time: 8:50 AM Log File: 9912a929-420b-11e8-8828-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4762 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 245694 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 2 min, 28 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 3 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\HQFOKCOMIEW, Quarantined, [6210], [510219],1.0.4762 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1C4CFD51-DA07-4703-B79B-7B9A6929F607}, Quarantined, [6210], [510219],1.0.4762 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{1C4CFD51-DA07-4703-B79B-7B9A6929F607}, Quarantined, [6210], [510219],1.0.4762 Registry Value: 1 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1C4CFD51-DA07-4703-B79B-7B9A6929F607}|PATH, Quarantined, [6210], [510220],1.0.4762 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 9 Adware.StartPage.BatBitRst, C:\WINDOWS\SYSTEM32\TASKS\HQFOKCOMIEW, Quarantined, [6210], [510219],1.0.4762 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [6210], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [6210], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [6210], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [6210], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [6210], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [6210], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [6210], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [6210], [-1],0.0.0 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is DoctoPDF?The Malwarebytes research team has determined that DoctoPDF is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This one changes both startpages and newtabs.How do I know if my computer is affected by DoctoPDF?You may see these warnings during install on Chrome:these browser add-ons:Firefox extensionand this screen for the Internet Explorer installer:and you will see this new startpage:How did DoctoPDF get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was offered through ad-rotators.How do I remove DoctoPDF?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of DoctoPDF? No, Malwarebytes removes DoctoPDF completely. We advise users who had their browser(s) hijacked to read our Restore your Browser page. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the DoctoPDF hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block the site promoting these hijackers: Technical details for expertsPossible signs in FRST logs: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://getdoc2pdf.com/?a=pie_mbxhvnir9bdfhjls4tk8x0_16_18&cd=2XzuyEtN1Q2Zzu0StBtBzyyBtN1Q2Z1B1P1RzutCyDtBtAzzyCtCyDzyzytN1L2XzutN1L1CzutN2Y1L1QzutDzztDtDtByBtBtAyD0DyByCyBtDyCyCtN1L1G1B1V1N2Y1L1QzutBtDtCzztDyEtCyCtDzzyDtAtCyCyEtDyCtN2V1I1E1V1E1P1C1B1V1N2Y1L1QzutN2V1I1E1V1B1P1B1B1V1N2Y1L1Qzu&cr=2127133731&f=1 FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{33b0a817-bb94-4ff8-90d5-54d7519ef143}.xpi [2018-04-16] CHR Extension: (DoctoPDF) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi [2018-04-16] Malwarebytes log for the Chrome extension removal: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/16/18 Scan Time: 9:06 AM Log File: a1b089ab-4144-11e8-becc-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4748 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 246417 Threats Detected: 153 Threats Quarantined: 153 Time Elapsed: 3 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 15 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\icons, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\tiles, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\maps, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\fonts, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\skin\icons, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\_metadata, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\vendor, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\skin, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HIOKJAGCIEGGABHLEODPLMJIMLCEMLOI, Quarantined, [14898], [510565],1.0.4748 File: 138 PUP.Optional.DocToPDF.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HIOKJAGCIEGGABHLEODPLMJIMLCEMLOI\10.1.2.77_0\RESPONSECONFIG.JSON, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\fonts\HelveticaNeue-Thin.otf, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\fonts\HelveticaNeueLT-Roman.woff, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\fonts\neue-bold.woff, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\fonts\neue.woff, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter\close-FF8A5A.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter\collection-9B9B9B.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter\collection-FF691E.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter\doc-icon-FFFFFF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter\error-FF691E.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter\pdf-2-doc-9B9B9B.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter\pdf-2-doc-FFFFFF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter\pdf-icon-FFFFFF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter\success-FF8A5A.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter\tab-arrow-FF691E.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\converter\upload-FF691E.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\icons\128.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\icons\16.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\icons\48.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\icons\close.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\icons\favicon.ico, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\icons\trends.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\maps\bing-maps-FFFFFF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\maps\from-to-icon-8881FF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\maps\google-maps-FFFFFF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\maps\location-icon-8881FF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\maps\search-4A4A4A.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\maps\search-8881FF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\maps\switch-8881FF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\maps\tab-arrow-8881FF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\maps\whereto-logo-8881FF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\maps\whereto-logo-FFFFFF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\aliexpress_tile_v2.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\amazon_tile_v2.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\booking_tile_v2.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\ebay.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\ebay_tile_v2.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\facebook.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\facebook_tile_v2.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\gmail.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\gmail_tile_v2.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\google-translate-icon-FFFFFF.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\gtranslte.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\pinterest.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\twitter.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\twitter_tile_v2.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\wix_tile_v2.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\yahoo.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\yahoo_tile_v2.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\youtube.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sitesThumbnails\youtube_tile_v2.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\tiles\DOC-to-PDF.jpg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\tiles\PDF-to-DOC.jpg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\tiles\Translation.jpg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\tiles\View-PDF.jpg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\01d.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\01n.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\02d.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\02n.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\03d.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\03n.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\04d.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\04n.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\09d.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\09n.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\10d.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\10n.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\11d.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\11n.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\13d.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\13n.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\50d.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\weather\50n.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\enhanced_google.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\angle-arrow-down.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\bing.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\bing_large.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\bluesky-bg.jpg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\brush.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\bt.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\clock.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\cloud.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\cupcake-bg.jpg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\desk-bg.jpg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\doodle.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\down.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\eyeglass.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\eyeglass_transparent.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\gmx_large.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\google.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\google_large.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\hero-bg.jpg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\just-the-box-empty.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\just-the-box.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\mountain-bg.jpg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\pointer2.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\radio-selected.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\radio-unselected.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\sea-bg.jpg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\search-D7D7D7.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\settings.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\smallMagnifier.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\star-unselected.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\star.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\todoc.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\toggle-off.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\toggle-on.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\topdf.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\transparent_img.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\yahoo.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\yahoo.svg, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\yahoo_large.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\yandex.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\_enhanced_google.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\images\_gmx_large.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\content\bundle.v0.0.1.min.css, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\skin\icons\16.png, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\vendor\md5.min.js, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\vendor\react-dom.min.js, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\vendor\react-with-addons.min.js, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\_metadata\computed_hashes.json, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\_metadata\verified_contents.json, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\2bfc185be71f44cd73ac81511fc1f5a5.woff, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\b495e340f4ef8924fea0284c1bf9e7ac.woff, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\background.html, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\background.v0.0.1.min.js, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\c5a5cbf4dbcaa7064f2bc77f52101aec.otf, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\client.v0.0.1.min.js, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\common.js.v0.0.1.min.js, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\e5d3501d500d07b0a1e952b0f8a81d78.woff, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\e_.json, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\index.html, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\manifest.json, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\popupTab2.html, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.DocToPDF.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiokjagcieggabhleodplmjimlcemloi\10.1.2.77_0\popupTab2.js, Quarantined, [14898], [510565],1.0.4748 PUP.Optional.InstallCore, C:\USERS\{username}\DESKTOP\DOCTOPDF.EXE, Quarantined, [392], [506493],1.0.4748 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Search Encrypt?The Malwarebytes research team has determined that Search Encrypt is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.How do I know if my computer is affected by Search Encrypt?You may see these warnings during install:these browser add-ons:and changed Settings like these:and you will see this icon in your browsers' menubar:How did Search Encrypt get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was offered after installing other potentially unwanted software.How do I remove Search Encrypt?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Search Encrypt? No, Malwarebytes removes Search Encrypt completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Search Encrypt hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@search-encrypt.xpi [2018-04-13] CHR DefaultSearchURL: Default -> hxxps://www.search-encrypt.com/encsearch?q={searchTerms} CHR DefaultSearchKeyword: Default -> se CHR Extension: (Search Encrypt) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde [2018-04-13] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0 Adds the file manifest.json"="4/13/2018 8:45 AM, 2104 bytes, A Adds the file popup.html"="11/28/2017 3:19 PM, 2017 bytes, A Adds the file settings.html"="11/28/2017 3:19 PM, 12031 bytes, A Adds the file util.js"="11/28/2017 3:19 PM, 4768 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\_metadata Adds the file computed_hashes.json"="4/13/2018 8:45 AM, 4099 bytes, A Adds the file verified_contents.json"="11/28/2017 3:36 PM, 3285 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\css Adds the file tooltip.css"="11/28/2017 3:19 PM, 1296 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\img\se Adds the file icon128.png"="4/13/2018 8:45 AM, 5411 bytes, A Adds the file icon16.png"="4/13/2018 8:45 AM, 758 bytes, A Adds the file icon16_disabled.png"="4/13/2018 8:45 AM, 729 bytes, A Adds the file icon48.png"="4/13/2018 8:45 AM, 2342 bytes, A Adds the file input-checked.png"="11/9/2017 12:11 PM, 318 bytes, A Adds the file input-unchecked.png"="11/9/2017 12:11 PM, 154 bytes, A Adds the file si-logo.png"="11/9/2017 12:11 PM, 32164 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\lib Adds the file bg.js"="11/28/2017 3:20 PM, 58805 bytes, A Adds the file jquery.js"="11/28/2017 3:19 PM, 115193 bytes, A Adds the file label.js"="11/28/2017 3:19 PM, 8502 bytes, A Adds the file popup.js"="11/28/2017 3:19 PM, 2573 bytes, A Adds the file savesettings.js"="11/28/2017 3:19 PM, 4352 bytes, A Adds the file warn-user-of-potential-redirect.js"="11/28/2017 3:19 PM, 6913 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jhdjoncehmfoobadeedcgipeidikgnde Adds the file 000003.log"="4/13/2018 8:45 AM, 279 bytes, A Adds the file CURRENT"="4/13/2018 8:45 AM, 16 bytes, A Adds the file LOCK"="4/13/2018 8:45 AM, 0 bytes, A Adds the file LOG"="4/13/2018 8:45 AM, 184 bytes, A Adds the file MANIFEST-000001"="4/13/2018 8:45 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\@search-encrypt Adds the file storage.js"="4/13/2018 8:43 AM, 12710 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @search-encrypt.xpi"="4/13/2018 8:43 AM, 454714 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jhdjoncehmfoobadeedcgipeidikgnde"="REG_SZ", "A0F72904B77E656CB9E620FAD4F2C6C20CDB334C3A071B17FB70B18DA9BF161D" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/13/18 Scan Time: 8:56 AM Log File: c16c73d1-3ee7-11e8-90ff-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4718 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 246079 Threats Detected: 38 Threats Quarantined: 38 Time Elapsed: 2 min, 40 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.SearchEncrypt, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\@SEARCH-ENCRYPT, Quarantined, [1698], [506346],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jhdjoncehmfoobadeedcgipeidikgnde, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\_metadata, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\img\se, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\css, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\img, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\lib, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JHDJONCEHMFOOBADEEDCGIPEIDIKGNDE, Quarantined, [14859], [448980],1.0.4718 File: 29 PUP.Optional.SearchEncrypt, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\@SEARCH-ENCRYPT.XPI, Quarantined, [1698], [506348],1.0.4718 PUP.Optional.SearchEncrypt, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\@search-encrypt\storage.js, Quarantined, [1698], [506346],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jhdjoncehmfoobadeedcgipeidikgnde\000003.log, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jhdjoncehmfoobadeedcgipeidikgnde\CURRENT, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jhdjoncehmfoobadeedcgipeidikgnde\LOCK, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jhdjoncehmfoobadeedcgipeidikgnde\LOG, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jhdjoncehmfoobadeedcgipeidikgnde\MANIFEST-000001, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JHDJONCEHMFOOBADEEDCGIPEIDIKGNDE\2.1.5_0\MANIFEST.JSON, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\css\tooltip.css, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\img\se\icon128.png, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\img\se\icon16.png, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\img\se\icon16_disabled.png, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\img\se\icon48.png, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\img\se\input-checked.png, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\img\se\input-unchecked.png, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\img\se\si-logo.png, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\lib\bg.js, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\lib\jquery.js, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\lib\label.js, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\lib\popup.js, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\lib\savesettings.js, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\lib\warn-user-of-potential-redirect.js, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\_metadata\computed_hashes.json, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\_metadata\verified_contents.json, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\popup.html, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\settings.html, Quarantined, [14859], [448980],1.0.4718 PUP.Optional.SearchEncrypt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhdjoncehmfoobadeedcgipeidikgnde\2.1.5_0\util.js, Quarantined, [14859], [448980],1.0.4718 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Auto PC Booster 2018?The Malwarebytes research team has determined that Auto PC Booster 2018 is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Auto PC Booster 2018?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and these screens during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did Auto PC Booster 2018 get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website.How do I remove Auto PC Booster 2018?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Auto PC Booster 2018? No, Malwarebytes removes Auto PC Booster 2018 completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Auto PC Booster 2018 installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domains: Technical details for expertsYou may see these entries in FRST logs: () C:\Program Files\Auto PC Booster 2018 for {computername}\mysysm.exe C:\Windows\System32\Tasks\Auto PC Booster 2018_Logon C:\Users\{username}\AppData\Roaming\Auto PC Booster 2018 For {computername} C:\Users\Public\Desktop\Auto PC Booster 2018.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto PC Booster 2018 for {computername} C:\ProgramData\Auto PC Booster 2018 for {computername} C:\Program Files\Auto PC Booster 2018 for {computername} Auto PC Booster 2018 (HKLM\...\{7B1AE0CD-7ED9-44C2-8ED8-DFA8522119DE}_is1) (Version: 3.6.0.0 - ) Task: {333EC2B5-9BD9-456C-9DAD-E2426CD22806} - System32\Tasks\Auto PC Booster 2018_Logon => C:\Program Files\Auto PC Booster 2018 for {computername}\mysysm.exe [2018-04-06] () Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Auto PC Booster 2018 for {computername} Adds the file application.ico"="2/6/2018 10:43 AM, 56150 bytes, A Adds the file danish_iss.ini"="5/23/2017 6:31 PM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/23/2017 6:31 PM, 2600 bytes, A Adds the file english_iss.ini"="5/23/2017 6:31 PM, 2256 bytes, A Adds the file finish_iss.ini"="5/23/2017 6:31 PM, 2368 bytes, A Adds the file French_iss.ini"="5/23/2017 6:31 PM, 2792 bytes, A Adds the file german_iss.ini"="5/23/2017 6:31 PM, 2658 bytes, A Adds the file gtcmg.dll"="4/6/2018 11:07 AM, 2841024 bytes, A Adds the file HtmlRenderer.dll"="4/6/2018 11:07 AM, 228288 bytes, A Adds the file HtmlRenderer.WinForms.dll"="4/6/2018 11:07 AM, 67008 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="4/6/2018 11:07 AM, 55744 bytes, A Adds the file italian_iss.ini"="5/23/2017 6:31 PM, 2532 bytes, A Adds the file japanese_iss.ini"="5/23/2017 6:32 PM, 1844 bytes, A Adds the file langs.db"="2/6/2018 4:13 PM, 446464 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="4/6/2018 11:07 AM, 177600 bytes, A Adds the file mysysm.exe"="4/6/2018 11:07 AM, 2036160 bytes, A Adds the file mysysm.exe.config"="4/6/2018 11:07 AM, 5432 bytes, A Adds the file NAudio.dll"="4/6/2018 11:07 AM, 477632 bytes, A Adds the file norwegian_iss.ini"="5/23/2017 6:32 PM, 2358 bytes, A Adds the file portuguese_iss.ini"="5/23/2017 6:32 PM, 2424 bytes, A Adds the file russian_iss.ini"="5/23/2017 6:32 PM, 2494 bytes, A Adds the file spanish_iss.ini"="5/23/2017 6:32 PM, 2548 bytes, A Adds the file swedish_iss.ini"="5/23/2017 6:32 PM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="4/6/2018 11:07 AM, 297408 bytes, A Adds the file TAFactory.IconPack.dll"="4/6/2018 11:07 AM, 43456 bytes, A Adds the file unins000.dat"="4/12/2018 8:45 AM, 84011 bytes, A Adds the file unins000.exe"="4/12/2018 8:45 AM, 1235392 bytes, A Adds the file unins000.msg"="4/12/2018 8:45 AM, 22701 bytes, A Adds the folder C:\Program Files\Auto PC Booster 2018 for {computername}\x64 Adds the file SQLite.Interop.dll"="4/6/2018 11:07 AM, 1182144 bytes, A Adds the folder C:\Program Files\Auto PC Booster 2018 for {computername}\x86 Adds the file SQLite.Interop.dll"="4/6/2018 11:07 AM, 861120 bytes, A Adds the folder C:\ProgramData\Auto PC Booster 2018 for {computername} Adds the file mdb.db"="10/3/2017 4:30 PM, 835584 bytes, A Adds the file pcspstartrepair_en.mp3"="3/2/2017 11:05 AM, 130973 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto PC Booster 2018 for {computername} Adds the file Auto PC Booster 2018.lnk"="4/12/2018 8:45 AM, 1021 bytes, A Adds the file Buy Auto PC Booster 2018.lnk"="4/12/2018 8:45 AM, 1033 bytes, A Adds the file Uninstall Auto PC Booster 2018.lnk"="4/12/2018 8:45 AM, 1033 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Auto PC Booster 2018 For {computername} Adds the file Errorlog.txt"="4/12/2018 8:47 AM, 13982 bytes, A Adds the file exlist.bin"="4/12/2018 8:46 AM, 258029 bytes, A Adds the file param.ini"="4/12/2018 8:45 AM, 376 bytes, A Adds the file res.xml"="4/12/2018 8:47 AM, 8271 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Auto PC Booster 2018 For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file Auto PC Booster 2018.lnk"="4/12/2018 8:45 AM, 1003 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Auto PC Booster 2018_Logon"="4/12/2018 8:46 AM, 3088 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Auto PC Booster 2018 For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.trkinstl.com/install/abp/?" "apst"="REG_DWORD", 0 "btnid"="REG_SZ", "" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "nl" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, .......................................................................................................................................................................................................................................................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\Auto PC Booster 2018 for {computername}" "ipaddrurl"="REG_SZ", "http://www.trkinstl.com/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "lstregscancount"="REG_DWORD", 20 "lstscandate"="REG_SZ", "4/12/2018 8:47:08 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 20 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.trkinstl.com/ipfiles/" "playsound"="REG_DWORD", 1 "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.speeduppcutils.com/abp/price?" "pxl"="REG_SZ", "WAD2233_WAD2187_RUNT" "referurl"="REG_SZ", "" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.speeduppcutils.com/abp/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.speeduppcutils.com/help/" "TELNO"="REG_SZ", "+31-08-58882839" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "(855)-332-0124" "utm_campaign"="REG_SZ", "wadsphere" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "1d92a736-cecd-4fbd-9f74-ef26d8616e82" "utm_source"="REG_SZ", "wadsphere" "WebURL"="REG_SZ", "http://www.speeduppcutils.com/" "wfoset"="REG_DWORD", 1 "x-at"="REG_SZ", "64787" "x-ccode"="REG_SZ", "nl" "x-context"="REG_SZ", "d5SF3SLMVVAIMPI8104KQ4C8" "x-datetime"="REG_SZ", "04-12-2018 06:45:53 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "90_145_230_242" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B1AE0CD-7ED9-44C2-8ED8-DFA8522119DE}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Auto PC Booster 2018 for {computername}\mysysm.exe" "DisplayName"="REG_SZ", "Auto PC Booster 2018" "DisplayVersion"="REG_SZ", "3.6.0.0" "EstimatedSize"="REG_DWORD", 13525 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Auto PC Booster 2018 for {computername}" "Inno Setup: Icon Group"="REG_SZ", "Auto PC Booster 2018 for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20180412" "InstallLocation"="REG_SZ", "C:\Program Files\Auto PC Booster 2018 for {computername}\" "MajorVersion"="REG_DWORD", 3 "MinorVersion"="REG_DWORD", 6 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Auto PC Booster 2018 for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Auto PC Booster 2018 for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\QXV0byBQQyBCb29zdGVyIDIwMTg=\ACT] "data"="REG_BINARY, ....................................................................................................................................................................................................................................................................................................._......................... [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "nl" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WAD2233_WAD2187_RUNT" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "wadsphere" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "1d92a736-cecd-4fbd-9f74-ef26d8616e82" "utm_source"="REG_SZ", "wadsphere" "x-at"="REG_SZ", "64787" "x-context"="REG_SZ", "d5SF3SLMVVAIMPI8104KQ4C8" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\Auto PC Booster 2018 for {computername}] "btnid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\Auto PC Booster 2018 for {computername}" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WAD2233_WAD2187_RUNT" "referurl"="REG_SZ", "" "utm_campaign"="REG_SZ", "wadsphere" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "1d92a736-cecd-4fbd-9f74-ef26d8616e82" "utm_source"="REG_SZ", "wadsphere" "x-at"="REG_SZ", "64787" "x-context"="REG_SZ", "d5SF3SLMVVAIMPI8104KQ4C8" "x-datetime"="REG_SZ", "04-12-2018 06:45:53 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "90_145_230_242" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\Auto PC Booster 2018 for {computername}\3.6.0.0] "Installstring"="REG_SZ", "C:\Program Files\Auto PC Booster 2018 for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/12/18 Scan Time: 8:56 AM Log File: 92eea197-3e1e-11e8-8aa0-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4708 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 246070 Threats Detected: 68 Threats Quarantined: 68 Time Elapsed: 3 min, 8 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\mysysm.exe, Quarantined, [3510], [509465],1.0.4708 Module: 6 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\x64\SQLite.Interop.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\mysysm.exe, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\System.Data.SQLite.DLL, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\TAFactory.IconPack.dll, Quarantined, [3510], [509465],1.0.4708 Registry Key: 9 PUP.Optional.AutoPCBooster, HKLM\SOFTWARE\Auto PC Booster 2018 For {computername}, Quarantined, [3510], [509470],1.0.4708 PUP.Optional.AutoPCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Auto PC Booster 2018_Logon, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{333EC2B5-9BD9-456C-9DAD-E2426CD22806}, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{333EC2B5-9BD9-456C-9DAD-E2426CD22806}, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{7B1AE0CD-7ED9-44C2-8ED8-DFA8522119DE}_is1, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, HKCU\SOFTWARE\Auto PC Booster 2018 for {computername}, Quarantined, [3510], [509471],1.0.4708 PUP.Optional.PCFixerPro, HKLM\SOFTWARE\MICROSOFT\TRACING\mysysm_RASAPI32, Quarantined, [1268], [501684],1.0.4708 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR, Quarantined, [1105], [484510],1.0.4708 PUP.Optional.PCFixerPro, HKLM\SOFTWARE\MICROSOFT\TRACING\mysysm_RASMANCS, Quarantined, [1268], [501684],1.0.4708 Registry Value: 3 PUP.Optional.AutoPCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{7B1AE0CD-7ED9-44C2-8ED8-DFA8522119DE}_is1|DISPLAYNAME, Quarantined, [3510], [509476],1.0.4708 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1105], [484510],1.0.4708 PUP.Optional.AutoPCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{333EC2B5-9BD9-456C-9DAD-E2426CD22806}|PATH, Quarantined, [3510], [509478],1.0.4708 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.AutoPCBooster, C:\Users\{username}\AppData\Roaming\Auto PC Booster 2018 For {computername}\smico, Quarantined, [3510], [509468],1.0.4708 PUP.Optional.AutoPCBooster, C:\USERS\{username}\APPDATA\ROAMING\Auto PC Booster 2018 For {computername}, Quarantined, [3510], [509468],1.0.4708 PUP.Optional.AutoPCBooster, C:\PROGRAMDATA\Auto PC Booster 2018 for {computername}, Quarantined, [3510], [509473],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\x64, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\x86, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\PROGRAM FILES\Auto PC Booster 2018 for {computername}, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Auto PC Booster 2018 for {computername}, Quarantined, [3510], [509466],1.0.4708 File: 42 PUP.Optional.AutoPCBooster, C:\USERS\{username}\APPDATA\ROAMING\Auto PC Booster 2018 For {computername}\Errorlog.txt, Quarantined, [3510], [509468],1.0.4708 PUP.Optional.AutoPCBooster, C:\Users\{username}\AppData\Roaming\Auto PC Booster 2018 For {computername}\exlist.bin, Quarantined, [3510], [509468],1.0.4708 PUP.Optional.AutoPCBooster, C:\Users\{username}\AppData\Roaming\Auto PC Booster 2018 For {computername}\param.ini, Quarantined, [3510], [509468],1.0.4708 PUP.Optional.AutoPCBooster, C:\Users\{username}\AppData\Roaming\Auto PC Booster 2018 For {computername}\res.xml, Quarantined, [3510], [509468],1.0.4708 PUP.Optional.AutoPCBooster, C:\PROGRAMDATA\Auto PC Booster 2018 for {computername}\mdb.db, Quarantined, [3510], [509473],1.0.4708 PUP.Optional.AutoPCBooster, C:\ProgramData\Auto PC Booster 2018 for {computername}\pcspstartrepair_en.mp3, Quarantined, [3510], [509473],1.0.4708 PUP.Optional.AutoPCBooster, C:\PROGRAM FILES\Auto PC Booster 2018 for {computername}\unins000.dat, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\x64\SQLite.Interop.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\x86\SQLite.Interop.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\italian_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\application.ico, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\danish_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\Dutch_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\english_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\finish_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\French_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\german_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\gtcmg.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\HtmlRenderer.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\japanese_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\langs.db, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\mysysm.exe, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\mysysm.exe.config, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\NAudio.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\norwegian_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\portuguese_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\russian_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\spanish_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\swedish_iss.ini, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\System.Data.SQLite.DLL, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\TAFactory.IconPack.dll, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\unins000.exe, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\Program Files\Auto PC Booster 2018 for {computername}\unins000.msg, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\WINDOWS\SYSTEM32\TASKS\Auto PC Booster 2018_Logon, Quarantined, [3510], [509465],1.0.4708 PUP.Optional.AutoPCBooster, C:\USERS\PUBLIC\DESKTOP\Auto PC Booster 2018.lnk, Quarantined, [3510], [509469],1.0.4708 PUP.Optional.AutoPCBooster, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto PC Booster 2018 for {computername}\Auto PC Booster 2018.lnk, Quarantined, [3510], [509466],1.0.4708 PUP.Optional.AutoPCBooster, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto PC Booster 2018 for {computername}\Buy Auto PC Booster 2018.lnk, Quarantined, [3510], [509466],1.0.4708 PUP.Optional.AutoPCBooster, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto PC Booster 2018 for {computername}\Uninstall Auto PC Booster 2018.lnk, Quarantined, [3510], [509466],1.0.4708 PUP.Optional.AutoPCBooster, C:\USERS\{username}\DESKTOP\APBSETUP.EXE, Quarantined, [3510], [509516],1.0.4708 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is hotivitnetoiqe?The Malwarebytes research team has determined that hotivitnetoiqe is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.How do I know if my computer is affected by hotivitnetoiqe?You may see this Scheduled Task:How did hotivitnetoiqe get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.How do I remove hotivitnetoiqe?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of hotivitnetoiqe? No, Malwarebytes removes hotivitnetoiqe completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the hotivitnetoiqe hijacker. It will block the site that the hijacker tries to open: Technical details for expertsPossible signs in FRST logs: C:\Windows\System32\Tasks\hotivitnetoiqe Task: {BDA31733-2CFD-4FC6-B8D9-3DF0D39DC7E9} - System32\Tasks\hotivitnetoiqe => Iexplore.exe hotivit.net/oiqe Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- In the existing folder C:\Windows\System32\Tasks Adds the file hotivitnetoiqe"="4/11/2018 8:42 AM, 3350 bytes, A Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/11/18 Scan Time: 8:49 AM Log File: 8133dec8-3d54-11e8-ae31-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4692 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 245721 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 2 min, 39 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 3 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\HOTIVITNETOIQE, Delete-on-Reboot, [6202], [508591],1.0.4692 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BDA31733-2CFD-4FC6-B8D9-3DF0D39DC7E9}, Delete-on-Reboot, [6202], [508591],1.0.4692 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{BDA31733-2CFD-4FC6-B8D9-3DF0D39DC7E9}, Delete-on-Reboot, [6202], [508591],1.0.4692 Registry Value: 1 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BDA31733-2CFD-4FC6-B8D9-3DF0D39DC7E9}|PATH, Delete-on-Reboot, [6202], [508590],1.0.4692 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 9 Adware.StartPage.BatBitRst, C:\WINDOWS\SYSTEM32\TASKS\HOTIVITNETOIQE, Delete-on-Reboot, [6202], [508591],1.0.4692 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Delete-on-Reboot, [6202], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Delete-on-Reboot, [6202], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Delete-on-Reboot, [6202], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Delete-on-Reboot, [6202], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Delete-on-Reboot, [6202], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Delete-on-Reboot, [6202], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Delete-on-Reboot, [6202], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Delete-on-Reboot, [6202], [-1],0.0.0 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is CPUID CPU-Z?The Malwarebytes research team has determined that CPUID CPU-Z is a trojan.This particular one injects downloaded JavaScript (JS) files into browser sessions and sets a proxy accompanied with a false SSL certificate to perform a man-in-the-middle (MITM) attack.How do I know if my computer is affected by CPUID CPU-Z?You may see this entry in your list of installed software:and this icon in your startmenu and on your desktop:How did CPUID CPU-Z get on my computer?Trojans use different methods for distributing themselves. This particular one was bundled with other software.How do I remove CPUID CPU-Z?Our program Malwarebytes can detect and remove this malware. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of CPUID CPU-Z? No, Malwarebytes removes CPUID CPU-Z completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the CPUID CPU-Z hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and it blocks the domains where the trojn was downloaded from by the bundler: and even if you should get infected it blocks the exploit that the trojan uses to perform the man-in-the-middle attack: Technical details for expertsPossible signs in FRST logs: (Microsoft Corporation) C:\ProgramData\Microsoft\Windows\Audio\winamgr.exe.bak (Microsoft Corporation) C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe (Microsoft Corporation) C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe ProxyEnable: [S-1-5-21-{user GUID}] => Proxy is enabled. ProxyServer: [S-1-5-21-{user GUID}] => http=127.0.0.1:8080;https=127.0.0.1:8080 R2 winamgr; C:\ProgramData\Microsoft\Windows\Audio\winamgr.exe [9875968 2018-04-10] (Microsoft Corporation) [File not signed] C:\Users\Public\Desktop\CPUID CPU-Z.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID C:\Program Files\CPUID CPUID CPU-Z 1.82.1 (HKLM\...\CPUID CPU-Z_is1) (Version: 1.82.1 - ) FirewallRules: [TCP Query User{D3E7F7AC-72C7-4000-8B93-DD0DA199AD56}C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe] => (Allow) C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe FirewallRules: [UDP Query User{79ED0071-EA4B-4214-BD80-E472E1505F7A}C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe] => (Allow) C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\CPUID\CPU-Z Adds the file cpuz.exe"="12/20/2017 1:10 PM, 3517688 bytes, A Adds the file cpuz.ini"="12/20/2017 1:15 PM, 594 bytes, A Adds the file cpuz_eula.txt"="8/12/2015 8:57 PM, 7651 bytes, A Adds the file cpuz_readme.txt"="12/20/2017 1:14 PM, 26325 bytes, A Adds the file unins000.dat"="4/10/2018 8:40 AM, 3245 bytes, A Adds the file unins000.exe"="4/10/2018 8:40 AM, 725157 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Audio Adds the file winamgr.exe"="4/10/2018 8:40 AM, 9875968 bytes, A Adds the file winamgr.exe.bak"="1/29/2018 2:03 PM, 9342976 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\GPR\browser Adds the file svchostctl.exe"="4/10/2018 8:40 AM, 216576 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\GPR\func Adds the file ca.crt"="4/10/2018 8:40 AM, 1094 bytes, A Adds the file ca.key"="4/10/2018 8:40 AM, 887 bytes, A Adds the file cert8.db"="4/10/2018 8:40 AM, 65536 bytes, A Adds the file certutil.exe"="4/10/2018 8:40 AM, 103936 bytes, A Adds the file chrome.exe"="4/10/2018 8:40 AM, 140736 bytes, A Adds the file freebl3.dll"="4/10/2018 8:40 AM, 222208 bytes, A Adds the file key3.db"="4/10/2018 8:40 AM, 16384 bytes, A Adds the file libnspr4.dll"="4/10/2018 8:40 AM, 199680 bytes, A Adds the file libplc4.dll"="4/10/2018 8:40 AM, 14336 bytes, A Adds the file libplds4.dll"="4/10/2018 8:40 AM, 12288 bytes, A Adds the file libvlc.dll"="4/10/2018 8:40 AM, 87040 bytes, A Adds the file libvlcwk.dll"="4/10/2018 8:40 AM, 195072 bytes, A Adds the file msvcr100.dll"="4/10/2018 8:40 AM, 773968 bytes, A Adds the file nss3.dll"="4/10/2018 8:40 AM, 798720 bytes, A Adds the file nssckbi.dll"="4/10/2018 8:40 AM, 370176 bytes, A Adds the file nssdbm3.dll"="4/10/2018 8:40 AM, 108544 bytes, A Adds the file nssutil3.dll"="4/10/2018 8:40 AM, 93696 bytes, A Adds the file secmod.db"="4/10/2018 8:40 AM, 16384 bytes, A Adds the file smime3.dll"="4/10/2018 8:40 AM, 97792 bytes, A Adds the file softokn3.dll"="4/10/2018 8:40 AM, 172544 bytes, A Adds the file sqlite3.dll"="4/10/2018 8:40 AM, 423936 bytes, A Adds the file ssl3.dll"="4/10/2018 8:40 AM, 190976 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\GPR\network Adds the file default_cse.js"="4/10/2018 8:40 AM, 5900 bytes, A Adds the file general.js"="4/10/2018 8:40 AM, 2252 bytes, A Adds the file svcnetwk.exe"="4/10/2018 8:40 AM, 11952128 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\CPU-Z Adds the file CPU-Z.lnk"="4/10/2018 8:40 AM, 893 bytes, A Adds the file Edit CPU-Z Config File.lnk"="4/10/2018 8:40 AM, 893 bytes, A Adds the file Uninstall CPU-Z.lnk"="4/10/2018 8:40 AM, 917 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file CPUID CPU-Z.lnk"="4/10/2018 8:40 AM, 869 bytes, A In the existing folder C:\Users\Public\Documents Adds the file {DE764086-1C0A-4DD3-90BA-0B93BDD794BE}"="4/10/2018 8:41 AM, 34 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail] "ChannelId"="REG_SZ", "icbusa20" [HKEY_LOCAL_MACHINE\SOFTWARE\CPUID\CPU-Z] "PATH"="REG_SZ", "C:\Program Files\CPUID\CPU-Z" "PRODUCT_NAME"="REG_SZ", "CPUID CPU-Z" "VERSION"="REG_SZ", "1.82.1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\483A0ECB697A7E8FE5FB5DBCA52C7F82D70D8239] "Blob"="REG_BINARY, ................ ...........................................................................................................................................................................................................K........................................................................................................................................................................................ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CPUID CPU-Z_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\CPUID\CPU-Z\cpuz.exe" "DisplayName"="REG_SZ", "CPUID CPU-Z 1.82.1" "DisplayVersion"="REG_SZ", "1.82.1" "EstimatedSize"="REG_DWORD", 4166 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\CPUID\CPU-Z" "Inno Setup: Deselected Tasks"="REG_SZ", "" "Inno Setup: Icon Group"="REG_SZ", "CPUID\CPU-Z" "Inno Setup: Language"="REG_SZ", "default" "Inno Setup: Selected Tasks"="REG_SZ", "desktopicon" "Inno Setup: Setup Version"="REG_SZ", "5.5.9 (a)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20180410" "InstallLocation"="REG_SZ", "C:\Program Files\CPUID\CPU-Z\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 82 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\CPUID\CPU-Z\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\CPUID\CPU-Z\unins000.exe"" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 82 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CPUZ] "(Default)"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winamgr] "Description"="REG_SZ", "Windows Audio Manager" "Display"="REG_SZ", "Windows Audio Manager" "DisplayName"="REG_SZ", "Windows Audio Manager" "ErrorControl"="REG_DWORD", 0 "ImagePath"="REG_EXPAND_SZ, ""C:\ProgramData\Microsoft\Windows\Audio\winamgr.exe" -s" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] "ProxyEnable"= REG_DWORD, 1 "ProxyServer"="REG_SZ", "http=127.0.0.1:8080;https=127.0.0.1:8080" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/10/18 Scan Time: 8:54 AM Log File: fdd2c3b4-3c8b-11e8-87ee-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4674 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 245556 Threats Detected: 46 Threats Quarantined: 46 Time Elapsed: 2 min, 43 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe, Quarantined, [1117], [505207],1.0.4674 Module: 3 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe, Quarantined, [1117], [505207],1.0.4674 Trojan.Agent, C:\PROGRAMDATA\MICROSOFT\WINDOWS\AUDIO\WINAMGR.EXE, Quarantined, [383], [489320],1.0.4674 Registry Key: 2 Trojan.Egguard.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [1117], [-1],0.0.0 Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\winamgr, Quarantined, [383], [489320],1.0.4674 Registry Value: 6 Trojan.Egguard.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0 Trojan.Egguard.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0 Trojan.Egguard.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0 Trojan.Egguard.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, [1117], [-1],0.0.0 Trojan.Egguard.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0 Trojan.FakeMS, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINAMGR|IMAGEPATH, Quarantined, [3025], [506363],1.0.4674 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\PROGRAMDATA\MICROSOFT\WINDOWS\GPR, Quarantined, [1117], [505207],1.0.4674 File: 29 Trojan.Egguard.PrxySvrRST, C:\PROGRAMDATA\MICROSOFT\WINDOWS\GPR\NETWORK\GENERAL.JS, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\ca.crt, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\ca.key, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\cert8.db, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\certutil.exe, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\chrome.exe, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\freebl3.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\key3.db, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libnspr4.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libplc4.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libplds4.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libvlc.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libvlcwk.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\msvcr100.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nss3.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nssckbi.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nssdbm3.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nssutil3.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\secmod.db, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\smime3.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\softokn3.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\sqlite3.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\ssl3.dll, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\default_cse.js, Quarantined, [1117], [505207],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe, Quarantined, [1117], [505207],1.0.4674 Trojan.Agent, C:\PROGRAMDATA\MICROSOFT\WINDOWS\AUDIO\WINAMGR.EXE, Quarantined, [383], [489320],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\USERS\{username}\DESKTOP\CPU-Z.EXE, Quarantined, [1117], [505199],1.0.4674 Trojan.Egguard.PrxySvrRST, C:\DOWNLOADS\CPU-Z.EXE, Quarantined, [1117], [505199],1.0.4674 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is Tower Blocks?The Malwarebytes research team has determined that Tower Blocks is a hijacker and forced Chrome extension.How do I know if my computer is affected by Tower Blocks?You may see these warnings during install:You will see this entry in your list of installed Chrome extensions:How did Tower Blocks get on my computer?This type of extension is installed by making the visitor think it is needed to enter the website:This particular one was also available in the webstore.How do I remove Tower Blocks?Our program Malwarebytes can detect and remove this unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Tower Blocks? No, Malwarebytes removes Tower Blocks completely. If you are using an older version of Malwarebytes you may have to remove the Chrome Extension manually under Tools > More Tools > Extensions. Click on the bin behind the Tower Blocks entry and confirm Remove in the prompt. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this forced extension.We protect our customers from these extensions by blocking the sites that spread them:Technical details for expertsPossible signs in FRST logs: CHR Extension: (Tower Blocks) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo [2018-04-09] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0 Adds the file background.html"="1/18/2018 2:54 PM, 1262 bytes, A Adds the file manifest.json"="4/9/2018 8:36 AM, 1121 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\_metadata Adds the file computed_hashes.json"="4/9/2018 8:36 AM, 15969 bytes, A Adds the file verified_contents.json"="3/16/2018 12:22 PM, 2801 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\assets Adds the file 128.png"="4/9/2018 8:36 AM, 6839 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\css Adds the file option.css"="1/18/2018 2:38 PM, 2745 bytes, A Adds the file popup.css"="1/18/2018 2:38 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\html Adds the file popup.html"="1/18/2018 2:38 PM, 438 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\js Adds the file background.bundle.js"="3/16/2018 12:21 PM, 2311 bytes, A Adds the file content.bundle.js"="1/18/2018 2:42 PM, 721 bytes, A Adds the file option.bundle.js"="1/18/2018 2:48 PM, 15729 bytes, A Adds the file popup.bundle.js"="1/18/2018 2:42 PM, 199 bytes, A Adds the file vendor.bundle.js"="3/16/2018 12:21 PM, 224012 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\lib Adds the file three.js"="1/18/2018 2:46 PM, 800676 bytes, A Adds the file timer.js"="1/18/2018 2:53 PM, 4112 bytes, A Adds the file tweenmax.js"="1/18/2018 2:41 PM, 237732 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dddpckplncklfbgaljojknnjolknpdbo"="REG_SZ", "2A3AD424BB2ADFCF86777100F18264984BDD7690875CAC7B3C2B40E8A2676388" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/9/18 Scan Time: 8:41 AM Log File: 1712e439-3bc1-11e8-b64f-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4662 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 245380 Threats Detected: 26 Threats Quarantined: 26 Time Elapsed: 2 min, 39 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\_metadata, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\assets, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\html, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\css, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\lib, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\js, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\dddpckplncklfbgaljojknnjolknpdbo, Quarantined, [2116], [508012],1.0.4662 File: 18 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\assets\128.png, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\css\option.css, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\css\popup.css, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\html\popup.html, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\js\background.bundle.js, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\js\content.bundle.js, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\js\option.bundle.js, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\js\popup.bundle.js, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\js\vendor.bundle.js, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\lib\three.js, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\lib\timer.js, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\lib\tweenmax.js, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\_metadata\computed_hashes.json, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\_metadata\verified_contents.json, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\background.html, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dddpckplncklfbgaljojknnjolknpdbo\12.8.14_0\manifest.json, Quarantined, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2116], [508012],1.0.4662 Hijack.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2116], [508012],1.0.4662 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is zokidifcomkui?The Malwarebytes research team has determined that zokidifcomkui is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.How do I know if my computer is affected by zokidifcomkui?You may see this Scheduled Task:How did zokidifcomkui get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was bundled with other adware.How do I remove zokidifcomkui?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of zokidifcomkui? No, Malwarebytes removes zokidifcomkui completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes will have protect you against the zokidifcomkui hijacker. It will block the bundler that installed this adware and block the site it tries to open: Technical details for expertsPossible signs in FRST logs: C:\Windows\System32\Tasks\zokidifcomkui Task: {9C9A7BE3-7E24-4826-B50F-5E37C2A4A97E} - System32\Tasks\zokidifcomkui => "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" zokidif.com/kui Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- In the existing folder C:\Windows\System32\Tasks Adds the file zokidifcomkui"="4/6/2018 8:59 AM, 3140 bytes, A Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/6/18 Scan Time: 9:07 AM Log File: 3055b395-3969-11e8-bef1-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4636 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 245153 Threats Detected: 13 Threats Quarantined: 13 Time Elapsed: 2 min, 35 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 3 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9C9A7BE3-7E24-4826-B50F-5E37C2A4A97E}, Quarantined, [6187], [507425],1.0.4636 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{9C9A7BE3-7E24-4826-B50F-5E37C2A4A97E}, Quarantined, [6187], [507425],1.0.4636 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\zokidifcomkui, Quarantined, [6187], [507425],1.0.4636 Registry Value: 1 Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9C9A7BE3-7E24-4826-B50F-5E37C2A4A97E}|PATH, Quarantined, [6187], [507426],1.0.4636 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 9 Adware.StartPage.BatBitRst, C:\WINDOWS\SYSTEM32\TASKS\ZOKIDIFCOMKUI, Quarantined, [6187], [507425],1.0.4636 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [6187], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [6187], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [6187], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [6187], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [6187], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [6187], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [6187], [-1],0.0.0 Adware.StartPage.BatBitRst, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [6187], [-1],0.0.0 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Flash-paivitys?The Malwarebytes research team has determined that Flash-paivitys is adware and a spamtool. This particular one installs a Facebook app that consequently sends out spam messages to all the user groups you belong to.The Facebook apps will have a name that users do not immediately associate with messaging like HTC Sense, Spotify, or Pandora.How do I know if my computer is affected by Flash-paivitys?You may see these warnings during install:and you may notice this Firefox extension:After the install you may see spam mesages go out that look similar to this:The message is in (non-fluent) Finnish and tells readers to Google for a certain key-phrase. At prime time of the infection there would be a sponsored result waiting for them, but now they will find a Scam Alert.The intended landing page would try to scam users into buying fake or non-existing high-end products.This particular one was offered as a fake Flash update (in Finnish).How do I remove Flash-paivitys?Our program Malwarebytes can detect and remove this unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Flash-paivitys? No, Malwarebytes removes Flash-paivitys completely. Affected users will have to find and remove the offending app from their Facebook account. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this fraudulent extension.We protect our customers from these extensions by blocking the sites that spread them:Technical details for expertsPossible signs in FRST logs: FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\adsfinland@firefox.pl.xpi [2018-04-05] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file adsfinland@firefox.pl.xpi"="4/5/2018 10:45 AM, 102813 bytes, A Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/5/18 Scan Time: 10:58 AM Log File: 90e4efa1-38af-11e8-abc9-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4624 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 245049 Threats Detected: 1 Threats Quarantined: 1 Time Elapsed: 2 min, 43 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Adware.FBSpammer, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\ADSFINLAND@FIREFOX.PL.XPI, Quarantined, [1704], [506269],1.0.4624 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is AutoFixer Pro 2018?The Malwarebytes research team has determined that AutoFixer Pro 2018 is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with AutoFixer Pro 2018?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warninga during install:and these screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did AutoFixer Pro 2018 get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove AutoFixer Pro 2018?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of AutoFixer Pro 2018? No, Malwarebytes removes AutoFixer Pro 2018 completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the AutoFixer Pro 2018 installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () C:\Program Files\Auto~Fixer~Pro2018 for {computername}\mysysm.exe C:\Windows\System32\Tasks\Auto~Fixer~Pro2018_Logon C:\Users\{username}\AppData\Roaming\Auto~Fixer~Pro2018 For {computername} C:\Users\Public\Desktop\Auto~Fixer~Pro2018.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto~Fixer~Pro2018 for {computername} C:\ProgramData\Auto~Fixer~Pro2018 for {computername} C:\Program Files\Auto~Fixer~Pro2018 for {computername} Auto~Fixer~Pro2018 (HKLM\...\{005AF398-AE06-414E-91E6-55546E205240}_is1) (Version: 3.5.0.0 - ) Task: {08EAEC81-91A5-4E55-8D82-3D51595359D5} - System32\Tasks\Auto~Fixer~Pro2018_Logon => C:\Program Files\Auto~Fixer~Pro2018 for {computername}\mysysm.exe [2018-03-29] () Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Auto~Fixer~Pro2018 for {computername} Adds the file application.ico"="2/6/2018 10:43 AM, 56150 bytes, A Adds the file danish_iss.ini"="5/23/2017 6:31 PM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/23/2017 6:31 PM, 2600 bytes, A Adds the file english_iss.ini"="5/23/2017 6:31 PM, 2256 bytes, A Adds the file finish_iss.ini"="5/23/2017 6:31 PM, 2368 bytes, A Adds the file French_iss.ini"="5/23/2017 6:31 PM, 2792 bytes, A Adds the file german_iss.ini"="5/23/2017 6:31 PM, 2658 bytes, A Adds the file gtcmg.dll"="3/29/2018 3:53 PM, 1750896 bytes, A Adds the file HtmlRenderer.dll"="3/29/2018 3:53 PM, 228208 bytes, A Adds the file HtmlRenderer.WinForms.dll"="3/29/2018 3:53 PM, 66928 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="3/29/2018 3:53 PM, 55664 bytes, A Adds the file italian_iss.ini"="5/23/2017 6:31 PM, 2532 bytes, A Adds the file japanese_iss.ini"="5/23/2017 6:32 PM, 1844 bytes, A Adds the file langs.db"="2/6/2018 4:13 PM, 446464 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="3/29/2018 3:53 PM, 177520 bytes, A Adds the file mysysm.exe"="3/29/2018 3:53 PM, 2036592 bytes, A Adds the file mysysm.exe.config"="3/29/2018 3:53 PM, 5574 bytes, A Adds the file NAudio.dll"="3/29/2018 3:53 PM, 477552 bytes, A Adds the file norwegian_iss.ini"="5/23/2017 6:32 PM, 2358 bytes, A Adds the file portuguese_iss.ini"="5/23/2017 6:32 PM, 2424 bytes, A Adds the file russian_iss.ini"="5/23/2017 6:32 PM, 2494 bytes, A Adds the file spanish_iss.ini"="5/23/2017 6:32 PM, 2548 bytes, A Adds the file swedish_iss.ini"="5/23/2017 6:32 PM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="3/29/2018 3:53 PM, 297328 bytes, A Adds the file TAFactory.IconPack.dll"="3/29/2018 3:53 PM, 43376 bytes, A Adds the file unins000.dat"="4/4/2018 8:23 AM, 83727 bytes, A Adds the file unins000.exe"="4/4/2018 8:22 AM, 1235312 bytes, A Adds the file unins000.msg"="4/4/2018 8:23 AM, 22701 bytes, A Adds the folder C:\Program Files\Auto~Fixer~Pro2018 for {computername}\x64 Adds the file SQLite.Interop.dll"="3/29/2018 3:53 PM, 1182064 bytes, A Adds the folder C:\Program Files\Auto~Fixer~Pro2018 for {computername}\x86 Adds the file SQLite.Interop.dll"="3/29/2018 3:53 PM, 861040 bytes, A Adds the folder C:\ProgramData\Auto~Fixer~Pro2018 for {computername} Adds the file mdb.db"="10/3/2017 4:30 PM, 835584 bytes, A Adds the file pcspstartrepair_en.mp3"="3/2/2017 11:05 AM, 130973 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto~Fixer~Pro2018 for {computername} Adds the file Auto~Fixer~Pro2018.lnk"="4/4/2018 8:23 AM, 1007 bytes, A Adds the file Buy Auto~Fixer~Pro2018.lnk"="4/4/2018 8:23 AM, 1019 bytes, A Adds the file Uninstall Auto~Fixer~Pro2018.lnk"="4/4/2018 8:23 AM, 1019 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Auto~Fixer~Pro2018 For {computername} Adds the file Errorlog.txt"="4/4/2018 8:24 AM, 15550 bytes, A Adds the file exlist.bin"="4/4/2018 8:24 AM, 258025 bytes, A Adds the file res.xml"="4/4/2018 8:24 AM, 8287 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Auto~Fixer~Pro2018 For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file Auto~Fixer~Pro2018.lnk"="4/4/2018 8:23 AM, 989 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Auto~Fixer~Pro2018_Logon"="4/4/2018 8:24 AM, 3084 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Auto~Fixer~Pro2018 For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.entireactiv.com/install/aufp/?" "apst"="REG_DWORD", 0 "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "nl" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, .......................................................................................................................................................................................................................................................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\Auto~Fixer~Pro2018 for {computername}" "ipaddrurl"="REG_SZ", "http://www.entireactiv.com/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 20 "lstscandate"="REG_SZ", "4/4/2018 8:24:54 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 20 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.entireactiv.com/ipfiles/" "playsound"="REG_DWORD", 1 "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.mycomputerupdate.com/aufp/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.mycomputerupdate.com/aufp/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.mycomputerupdate.com/help/" "TELNO"="REG_SZ", "+31-08-58882839" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "(855)-332-0124" "WebURL"="REG_SZ", "http://www.mycomputerupdate.com/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "nl" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "163_158_213_181" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{005AF398-AE06-414E-91E6-55546E205240}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Auto~Fixer~Pro2018 for {computername}\mysysm.exe" "DisplayName"="REG_SZ", "Auto~Fixer~Pro2018" "DisplayVersion"="REG_SZ", "3.5.0.0" "EstimatedSize"="REG_DWORD", 11396 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Auto~Fixer~Pro2018 for {computername}" "Inno Setup: Icon Group"="REG_SZ", "Auto~Fixer~Pro2018 for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20180404" "InstallLocation"="REG_SZ", "C:\Program Files\Auto~Fixer~Pro2018 for {computername}\" "MajorVersion"="REG_DWORD", 3 "MinorVersion"="REG_DWORD", 5 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Auto~Fixer~Pro2018 for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Auto~Fixer~Pro2018 for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\QXV0b35GaXhlcn5Qcm8yMDE4\ACT] "data"="REG_BINARY, ....................................................................................................................................................................................................................................................................................................._......................... [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "nl" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\Auto~Fixer~Pro2018 for {computername}] "InstallString"="REG_SZ", "C:\Program Files\Auto~Fixer~Pro2018 for {computername}" "LangCode"="REG_SZ", "en" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "163_158_213_181" [HKEY_CURRENT_USER\Software\Auto~Fixer~Pro2018 for {computername}\3.5.0.0] "Installstring"="REG_SZ", "C:\Program Files\Auto~Fixer~Pro2018 for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/4/18 Scan Time: 8:35 AM Log File: 5e1f4b71-37d2-11e8-a9bc-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4608 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 245069 Threats Detected: 68 Threats Quarantined: 68 Time Elapsed: 2 min, 53 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\mysysm.exe, Quarantined, [3498], [506391],1.0.4608 Module: 6 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\x64\SQLite.Interop.dll, Quarantined, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\mysysm.exe, Quarantined, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\System.Data.SQLite.DLL, Quarantined, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\TAFactory.IconPack.dll, Quarantined, [3498], [506391],1.0.4608 Registry Key: 9 PUP.Optional.AutoFixerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Auto~Fixer~Pro2018_Logon, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{08EAEC81-91A5-4E55-8D82-3D51595359D5}, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{08EAEC81-91A5-4E55-8D82-3D51595359D5}, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{005AF398-AE06-414E-91E6-55546E205240}_is1, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, HKCU\SOFTWARE\Auto~Fixer~Pro2018 for {computername}, Delete-on-Reboot, [3498], [506399],1.0.4608 PUP.Optional.AutoFixerPro, HKLM\SOFTWARE\Auto~Fixer~Pro2018 For {computername}, Delete-on-Reboot, [3498], [506398],1.0.4608 PUP.Optional.PCFixerPro, HKLM\SOFTWARE\MICROSOFT\TRACING\mysysm_RASAPI32, Delete-on-Reboot, [1265], [501684],1.0.4608 PUP.Optional.PCFixerPro, HKLM\SOFTWARE\MICROSOFT\TRACING\mysysm_RASMANCS, Delete-on-Reboot, [1265], [501684],1.0.4608 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR, Delete-on-Reboot, [1103], [484510],1.0.4608 Registry Value: 3 PUP.Optional.AutoFixerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{08EAEC81-91A5-4E55-8D82-3D51595359D5}|PATH, Delete-on-Reboot, [3498], [506402],1.0.4608 PUP.Optional.AutoFixerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{005AF398-AE06-414E-91E6-55546E205240}_is1|DISPLAYNAME, Delete-on-Reboot, [3498], [506400],1.0.4608 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Delete-on-Reboot, [1103], [484510],1.0.4608 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.AutoFixerPro, C:\PROGRAMDATA\Auto~Fixer~Pro2018 for {computername}, Delete-on-Reboot, [3498], [506392],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\x64, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\x86, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\PROGRAM FILES\Auto~Fixer~Pro2018 for {computername}, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Users\{username}\AppData\Roaming\Auto~Fixer~Pro2018 For {computername}\smico, Delete-on-Reboot, [3498], [506395],1.0.4608 PUP.Optional.AutoFixerPro, C:\USERS\{username}\APPDATA\ROAMING\Auto~Fixer~Pro2018 For {computername}, Delete-on-Reboot, [3498], [506395],1.0.4608 PUP.Optional.AutoFixerPro, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Auto~Fixer~Pro2018 for {computername}, Delete-on-Reboot, [3498], [506394],1.0.4608 File: 42 PUP.Optional.AutoFixerPro, C:\PROGRAMDATA\Auto~Fixer~Pro2018 for {computername}\mdb.db, Delete-on-Reboot, [3498], [506392],1.0.4608 PUP.Optional.AutoFixerPro, C:\ProgramData\Auto~Fixer~Pro2018 for {computername}\pcspstartrepair_en.mp3, Delete-on-Reboot, [3498], [506392],1.0.4608 PUP.Optional.AutoFixerPro, C:\PROGRAM FILES\Auto~Fixer~Pro2018 for {computername}\unins000.dat, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\x64\SQLite.Interop.dll, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\x86\SQLite.Interop.dll, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\italian_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\application.ico, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\danish_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\Dutch_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\english_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\finish_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\French_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\german_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\gtcmg.dll, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\HtmlRenderer.dll, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\HtmlRenderer.WinForms.dll, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\Interop.IWshRuntimeLibrary.dll, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\japanese_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\langs.db, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\Microsoft.Win32.TaskScheduler.dll, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\mysysm.exe, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\mysysm.exe.config, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\NAudio.dll, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\norwegian_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\portuguese_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\russian_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\spanish_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\swedish_iss.ini, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\System.Data.SQLite.DLL, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\TAFactory.IconPack.dll, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\unins000.exe, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\Program Files\Auto~Fixer~Pro2018 for {computername}\unins000.msg, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\WINDOWS\SYSTEM32\TASKS\Auto~Fixer~Pro2018_Logon, Delete-on-Reboot, [3498], [506391],1.0.4608 PUP.Optional.AutoFixerPro, C:\USERS\PUBLIC\DESKTOP\Auto~Fixer~Pro2018.lnk, Delete-on-Reboot, [3498], [506397],1.0.4608 PUP.Optional.AutoFixerPro, C:\USERS\{username}\APPDATA\ROAMING\Auto~Fixer~Pro2018 For {computername}\Errorlog.txt, Delete-on-Reboot, [3498], [506395],1.0.4608 PUP.Optional.AutoFixerPro, C:\Users\{username}\AppData\Roaming\Auto~Fixer~Pro2018 For {computername}\exlist.bin, Delete-on-Reboot, [3498], [506395],1.0.4608 PUP.Optional.AutoFixerPro, C:\Users\{username}\AppData\Roaming\Auto~Fixer~Pro2018 For {computername}\res.xml, Delete-on-Reboot, [3498], [506395],1.0.4608 PUP.Optional.AutoFixerPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto~Fixer~Pro2018 for {computername}\Auto~Fixer~Pro2018.lnk, Delete-on-Reboot, [3498], [506394],1.0.4608 PUP.Optional.AutoFixerPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto~Fixer~Pro2018 for {computername}\Buy Auto~Fixer~Pro2018.lnk, Delete-on-Reboot, [3498], [506394],1.0.4608 PUP.Optional.AutoFixerPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto~Fixer~Pro2018 for {computername}\Uninstall Auto~Fixer~Pro2018.lnk, Delete-on-Reboot, [3498], [506394],1.0.4608 PUP.Optional.AutoFixerPro, C:\USERS\{username}\DESKTOP\AUFPSETUP.EXE, Delete-on-Reboot, [3498], [506404],1.0.4608 PUP.Optional.AutoFixerPro, C:\USERS\{username}\DOWNLOADS\AUFPSETUP.EXE, Delete-on-Reboot, [3498], [506404],1.0.4608 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is Memory Game?The Malwarebytes research team has determined that Memory Game is adware and a forced Chrome extension.How do I know if my computer is affected by Memory Game?You may see these warnings during install:And you will see this entry in your list of installed Chrome extensions:How did Memory Game get on my computer?Forced extensions use a typical method for distributing themselves. This particular one was also available in the webstore.How do I remove Memory Game?Our program Malwarebytes can detect and remove this unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Memory Game? No, Malwarebytes removes Memory Game completely. If you are using an older version of Malwarebytes you may have to remove the Chrome Extension manually under Tools > More Tools > Extensions. Click on the bin behind the Memory Game entry and confirm Remove in the prompt. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this forced extension.We protect our customers from these extensions by blocking the sites that spread them:Technical details for expertsPossible signs in FRST logs: CHR Extension: (Memory Game) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg [2018-04-02] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0 Adds the file background.html"="1/3/2018 2:26 PM, 4228 bytes, A Adds the file manifest.json"="4/3/2018 8:28 AM, 1085 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\_metadata Adds the file computed_hashes.json"="4/3/2018 8:28 AM, 3663 bytes, A Adds the file verified_contents.json"="3/23/2018 11:46 AM, 2469 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\assets Adds the file 128.png"="4/3/2018 8:28 AM, 6321 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\css Adds the file option.css"="1/3/2018 1:33 PM, 3392 bytes, A Adds the file popup.css"="1/3/2018 1:33 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\html Adds the file popup.html"="1/3/2018 2:25 PM, 453 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\js Adds the file background.bundle.js"="3/23/2018 11:46 AM, 2311 bytes, A Adds the file content.bundle.js"="1/3/2018 2:25 PM, 721 bytes, A Adds the file option.bundle.js"="1/3/2018 2:23 PM, 5995 bytes, A Adds the file popup.bundle.js"="1/3/2018 2:25 PM, 199 bytes, A Adds the file vendor.bundle.js"="3/23/2018 11:45 AM, 224008 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mjagjljkalnniphbckgioopkndidhkjg"="REG_SZ", "6471576EFE49F8541B3B89D9E7078F832965ACECCEB5A149A94E3343B80A2D29" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/3/18 Scan Time: 8:32 AM Log File: bedc23eb-3708-11e8-908a-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4594 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 244804 Threats Detected: 22 Threats Quarantined: 22 Time Elapsed: 3 min, 2 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\_metadata, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\assets, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\html, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\css, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\js, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\mjagjljkalnniphbckgioopkndidhkjg, Quarantined, [1033], [505924],1.0.4594 File: 15 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\assets\128.png, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\css\option.css, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\css\popup.css, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\html\popup.html, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\js\background.bundle.js, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\js\content.bundle.js, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\js\option.bundle.js, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\js\popup.bundle.js, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\js\vendor.bundle.js, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\_metadata\computed_hashes.json, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\_metadata\verified_contents.json, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\background.html, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjagjljkalnniphbckgioopkndidhkjg\8.12.10_0\manifest.json, Quarantined, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1033], [505924],1.0.4594 Adware.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1033], [505924],1.0.4594 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is Newtab-Media?The Malwarebytes research team has determined that Newtab-Media is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Newtab-Media?You may see these browser add-ons:and these warnings during install:and these changed search settings:How did Newtab-Media get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was pushed by ad-rotators.The Chrome version was also available in the webstore.How do I remove Newtab-Media?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Newtab-Media? No, Malwarebytes removes Newtab-Media completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Newtab-Media hijacker. It would have blocked the installing site, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{5773b5f8-f9b8-4e6d-94cf-85cce03e4bb4}.xpi [2018-03-30] CHR Extension: (Newtab-Media) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn [2018-03-30] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn\0.7_0 Adds the file background.js"="11/27/2016 3:00 PM, 4099 bytes, A Adds the file logo.png"="3/30/2018 8:44 AM, 11039 bytes, A Adds the file manifest.json"="3/30/2018 8:44 AM, 1093 bytes, A Adds the file popup.html"="10/26/2016 12:11 PM, 555 bytes, A Adds the file redirect.html"="10/26/2016 12:11 PM, 52 bytes, A Adds the file redirect.js"="11/27/2016 3:00 PM, 1188 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn\0.7_0\_metadata Adds the file computed_hashes.json"="3/30/2018 8:44 AM, 499 bytes, A Adds the file verified_contents.json"="11/27/2016 3:00 PM, 1941 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file {5773b5f8-f9b8-4e6d-94cf-85cce03e4bb4}.xpi"="3/30/2018 8:47 AM, 22377 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "lejepdegagejhcpfkhnlaldbipjlelpn"="REG_SZ", "FB1DCA7FF0F616A6709BA367C199EB2E61CCFEF1CDA1A1DDFEB25D6C20286317" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/30/18 Scan Time: 8:52 AM Log File: dee69492-33e6-11e8-9dd7-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4542 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 244603 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 2 min, 46 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.NewTabMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn\0.7_0\_metadata, Delete-on-Reboot, [4792], [443405],1.0.4542 PUP.Optional.NewTabMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn\0.7_0, Delete-on-Reboot, [4792], [443405],1.0.4542 PUP.Optional.NewTabMedia, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LEJEPDEGAGEJHCPFKHNLALDBIPJLELPN, Delete-on-Reboot, [4792], [443405],1.0.4542 File: 11 PUP.Optional.NewTabMedia, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\{5773B5F8-F9B8-4E6D-94CF-85CCE03E4BB4}.XPI, Delete-on-Reboot, [4792], [495180],1.0.4542 PUP.Optional.NewTabMedia, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [4792], [443405],1.0.4542 PUP.Optional.NewTabMedia, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [4792], [443405],1.0.4542 PUP.Optional.NewTabMedia, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LEJEPDEGAGEJHCPFKHNLALDBIPJLELPN\0.7_0\MANIFEST.JSON, Delete-on-Reboot, [4792], [443405],1.0.4542 PUP.Optional.NewTabMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn\0.7_0\_metadata\computed_hashes.json, Delete-on-Reboot, [4792], [443405],1.0.4542 PUP.Optional.NewTabMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn\0.7_0\_metadata\verified_contents.json, Delete-on-Reboot, [4792], [443405],1.0.4542 PUP.Optional.NewTabMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn\0.7_0\background.js, Delete-on-Reboot, [4792], [443405],1.0.4542 PUP.Optional.NewTabMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn\0.7_0\logo.png, Delete-on-Reboot, [4792], [443405],1.0.4542 PUP.Optional.NewTabMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn\0.7_0\popup.html, Delete-on-Reboot, [4792], [443405],1.0.4542 PUP.Optional.NewTabMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn\0.7_0\redirect.html, Delete-on-Reboot, [4792], [443405],1.0.4542 PUP.Optional.NewTabMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lejepdegagejhcpfkhnlaldbipjlelpn\0.7_0\redirect.js, Delete-on-Reboot, [4792], [443405],1.0.4542 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is Free Malware Removal Tool?The Malwarebytes research team has determined that Free Malware Removal Tool is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Free Malware Removal Tool?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this screen when you want to fix the found "problems":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did Free Malware Removal Tool get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Free Malware Removal Tool?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Free Malware Removal Tool? No, Malwarebytes removes Free Malware Removal Tool completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Free Malware Removal Tool installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (FreeMalwareRemovalTool.com) C:\Program Files\Free Malware Removal Tool\FMRT.exe C:\Windows\System32\Tasks\Free Malware Removal Tool C:\Windows\System32\Tasks\Free Malware Removal Tool_Logon C:\Users\{username}\AppData\Roaming\FreeMalwareRemovalTool.com C:\ProgramData\FreeMalwareRemovalTool.com C:\Program Files\Free Malware Removal Tool C:\Users\Public\Desktop\Free Malware Removal Tool.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Malware Removal Tool Free Malware Removal Tool (HKLM\...\F5000FCC-7382-447E-A08C-9BC17438C64E_is1) (Version: 1.0.0.42197 - FreeMalwareRemovalTool.Com) Task: {3123F391-4805-41D7-A822-84E3259DB592} - System32\Tasks\Free Malware Removal Tool => C:\Program Files\Free Malware Removal Tool\FMRT.exe [2017-12-11] (FreeMalwareRemovalTool.com) Task: {61A07691-0C36-414B-ADF0-7E68B948665B} - System32\Tasks\Free Malware Removal Tool_Logon => C:\Program Files\Free Malware Removal Tool\FMRT.exe [2017-12-11] (FreeMalwareRemovalTool.com) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Free Malware Removal Tool Adds the file 7z.dll"="12/11/2017 2:02 PM, 1081208 bytes, A Adds the file 7z.exe"="12/11/2017 2:02 PM, 272760 bytes, A Adds the file Buy Free Malware Removal Tool.lnk"="3/29/2018 8:53 AM, 937 bytes, A Adds the file danish_iss.ini"="6/24/2017 2:17 PM, 2424 bytes, A Adds the file Dutch_iss.ini"="6/24/2017 2:17 PM, 2622 bytes, A Adds the file english_iss.ini"="6/24/2017 2:17 PM, 2278 bytes, A Adds the file finish_iss.ini"="6/24/2017 2:17 PM, 2390 bytes, A Adds the file FMRT.exe"="12/11/2017 2:30 PM, 3642232 bytes, A Adds the file FMRT.exe.config"="8/14/2017 3:16 PM, 2874 bytes, A Adds the file fmrtlog.xsl"="6/24/2017 5:03 PM, 39015 bytes, A Adds the file French_iss.ini"="6/24/2017 2:17 PM, 2814 bytes, A Adds the file german_iss.ini"="6/24/2017 2:17 PM, 2680 bytes, A Adds the file ICSharpCode.SharpZipLib.dll"="12/11/2017 2:03 PM, 200056 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="12/11/2017 2:03 PM, 56696 bytes, A Adds the file italian_iss.ini"="6/24/2017 2:17 PM, 2554 bytes, A Adds the file japanese_iss.ini"="6/24/2017 2:17 PM, 1866 bytes, A Adds the file langs.db"="12/11/2017 1:04 PM, 501760 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="12/11/2017 2:03 PM, 178552 bytes, A Adds the file Microsoft.WindowsAPICodePack.dll"="12/11/2017 2:03 PM, 105848 bytes, A Adds the file Microsoft.WindowsAPICodePack.Shell.dll"="12/11/2017 2:03 PM, 549752 bytes, A Adds the file Newtonsoft.Json.dll"="12/11/2017 2:03 PM, 472952 bytes, A Adds the file norwegian_iss.ini"="6/24/2017 2:17 PM, 2380 bytes, A Adds the file portuguese_iss.ini"="6/24/2017 2:17 PM, 2446 bytes, A Adds the file PresentationCore.dll"="6/24/2017 10:55 AM, 1419104 bytes, A Adds the file russian_iss.ini"="6/24/2017 2:17 PM, 2516 bytes, A Adds the file spanish_iss.ini"="6/24/2017 2:17 PM, 2570 bytes, A Adds the file swedish_iss.ini"="6/24/2017 2:17 PM, 2292 bytes, A Adds the file System.Data.SQLite.DLL"="12/11/2017 2:03 PM, 298360 bytes, A Adds the file System.Windows.Controls.Input.Toolkit.dll"="6/24/2017 10:55 AM, 109400 bytes, A Adds the file System.Windows.Controls.Layout.Toolkit.dll"="6/24/2017 10:55 AM, 95064 bytes, A Adds the file TAFactory.IconPack.dll"="12/11/2017 2:03 PM, 44408 bytes, A Adds the file unins000.dat"="3/29/2018 8:53 AM, 125010 bytes, A Adds the file unins000.exe"="3/29/2018 8:53 AM, 1358200 bytes, A Adds the file unins000.msg"="3/29/2018 8:53 AM, 22701 bytes, A Adds the file upload.log"="3/29/2018 8:56 AM, 850 bytes, A Adds the file WpfAnimatedGif.dll"="12/11/2017 2:30 PM, 47992 bytes, A Adds the file WPFToolkit.dll"="6/24/2017 10:55 AM, 467288 bytes, A Adds the folder C:\Program Files\Free Malware Removal Tool\x64 Adds the file SQLite.Interop.dll"="12/11/2017 2:03 PM, 1183096 bytes, A Adds the folder C:\Program Files\Free Malware Removal Tool\x86 Adds the file SQLite.Interop.dll"="12/11/2017 2:03 PM, 862072 bytes, A Adds the folder C:\ProgramData\FreeMalwareRemovalTool.com\Free Malware Removal Tool Adds the file QTine.cb"="3/29/2018 8:54 AM, 3072 bytes, A Adds the folder C:\ProgramData\FreeMalwareRemovalTool.com\Free Malware Removal Tool\Definition Adds the file Browsers.cb"="3/29/2018 8:55 AM, 736 bytes, A Adds the file ChromeExtentions.cb"="3/29/2018 8:54 AM, 133464 bytes, A Adds the file ChromeFiles.cb"="3/29/2018 8:54 AM, 225296 bytes, A Adds the file ChromeSearch.cb"="3/29/2018 8:54 AM, 27680 bytes, A Adds the file CLSID.cb"="3/29/2018 8:54 AM, 477912 bytes, A Adds the file CompleteDatabase.db"="3/28/2018 5:44 PM, 36765696 bytes, A Adds the file FileNames.cb"="3/29/2018 8:54 AM, 77792 bytes, A Adds the file FilesPath.cb"="3/29/2018 8:54 AM, 3468624 bytes, A Adds the file FirefoxExtentions.cb"="3/29/2018 8:54 AM, 103400 bytes, A Adds the file FirefoxFiles.cb"="3/29/2018 8:54 AM, 62864 bytes, A Adds the file FirefoxSearch.cb"="3/29/2018 8:54 AM, 26928 bytes, A Adds the file FolderNames.cb"="3/29/2018 8:54 AM, 163592 bytes, A Adds the file FoldersPath.cb"="3/29/2018 8:54 AM, 697552 bytes, A Adds the file IEExtension.cb"="3/29/2018 8:54 AM, 720 bytes, A Adds the file IESearch.cb"="3/29/2018 8:54 AM, 3576 bytes, A Adds the file MalwareDetails.cb"="3/29/2018 8:54 AM, 1630824 bytes, A Adds the file Md5Hash.cb"="3/29/2018 8:54 AM, 17104328 bytes, A Adds the file Plugins.cb"="3/29/2018 8:54 AM, 11528 bytes, A Adds the file Registry.cb"="3/29/2018 8:54 AM, 5174432 bytes, A Adds the file RegistrySetting.cb"="3/29/2018 8:55 AM, 1514144 bytes, A Adds the file Services.cb"="3/29/2018 8:54 AM, 41952 bytes, A Adds the file StartupTask.cb"="3/29/2018 8:54 AM, 49512 bytes, A Adds the file URLS.cb"="3/29/2018 8:54 AM, 30608 bytes, A Adds the folder C:\ProgramData\FreeMalwareRemovalTool.com\Free Malware Removal Tool\Definition\Update Adds the file 281completedatabase.zip"="3/29/2018 8:54 AM, 20251056 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Malware Removal Tool Adds the file Free Malware Removal Tool.lnk"="3/29/2018 8:53 AM, 925 bytes, A Adds the file Uninstall Free Malware Removal Tool.lnk"="3/29/2018 8:53 AM, 965 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\FreeMalwareRemovalTool.com\Free Malware Removal Tool Adds the file common_desktop.gif"="3/29/2018 8:54 AM, 0 bytes, A Adds the file DatabaseUpdate.xml"="3/29/2018 8:54 AM, 1090 bytes, A Adds the file Errorlog.txt"="3/29/2018 8:55 AM, 9720 bytes, A Adds the file logbkp.xml"="3/29/2018 8:55 AM, 581 bytes, A Adds the file Result.cb"="3/29/2018 8:55 AM, 6504 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\FreeMalwareRemovalTool.com\Free Malware Removal Tool\icon Adds the file 085539.ico"="3/29/2018 8:55 AM, 46164 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\FreeMalwareRemovalTool.com\Free Malware Removal Tool\LogBackups Adds the file fmrtbackup_29032018_085538.bin"="3/29/2018 8:55 AM, 10381 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\FreeMalwareRemovalTool.com\Free Malware Removal Tool\smico Adds the folder C:\Users\{username}\AppData\Roaming\FreeMalwareRemovalTool.com\Free Malware Removal Tool\Temp In the existing folder C:\Users\Public\Desktop Adds the file Free Malware Removal Tool.lnk"="3/29/2018 8:55 AM, 1970 bytes, A In the existing folder C:\Windows\Fonts Adds the file FMRTPro.ttf"="6/26/2017 7:20 PM, 31788 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Free Malware Removal Tool"="3/29/2018 8:54 AM, 3390 bytes, A Adds the file Free Malware Removal Tool_Logon"="3/29/2018 8:53 AM, 3060 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\fmrt-pr] "affid"="REG_SZ", "" "country"="REG_SZ", "nl" "LangCode"="REG_SZ", "en" "phone"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\FreeMalwareRemovalTool.com\Free Malware Removal Tool] "affid"="REG_SZ", "" "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://www.freemalwareremovaltool.com/fmrt/afterinstall/?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "nl" "delay"="REG_DWORD", 0 "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ..................................................................................................................................................................................................................................................................................................................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\Free Malware Removal Tool" "issilent"="REG_DWORD", 1 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lstscnsett"="REG_BINARY, ......................................................................................................................................................................................................................................................................................................................................................................................................................................._..... "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://malwarecrusher.esecureshoppe.com/price.asp?" "pxl"="REG_SZ", "fmr2265_fmr2216_fmr1180" "reg"="REG_DWORD", 1 "RenewURL"="REG_SZ", "http://malwarecrusher.esecureshoppe.com/renewal.asp?" "runcam"="REG_SZ", "0" "runpixel"="REG_SZ", "0" "runsrc"="REG_SZ", "0" "showballoontip"="REG_DWORD", 0 "showphone"="REG_DWORD", 0 "showseal"="REG_DWORD", 0 "showtn"="REG_DWORD", 1 "showunins"="REG_DWORD", 1 "showwfo"="REG_DWORD", 1 "supporturl"="REG_SZ", "http://www.freemalwareremovaltool.com/support/" "TELNO"="REG_SZ", "+31-08-58882839" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "(800)-180-0926" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "(334)-88627945" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "0120-993-506" "TELNO_jp"="REG_SZ", "0120-993-506" "TELNO_lu"="REG_SZ", "(800)-180-0926" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "(855)-332-0124" "utm_campaign"="REG_SZ", "fmrtsite" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "fmrtsite" "vendorLogo"="REG_SZ", "common_logo.jpg" "vendorMachineAvi"="REG_SZ", "common_desktop.gif" "WebURL"="REG_SZ", "http://www.freemalwareremovaltool.com/" "wfoset"="REG_DWORD", 1 "x-base"="REG_SZ", "" "x-ccode"="REG_SZ", "nl" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "90_145_230_242" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\F5000FCC-7382-447E-A08C-9BC17438C64E_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Free Malware Removal Tool\FMRT.exe" "DisplayName"="REG_SZ", "Free Malware Removal Tool" "DisplayVersion"="REG_SZ", "1.0.0.42197" "EstimatedSize"="REG_DWORD", 12746 "HelpLink"="REG_SZ", "http://www.freemalwareremovaltool.com/support/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Free Malware Removal Tool" "Inno Setup: Icon Group"="REG_SZ", "Free Malware Removal Tool" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.5 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20180329" "InstallLocation"="REG_SZ", "C:\Program Files\Free Malware Removal Tool\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "FreeMalwareRemovalTool.Com" "QuietUninstallString"="REG_SZ", ""C:\Program Files\Free Malware Removal Tool\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Free Malware Removal Tool\unins000.exe" /SILENT" "URLInfoAbout"="REG_SZ", "FreeMalwareRemovalTool.Com" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts] "FMRTPro (TrueType)"="REG_SZ", "FMRTPro.ttf" [HKEY_LOCAL_MACHINE\SOFTWARE\RnJlZU1hbHdhcmVSZW1vdmFsVG9vbC5jb20=\RnJlZSBNYWx3YXJlIFJlbW92YWwgVG9vbA==\ACT] "data"="REG_BINARY, ...................................................................................................................................................................................................................................................................................................................._........................................... [HKEY_CURRENT_USER\Software\FreeMalwareRemovalTool.com\Free Malware Removal Tool] "affid"="REG_SZ", "" "Installstring"="REG_SZ", "C:\Program Files\Free Malware Removal Tool" "LangCode"="REG_SZ", "en" "pxl"="REG_SZ", "fmr2265_fmr2216_fmr1180" "utm_campaign"="REG_SZ", "fmrtsite" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "fmrtsite" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "90_145_230_242" [HKEY_CURRENT_USER\Software\FreeMalwareRemovalTool.com\Free Malware Removal Tool\1.0.0.42197] Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/29/18 Scan Time: 9:05 AM Log File: 91bf3114-331f-11e8-b820-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4530 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 244704 Threats Detected: 74 Threats Quarantined: 74 Time Elapsed: 3 min, 24 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.FreeMalwareRemovalTool.TskLnk, C:\PROGRAM FILES\FREE MALWARE REMOVAL TOOL\FMRT.EXE, Quarantined, [5337], [502497],1.0.4530 Module: 8 PUP.Optional.FreeMalwareRemovalTool.TskLnk, C:\PROGRAM FILES\FREE MALWARE REMOVAL TOOL\FMRT.EXE, Quarantined, [5337], [502497],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\x64\SQLite.Interop.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\Newtonsoft.Json.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\System.Data.SQLite.DLL, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\WpfAnimatedGif.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\WPFToolkit.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\Interop.IWshRuntimeLibrary.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\Microsoft.Win32.TaskScheduler.dll, Quarantined, [966], [502494],1.0.4530 Registry Key: 16 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Free Malware Removal Tool, Quarantined, [5337], [502497],1.0.4530 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3123F391-4805-41D7-A822-84E3259DB592}, Quarantined, [5337], [502497],1.0.4530 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{3123F391-4805-41D7-A822-84E3259DB592}, Quarantined, [5337], [502497],1.0.4530 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Free Malware Removal Tool_Logon, Quarantined, [5337], [502497],1.0.4530 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{61A07691-0C36-414B-ADF0-7E68B948665B}, Quarantined, [5337], [502497],1.0.4530 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{61A07691-0C36-414B-ADF0-7E68B948665B}, Quarantined, [5337], [502497],1.0.4530 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Free Malware Removal Tool, Quarantined, [5337], [-1],0.0.0 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3123F391-4805-41D7-A822-84E3259DB592}, Quarantined, [5337], [-1],0.0.0 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3123F391-4805-41D7-A822-84E3259DB592}, Quarantined, [5337], [-1],0.0.0 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Free Malware Removal Tool_Logon, Quarantined, [5337], [-1],0.0.0 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{61A07691-0C36-414B-ADF0-7E68B948665B}, Quarantined, [5337], [-1],0.0.0 PUP.Optional.FreeMalwareRemovalTool.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{61A07691-0C36-414B-ADF0-7E68B948665B}, Quarantined, [5337], [-1],0.0.0 PUP.Optional.FreeMalwareRemovalTool, HKCU\SOFTWARE\FreeMalwareRemovalTool.com, Quarantined, [966], [502512],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, HKLM\SOFTWARE\FreeMalwareRemovalTool.com, Quarantined, [966], [502504],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\F5000FCC-7382-447E-A08C-9BC17438C64E_is1, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, HKLM\SOFTWARE\FMRT-PR, Quarantined, [966], [502501],1.0.4530 Registry Value: 2 PUP.Optional.FreeMalwareRemovalTool, HKLM\SOFTWARE\FMRT-PR|UTM_PUBID, Quarantined, [966], [502501],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\F5000FCC-7382-447E-A08C-9BC17438C64E_IS1|DISPLAYNAME, Quarantined, [966], [502509],1.0.4530 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\x64, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\x86, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\PROGRAM FILES\FREE MALWARE REMOVAL TOOL, Quarantined, [966], [502494],1.0.4530 File: 44 PUP.Optional.FreeMalwareRemovalTool, C:\USERS\PUBLIC\DESKTOP\FREE MALWARE REMOVAL TOOL.LNK, Quarantined, [966], [502496],1.0.4530 PUP.Optional.FreeMalwareRemovalTool.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Free Malware Removal Tool, Quarantined, [5337], [502497],1.0.4530 PUP.Optional.FreeMalwareRemovalTool.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Free Malware Removal Tool_Logon, Quarantined, [5337], [502497],1.0.4530 PUP.Optional.FreeMalwareRemovalTool.TskLnk, C:\PROGRAM FILES\FREE MALWARE REMOVAL TOOL\FMRT.EXE, Quarantined, [5337], [502497],1.0.4530 PUP.Optional.FreeMalwareRemovalTool.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Free Malware Removal Tool, Quarantined, [5337], [-1],0.0.0 PUP.Optional.FreeMalwareRemovalTool.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Free Malware Removal Tool_Logon, Quarantined, [5337], [-1],0.0.0 PUP.Optional.FreeMalwareRemovalTool, C:\PROGRAM FILES\FREE MALWARE REMOVAL TOOL\FMRT.EXE.CONFIG, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\x64\SQLite.Interop.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\x86\SQLite.Interop.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\7z.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\7z.exe, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\Buy Free Malware Removal Tool.lnk, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\danish_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\Dutch_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\english_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\finish_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\fmrtlog.xsl, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\French_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\Newtonsoft.Json.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\norwegian_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\portuguese_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\PresentationCore.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\russian_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\spanish_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\swedish_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\System.Data.SQLite.DLL, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\System.Windows.Controls.Input.Toolkit.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\System.Windows.Controls.Layout.Toolkit.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\TAFactory.IconPack.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\unins000.dat, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\unins000.exe, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\unins000.msg, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\upload.log, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\WpfAnimatedGif.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\WPFToolkit.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\german_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\ICSharpCode.SharpZipLib.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\Interop.IWshRuntimeLibrary.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\italian_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\japanese_iss.ini, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\langs.db, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\Microsoft.Win32.TaskScheduler.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\Microsoft.WindowsAPICodePack.dll, Quarantined, [966], [502494],1.0.4530 PUP.Optional.FreeMalwareRemovalTool, C:\Program Files\Free Malware Removal Tool\Microsoft.WindowsAPICodePack.Shell.dll, Quarantined, [966], [502494],1.0.4530 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.