Metallica

Staff
  • Content Count

    2,330
  • Joined

  • Last visited

4 Followers

About Metallica

  • Rank
    Master of PUPs
  • Birthday 05/19/1963

Profile Information

  • Location
    Netherlands

Recent Profile Visitors

165,063 profile views
  1. What is Free Streamz?

The Malwarebytes research team has determined that Free Streamz is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice.
This particular one is a search hijacker and uses a web push notifications service that is blocked by Malwarebytes for fraud.

How do I know if my computer is affected by Free Streamz?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You will see this icon in your Chrome menu bar:
and these changed settings:

How did Free Streamz get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove Free Streamz?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Free Streamz?

No, Malwarebytes removes Free Streamz completely.
If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Free Streamz hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://feed.free-streamz.com/?q={searchTerms}&publisher=free-streamz&barcodeid=547990000000000
CHR DefaultSearchKeyword: Default -> FreeStreamz
CHR DefaultSuggestURL: Default -> hxxps://suggest.free-streamz.com/suggest/get?q={searchTerms}
CHR Extension: (FreeStreamz) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme [2019-04-19]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0
   Adds the file closer.js"="8/7/2018 11:31 AM, 15 bytes, A
   Adds the file manifest.json"="4/19/2019 8:52 AM, 2318 bytes, A
   Adds the file popup.html"="2/25/2019 12:17 PM, 1154 bytes, A
   Adds the file tab.html"="8/7/2018 11:31 AM, 165 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\_metadata
   Adds the file computed_hashes.json"="4/19/2019 8:52 AM, 2561 bytes, A
   Adds the file verified_contents.json"="2/25/2019 12:17 PM, 2947 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\images
   Adds the file how-1.png"="2/25/2019 12:17 PM, 2862 bytes, A
   Adds the file how-2.png"="2/25/2019 12:17 PM, 3247 bytes, A
   Adds the file logo-small.png"="2/25/2019 12:17 PM, 1173 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\images\icons
   Adds the file 128x128.png"="4/19/2019 8:52 AM, 12951 bytes, A
   Adds the file 16x16.png"="4/19/2019 8:52 AM, 699 bytes, A
   Adds the file 64x64.png"="4/19/2019 8:52 AM, 4984 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\scripts
   Adds the file background.js"="3/25/2019 4:50 PM, 31406 bytes, A
   Adds the file jquery-3.3.1.min.js"="2/25/2019 12:17 PM, 86927 bytes, A
   Adds the file popup.js"="2/25/2019 12:17 PM, 542 bytes, A
   Adds the file sitecontent.js"="2/25/2019 12:17 PM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\styles
   Adds the file popup.css"="2/25/2019 12:17 PM, 1270 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications
   Adds the file 000003.log"="4/19/2019 8:52 AM, 10226 bytes, A
   Adds the file CURRENT"="4/19/2019 8:50 AM, 16 bytes, A
   Adds the file LOCK"="4/19/2019 8:50 AM, 0 bytes, A
   Adds the file LOG"="4/19/2019 8:50 AM, 150 bytes, A
   Adds the file MANIFEST-000001"="4/19/2019 8:50 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_jbkobccpdeopgakipgbodjmondkcaeme
   Adds the file Free Streamz.ico"="4/19/2019 8:52 AM, 207603 bytes, A
   Adds the file Free Streamz.ico.md5"="4/19/2019 8:52 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
   "jbkobccpdeopgakipgbodjmondkcaeme"="REG_SZ", "D1B9AD0E0B7110C1E4001BEA3651A180914DC60B03C7A9ED2017D4B6780690C6"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/19/19
Scan Time: 9:04 AM
Log File: 6825d998-6271-11e9-ab0b-00ffdcc6fdfc.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.10236
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236636
Threats Detected: 29
Threats Quarantined: 29
Time Elapsed: 6 min, 29 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.FreeStreamz, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jbkobccpdeopgakipgbodjmondkcaeme, Quarantined, [309], [663243],1.0.10236

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 7
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\images\icons, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\_metadata, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\scripts, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\images, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\styles, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JBKOBCCPDEOPGAKIPGBODJMONDKCAEME, Quarantined, [309], [663243],1.0.10236

File: 21
PUP.Optional.FreeStreamz, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JBKOBCCPDEOPGAKIPGBODJMONDKCAEME\1.0.1_0\MANIFEST.JSON, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\images\icons\128x128.png, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\images\icons\16x16.png, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\images\icons\64x64.png, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\images\how-1.png, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\images\how-2.png, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\images\logo-small.png, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\scripts\background.js, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\scripts\jquery-3.3.1.min.js, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\scripts\popup.js, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\scripts\sitecontent.js, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\styles\popup.css, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\_metadata\computed_hashes.json, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\_metadata\verified_contents.json, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\closer.js, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\popup.html, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme\1.0.1_0\tab.html, Quarantined, [309], [663243],1.0.10236
PUP.Optional.FreeStreamz, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [309], [655944],1.0.10236
PUP.Optional.FreeStreamz, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [309], [655944],1.0.10236

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  2. What is Songs Search?

The Malwarebytes research team has determined that Songs Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Songs Search?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You will see this icon in your Chrome menu bar:
and this changed setting:
After the install you may see an invitation to install more extensions:

How did Songs Search get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove Songs Search?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Songs Search?

No, Malwarebytes removes Songs Search completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Songs Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxp://music.searchmedia.club/search/?category=web&s=c3ds&vert=music&q={searchTerms}
CHR DefaultSearchKeyword: Default -> Songs Search
CHR DefaultSuggestURL: Default -> hxxp://sug.searchmedia.club/search/index_sg.php?q={searchTerms}
CHR Extension: (Songs Search) - C:\Users\{username}AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk [2019-04-18]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0
   Adds the file background.js"="12/30/2018 6:02 PM, 8367 bytes, A
   Adds the file manifest.json"="4/18/2019 10:29 AM, 2132 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\_metadata
   Adds the file computed_hashes.json"="4/18/2019 10:29 AM, 3901 bytes, A
   Adds the file verified_contents.json"="12/30/2018 6:00 PM, 3016 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\browser_action
   Adds the file browser_action.html"="8/13/2018 9:32 AM, 2239 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\browser_action\js
   Adds the file main.js"="9/3/2018 2:29 PM, 366 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\icons
   Adds the file icon128.png"="4/18/2019 10:29 AM, 6348 bytes, A
   Adds the file icon16.png"="4/18/2019 10:29 AM, 582 bytes, A
   Adds the file icon38.png"="4/18/2019 10:29 AM, 1716 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\images
   Adds the file icon128.png"="9/5/2018 12:23 PM, 5764 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\images\rateshare
   Adds the file close.png"="1/1/2018 3:27 PM, 1920 bytes, A
   Adds the file rate.jpg"="1/1/2018 3:27 PM, 102155 bytes, A
   Adds the file rate1.png"="1/1/2018 3:27 PM, 12334 bytes, A
   Adds the file share.jpg"="1/1/2018 3:27 PM, 17633 bytes, A
   Adds the file share1.png"="1/1/2018 3:27 PM, 4466 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\js
   Adds the file rate.js"="12/30/2018 6:20 PM, 3769 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\js\jquery
   Adds the file jquery.min.js"="8/12/2018 8:26 AM, 83100 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
   "odbpkaabhhakgicnkmiiknenibnnefdk"="REG_SZ", "491D7F95A029DB8C0CEC1510FE22F3A32588D4285BA179DE7F4A263179AEA667"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/18/19
Scan Time: 10:37 AM
Log File: 2eaed316-61b5-11e9-a770-00ffdcc6fdfc.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.10220
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236649
Threats Detected: 32
Threats Quarantined: 32
Time Elapsed: 5 min, 18 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.GetMedia, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|odbpkaabhhakgicnkmiiknenibnnefdk, Quarantined, [415], [670449],1.0.10220

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 10
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\browser_action\js, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\images\rateshare, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\browser_action, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\js\jquery, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\_metadata, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\images, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\icons, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\js, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ODBPKAABHHAKGICNKMIIKNENIBNNEFDK, Quarantined, [415], [670449],1.0.10220

File: 21
PUP.Optional.GetMedia, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ODBPKAABHHAKGICNKMIIKNENIBNNEFDK\1.0.1_0\MANIFEST.JSON, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\browser_action\js\main.js, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\browser_action\browser_action.html, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\icons\icon128.png, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\icons\icon16.png, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\icons\icon38.png, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\images\rateshare\close.png, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\images\rateshare\rate.jpg, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\images\rateshare\rate1.png, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\images\rateshare\share.jpg, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\images\rateshare\share1.png, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\images\icon128.png, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\js\jquery\jquery.min.js, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\js\rate.js, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\_metadata\computed_hashes.json, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\_metadata\verified_contents.json, Quarantined, [415], [670449],1.0.10220
PUP.Optional.GetMedia, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk\1.0.1_0\background.js, Quarantined, [415], [670449],1.0.10220
PUP.Optional.SearchMedia, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [363], [670447],1.0.10220
PUP.Optional.SearchMedia, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [363], [670447],1.0.10220

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  3. What is MatchPop?

The Malwarebytes research team has determined that MatchPop is a cryptocurrency miner. These miners are designed to earn cryptocurrency by using system resources.

How do I know if my computer is affected by MatchPop?

You may see an active process called matchpop.exe
and you may have seen this warning during install:
Users of affected systems may see this entry in their list of installed Programs and Features:

How did MatchPop get on my computer?

Miners use different methods for distributing themselves. This particular one was installed by a bundler.

How do I remove MatchPop?

Our program Malwarebytes can detect and remove this miner.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of MatchPop?

No, Malwarebytes removes MatchPop completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this miner.
As you can see below the full version of Malwarebytes would have protected you against the MatchPop miner. It would have warned you before the miner could install itself, giving you a chance to stop it before it became too late.
and we block the domain that hosts the coin-miner:

Technical details for experts

Possible signs in FRST logs:
(build Inc -> ) C:\Users\{username}\AppData\Roaming\matchpop\common\bin\matchpop.exe
HKCU\...\Run: [MPgrd] => C:\Users\{username}\AppData\Roaming\MatchPop\common\bin\MatchPop.exe [521848 2019-04-12] (build Inc -> )
C:\Users\{username}\AppData\Roaming\matchpop
C:\Users\{username}\Desktop\mango.exe
MiBigData solution matchpop Report Platform (HKLM-x32\...\MatchPop) (Version: 7.0.1.8 - JK TheJMedia Corporation)

Changes made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Roaming\matchpop\common\bin
   Adds the file matchpop.exe"="4/12/2019 4:00 AM, 521848 bytes, A
   Adds the file MP_kwd.dat"="2/18/2019 2:53 AM, 337 bytes, A
   Adds the file MP_nsminfo.dat"="9/3/2018 11:43 AM, 1873 bytes, A
   Adds the file MP_ominfo.dat"="9/3/2018 11:43 AM, 2008 bytes, A
   Adds the file MP_recog.dat"="2/18/2019 2:53 AM, 299 bytes, A
   Adds the file MP_sku.dat"="2/18/2019 2:53 AM, 507 bytes, A
   Adds the file mpsch.exe"="4/12/2019 4:00 AM, 364152 bytes, A
   Adds the file rmmatchpop.exe"="4/12/2019 4:00 AM, 409720 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MatchPop]
   "DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Roaming\MatchPop\common\bin\RmMatchPop.exe"
   "DisplayName"="REG_SZ", "MiBigData solution matchpop Report Platform "
   "DisplayVersion"="REG_SZ", "7.0.1.8"
   "EstimatedSize"="REG_DWORD", 1097
   "Publisher"="REG_SZ", "JK TheJMedia Corporation"
   "UninstallString"="REG_SZ", "C:\Users\{username}\AppData\Roaming\MatchPop\common\bin\RmMatchPop.exe"
[HKEY_CURRENT_USER\Software\MatchPop]
   "appver"="REG_SZ", "1001"
   "appverchk"="REG_DWORD", 7
   "df_ver"="REG_SZ", "2013052903"
   "pi"="REG_SZ", "mango"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
   "MPgrd"="REG_SZ", "C:\Users\{username}\AppData\Roaming\MatchPop\common\bin\MatchPop.exe"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/17/19
Scan Time: 10:57 AM
Log File: de77f358-60ee-11e9-a03a-00ffdcc6fdfc.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.10204
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236525
Threats Detected: 17
Threats Quarantined: 17
Time Elapsed: 7 min, 1 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
PUP.Optional.MatchPop, C:\USERS\{username}\APPDATA\ROAMING\MATCHPOP\COMMON\BIN\MATCHPOP.EXE, Quarantined, [1270], [669004],1.0.10204

Module: 1
PUP.Optional.MatchPop, C:\USERS\{username}\APPDATA\ROAMING\MATCHPOP\COMMON\BIN\MATCHPOP.EXE, Quarantined, [1270], [669004],1.0.10204

Registry Key: 2
PUP.Optional.MatchPop, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MatchPop, Quarantined, [1270], [669003],1.0.10204
PUP.Optional.MatchPop, HKCU\SOFTWARE\MatchPop, Quarantined, [1270], [669002],1.0.10204

Registry Value: 1
PUP.Optional.MatchPop, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MPGRD, Quarantined, [1270], [669004],1.0.10204

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 3
PUP.Optional.MatchPop, C:\Users\{username}\AppData\Roaming\matchpop\common\bin, Quarantined, [1270], [669001],1.0.10204
PUP.Optional.MatchPop, C:\Users\{username}\AppData\Roaming\matchpop\common, Quarantined, [1270], [669001],1.0.10204
PUP.Optional.MatchPop, C:\USERS\{username}\APPDATA\ROAMING\MATCHPOP, Quarantined, [1270], [669001],1.0.10204

File: 9
PUP.Optional.MatchPop, C:\USERS\{username}\APPDATA\ROAMING\MATCHPOP\COMMON\BIN\MATCHPOP.EXE, Quarantined, [1270], [669004],1.0.10204
PUP.Optional.MatchPop, C:\Users\{username}\AppData\Roaming\matchpop\common\bin\mpsch.exe, Quarantined, [1270], [669001],1.0.10204
PUP.Optional.MatchPop, C:\Users\{username}\AppData\Roaming\matchpop\common\bin\MP_kwd.dat, Quarantined, [1270], [669001],1.0.10204
PUP.Optional.MatchPop, C:\Users\{username}\AppData\Roaming\matchpop\common\bin\MP_nsminfo.dat, Quarantined, [1270], [669001],1.0.10204
PUP.Optional.MatchPop, C:\Users\{username}\AppData\Roaming\matchpop\common\bin\MP_ominfo.dat, Quarantined, [1270], [669001],1.0.10204
PUP.Optional.MatchPop, C:\Users\{username}\AppData\Roaming\matchpop\common\bin\MP_recog.dat, Quarantined, [1270], [669001],1.0.10204
PUP.Optional.MatchPop, C:\Users\{username}\AppData\Roaming\matchpop\common\bin\MP_sku.dat, Quarantined, [1270], [669001],1.0.10204
PUP.Optional.MatchPop, C:\Users\{username}\AppData\Roaming\matchpop\common\bin\rmmatchpop.exe, Quarantined, [1270], [669001],1.0.10204
PUP.Optional.MatchPop, C:\USERS\{username}\DESKTOP\MANGO.EXE, Quarantined, [1270], [669000],1.0.10204

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
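The "Possible signs in FRST logs" sections of the three posts above share a pattern an analyst can automate: a Chrome default-search or suggest URL pointing at an unfamiliar host (Free Streamz, Songs Search), a Chrome extension directory whose 32-character ID is already known as a PUP, and an HKCU Run value that launches a binary from the user's roaming profile (MatchPop). The Python script below is an added example written for this page; it is not code from Metallica or from Malwarebytes, and FRST itself does not ship it. It assumes FRST's line layouts exactly as quoted in the posts (`CHR DefaultSearchURL: Default -> ...`, `CHR Extension: (name) - path [date]`, `HKCU\...\Run: [name] => path [size date] (signer)`), an allowlist of search hosts and a blocklist of extension IDs that are both the analyst's own (here seeded with the two IDs from posts 1 and 2), and a sample input assembled from the posts' indicators plus one constructed benign autorun line as a control.

```python
"""Triage FRST-style indicators of the kinds shown in the posts above.

Three indicator families are handled (layouts assumed from the quoted logs):
  * CHR DefaultSearchURL / DefaultSuggestURL lines whose host is not an
    approved search provider (search-scope hijack, posts 1 and 2);
  * CHR Extension lines whose 32-character ID is on a local PUP list;
  * HKCU/HKLM ...\\Run autoruns that launch from the user profile (post 3).
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample built from the FRST indicators quoted in the posts above,
# plus one constructed benign autorun entry as a control. Raw string so the
# Windows backslashes and {placeholders} survive unchanged.
SAMPLE_FRST = r"""
CHR DefaultSearchURL: Default -> hxxps://feed.free-streamz.com/?q={searchTerms}&publisher=free-streamz&barcodeid=547990000000000
CHR DefaultSearchKeyword: Default -> FreeStreamz
CHR DefaultSuggestURL: Default -> hxxps://suggest.free-streamz.com/suggest/get?q={searchTerms}
CHR Extension: (FreeStreamz) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkobccpdeopgakipgbodjmondkcaeme [2019-04-19]
CHR DefaultSearchURL: Default -> hxxp://music.searchmedia.club/search/?category=web&s=c3ds&vert=music&q={searchTerms}
CHR Extension: (Songs Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbpkaabhhakgicnkmiiknenibnnefdk [2019-04-18]
HKCU\...\Run: [MPgrd] => C:\Users\{username}\AppData\Roaming\MatchPop\common\bin\MatchPop.exe [521848 2019-04-12] (build Inc -> )
HKLM\...\Run: [VendorTray] => C:\Program Files\Example Vendor\Tray.exe [1234567 2018-01-01] (Example Vendor Ltd -> Example Vendor Ltd)
"""

# Assumption: the analyst's own allowlist of acceptable default search hosts.
TRUSTED_SEARCH_HOSTS = frozenset({"www.google.com", "www.bing.com", "duckduckgo.com"})
# Assumption: a local blocklist of extension IDs, seeded with the two IDs from the posts.
KNOWN_PUP_EXTENSIONS = frozenset({
    "jbkobccpdeopgakipgbodjmondkcaeme",  # FreeStreamz (post 1)
    "odbpkaabhhakgicnkmiiknenibnnefdk",  # Songs Search (post 2)
})

CHR_SETTING_RE = re.compile(
    r"^CHR (DefaultSearchURL|DefaultSuggestURL|DefaultSearchKeyword): (\S+) -> (.+)$")
# Chrome extension IDs are 32 characters drawn from a-p.
CHR_EXT_RE = re.compile(
    r"^CHR Extension: \((.*?)\) - (.+?\\Extensions\\([a-p]{32}))(?: \[(\d{4}-\d{2}-\d{2})\])?$")
RUN_RE = re.compile(
    r"^(HKLM|HKCU|HKU\\[^\\]+)\\\.\.\.\\Run(?:Once)?: \[([^\]]+)\] => (.+?)"
    r"(?: \[(\d+) (\d{4}-\d{2}-\d{2})\])?(?: \((.*?)\))?$")
USER_PROFILE_RE = re.compile(r"\\AppData\\(?:Roaming|Local|LocalLow)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str       # "search_url", "extension" or "autorun"
    indicator: str  # host, extension ID or launched path
    reason: str


def refang(url: str) -> str:
    """Logs and forum posts defang URLs as hxxp(s)://; undo that for parsing only."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def triage_frst(text, trusted_hosts=TRUSTED_SEARCH_HOSTS, pup_extensions=KNOWN_PUP_EXTENSIONS):
    """Return a list of Findings for the FRST-style lines in `text`."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = CHR_SETTING_RE.match(line)
        if m:
            setting, profile, value = m.groups()
            if setting.endswith("URL"):  # keyword lines carry no host to judge
                host = (urlsplit(refang(value)).hostname or "").lower()
                if host not in trusted_hosts:
                    findings.append(Finding("search_url", host,
                                            f"{setting} of profile {profile} points at an unlisted host"))
            continue
        m = CHR_EXT_RE.match(line)
        if m:
            name, _path, ext_id, installed = m.groups()
            if ext_id in pup_extensions:
                findings.append(Finding("extension", ext_id,
                                        f"extension '{name}' installed {installed} is on the PUP list"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, path, _size, _date, signer = m.groups()
            # Heuristic: autoruns living under the user profile deserve a look;
            # the signer field is reported, not interpreted.
            if USER_PROFILE_RE.search(path):
                findings.append(Finding("autorun", path,
                                        f"{hive} Run value '{name}' launches from the user profile "
                                        f"(signer field: {signer or 'none'})"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'search_url': 3, 'extension': 2, 'autorun': 1}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage_frst(SAMPLE_FRST):
        print(f"[{f.kind}] {f.indicator}: {f.reason}")
    print(summarize(triage_frst(SAMPLE_FRST)))
```

On the sample the script reports three unlisted search hosts (feed.free-streamz.com, suggest.free-streamz.com, music.searchmedia.club), both listed extension IDs and the MPgrd autorun, while the constructed Program Files control produces nothing. The DefaultSearchKeyword lines are deliberately ignored: a keyword is a display name, so the host of the search URL is the indicator worth judging. The autorun rule is a heuristic, not a verdict; plenty of legitimate updaters also run from AppData, which is why the finding carries the signer field for the analyst rather than deciding on it.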
  4. What is Game Jungle?

The Malwarebytes research team has determined that Game Jungle is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This particular one is a search hijacker and uses a web push notifications service that is blocked by Malwarebytes for fraud.

How do I know if my computer is affected by Game Jungle?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You will see this icon in your Chrome menu-bar:
and this changed setting:

How did Game Jungle get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove Game Jungle?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Game Jungle?

No, Malwarebytes removes Game Jungle completely. If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Game Jungle hijacker. It would have blocked their notifications service, giving you a chance to stop before it became too late.

Technical details for experts

Possible signs in FRST logs:

CHR DefaultSearchURL: Default -> hxxps://feed.game-jungle.com/?q={searchTerms}&publisher=game-jungle&barcodeid=537570000000000
CHR DefaultSearchKeyword: Default -> GameJungle
CHR DefaultSuggestURL: Default -> hxxps://api.game-jungle.com/suggest/get?q={searchTerms}
CHR Extension: (GameJungle) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo [2019-04-16]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0
Adds the file closer.js"="9/13/2017 11:07 AM, 15 bytes, A
Adds the file manifest.json"="4/16/2019 8:42 AM, 2292 bytes, A
Adds the file popup.html"="1/7/2019 2:52 PM, 1151 bytes, A
Adds the file tab.html"="1/7/2019 2:52 PM, 165 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\_metadata
Adds the file computed_hashes.json"="4/16/2019 8:42 AM, 2451 bytes, A
Adds the file verified_contents.json"="1/15/2019 8:06 AM, 2832 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\images
Adds the file how-1.png"="1/7/2019 2:53 PM, 2862 bytes, A
Adds the file how-2.png"="1/7/2019 2:53 PM, 3247 bytes, A
Adds the file logo-small.png"="1/7/2019 2:53 PM, 1997 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\images\icons
Adds the file 128x128.png"="4/16/2019 8:42 AM, 4973 bytes, A
Adds the file 16x16.png"="4/16/2019 8:42 AM, 525 bytes, A
Adds the file 64x64.png"="4/16/2019 8:42 AM, 2742 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\scripts
Adds the file background.js"="1/17/2019 2:22 PM, 31607 bytes, A
Adds the file jquery-3.3.1.min.js"="3/7/2018 2:07 PM, 86927 bytes, A
Adds the file popup.js"="1/7/2019 4:43 PM, 631 bytes, A
Adds the file sitecontent.js"="9/10/2017 6:52 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications
Adds the file 000003.log"="4/16/2019 8:41 AM, 10194 bytes, A
Adds the file CURRENT"="4/16/2019 8:41 AM, 16 bytes, A
Adds the file LOCK"="4/16/2019 8:41 AM, 0 bytes, A
Adds the file LOG"="4/16/2019 8:41 AM, 150 bytes, A
Adds the file MANIFEST-000001"="4/16/2019 8:41 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ecihmmgjchcokdfbpinfokhambbbodpo
Adds the file Game Jungle.ico"="4/16/2019 8:42 AM, 178623 bytes, A
Adds the file Game Jungle.ico.md5"="4/16/2019 8:42 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"ecihmmgjchcokdfbpinfokhambbbodpo"="REG_SZ", "9464D209A345D9A84144CADE28DE1DFAFBFBF95607ACD5DCDFAFD212BD0DBFE0"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/16/19
Scan Time: 8:53 AM
Log File: 57a91576-6014-11e9-862b-00ffdcc6fdfc.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.10184
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236516
Threats Detected: 25
Threats Quarantined: 25
Time Elapsed: 8 min, 9 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.GameJungle, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ecihmmgjchcokdfbpinfokhambbbodpo, Quarantined, [2558], [646244],1.0.10184

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 6
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\images\icons, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\_metadata, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\scripts, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\images, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\ecihmmgjchcokdfbpinfokhambbbodpo, Quarantined, [2558], [646244],1.0.10184

File: 18
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\images\icons\128x128.png, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\images\icons\16x16.png, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\images\icons\64x64.png, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\images\how-1.png, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\images\how-2.png, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\images\logo-small.png, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\scripts\background.js, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\scripts\jquery-3.3.1.min.js, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\scripts\popup.js, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\scripts\sitecontent.js, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\_metadata\computed_hashes.json, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\_metadata\verified_contents.json, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\closer.js, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\manifest.json, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\popup.html, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo\2.1.0_0\tab.html, Quarantined, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2558], [646244],1.0.10184
PUP.Optional.GameJungle, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2558], [646244],1.0.10184

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
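The "Possible signs in FRST logs" lines in these guides follow a fixed shape (CHR DefaultSearchURL, CHR DefaultSuggestURL, CHR NewTab, CHR Extension), so a helper can triage them automatically. The following is an added example written for this page, not code from Malwarebytes, FRST or the extension authors: it extracts the extension ID and URL from each CHR line, refangs the hxxps:// URLs the way FRST prints them, and flags any extension ID or domain on a small watchlist. The watchlist holds the extension IDs and search domain quoted in the guides on this page; the sample log lines are constructed from the same guides, and the benign extension ID in the last sample line is a made-up placeholder.

```python
"""FRST 'CHR' line triage (added example for this page; not FRST's or
Malwarebytes' own code).

Pulls the extension ID and URL out of the CHR DefaultSearchURL /
DefaultSuggestURL / NewTab / Extension lines that these guides quote and
flags anything on a watchlist. Watchlist entries are the extension IDs and
search domain quoted in the guides on this page; the sample lines are
constructed from the same guides.
"""
import re
from urllib.parse import urlparse

# Extension IDs and the search domain quoted in the guides on this page.
WATCHLIST_EXTENSION_IDS = {
    "ecihmmgjchcokdfbpinfokhambbbodpo": "Game Jungle",
    "ipppaabbmnphdfjcnbjjbmimefomegjd": "Mega Media Start",
    "lbapdklahcjljfincdglncfpdgfhckcf": "MyScrapNook",
}
WATCHLIST_DOMAINS = {"game-jungle.com": "Game Jungle"}

# Constructed sample in the FRST format the guides quote. The last line is a
# benign extension with a made-up placeholder ID, to show a non-match.
SAMPLE_FRST_LINES = r"""
CHR DefaultSearchURL: Default -> hxxps://feed.game-jungle.com/?q={searchTerms}&publisher=game-jungle&barcodeid=537570000000000
CHR DefaultSearchKeyword: Default -> GameJungle
CHR DefaultSuggestURL: Default -> hxxps://api.game-jungle.com/suggest/get?q={searchTerms}
CHR Extension: (GameJungle) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecihmmgjchcokdfbpinfokhambbbodpo [2019-04-16]
CHR NewTab: Default -> Active:"chrome-extension://ipppaabbmnphdfjcnbjjbmimefomegjd/index.html"
CHR Extension: (Some Benign Extension) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop [2019-04-01]
"""

CHR_LINE_RE = re.compile(r"^CHR (\w+): (.*)$")
# Chrome extension IDs are 32 characters drawn from a-p.
EXT_PATH_RE = re.compile(r"\\Extensions\\([a-p]{32})\b")
EXT_URL_RE = re.compile(r"chrome-extension://([a-p]{32})/")
URL_RE = re.compile(r"hxxps?://\S+|https?://\S+")


def refang(url):
    """FRST defangs URLs as hxxp(s); turn them back into parseable URLs."""
    return re.sub(r"^hxxp", "http", url)


def parse_chr_line(line):
    """Return (setting, extension_id, url) for a 'CHR ...:' line, else None."""
    m = CHR_LINE_RE.match(line.strip())
    if not m:
        return None
    setting, rest = m.group(1), m.group(2)
    ext = EXT_PATH_RE.search(rest) or EXT_URL_RE.search(rest)
    url = URL_RE.search(rest)
    return setting, (ext.group(1) if ext else None), (refang(url.group(0)) if url else None)


def domain_family(host):
    """Map a hostname to a watchlist family by exact or parent-domain match."""
    for domain, family in WATCHLIST_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return family
    return None


def triage_frst_lines(text):
    """One finding per CHR line whose extension ID or URL host is on the watchlist."""
    findings = []
    for line in text.splitlines():
        parsed = parse_chr_line(line)
        if parsed is None:
            continue
        setting, ext_id, url = parsed
        if ext_id in WATCHLIST_EXTENSION_IDS:
            findings.append({"setting": setting, "indicator": ext_id,
                             "family": WATCHLIST_EXTENSION_IDS[ext_id]})
            continue
        host = urlparse(url).hostname if url else None
        family = domain_family(host) if host else None
        if family:
            findings.append({"setting": setting, "indicator": host, "family": family})
    return findings


if __name__ == "__main__":
    for f in triage_frst_lines(SAMPLE_FRST_LINES):
        print(f"{f['family']:17} {f['setting']:21} {f['indicator']}")
```

Run against the sample, the helper reports the search URL, suggest URL and extension line of Game Jungle and the NewTab line of Mega Media Start, and stays silent on the keyword line (no ID or URL to check) and on the placeholder extension. Parent-domain matching is what catches both feed.game-jungle.com and api.game-jungle.com from the single watchlist entry.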
  5. What is Mega Media Start?

The Malwarebytes research team has determined that Mega Media Start is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Mega Media Start?

You may see this browser extension:
these warnings during install:
You may see this icon in your browser's menu-bar:
this new startpage:
and this new setting:

How did Mega Media Start get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
as a follow-up to installing a search hijacker:

How do I remove Mega Media Start?

Our program Malwarebytes can detect and remove this potentially unwanted program.
You can use their own uninstall instructions first, but I would advise to follow the steps below anyway.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Mega Media Start?

No, Malwarebytes' Anti-Malware removes Mega Media Start completely.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Mega Media Start hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in a FRST log:

CHR NewTab: Default -> Active:"chrome-extension://ipppaabbmnphdfjcnbjjbmimefomegjd/index.html"
CHR Extension: (Mega Media Start) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd [2019-04-14]

Significant changes made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0
Adds the file index.html"="10/16/2018 4:30 AM, 103 bytes, A
Adds the file load.js"="2/20/2019 12:01 PM, 1862 bytes, A
Adds the file manifest.json"="4/14/2019 11:15 AM, 1414 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\_metadata
Adds the file computed_hashes.json"="4/14/2019 11:15 AM, 658 bytes, A
Adds the file verified_contents.json"="2/20/2019 12:01 PM, 2088 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\imgs
Adds the file icon128.png"="4/14/2019 11:15 AM, 6533 bytes, A
Adds the file icon16.png"="4/14/2019 11:15 AM, 733 bytes, A
Adds the file icon38.png"="4/1/2018 2:30 AM, 6009 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\js
Adds the file load.js"="1/22/2019 5:11 PM, 6185 bytes, A
Adds the file onInstallCallback.js"="1/2/2019 8:46 AM, 115 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"ipppaabbmnphdfjcnbjjbmimefomegjd"="REG_SZ", "049E4F3EA66EF7ED78A47E1C6B8E0B446864624CBA5116C951E102FDF09018E9"

The Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/14/19
Scan Time: 11:26 AM
Log File: 6be0e560-5e97-11e9-b7b8-00ffdcc6fdfc.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.10154
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236500
Threats Detected: 18
Threats Quarantined: 18
Time Elapsed: 6 min, 7 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.GlobalAppz.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ipppaabbmnphdfjcnbjjbmimefomegjd, Quarantined, [14693], [586066],1.0.10154

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 5
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\_metadata, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\imgs, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\js, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPPPAABBMNPHDFJCNBJJBMIMEFOMEGJD, Quarantined, [14693], [586066],1.0.10154

File: 12
PUP.Optional.GlobalAppz.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IPPPAABBMNPHDFJCNBJJBMIMEFOMEGJD\1.0.3_0\MANIFEST.JSON, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\imgs\icon128.png, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\imgs\icon16.png, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\imgs\icon38.png, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\js\load.js, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\js\onInstallCallback.js, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\_metadata\computed_hashes.json, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\_metadata\verified_contents.json, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\index.html, Quarantined, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\load.js, Quarantined, [14693], [586066],1.0.10154

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
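The Malwarebytes scan logs pasted in these guides all share one layout: "-Section-" headers, "Key: value" lines, and a "-Scan Details-" part that lists each category with its declared count followed by one line per item in the form "detection, target, action, [id], [id],database". The following is an added example written for this page (not Malwarebytes' own tooling) that parses that layout, cross-checks the category counts against "Threats Detected", and tallies actions per detection name, which makes the "Replaced" entries for Chrome's Preferences and Secure Preferences files stand out from the plain quarantines. The sample log is a constructed, abridged version of the log above, with a placeholder log-file name.

```python
"""Parser for the Malwarebytes 3.x scan-log text quoted in these guides (added
example for this page; not Malwarebytes' own tooling).

Reads the '-Section-' headers, the 'Key: value' lines and the '-Scan Details-'
categories, checks that the category counts add up to 'Threats Detected', and
tallies actions per detection name. SAMPLE_LOG is a constructed, abridged
version of the logs on this page with a placeholder log-file name.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/14/19
Scan Time: 11:26 AM
Log File: {log-file-placeholder}.json

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236500
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 6 min, 7 sec

-Scan Details-
Process: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.GlobalAppz.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ipppaabbmnphdfjcnbjjbmimefomegjd, Quarantined, [14693], [586066],1.0.10154

Folder: 1
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0, Quarantined, [14693], [586066],1.0.10154

File: 2
PUP.Optional.GlobalAppz.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14693], [586066],1.0.10154
PUP.Optional.GlobalAppz.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipppaabbmnphdfjcnbjjbmimefomegjd\1.0.3_0\manifest.json, Quarantined, [14693], [586066],1.0.10154

Physical Sector: 0
(No malicious items detected)

(end)
"""

SECTION_RE = re.compile(r"^-([A-Za-z ]+)-$")
CATEGORY_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
# detection, target, action, [id], [id],database-version
ENTRY_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<target>.+), (?P<action>[A-Za-z ]+), "
    r"\[(?P<id1>\d+)\], \[(?P<id2>\d+)\],(?P<db>[\d.]+)$"
)


def parse_mb_log(text):
    """Return (sections, details): section -> {key: value}, and
    category -> {'count': declared count, 'entries': [parsed item lines]}."""
    sections, details = {}, {}
    section = category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, category = m.group(1), None
            sections[section] = {}
            continue
        if section == "Scan Details":
            m = CATEGORY_RE.match(line)
            if m:
                category = m.group(1)
                details[category] = {"count": int(m.group(2)), "entries": []}
            elif category is not None:
                e = ENTRY_RE.match(line)  # '(No malicious items detected)' does not match
                if e:
                    details[category]["entries"].append(e.groupdict())
            continue
        if section is not None and ": " in line:
            key, value = line.split(": ", 1)
            sections[section][key] = value
    return sections, details


def check_counts(sections, details):
    """Cross-check the summary total against the per-category counts and the
    number of item lines actually parsed; a mismatch means a truncated or
    hand-edited log."""
    declared = int(sections.get("Scan Summary", {}).get("Threats Detected", "0"))
    category_total = sum(d["count"] for d in details.values())
    parsed_total = sum(len(d["entries"]) for d in details.values())
    return {"declared": declared, "category_total": category_total,
            "parsed_total": parsed_total,
            "consistent": declared == category_total == parsed_total}


def actions_by_detection(details):
    """Tally (detection name, action) pairs so 'Replaced' items (Chrome's
    Preferences files are rewritten, not quarantined) stand out."""
    tally = Counter()
    for d in details.values():
        for e in d["entries"]:
            tally[(e["name"], e["action"])] += 1
    return tally


if __name__ == "__main__":
    secs, dets = parse_mb_log(SAMPLE_LOG)
    print(check_counts(secs, dets))
    for (name, action), n in sorted(actions_by_detection(dets).items()):
        print(f"{n:3} {action:12} {name}")
```

The consistency check is the useful part when a log is pasted into a forum post: on the full logs above the declared totals (17, 25, 18, 49) equal the sum of the category counts, whereas a log cut off mid-list, like the one at the end of the next post, would show fewer parsed entries than declared.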
  6. What is MyScrapNook?

The Malwarebytes research team has determined that MyScrapNook is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
MyScrapNook is a member of the Mindspark/Ask family now known as IAC Applications.

How do I know if my computer is affected by MyScrapNook?

You may see this Chrome extension:
these warnings during install:
You may see this new setting:
this icon in the Chrome menu-bar:
and this new startpage in the affected browser(s):

How did MyScrapNook get on my computer?

Browser hijackers use different methods for distributing themselves. This particular Chrome extension was downloaded from the webstore:
and promoted by their website:

How do I remove MyScrapNook?

Our program Malwarebytes can detect and remove this potentially unwanted program.
You can use their own uninstall instructions first, but I would advise to follow the steps below anyway.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of MyScrapNook?

No, Malwarebytes' Anti-Malware removes MyScrapNook completely.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the MyScrapNook hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in a FRST log:

CHR NewTab: Default -> Active:"chrome-extension://lbapdklahcjljfincdglncfpdgfhckcf/newtabproduct.html"
CHR Extension: (MyScrapNook) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf [2019-04-12]

Significant changes made by the installers:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0
Adds the file manifest.json"="4/12/2019 8:50 AM, 2561 bytes, A
Adds the file newtabproduct.html"="4/7/2018 1:28 AM, 1136 bytes, A
Adds the file stubby.html"="4/7/2018 1:28 AM, 1137 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\_metadata
Adds the file computed_hashes.json"="4/12/2019 8:50 AM, 4096 bytes, A
Adds the file verified_contents.json"="4/7/2018 1:28 AM, 4877 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\config
Adds the file config.json"="4/7/2018 1:28 AM, 1726 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\icons
Adds the file icon128.png"="4/12/2019 8:50 AM, 6200 bytes, A
Adds the file icon16.png"="4/7/2018 1:28 AM, 1454 bytes, A
Adds the file icon19disabled.png"="4/7/2018 1:28 AM, 1421 bytes, A
Adds the file icon19on.png"="4/12/2019 8:50 AM, 590 bytes, A
Adds the file icon48.png"="4/12/2019 8:50 AM, 2314 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js
Adds the file ajax.js"="4/7/2018 1:28 AM, 2250 bytes, A
Adds the file background.js"="4/7/2018 1:28 AM, 21002 bytes, A
Adds the file chrome.js"="4/7/2018 1:28 AM, 180 bytes, A
Adds the file content_script.js"="4/7/2018 1:28 AM, 5815 bytes, A
Adds the file dlp.js"="4/7/2018 1:28 AM, 5690 bytes, A
Adds the file dlpHelper.js"="4/7/2018 1:28 AM, 1836 bytes, A
Adds the file extension_detect.js"="4/7/2018 1:28 AM, 4343 bytes, A
Adds the file genericLoadRemoteSettings.js"="4/7/2018 1:28 AM, 2908 bytes, A
Adds the file index.js"="4/7/2018 1:28 AM, 82 bytes, A
Adds the file initOfferCEF.js"="4/7/2018 1:28 AM, 8842 bytes, A
Adds the file logger.js"="4/7/2018 1:28 AM, 575 bytes, A
Adds the file offerService.js"="4/7/2018 1:28 AM, 13159 bytes, A
Adds the file pageUtils.js"="4/7/2018 1:28 AM, 1811 bytes, A
Adds the file PartnerId.js"="4/7/2018 1:28 AM, 16439 bytes, A
Adds the file product.js"="4/7/2018 1:28 AM, 4511 bytes, A
Adds the file storage.js"="4/7/2018 1:28 AM, 1675 bytes, A
Adds the file TabManager.js"="4/7/2018 1:28 AM, 189 bytes, A
Adds the file TemplateParser.js"="4/7/2018 1:28 AM, 3080 bytes, A
Adds the file ul.js"="4/7/2018 1:28 AM, 3862 bytes, A
Adds the file urlFragmentActions.js"="4/7/2018 1:28 AM, 2521 bytes, A
Adds the file urlUtils.js"="4/7/2018 1:28 AM, 5385 bytes, A
Adds the file util.js"="4/7/2018 1:28 AM, 3235 bytes, A
Adds the file webtooltabAPI.js"="4/7/2018 1:28 AM, 8762 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lbapdklahcjljfincdglncfpdgfhckcf
Adds the file 000003.log"="4/12/2019 8:50 AM, 1890 bytes, A
Adds the file CURRENT"="4/12/2019 8:50 AM, 16 bytes, A
Adds the file LOCK"="4/12/2019 8:50 AM, 0 bytes, A
Adds the file LOG"="4/12/2019 8:50 AM, 185 bytes, A
Adds the file MANIFEST-000001"="4/12/2019 8:50 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"lbapdklahcjljfincdglncfpdgfhckcf"="REG_SZ", "53DC83B630939F2085C966B420DFAD81ED442879EAABB4B2C4B884DDEA78722B"

The Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/12/19
Scan Time: 9:06 AM
Log File: 8d27f544-5cf1-11e9-a71a-00ffdcc6fdfc.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.10122
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236621
Threats Detected: 49
Threats Quarantined: 49
Time Elapsed: 6 min, 47 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|lbapdklahcjljfincdglncfpdgfhckcf, Quarantined, [1742], [456843],1.0.10122

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 7
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\lbapdklahcjljfincdglncfpdgfhckcf, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\_metadata, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\config, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\icons, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LBAPDKLAHCJLJFINCDGLNCFPDGFHCKCF, Quarantined, [1742], [456843],1.0.10122

File: 41
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lbapdklahcjljfincdglncfpdgfhckcf\000003.log, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lbapdklahcjljfincdglncfpdgfhckcf\CURRENT, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lbapdklahcjljfincdglncfpdgfhckcf\LOCK, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lbapdklahcjljfincdglncfpdgfhckcf\LOG, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lbapdklahcjljfincdglncfpdgfhckcf\MANIFEST-000001, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LBAPDKLAHCJLJFINCDGLNCFPDGFHCKCF\13.611.13.2785_0\MANIFEST.JSON, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\config\config.json, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\icons\icon128.png, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\icons\icon16.png, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\icons\icon19disabled.png, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\icons\icon19on.png, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\icons\icon48.png, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\ajax.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\background.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\chrome.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\content_script.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\dlp.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\dlpHelper.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\extension_detect.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\genericLoadRemoteSettings.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\index.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\initOfferCEF.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\logger.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\offerService.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\pageUtils.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\PartnerId.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\product.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\storage.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\TabManager.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\TemplateParser.js, Quarantined, [1742], [456843],1.0.10122
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User
Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\ul.js, Quarantined, [1742], [456843],1.0.10122 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\urlFragmentActions.js, Quarantined, [1742], [456843],1.0.10122 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\urlUtils.js, Quarantined, [1742], [456843],1.0.10122 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\util.js, Quarantined, [1742], [456843],1.0.10122 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\js\webtooltabAPI.js, Quarantined, [1742], [456843],1.0.10122 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\_metadata\computed_hashes.json, Quarantined, [1742], [456843],1.0.10122 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\_metadata\verified_contents.json, Quarantined, [1742], [456843],1.0.10122 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\newtabproduct.html, Quarantined, [1742], [456843],1.0.10122 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbapdklahcjljfincdglncfpdgfhckcf\13.611.13.2785_0\stubby.html, Quarantined, [1742], [456843],1.0.10122 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned 
before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is Multy App?
The Malwarebytes research team has determined that Multy App is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
How do I know if my computer is affected by Multy App?
You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You will see this changed setting:
How did Multy App get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:
How do I remove Multy App?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Multy App?
No, Malwarebytes removes Multy App completely.
How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Multy App hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts
Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://searchmulty.com/results.php?pub=2233&v=400&q={searchTerms}
CHR DefaultSearchKeyword: Default -> Multy
CHR DefaultSuggestURL: Default -> hxxps://searchmulty.com/gjson.php?q={searchTerms}
CHR Extension: (Multy) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic [2019-04-11]
Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0
   Adds the file background.js"="4/5/2019 1:16 PM, 4758 bytes, A
   Adds the file index.html"="7/26/2018 11:16 AM, 12982 bytes, A
   Adds the file manifest.json"="4/11/2019 8:22 AM, 1817 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\_metadata
   Adds the file computed_hashes.json"="4/11/2019 8:22 AM, 2975 bytes, A
   Adds the file verified_contents.json"="4/5/2019 1:22 PM, 2293 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\c
   Adds the file s.css"="7/26/2018 11:18 AM, 17980 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\icons
   Adds the file button.png"="4/11/2019 8:22 AM, 941 bytes, A
   Adds the file icon128.png"="4/11/2019 8:22 AM, 16644 bytes, A
   Adds the file icon48.png"="4/11/2019 8:22 AM, 253 bytes, A
   Adds the file icon64.png"="4/11/2019 8:22 AM, 5713 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\s
   Adds the file jquery.js"="8/2/2016 4:07 PM, 97166 bytes, A
   Adds the file s.js"="3/8/2019 1:56 PM, 61670 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bjbojaompnnjfoooanphgjogjaoenhic
   Adds the file Multy App.ico"="4/11/2019 8:22 AM, 229503 bytes, A
   Adds the file Multy App.ico.md5"="4/11/2019 8:22 AM, 16 bytes, A
Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"bjbojaompnnjfoooanphgjogjaoenhic"="REG_SZ", "25703A3685FBA33B0A0ABDADBA81345C6D893C2CAA6E8D8F39CCF212EEF7595B"
Malwarebytes log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 4/11/19
Scan Time: 8:29 AM
Log File: 2e60316c-5c23-11e9-bead-00ffdcc6fdfc.json
-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.10100
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236515
Threats Detected: 26
Threats Quarantined: 26
Time Elapsed: 4 min, 43 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 1
PUP.Optional.SearchMulty.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bjbojaompnnjfoooanphgjogjaoenhic, Quarantined, [14732], [605550],1.0.10100
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 7
PUP.Optional.MultyApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\WEB APPLICATIONS\_crx_bjbojaompnnjfoooanphgjogjaoenhic, Quarantined, [4929], [660322],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\_metadata, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\icons, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\c, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\s, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BJBOJAOMPNNJFOOOANPHGJOGJAOENHIC, Quarantined, [14732], [605550],1.0.10100
File: 18
PUP.Optional.MultyApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\WEB APPLICATIONS\_crx_bjbojaompnnjfoooanphgjogjaoenhic\Multy App.ico, Quarantined, [4929], [660322],1.0.10100
PUP.Optional.MultyApp, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bjbojaompnnjfoooanphgjogjaoenhic\Multy App.ico.md5, Quarantined, [4929], [660322],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BJBOJAOMPNNJFOOOANPHGJOGJAOENHIC\1.2_0\MANIFEST.JSON, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\c\s.css, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\icons\button.png, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\icons\icon128.png, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\icons\icon48.png, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\icons\icon64.png, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\s\jquery.js, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\s\s.js, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\_metadata\computed_hashes.json, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\_metadata\verified_contents.json, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\background.js, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjbojaompnnjfoooanphgjogjaoenhic\1.2_0\index.html, Quarantined, [14732], [605550],1.0.10100
PUP.Optional.SearchMulty, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [362], [557473],1.0.10100
PUP.Optional.SearchMulty, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [362], [557473],1.0.10100
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
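Both the Free Streamz and the Multy App posts above show the same two traces in the Chrome profile: a rewritten default search provider (the CHR DefaultSearchURL / DefaultSearchKeyword lines in the FRST log) and an extension entry whose ID is known to belong to a PUP. The script below is an added example for checking a profile for those traces offline; it is not Malwarebytes or FRST code. It reads Chrome's Preferences and Secure Preferences JSON files (the search provider and the extensions.settings map normally live in Secure Preferences, which is why the Malwarebytes log shows that file as Replaced), flags a default search URL whose host is not on an allow-list, and lists extensions that are either on a block-list or declare chrome_settings_overrides.search_provider in their manifest. The two extension IDs come from the logs on this page; the allow-list of trusted search hosts, the helper names and the embedded sample profile are assumptions constructed for the example.

```python
import json
import os
from urllib.parse import urlsplit

# Extension IDs and product names taken from the FRST/Malwarebytes logs in these posts.
KNOWN_PUP_EXTENSIONS = {
    "bjbojaompnnjfoooanphgjogjaoenhic": "Multy App",
    "lbapdklahcjljfincdglncfpdgfhckcf": "Free Streamz (MindSpark)",
}
# Search engines the profile owner actually chose; an assumption for this example.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def _merge(base: dict, extra: dict) -> dict:
    """Deep-merge two preference trees; keys in `extra` win on conflict."""
    out = dict(base)
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = _merge(out[key], value)
        else:
            out[key] = value
    return out


def load_profile(profile_dir: str) -> dict:
    """Read Preferences and Secure Preferences from a Chrome profile directory
    (e.g. ...\\Google\\Chrome\\User Data\\Default) and merge them into one tree."""
    merged: dict = {}
    for name in ("Preferences", "Secure Preferences"):
        path = os.path.join(profile_dir, name)
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                merged = _merge(merged, json.load(fh))
    return merged


def hijacked_search_provider(prefs: dict):
    """Return (keyword, url) when the default search URL points at a host that is
    not on the allow-list; None when Chrome's built-in default or a trusted host is used."""
    data = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    url = data.get("url", "")
    if not url:
        return None  # nothing overrode Chrome's built-in default
    host = urlsplit(url).netloc.lower()
    if host in TRUSTED_SEARCH_HOSTS:
        return None
    return data.get("keyword", ""), url


def suspicious_extensions(prefs: dict):
    """Return (id, name, reason) for every extension that is on the block-list or
    whose manifest declares a search-provider override."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "<no manifest>")
        if ext_id in KNOWN_PUP_EXTENSIONS:
            findings.append((ext_id, name, "known PUP: " + KNOWN_PUP_EXTENSIONS[ext_id]))
        elif "search_provider" in manifest.get("chrome_settings_overrides", {}):
            findings.append((ext_id, name, "declares chrome_settings_overrides.search_provider"))
    return findings


# Constructed sample mirroring the Multy App FRST lines above; not a real profile dump.
# The second entry is the Chrome Web Store Payments component extension, used as a benign control.
SAMPLE_PREFS = {
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "Multy",
            "short_name": "Multy",
            "url": "https://searchmulty.com/results.php?pub=2233&v=400&q={searchTerms}",
            "suggestions_url": "https://searchmulty.com/gjson.php?q={searchTerms}",
        }
    },
    "extensions": {
        "settings": {
            "bjbojaompnnjfoooanphgjogjaoenhic": {
                "from_webstore": True,
                "manifest": {
                    "name": "Multy",
                    "version": "1.2",
                    "chrome_settings_overrides": {"search_provider": {"keyword": "Multy"}},
                },
            },
            "nmmhkkegccagdldgiimedpiccmgmieda": {
                "from_webstore": True,
                "manifest": {"name": "Chrome Web Store Payments", "version": "1.0.0.5"},
            },
        }
    },
}

if __name__ == "__main__":
    import sys
    # Pass a profile directory to scan a real profile; otherwise the embedded sample is used.
    prefs = load_profile(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    print("default search provider:", hijacked_search_provider(prefs) or "ok")
    for ext_id, name, reason in suspicious_extensions(prefs):
        print("extension:", ext_id, name, "-", reason)
```

Run it against a copy of the profile rather than the live one (Chrome holds the files open while running), and treat the PreferenceMACs registry key in the FRST excerpt as the reason a hand-edit of Secure Preferences is not enough: Chrome validates those HMACs on start-up and resets the tracked value when they do not match, which is why a removal tool replaces the file and the MAC together.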
  8. What is Qbit Clean Pro?
The Malwarebytes research team has determined that Qbit Clean Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Labs blog.
How do I know if I am infected with Qbit Clean Pro?
This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar, your startmenu, and on your desktop:
and see these warnings during install:
and these screens during "operations":
You may see this entry in your list of installed programs:
and this task in your list of Scheduled Tasks:
How did Qbit Clean Pro get on my computer?
These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:
How do I remove Qbit Clean Pro?
Our program Malwarebytes can detect and remove this potentially unwanted application.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Qbit Clean Pro?
No, Malwarebytes removes Qbit Clean Pro completely.
This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.
How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below the full version of Malwarebytes would have protected you against the Qbit Clean Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
and we block access to their domain:
Technical details for experts
You may see these entries in FRST logs:
(ADEQUATE SOFTWARES -> ) C:\Program Files\Qbit Clean Pro for {computername}\rtc.exe
C:\Windows\System32\Tasks\Qbit Clean Pro_Logon
C:\Users\{username}\AppData\Roaming\Qbit Clean Pro For {computername}
C:\ProgramData\Qbit Clean Pro for {computername}
C:\Users\Public\Desktop\Qbit Clean Pro.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Qbit Clean Pro for {computername}
C:\Program Files\Qbit Clean Pro for {computername}
Qbit Clean Pro (HKLM\...\{D9FB05BA-016B-4400-8EB1-660016062BF7}_is1) (Version: 1.0.0.0 - )
Task: {AAC31745-030D-4546-B7A6-1F396CD73B84} - System32\Tasks\Qbit Clean Pro_Logon => C:\Program Files\Qbit Clean Pro for {computername}\rtc.exe (ADEQUATE SOFTWARES -> )
Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\Qbit Clean Pro for {computername}
   Adds the file application.ico"="2/21/2019 2:11 PM, 56150 bytes, A
   Adds the file danish_iss.ini"="5/16/2018 11:25 AM, 2402 bytes, A
   Adds the file Dutch_iss.ini"="5/16/2018 11:25 AM, 2600 bytes, A
   Adds the file english_iss.ini"="5/16/2018 11:25 AM, 2256 bytes, A
   Adds the file finish_iss.ini"="5/16/2018 11:25 AM, 2368 bytes, A
   Adds the file French_iss.ini"="5/16/2018 11:25 AM, 2792 bytes, A
   Adds the file german_iss.ini"="5/16/2018 11:25 AM, 2658 bytes, A
   Adds the file gmtrs.dll"="3/15/2019 1:42 PM, 1958448 bytes, A
   Adds the file HtmlRenderer.dll"="3/15/2019 1:42 PM, 235568 bytes, A
   Adds the file HtmlRenderer.WinForms.dll"="3/15/2019 1:42 PM, 74288 bytes, A
   Adds the file Interop.IWshRuntimeLibrary.dll"="3/15/2019 1:42 PM, 63024 bytes, A
   Adds the file Interop.SHDocVw.dll"="3/15/2019 1:42 PM, 177712 bytes, A
   Adds the file italian_iss.ini"="5/16/2018 11:25 AM, 2532 bytes, A
   Adds the file japanese_iss.ini"="5/16/2018 11:25 AM, 1844 bytes, A
   Adds the file langs.db"="11/10/2018 3:17 PM, 477184 bytes, A
   Adds the file Microsoft.Win32.TaskScheduler.dll"="3/15/2019 1:42 PM, 184880 bytes, A
   Adds the file NAudio.dll"="3/15/2019 1:42 PM, 484912 bytes, A
   Adds the file Newtonsoft.Json.dll"="3/15/2019 1:42 PM, 474672 bytes, A
   Adds the file norwegian_iss.ini"="5/16/2018 11:25 AM, 2358 bytes, A
   Adds the file PaddleCheckoutSDK.dll"="3/15/2019 1:42 PM, 72752 bytes, A
   Adds the file portuguese_iss.ini"="5/16/2018 11:25 AM, 2424 bytes, A
   Adds the file rtc.exe"="3/15/2019 1:41 PM, 2434096 bytes, A
   Adds the file rtc.exe.config"="3/15/2019 1:41 PM, 6355 bytes, A
   Adds the file russian_iss.ini"="5/16/2018 11:25 AM, 2494 bytes, A
   Adds the file spanish_iss.ini"="5/16/2018 11:25 AM, 2548 bytes, A
   Adds the file swedish_iss.ini"="5/16/2018 11:25 AM, 2270 bytes, A
   Adds the file System.Data.SQLite.DLL"="3/15/2019 1:42 PM, 304688 bytes, A
   Adds the file TAFactory.IconPack.dll"="3/15/2019 1:42 PM, 50736 bytes, A
   Adds the file unins000.dat"="4/10/2019 11:06 AM, 84947 bytes, A
   Adds the file unins000.exe"="4/10/2019 11:06 AM, 1242672 bytes, A
   Adds the file unins000.msg"="4/10/2019 11:06 AM, 22701 bytes, A
Adds the folder C:\Program Files\Qbit Clean Pro for {computername}\x64
   Adds the file SQLite.Interop.dll"="3/15/2019 1:41 PM, 1189424 bytes, A
Adds the folder C:\Program Files\Qbit Clean Pro for {computername}\x86
   Adds the file SQLite.Interop.dll"="3/15/2019 1:41 PM, 868400 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Qbit Clean Pro for {computername}
   Adds the file Buy Qbit Clean Pro.lnk"="4/10/2019 11:06 AM, 972 bytes, A
   Adds the file Qbit Clean Pro.lnk"="4/10/2019 11:06 AM, 960 bytes, A
   Adds the file Uninstall Qbit Clean Pro.lnk"="4/10/2019 11:06 AM, 991 bytes, A
Adds the folder C:\ProgramData\Qbit Clean Pro for {computername}
   Adds the file mdb.db"="10/26/2018 10:37 AM, 6643712 bytes, A
   Adds the file pcspstartrepair_en.mp3"="5/16/2018 11:25 AM, 130973 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Qbit Clean Pro For {computername}
   Adds the file Errorlog.txt"="4/10/2019 11:09 AM, 29964 bytes, A
   Adds the file exlist.bin"="4/10/2019 11:07 AM, 258011 bytes, A
   Adds the file notifier.xml"="4/10/2019 11:07 AM, 12978 bytes, A
   Adds the file param.ini"="4/10/2019 11:06 AM, 958 bytes, A
   Adds the file res.xml"="4/10/2019 11:09 AM, 24722 bytes, A
   Adds the file update.xml"="4/10/2019 11:07 AM, 35994 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Qbit Clean Pro For {computername}\smico
In the existing folder C:\Users\Public\Desktop
   Adds the file Qbit Clean Pro.lnk"="4/10/2019 11:06 AM, 942 bytes, A
In the existing folder C:\Windows\System32\Tasks
   Adds the file Qbit Clean Pro_Logon"="4/10/2019 11:07 AM, 3070 bytes, A
Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9FB05BA-016B-4400-8EB1-660016062BF7}_is1]
"DisplayIcon"="REG_SZ", "C:\Program Files\Qbit Clean Pro for {computername}\rtc.exe"
"DisplayName"="REG_SZ", "Qbit Clean Pro"
"DisplayVersion"="REG_SZ", "1.0.0.0"
"EstimatedSize"="REG_DWORD", 18672
"Inno Setup: App Path"="REG_SZ", "C:\Program Files\Qbit Clean Pro for {computername}"
"Inno Setup: Icon Group"="REG_SZ", "Qbit Clean Pro for {computername}"
"Inno Setup: Language"="REG_SZ", "en"
"Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20190410"
"InstallLocation"="REG_SZ", "C:\Program Files\Qbit Clean Pro for {computername}\"
"MajorVersion"="REG_DWORD", 1
"MinorVersion"="REG_DWORD", 0
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"QuietUninstallString"="REG_SZ", ""C:\Program Files\Qbit Clean Pro for {computername}\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files\Qbit Clean Pro for {computername}\unins000.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Qbit Clean Pro For {computername}]
"affired"="REG_DWORD", 1
"afterInstallUrl"="REG_SZ", "http://ins.trkinstl.com/install/qbcp/?"
"apst"="REG_DWORD", 0
"btnid"="REG_SZ", ""
"buybowinapp"="REG_SZ", "http://store.tunepcutils.live/qbcp/plan?"
"cbkpoff"="REG_DWORD", 1
"country"="REG_SZ", "us"
"cta"="REG_DWORD", 0
"delaytime"="REG_DWORD", 0
"dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL"
"EmailURL"="REG_SZ", ""
"expired"="REG_DWORD", 0
"hdata"="REG_BINARY, ...................................................................................................
"Installstring"="REG_SZ", "C:\Program Files\Qbit Clean Pro for {computername}"
"ipaddrurl"="REG_SZ", "http://www.trkinstl.com/getip/"
"isavst"="REG_DWORD", 0
"isiunidu"="REG_DWORD", 0
"isprmjsn"="REG_DWORD", 0
"isshowng"="REG_DWORD", 1
"issilent"="REG_DWORD", 0
"ISTELNO"="REG_DWORD", 1
"LangCode"="REG_SZ", "en"
"lpid"="REG_SZ", ""
"lstregscancount"="REG_DWORD", 62
"lstscandate"="REG_SZ", "4/10/2019 11:09:14 AM"
"lstscanstat"="REG_DWORD", 2
"lstsecscancount"="REG_DWORD", 0
"lsttotalscancount"="REG_DWORD", 62
"ovoffdis"="REG_DWORD", 0
"paramurl"="REG_SZ", "http://trkr.trkinstl.com/ipfiles/"
"pdtm"="REG_DWORD", 45
"playsound"="REG_DWORD", 1
"plurl"="REG_SZ", "http://pp.trkinstl.com/ProductPrice.svc/"
"prereg"="REG_DWORD", 0
"PurchaseURL"="REG_SZ", "http://store.tunepcutils.live/qbcp/price?"
"pxl"="REG_SZ", "WTN4307_WTN4209_RUNT"
"referurl"="REG_SZ", "http%253a%252f%252ftrkur2.com%252f262955%252f43255%253fs2%253dAGlsmlwCUQAAzwMCAFVTGQASADsjyUEA"
"reg"="REG_DWORD", 0
"RenewURL"="REG_SZ", "http://store.tunepcutils.live/qbcp/renewal?"
"runcam"="REG_DWORD", 1
"runpixel"="REG_DWORD", 1
"runsrc"="REG_DWORD", 1
"showtn"="REG_DWORD", 0
"showunins"="REG_DWORD", 0
"showwfo"="REG_DWORD", 0
"stdismax"="REG_DWORD", -1
"supporturl"="REG_SZ", "http://www.tunepcutils.live/help/"
"TELNO"="REG_SZ", "844-394-7312"
"TELNO_ar"="REG_SZ", "+54 11 5236 0324"
"TELNO_at"="REG_SZ", "+43 (0)720 902 309"
"TELNO_au"="REG_SZ", "(61)280-733403"
"TELNO_be"="REG_SZ", "+32-28085306"
"TELNO_br"="REG_SZ", "+55 21 2391 4319"
"TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37"
"TELNO_de"="REG_SZ", "0800 1822 974"
"TELNO_dk"="REG_SZ", "+45 78 73 09 26"
"TELNO_es"="REG_SZ", "+34 951 203 537"
"TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911"
"TELNO_fr"="REG_SZ", "05 82 84 04 06"
"TELNO_gb"="REG_SZ", "0800-031-5066"
"TELNO_it"="REG_SZ", "+39 069 4802886"
"TELNO_ja"="REG_SZ", ""
"TELNO_lu"="REG_SZ", "0800 1822 974"
"TELNO_nl"="REG_SZ", "+31-08-58882839"
"TELNO_no"="REG_SZ", "+47 21 95 01 97"
"TELNO_pt"="REG_SZ", "+351 70 750 2094"
"TELNO_se"="REG_SZ", "+46-08124-10298"
"TELNO_uk"="REG_SZ", "0800-031-5066"
"TELNO_us"="REG_SZ", "844-394-7312"
"utm_campaign"="REG_SZ", "wtncns"
"utm_medium"="REG_SZ", ""
"utm_pubid"="REG_SZ", "prf_tectool"
"utm_source"="REG_SZ", "wtncns"
"WebURL"="REG_SZ", "http://www.tunepcutils.live/"
"wfoset"="REG_DWORD", 1
"x-at"="REG_SZ", ""
"x-ccode"="REG_SZ", "us"
"x-context"="REG_SZ", "LJKYNZTG8i2dQVjFm75JsXTbu3unFOfzurfGlL45s2J-bWooSs9gA98cywkYamDfP8hnjsZtMZfS7QPylh0da89aQvA5YuEdDJqzg5TxwBz1Ym3CSAfvrekibKrKWDysunBWCCPSlqVV9yUvQKUtRJE8a2QyD5_IuYNNYn8c"
"x-datetime"="REG_SZ", "04-10-2019 09:06:55 AM"
"x-fetch"="REG_SZ", "1"
"x-ip"="REG_SZ", "89_187_177_130"
"x-plt"="REG_SZ", ""
"x-var1"="REG_SZ", ""
"x-var2"="REG_SZ", ""
"x-var3"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr]
"affiliateid"="REG_SZ", ""
"btnid"="REG_SZ", ""
"country"="REG_SZ", "us"
"LangCode"="REG_SZ", "en"
"lpid"="REG_SZ", ""
"pxl"="REG_SZ", "WTN4307_WTN4209_RUNT"
"referUrl"="REG_SZ", "http%253a%252f%252ftrkur2.com%252f262955%252f43255%253fs2%253dAGlsmlwCUQAAzwMCAFVTGQASADsjyUEA"
"TELNO"="REG_SZ", ""
"utm_campaign"="REG_SZ", "wtncns"
"utm_medium"="REG_SZ", ""
"utm_pubid"="REG_SZ", "prf_tectool"
"utm_source"="REG_SZ", "wtncns"
"x-at"="REG_SZ", ""
"x-context"="REG_SZ", "LJKYNZTG8i2dQVjFm75JsXTbu3unFOfzurfGlL45s2J-bWooSs9gA98cywkYamDfP8hnjsZtMZfS7QPylh0da89aQvA5YuEdDJqzg5TxwBz1Ym3CSAfvrekibKrKWDysunBWCCPSlqVV9yUvQKUtRJE8a2QyD5_IuYNNYn8c"
"x-plt"="REG_SZ", ""
"x-var1"="REG_SZ", ""
"x-var2"="REG_SZ", ""
"x-var3"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\UWJpdCBDbGVhbiBQcm8=\ACT]
"data"="REG_BINARY, ..............................................................................................................................................................................................................................................................................................................................................................................................._...............................
[HKEY_CURRENT_USER\Software\Qbit Clean Pro For {computername}]
"affiliateid"="REG_SZ", ""
"btnid"="REG_SZ", ""
"InstallString"="REG_SZ", "C:\Program Files\Qbit Clean Pro for {computername}"
"LangCode"="REG_SZ", "en"
"lpid"="REG_SZ", ""
"pxl"="REG_SZ", "WTN4307_WTN4209_RUNT"
"referurl"="REG_SZ", "http%253a%252f%252ftrkur2.com%252f262955%252f43255%253fs2%253dAGlsmlwCUQAAzwMCAFVTGQASADsjyUEA"
"TELNO"="REG_SZ", "844-394-7312"
"TELNO_us"="REG_SZ", "844-394-7312"
"utm_campaign"="REG_SZ", "wtncns"
"utm_medium"="REG_SZ", ""
"utm_pubid"="REG_SZ", "prf_tectool"
"utm_source"="REG_SZ", "wtncns"
"x-at"="REG_SZ", ""
"x-context"="REG_SZ", "LJKYNZTG8i2dQVjFm75JsXTbu3unFOfzurfGlL45s2J-bWooSs9gA98cywkYamDfP8hnjsZtMZfS7QPylh0da89aQvA5YuEdDJqzg5TxwBz1Ym3CSAfvrekibKrKWDysunBWCCPSlqVV9yUvQKUtRJE8a2QyD5_IuYNNYn8c"
"x-datetime"="REG_SZ", "04-10-2019 09:06:55 AM"
"x-fetch"="REG_SZ", "1"
"x-ip"="REG_SZ", "89_187_177_130"
"x-plt"="REG_SZ", ""
"x-var1"="REG_SZ", ""
"x-var2"="REG_SZ", ""
"x-var3"="REG_SZ", ""
[HKEY_CURRENT_USER\Software\Qbit Clean Pro For {computername}\1.0.0.0]
"Installstring"="REG_SZ", "C:\Program Files\Qbit Clean Pro for {computername}"
Malwarebytes log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 4/10/19
Scan Time: 11:14 AM
Log File: 0b3eb18f-5b71-11e9-a093-00ffdcc6fdfc.json
-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.10080
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236485
Threats Detected: 83
Threats Quarantined: 83
Time Elapsed: 6 min, 32 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 1
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\rtc.exe, Quarantined, [450], [656659],1.0.10080
Module: 7
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\rtc.exe, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [450], [656659],1.0.10080
Registry Key: 8
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Qbit Clean Pro_Logon, Quarantined, [450], [656656],1.0.10080
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{AAC31745-030D-4546-B7A6-1F396CD73B84}, Quarantined, [450], [656656],1.0.10080
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{AAC31745-030D-4546-B7A6-1F396CD73B84}, Quarantined, [450], [656656],1.0.10080
PUP.Optional.PCVARK, HKCU\SOFTWARE\Qbit Clean Pro For {computername}, Quarantined, [450], [659007],1.0.10080
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{D9FB05BA-016B-4400-8EB1-660016062BF7}_is1, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, HKLM\SOFTWARE\UWJpdCBDbGVhbiBQcm8=, Quarantined, [450], [656694],1.0.10080
PUP.Optional.PCVARK, HKLM\SOFTWARE\Qbit Clean Pro For {computername}, Quarantined, [450], [656657],1.0.10080
PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [450], [540842],1.0.10080
Registry Value: 6
PUP.Optional.PCVARK, HKCU\SOFTWARE\Qbit Clean Pro For {computername}|TELNO, Quarantined, [450], [659007],1.0.10080
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{AAC31745-030D-4546-B7A6-1F396CD73B84}|PATH, Quarantined, [450], [656654],1.0.10080
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{D9FB05BA-016B-4400-8EB1-660016062BF7}_is1|INSTALLLOCATION, Quarantined, [450], [656666],1.0.10080
PUP.Optional.PCVARK, HKLM\SOFTWARE\Qbit Clean Pro For {computername}|AFFIRED, Quarantined, [450], [656657],1.0.10080
PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [450], [540842],1.0.10080
PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1197], [484510],1.0.10080
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 8
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\x64, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\x86, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\PROGRAM FILES\Qbit Clean Pro for {computername}, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\ProgramData\Qbit Clean Pro for {computername}\offers, Quarantined, [450], [656661],1.0.10080
PUP.Optional.PCVARK, C:\PROGRAMDATA\Qbit Clean Pro for {computername}, Quarantined, [450], [656661],1.0.10080
PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Qbit Clean Pro for {computername}, Quarantined, [450], [656660],1.0.10080
PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Qbit Clean Pro For {computername}\smico, Quarantined, [450], [656662],1.0.10080
PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Qbit Clean Pro For {computername}, Quarantined, [450], [656662],1.0.10080
File: 53
PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Qbit Clean Pro_Logon, Quarantined, [450], [656656],1.0.10080
PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\QBIT CLEAN PRO.LNK, Quarantined, [450], [667275],1.0.10080
PUP.Optional.PCVARK, C:\PROGRAM FILES\Qbit Clean Pro for {computername}\unins000.dat, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\x86\SQLite.Interop.dll, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\application.ico, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\danish_iss.ini, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\Dutch_iss.ini, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\english_iss.ini, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\finish_iss.ini, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\French_iss.ini, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\german_iss.ini, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\gmtrs.dll, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\HtmlRenderer.dll, Quarantined, [450], [656659],1.0.10080
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [450], 
[656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\Interop.SHDocVw.dll, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\italian_iss.ini, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\japanese_iss.ini, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\langs.db, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\NAudio.dll, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\Newtonsoft.Json.dll, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\norwegian_iss.ini, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\portuguese_iss.ini, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\rtc.exe, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\rtc.exe.config, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\russian_iss.ini, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\spanish_iss.ini, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\swedish_iss.ini, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit 
Clean Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\unins000.exe, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\unins000.msg, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Qbit Clean Pro.lnk, Quarantined, [450], [656659],1.0.10080 PUP.Optional.PCVARK, C:\PROGRAMDATA\Qbit Clean Pro for {computername}\mdb.db, Quarantined, [450], [656661],1.0.10080 PUP.Optional.PCVARK, C:\ProgramData\Qbit Clean Pro for {computername}\offers\a_p_t.exe, Quarantined, [450], [656661],1.0.10080 PUP.Optional.PCVARK, C:\ProgramData\Qbit Clean Pro for {computername}\pcspstartrepair_en.mp3, Quarantined, [450], [656661],1.0.10080 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Qbit Clean Pro for {computername}\Buy Qbit Clean Pro.lnk, Quarantined, [450], [656660],1.0.10080 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Qbit Clean Pro for {computername}\Qbit Clean Pro.lnk, Quarantined, [450], [656660],1.0.10080 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Qbit Clean Pro for {computername}\Uninstall Qbit Clean Pro.lnk, Quarantined, [450], [656660],1.0.10080 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Qbit Clean Pro For {computername}\Errorlog.txt, Quarantined, [450], [656662],1.0.10080 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Qbit Clean Pro For {computername}\a_p_t_2.xml, Quarantined, [450], [656662],1.0.10080 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Qbit Clean Pro For {computername}\exlist.bin, Quarantined, [450], [656662],1.0.10080 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Qbit Clean Pro For 
{computername}\notifier.xml, Quarantined, [450], [656662],1.0.10080 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Qbit Clean Pro For {computername}\param.ini, Quarantined, [450], [656662],1.0.10080 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Qbit Clean Pro For {computername}\res.xml, Quarantined, [450], [656662],1.0.10080 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Qbit Clean Pro For {computername}\update.xml, Quarantined, [450], [656662],1.0.10080 PUP.Optional.PCVARK, C:\PROGRAMDATA\QBIT CLEAN PRO FOR {computername}\OFFERS\A_P_T.EXE, Quarantined, [450], [583068],1.0.10080 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [450], [583068],1.0.10080 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\QBCPSETUP.EXE, Quarantined, [450], [531751],1.0.10080 PUP.Optional.PCVARK, C:\USERS\{username}\DOWNLOADS\QBCPSETUP.EXE, Quarantined, [450], [531751],1.0.10080 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
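The Malwarebytes logs quoted in these posts list one detection per line in a fixed shape (detection name, file path or registry location, action taken, two bracketed ids, and the update package version), grouped under category headers such as "Registry Key: 8" or "File: 53". When you collect such logs from several machines, the useful questions are the same each time: how many items per category and per detection name, did every declared item actually get listed, and which of them sit in persistence locations (the scheduled task "Qbit Clean Pro_Logon" appears in this log both under TASKCACHE and under System32\Tasks) that deserve a second look after cleanup. The following Python script is an added example, not part of the original post and not Malwarebytes' own tooling; it parses the "-Scan Details-" section and answers those questions. Its sample input is a constructed excerpt of the log above, and the "Threats Detected" line from the scan summary is included to show that only headers inside the details section are treated as categories.

```python
"""Summarise the -Scan Details- section of a Malwarebytes 3.x text log."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: a few lines excerpted from the Qbit Clean Pro log above.
SAMPLE_LOG = r"""
-Scan Summary-
Threats Detected: 83

-Scan Details-
Process: 1
PUP.Optional.PCVARK, C:\Program Files\Qbit Clean Pro for {computername}\rtc.exe, Quarantined, [450], [656659],1.0.10080

Registry Key: 8
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Qbit Clean Pro_Logon, Quarantined, [450], [656656],1.0.10080
PUP.Optional.PCVARK, HKCU\SOFTWARE\Qbit Clean Pro For {computername}, Quarantined, [450], [659007],1.0.10080

Registry Value: 6
PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1197], [484510],1.0.10080

File: 53
PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Qbit Clean Pro_Logon, Quarantined, [450], [656656],1.0.10080
PUP.Optional.PCVARK, C:\USERS\{username}\DOWNLOADS\QBCPSETUP.EXE, Quarantined, [450], [531751],1.0.10080

Physical Sector: 0
(No malicious items detected)
(end)
"""

# A category header looks like "Registry Key: 8"; nothing else in the details section matches this.
HEADER_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")

# Substrings (compared case-insensitively) that mark scheduled-task and autorun locations.
PERSISTENCE_MARKERS = ("\\TASKCACHE\\", "\\SYSTEM32\\TASKS\\", "\\CURRENTVERSION\\RUN")


@dataclass(frozen=True)
class Detection:
    category: str    # "Process", "File", "Registry Key", ...
    name: str        # detection name, e.g. PUP.Optional.PCVARK
    location: str    # file path, or registry key (key|value for values)
    action: str      # e.g. Quarantined
    rule_id: str     # first bracketed number
    sig_id: str      # second bracketed number
    db_version: str  # update package version that made the detection


def parse_detection(category, line):
    """Parse one detection line; return None if it does not have the expected shape."""
    # Split from the right so that commas inside a path cannot shift the fixed trailing fields:
    # "<name>, <location>", "<action>", "[rule id]", "[signature id],<db version>"
    parts = line.rsplit(", ", 3)
    if len(parts) != 4 or ", " not in parts[0] or "," not in parts[3]:
        return None
    name, location = parts[0].split(", ", 1)
    sig, db_version = parts[3].split(",", 1)
    return Detection(category, name, location, parts[1],
                     parts[2].strip("[]"), sig.strip("[]"), db_version)


def parse_scan_details(text):
    """Return (declared_counts, detections): the per-category counts printed in the
    headers, and every detection line that could be parsed."""
    declared, detections = {}, []
    category, in_details = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-Scan Details-":
            in_details = True
            continue
        # Skip everything before the section, blank lines, "(No malicious items detected)" and "(end)".
        if not in_details or not line or line.startswith("("):
            continue
        header = HEADER_RE.match(line)
        if header:
            category = header.group(1)
            declared[category] = int(header.group(2))
            continue
        det = parse_detection(category, line) if category else None
        if det:
            detections.append(det)
    return declared, detections


def count_by_category(detections):
    return Counter(d.category for d in detections)


def count_by_name(detections):
    return Counter(d.name for d in detections)


def persistence_items(detections):
    """Detections whose location is a scheduled-task or autorun entry."""
    return [d for d in detections
            if any(m in d.location.upper() for m in PERSISTENCE_MARKERS)]


def count_mismatches(declared, detections):
    """Categories whose header count differs from the number of lines parsed.
    On a complete log this signals a parsing problem; on an excerpt it shows what was cut."""
    parsed = count_by_category(detections)
    return {c: (n, parsed.get(c, 0)) for c, n in declared.items() if parsed.get(c, 0) != n}


if __name__ == "__main__":
    declared, dets = parse_scan_details(SAMPLE_LOG)
    print("declared:", declared)
    print("per category:", dict(count_by_category(dets)))
    print("per detection name:", dict(count_by_name(dets)))
    for d in persistence_items(dets):
        print("persistence:", d.category, d.location)
    print("mismatches (declared, parsed):", count_mismatches(declared, dets))
```

Run against the full log rather than the excerpt, count_mismatches should return an empty dict; on the excerpt it reports the categories that were cut short, which is a cheap sanity check that the parser saw every line it was supposed to.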
9. What is Movie Browsing?

The Malwarebytes research team has determined that Movie Browsing is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Movie Browsing?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You will see this icon in your Chrome menu-bar:
and this changed setting:

How did Movie Browsing get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove Movie Browsing?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Movie Browsing?

No, Malwarebytes removes Movie Browsing completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Movie Browsing hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxp://movie.searchmedia.online/search/?category=web&s=b7ds&vert=movie&q={searchTerms}
CHR DefaultSearchKeyword: Default -> Movie Browsing
CHR DefaultSuggestURL: Default -> hxxp://sug.searchmedia.online/search/index_sg.php?q={searchTerms}
CHR Extension: (Movie Browsing) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpphicholibkljkoddjfoiphjpccmhkn [2019-04-09]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpphicholibkljkoddjfoiphjpccmhkn\1.0.0_0
    Adds the file background.js"="9/2/2018 5:45 PM, 8530 bytes, A
    Adds the file manifest.json"="4/9/2019 10:53 AM, 2189 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpphicholibkljkoddjfoiphjpccmhkn\1.0.0_0\_metadata
    Adds the file computed_hashes.json"="4/9/2019 10:53 AM, 1534 bytes, A
    Adds the file verified_contents.json"="9/2/2018 5:55 PM, 2152 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpphicholibkljkoddjfoiphjpccmhkn\1.0.0_0\browser_action
    Adds the file browser_action.html"="8/13/2018 11:32 AM, 2239 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpphicholibkljkoddjfoiphjpccmhkn\1.0.0_0\browser_action\js
    Adds the file main.js"="9/2/2018 5:48 PM, 366 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpphicholibkljkoddjfoiphjpccmhkn\1.0.0_0\icons
    Adds the file icon128.png"="4/9/2019 10:53 AM, 1279 bytes, A
    Adds the file icon16.png"="4/9/2019 10:53 AM, 156 bytes, A
    Adds the file icon38.png"="4/9/2019 10:53 AM, 674 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpphicholibkljkoddjfoiphjpccmhkn\1.0.0_0\js\jquery
    Adds the file jquery.min.js"="8/12/2018 10:26 AM, 83100 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"cpphicholibkljkoddjfoiphjpccmhkn"="REG_SZ", "2015A096A0629629BF1D8B5473A19A12CF47FE04421D6FB686E552E5C60F02CB"

Malwarebytes log:

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
10. What is Driver Tonic?

The Malwarebytes research team has determined that Driver Tonic is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with Driver Tonic?

This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar, your startmenu, and on your desktop:
and see this warning during install:
and these screens during "operations":
You may see this entry in your list of installed programs:
and this task in your list of Scheduled Tasks:

How did Driver Tonic get on my computer?

These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:

How do I remove Driver Tonic?

Our program Malwarebytes can detect and remove this potentially unwanted application.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Driver Tonic?

No, Malwarebytes removes Driver Tonic completely.
This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below the full version of Malwarebytes would have protected you against the Driver Tonic installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
and we block access to their domain:

Technical details for experts

You may see these entries in FRST logs:
(PC Tonics Inc -> pctonics.com) C:\Program Files\Driver Tonic\dtn.exe
C:\Users\Public\Desktop\Driver Tonic.lnk
C:\Windows\System32\Tasks\Driver Tonic_Logon
C:\Users\{username}\AppData\Roaming\pctonics.com
C:\ProgramData\pctonics.com
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Tonic
C:\Program Files\Driver Tonic
Driver Tonic (HKLM\...\{4C7CA6F1-4691-449D-B574-559726CDA825}_is1) (Version: 1.0.1.6 - pctonics.com)
Task: {A25E30FE-1291-4529-82C2-AA4D55A8CADF} - System32\Tasks\Driver Tonic_Logon => C:\Program Files\Driver Tonic\dtn.exe (PC Tonics Inc -> pctonics.com)

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\Driver Tonic
    Adds the file Application_icon.png"="9/11/2018 12:07 PM, 3459 bytes, A
    Adds the file Delimon.Win32.IO.dll"="1/22/2019 12:07 PM, 961472 bytes, A
    Adds the file dtn.exe"="1/22/2019 12:08 PM, 4669888 bytes, A
    Adds the file dtn.exe.config"="1/22/2019 11:00 AM, 3896 bytes, A
    Adds the file dtonic.ttf"="12/11/2018 1:47 PM, 50192 bytes, A
    Adds the file HtmlRenderer.dll"="1/22/2019 12:06 PM, 232896 bytes, A
    Adds the file HtmlRenderer.WPF.dll"="1/22/2019 12:06 PM, 59328 bytes, A
    Adds the file Interop.IWshRuntimeLibrary.dll"="1/22/2019 12:06 PM, 60352 bytes, A
    Adds the file Interop.SHDocVw.dll"="1/22/2019 12:07 PM, 175040 bytes, A
    Adds the file langs.db"="1/22/2019 10:57 AM, 1398784 bytes, A
    Adds the file Microsoft.Win32.TaskScheduler.dll"="1/22/2019 12:06 PM, 182208 bytes, A
    Adds the file Microsoft.WindowsAPICodePack.dll"="1/22/2019 12:06 PM, 109504 bytes, A
    Adds the file Microsoft.WindowsAPICodePack.Shell.dll"="1/22/2019 12:06 PM, 553408 bytes, A
    Adds the file Newtonsoft.Json.dll"="1/22/2019 12:06 PM, 472000 bytes, A
    Adds the file PaddleCheckoutSDK.dll"="1/22/2019 12:06 PM, 70080 bytes, A
    Adds the file PresentationCore.dll"="1/22/2019 12:07 PM, 1424320 bytes, A
    Adds the file System.Data.SQLite.DLL"="1/22/2019 12:07 PM, 342976 bytes, A
    Adds the file System.Threading.dll"="9/11/2018 12:07 PM, 387408 bytes, A
    Adds the file TAFactory.IconPack.dll"="1/22/2019 12:07 PM, 48064 bytes, A
    Adds the file unins000.dat"="4/8/2019 8:57 AM, 69313 bytes, A
    Adds the file unins000.exe"="4/8/2019 8:57 AM, 1242560 bytes, A
    Adds the file unins000.msg"="4/8/2019 8:57 AM, 22701 bytes, A
    Adds the file WPFToolkit.dll"="9/11/2018 12:07 PM, 467288 bytes, A
Adds the folder C:\Program Files\Driver Tonic\dp
    Adds the file 7z.dll"="1/22/2019 12:07 PM, 1084864 bytes, A
    Adds the file 7z.exe"="1/22/2019 12:07 PM, 276416 bytes, A
    Adds the file difxapi.dll"="9/11/2018 12:09 PM, 323464 bytes, A
    Adds the file difxapi64.dll"="9/11/2018 12:09 PM, 519048 bytes, A
    Adds the file DPInst32.exe"="1/22/2019 12:08 PM, 556480 bytes, A
    Adds the file DPInst64.exe"="1/22/2019 12:08 PM, 681920 bytes, A
    Adds the file DrvReposPath.exe"="1/22/2019 12:08 PM, 270272 bytes, A
    Adds the file DrvSignerVerifier.exe"="1/22/2019 12:08 PM, 278464 bytes, A
Adds the folder C:\Program Files\Driver Tonic\websec
    Adds the file ICSharpCode.SharpZipLib.dll"="1/22/2019 12:06 PM, 203712 bytes, A
    Adds the file langs.db"="11/7/2017 10:09 AM, 65536 bytes, A
    Adds the file Microsoft.Win32.TaskScheduler.dll"="1/22/2019 12:06 PM, 182208 bytes, A
    Adds the file Newtonsoft.Json.dll"="1/22/2019 12:07 PM, 458688 bytes, A
    Adds the file System.Data.SQLite.DLL"="1/22/2019 12:07 PM, 342976 bytes, A
    Adds the file System.Data.SQLite.Linq.dll"="1/22/2019 12:07 PM, 207808 bytes, A
    Adds the file System.Threading.dll"="9/11/2018 12:07 PM, 387408 bytes, A
    Adds the file TAFactory.IconPack.dll"="1/22/2019 12:07 PM, 48064 bytes, A
    Adds the file WebExtNotifier.exe"="1/22/2019 12:07 PM, 1002944 bytes, A
    Adds the file WebExtNotifier.exe.config"="9/22/2017 4:16 PM, 1321 bytes, A
Adds the folder C:\Program Files\Driver Tonic\websec\x64
    Adds the file SQLite.Interop.dll"="1/22/2019 12:07 PM, 1491392 bytes, A
Adds the folder C:\Program Files\Driver Tonic\websec\x86
    Adds the file SQLite.Interop.dll"="1/22/2019 12:07 PM, 1058240 bytes, A
Adds the folder C:\Program Files\Driver Tonic\x64
    Adds the file SQLite.Interop.dll"="1/22/2019 12:07 PM, 1491392 bytes, A
Adds the folder C:\Program Files\Driver Tonic\x86
    Adds the file SQLite.Interop.dll"="1/22/2019 12:07 PM, 1058240 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Tonic
    Adds the file Buy Driver Tonic.lnk"="4/8/2019 8:57 AM, 837 bytes, A
    Adds the file Driver Tonic.lnk"="4/8/2019 8:57 AM, 827 bytes, A
    Adds the file Uninstall Driver Tonic.lnk"="4/8/2019 8:57 AM, 858 bytes, A
Adds the folder C:\ProgramData\pctonics.com
Adds the folder C:\ProgramData\pctonics.com\Driver Tonic
    Adds the file mdb.db"="2/20/2018 6:15 PM, 838656 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\pctonics.com
Adds the folder C:\Users\{username}\AppData\Roaming\pctonics.com\Ad-BlockerPro
    Adds the file langs.db"="11/7/2017 10:09 AM, 65536 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\pctonics.com\Driver Tonic
    Adds the file act.xml"="4/8/2019 8:57 AM, 119548 bytes, A
    Adds the file bkp.xml"="4/8/2019 8:59 AM, 369 bytes, A
    Adds the file Errorlog.txt"="4/8/2019 9:02 AM, 49340 bytes, A
    Adds the file exlist.bin"="4/8/2019 8:57 AM, 275673 bytes, A
    Adds the file notifier.xml"="4/8/2019 8:57 AM, 3445 bytes, A
    Adds the file param.ini"="4/8/2019 8:57 AM, 158 bytes, A
    Adds the file res.bin"="4/8/2019 9:00 AM, 34552 bytes, A
    Adds the file Result.cb"="4/8/2019 9:03 AM, 105153 bytes, A
    Adds the file update.xml"="4/8/2019 8:57 AM, 10728 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\pctonics.com\Driver Tonic\Backups
    Adds the file dtcbackup_08042019_085744.zip"="4/8/2019 8:59 AM, 16976428 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\pctonics.com\Driver Tonic\DrvBackups
Adds the folder C:\Users\{username}\AppData\Roaming\pctonics.com\Driver Tonic\DrvDownload
Adds the folder C:\Users\{username}\AppData\Roaming\pctonics.com\Driver Tonic\icon
    Adds the file 090324.ico"="4/8/2019 9:03 AM, 62600 bytes, A
In the existing folder C:\Users\Public\Desktop
    Adds the file Driver Tonic.lnk"="4/8/2019 9:03 AM, 1844 bytes, A
In the existing folder C:\Windows\System32\Tasks
    Adds the file Driver Tonic_Logon"="4/8/2019 8:57 AM, 3028 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\cGN0b25pY3MuY29t\RHJpdmVyIFRvbmlj\ACT]
"data"="REG_BINARY, ...........................................................................
[HKEY_LOCAL_MACHINE\SOFTWARE\dtc-pr]
"affiliateid"="REG_SZ", ""
"btnid"="REG_SZ", ""
"country"="REG_SZ", ""
"LangCode"="REG_SZ", "en"
"lpid"="REG_SZ", ""
"phone"="REG_SZ", ""
"referurl"="REG_SZ", ""
"utm_medium"="REG_SZ", ""
"utm_pubid"="REG_SZ", ""
"x-at"="REG_SZ", ""
"x-base"="REG_SZ", ""
"x-context"="REG_SZ", ""
"x-plt"="REG_SZ", ""
"x-var1"="REG_SZ", ""
"x-var2"="REG_SZ", ""
"x-var3"="REG_SZ", ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4C7CA6F1-4691-449D-B574-559726CDA825}_is1]
"DisplayIcon"="REG_SZ", "C:\Program Files\Driver Tonic\dtn.exe"
"DisplayName"="REG_SZ", "Driver Tonic"
"DisplayVersion"="REG_SZ", "1.0.1.6"
"EstimatedSize"="REG_DWORD", 33863
"HelpLink"="REG_SZ", "https://www.pctonics.com/dtn/support/"
"Inno Setup: App Path"="REG_SZ", "C:\Program Files\Driver Tonic"
"Inno Setup: Icon Group"="REG_SZ", "Driver Tonic"
"Inno Setup: Language"="REG_SZ", "en"
"Inno Setup: Setup Version"="REG_SZ", "5.5.9 (u)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20190408"
"InstallLocation"="REG_SZ", "C:\Program Files\Driver Tonic\"
"MajorVersion"="REG_DWORD", 1
"MinorVersion"="REG_DWORD", 0
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "pctonics.com"
"QuietUninstallString"="REG_SZ", ""C:\Program Files\Driver Tonic\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files\Driver Tonic\unins000.exe" /SILENT"
"URLInfoAbout"="REG_SZ", "https://www.pctonics.com/dtn/"
"VersionMajor"="REG_DWORD", 1
"VersionMinor"="REG_DWORD", 0

[HKEY_LOCAL_MACHINE\SOFTWARE\pctonics.com\Driver Tonic]
"affired"="REG_DWORD", 0
"afterInstallUrl"="REG_SZ", "http://www.winactiv.com/install/dtn/?"
"apst"="REG_DWORD", 0
"bdInst"="REG_DWORD", 0
"btnid"="REG_SZ", ""
"cclst"="REG_SZ", ""
"country"="REG_SZ", ""
"cta"="REG_DWORD", 0
"delay"="REG_DWORD", 0
"devicesscanned"="REG_DWORD", 56
"expired"="REG_DWORD", 0
"gclid"="REG_SZ", ""
"hdata"="REG_BINARY, ........................................................................................................................................................................................................................................................................................................................................................................................................................................................
"ignoreddrivercount"="REG_DWORD", 0
"InstallString"="REG_SZ", "C:\Program Files\Driver Tonic"
"ipaddrurl"="REG_SZ", "http://www.winactiv.com/getip/"
"isinstfont"="REG_DWORD", 1
"isSchedule"="REG_DWORD", 0
"issilent"="REG_DWORD", 0
"ISTELNO"="REG_DWORD", 0
"LangCode"="REG_SZ", "en"
"lastscandate"="REG_SZ", "4/8/2019 7:00:37 AM"
"lastscanstatus"="REG_DWORD", 2
"lastupdatedate"="REG_SZ", "1/1/0001 12:00:00 AM"
"lpid"="REG_SZ", ""
"lstscnsett"="REG_BINARY, .............................................................!............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!...................................................................................................
"msclkid"="REG_SZ", ""
"nointernetdrvrslt"="REG_DWORD", 0
"oldmissingdrivercount"="REG_DWORD", 2
"ovoffdis"="REG_DWORD", 0
"paramurl"="REG_SZ", "http://trkr.winactiv.com/ipfiles/"
"pdtm"="REG_DWORD", 45
"playsound"="REG_DWORD", 0
"ppid"="REG_DWORD", 63
"ppinag"="REG_DWORD", 0
"prereg"="REG_DWORD", 0
"PurchaseURL"="REG_SZ", "http://store.pctonics.com/dtn/plan/"
"referurl"="REG_SZ", ""
"reg"="REG_DWORD", 0
"RenewURL"="REG_SZ", "https://store.pctonics.com/dtn/renewal/"
"rescan"="REG_DWORD", 0
"runcam"="REG_DWORD", 1
"runpixel"="REG_DWORD", 1
"runpub"="REG_DWORD", 1
"runsrc"="REG_DWORD", 1
"scntype"="REG_DWORD", 0
"showpriceplan"="REG_DWORD", 1
"showtn"="REG_DWORD", 0
"showunins"="REG_DWORD", 0
"showwfo"="REG_DWORD", 1
"shwtutrl"="REG_DWORD", 0
"stdismax"="REG_DWORD", -1
"supporturl"="REG_SZ", "https://www.pctonics.com/dtn/support/"
"tcfl"="REG_DWORD", 1
"TELNO"="REG_SZ", ""
"uptodatedrivercount"="REG_DWORD", 50
"utm_medium"="REG_SZ", ""
"vendorLogo"="REG_SZ", "common_logo.jpg"
"WebURL"="REG_SZ", "https://www.pctonics.com/dtn/"
"wfoset"="REG_DWORD", 1
"x-at"="REG_SZ", ""
"x-base"="REG_SZ", ""
"x-ccode"="REG_SZ", "nl"
"x-context"="REG_SZ", ""
"x-datetime"="REG_SZ", "04-08-2019 06:57:08 AM"
"x-fetch"="REG_SZ", "1"
"x-ip"="REG_SZ", "90_145_230_242"
"x-plt"="REG_SZ", ""
"x-uid"="REG_SZ", ""
"x-var1"="REG_SZ", ""
"x-var2"="REG_SZ", ""
"x-var3"="REG_SZ", ""

[HKEY_CURRENT_USER\Software\pctonics.com\Driver Tonic]
"bdlinstm"="REG_DWORD", 120
"btnid"="REG_SZ", ""
"InstallString"="REG_SZ", "C:\Program Files\Driver Tonic"
"LangCode"="REG_SZ", "en"
"lpid"="REG_SZ", ""
"ppid"="REG_DWORD", 63
"referurl"="REG_SZ", ""
"showpriceplan"="REG_DWORD", 1
"shwtutrl"="REG_DWORD", 0
"utm_medium"="REG_SZ", ""
"x-at"="REG_SZ", ""
"x-base"="REG_SZ", ""
"x-context"="REG_SZ", ""
"x-datetime"="REG_SZ", "04-08-2019 06:57:08 AM"
"x-fetch"="REG_SZ", "1"
"x-ip"="REG_SZ", "90_145_230_242"
"x-plt"="REG_SZ", ""
"x-var1"="REG_SZ", ""
"x-var2"="REG_SZ", ""
"x-var3"="REG_SZ", ""

[HKEY_CURRENT_USER\Software\pctonics.com\Driver Tonic\1.0.1.6]

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/8/19
Scan Time: 9:13 AM
Log File: bf02b4ea-59cd-11e9-9ecf-00ffdcc6fdfc.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.10044
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236266
Threats Detected: 81
Threats Quarantined: 81
Time Elapsed: 7 min, 7 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dtn.exe, Quarantined, [2936], [505858],1.0.10044

Module: 9
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\x64\SQLite.Interop.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dtn.exe, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\HtmlRenderer.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\HtmlRenderer.WPF.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\Interop.IWshRuntimeLibrary.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\Microsoft.Win32.TaskScheduler.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\PaddleCheckoutSDK.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\System.Data.SQLite.DLL, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\WPFToolkit.dll, Quarantined, [2936], [505858],1.0.10044

Registry Key: 8
PUP.Optional.DriverTonic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Driver Tonic_Logon, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{A25E30FE-1291-4529-82C2-AA4D55A8CADF}, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{A25E30FE-1291-4529-82C2-AA4D55A8CADF}, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{4C7CA6F1-4691-449D-B574-559726CDA825}_is1, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, HKCU\SOFTWARE\PCTONICS.COM\Driver Tonic, Quarantined, [2936], [505865],1.0.10044
PUP.Optional.Jawego, HKLM\SOFTWARE\DTC-PR, Quarantined, [600], [543113],1.0.10044
PUP.Optional.WinTonic, HKLM\SOFTWARE\cGN0b25pY3MuY29t, Quarantined, [1394], [491485],1.0.10044
PUP.Optional.DriverTonic, HKLM\SOFTWARE\PCTONICS.COM\Driver Tonic, Quarantined, [2936], [505863],1.0.10044

Registry Value: 3
PUP.Optional.Jawego, HKLM\SOFTWARE\DTC-PR|AFFILIATEID, Quarantined, [600], [543113],1.0.10044
PUP.Optional.DriverTonic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{A25E30FE-1291-4529-82C2-AA4D55A8CADF}|PATH, Quarantined, [2936], [582488],1.0.10044
PUP.Optional.DriverTonic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{4C7CA6F1-4691-449D-B574-559726CDA825}_IS1|DISPLAYNAME, Quarantined, [2936], [505864],1.0.10044

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 8
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\x64, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\x86, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\x64, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\x86, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dp, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\PROGRAM FILES\DRIVER TONIC, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DRIVER TONIC, Quarantined, [2936], [505860],1.0.10044

File: 52
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dp\7z.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dp\7z.exe, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dp\difxapi.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dp\difxapi64.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dp\DPInst32.exe, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dp\DPInst64.exe, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dp\DrvReposPath.exe, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dp\DrvSignerVerifier.exe, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\x64\SQLite.Interop.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\x86\SQLite.Interop.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\ICSharpCode.SharpZipLib.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\langs.db, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\Microsoft.Win32.TaskScheduler.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\Newtonsoft.Json.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\System.Data.SQLite.DLL, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\System.Data.SQLite.Linq.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\System.Threading.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\TAFactory.IconPack.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\WebExtNotifier.exe, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\websec\WebExtNotifier.exe.config, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\x64\SQLite.Interop.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\x86\SQLite.Interop.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\Application_icon.png, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\Delimon.Win32.IO.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dtn.exe, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dtn.exe.config, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dtonic.ttf, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\HtmlRenderer.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\HtmlRenderer.WPF.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\Interop.IWshRuntimeLibrary.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\Interop.SHDocVw.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\langs.db, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\Microsoft.Win32.TaskScheduler.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\Microsoft.WindowsAPICodePack.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\Microsoft.WindowsAPICodePack.Shell.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\Newtonsoft.Json.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\PaddleCheckoutSDK.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\PresentationCore.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\System.Data.SQLite.DLL, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\System.Threading.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\TAFactory.IconPack.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\unins000.dat, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\unins000.exe, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\unins000.msg, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\WPFToolkit.dll, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\WINDOWS\SYSTEM32\TASKS\Driver Tonic_Logon, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Driver Tonic.lnk, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\USERS\PUBLIC\Desktop\Driver Tonic.lnk, Quarantined, [2936], [505858],1.0.10044
PUP.Optional.DriverTonic, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Tonic\Buy Driver Tonic.lnk, Quarantined, [2936], [505860],1.0.10044
PUP.Optional.DriverTonic, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Tonic\Driver Tonic.lnk, Quarantined, [2936], [505860],1.0.10044
PUP.Optional.DriverTonic, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Tonic\Uninstall Driver Tonic.lnk, Quarantined, [2936], [505860],1.0.10044
PUP.Optional.DriverTonic, C:\USERS\{username}\DESKTOP\DRIVERTONIC.EXE, Quarantined, [2936], [509861],1.0.10044

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
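The scan logs quoted in these posts share one layout: a -Scan Details- section with a count per object category followed by one line per detection, and a -Scan Summary- whose Threats Detected total equals the sum of those category counts (for the Driver Tonic log above: 1+9+8+3+0+0+8+52+0+0 = 81). When triaging many logs, that agreement is the check worth automating, together with a per-family breakdown so that a Driver Tonic, Jawego and WinTonic bundle is seen as one installer and not three findings. The parser below is an added example, not Malwarebytes code; the log format is taken from the logs on this page, and SAMPLE_LOG is a constructed excerpt in that format, not a real scan.

```python
"""Parse a Malwarebytes 3.x text scan log and sanity-check its counts.

Added example (not Malwarebytes code). The layout follows the logs quoted
on this page; SAMPLE_LOG below is a constructed excerpt, not a real scan.
"""
import re
import sys
from collections import Counter, defaultdict

# One detection line:
#   <detection name>, <object>, <action>, [<id1>], [<id2>],<database version>
DETECTION_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.]+), (?P<obj>.+?), (?P<action>[A-Za-z][A-Za-z -]*?), "
    r"\[(?P<id1>\d+)\], \[(?P<id2>\d+)\],(?P<db>[\d.]+)$"
)
# Category header inside -Scan Details-: "Registry Key: 8", "WMI: 0", possibly
# followed on the same line by "(No malicious items detected)" in flattened copies.
CATEGORY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+): (?P<count>\d+)(?: \(No malicious items detected\))?$")
SUMMARY_RE = re.compile(r"^Threats (?P<kind>Detected|Quarantined): (?P<count>\d+)$")

# Constructed excerpt in the page's log format (not a real scan).
SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/5/19
Scan Time: 11:16 AM

-Scan Summary-
Scan Type: Threat Scan
Objects Scanned: 236118
Threats Detected: 4
Threats Quarantined: 4

-Scan Details-
Process: 0
(No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|lnlfjeagcjplpnfkgjamnpmdlenmbeld, Quarantined, [357], [570731],1.0.10012

File: 3
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0\background.js, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [357], [570731],1.0.10012
PUP.Optional.DriverTonic, C:\Program Files\Driver Tonic\dtn.exe, Quarantined, [2936], [505858],1.0.10012

Physical Sector: 0
(No malicious items detected)

(end)
"""


def parse_log(text):
    """Return (detections, declared, summary).

    detections: list of dicts with category / name / object / action / db
    declared:   {category: count taken from the category header}
    summary:    {"Detected": n, "Quarantined": n} from -Scan Summary-
    Lines before -Scan Details- are skipped so that "Objects Scanned: N"
    is not mistaken for a category header.
    """
    detections, declared, summary = [], {}, {}
    in_details, category = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["kind"]] = int(m["count"])
            continue
        if line == "-Scan Details-":
            in_details = True
            continue
        if not in_details or line == "(end)":
            continue
        m = CATEGORY_RE.match(line)
        if m:
            category = m["cat"]
            declared[category] = int(m["count"])
            continue
        m = DETECTION_RE.match(line)
        if m and category is not None:
            detections.append({"category": category, "name": m["name"], "object": m["obj"],
                               "action": m["action"], "db": m["db"]})
    return detections, declared, summary


def check_counts(detections, declared, summary):
    """List every way the log disagrees with itself; [] means it is consistent."""
    problems = []
    parsed = Counter(d["category"] for d in detections)
    for cat, n in declared.items():
        if parsed.get(cat, 0) != n:
            problems.append(f"{cat}: header says {n}, {parsed.get(cat, 0)} lines parsed")
    total = sum(declared.values())
    if summary.get("Detected") != total:
        problems.append(f"Threats Detected is {summary.get('Detected')}, category headers sum to {total}")
    return problems


def summarize(detections):
    """Per detection name: object count, categories spanned, and action breakdown."""
    out = defaultdict(lambda: {"objects": 0, "categories": set(), "actions": Counter()})
    for d in detections:
        entry = out[d["name"]]
        entry["objects"] += 1
        entry["categories"].add(d["category"])
        entry["actions"][d["action"]] += 1
    return dict(out)


if __name__ == "__main__":
    # With a path argument, parse that file (assumed UTF-8 export); otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    dets, declared, summary = parse_log(text)
    for name, info in sorted(summarize(dets).items()):
        print(f"{name}: {info['objects']} objects in {sorted(info['categories'])}, actions {dict(info['actions'])}")
    for p in check_counts(dets, declared, summary):
        print("INCONSISTENT:", p)
```

One detail visible in the SD App log further down this page: Threats Quarantined counts Replaced items (the restored Preferences and Secure Preferences files) as handled, so the script reports the action breakdown per family instead of asserting that every object was quarantined.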
11. What is SD App?

The Malwarebytes research team has determined that SD App is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by SD App?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You will see this changed setting:

How did SD App get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove SD App?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of SD App?

No, Malwarebytes removes SD App completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the SD App hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://searchprivacyplus.com/results.php?p=9011&v=400&q={searchTerms}&source=default
CHR DefaultSearchKeyword: Default -> Secure
CHR DefaultSuggestURL: Default -> hxxps://searchprivacyplus.com/gjson.php?q={searchTerms}
CHR Extension: (Secure) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld [2019-04-05]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0
Adds the file background.js"="2/26/2019 7:40 PM, 8917 bytes, A
Adds the file manifest.json"="4/5/2019 11:04 AM, 1828 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0\_metadata
Adds the file computed_hashes.json"="4/5/2019 11:04 AM, 451 bytes, A
Adds the file verified_contents.json"="2/26/2019 7:46 PM, 1651 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0\icons
Adds the file icon128.png"="4/5/2019 11:04 AM, 2188 bytes, A
Adds the file icon48.png"="4/5/2019 11:04 AM, 253 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lnlfjeagcjplpnfkgjamnpmdlenmbeld
Adds the file 000003.log"="4/5/2019 11:06 AM, 184 bytes, A
Adds the file CURRENT"="4/5/2019 11:05 AM, 16 bytes, A
Adds the file LOCK"="4/5/2019 11:05 AM, 0 bytes, A
Adds the file LOG"="4/5/2019 11:05 AM, 183 bytes, A
Adds the file MANIFEST-000001"="4/5/2019 11:05 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_lnlfjeagcjplpnfkgjamnpmdlenmbeld
Adds the file SD App.ico"="4/5/2019 11:05 AM, 162813 bytes, A
Adds the file SD App.ico.md5"="4/5/2019 11:05 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"lnlfjeagcjplpnfkgjamnpmdlenmbeld"="REG_SZ", "A009BF40C2D6C1739A9C085D96D11506AC7383D2B0AC0BF3EE6FB8E2AB68FD76"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/5/19
Scan Time: 11:16 AM
Log File: 7ece3cf7-5783-11e9-97ea-00ffdcc6fdfc.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.10012
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236118
Threats Detected: 21
Threats Quarantined: 21
Time Elapsed: 5 min, 31 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|lnlfjeagcjplpnfkgjamnpmdlenmbeld, Quarantined, [357], [570731],1.0.10012

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 5
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\lnlfjeagcjplpnfkgjamnpmdlenmbeld, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0\_metadata, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0\icons, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LNLFJEAGCJPLPNFKGJAMNPMDLENMBELD, Quarantined, [357], [570731],1.0.10012

File: 15
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lnlfjeagcjplpnfkgjamnpmdlenmbeld\000003.log, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lnlfjeagcjplpnfkgjamnpmdlenmbeld\CURRENT, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lnlfjeagcjplpnfkgjamnpmdlenmbeld\LOCK, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lnlfjeagcjplpnfkgjamnpmdlenmbeld\LOG, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\lnlfjeagcjplpnfkgjamnpmdlenmbeld\MANIFEST-000001, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LNLFJEAGCJPLPNFKGJAMNPMDLENMBELD\2.1.0.9_0\MANIFEST.JSON, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0\icons\icon128.png, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0\icons\icon48.png, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0\_metadata\computed_hashes.json, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0\_metadata\verified_contents.json, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnlfjeagcjplpnfkgjamnpmdlenmbeld\2.1.0.9_0\background.js, Quarantined, [357], [570731],1.0.10012
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [357], [570730],1.0.10012
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [357], [570730],1.0.10012

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
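The FRST lines in the technical details above are the view from outside Chrome; on a live profile the same facts sit in the JSON preference files (Secure Preferences and Preferences under the profile directory), and reading them directly is quicker than scanning FRST output by eye. The script below is an added example, not Malwarebytes or Chromium code. It assumes the preference key layout named in its docstring, and an allow-list of acceptable search hosts (KNOWN_SEARCH_HOSTS) that you would tune for your environment. SAMPLE_PREFS is constructed to mirror the SD App signs (the searchprivacyplus.com search and suggest URLs, the "Secure" keyword, extension ID lnlfjeagcjplpnfkgjamnpmdlenmbeld) plus one benign extension; the checks go a little beyond this post and also flag homepage, startup-page and new-tab overrides, which other hijackers in this family use.

```python
"""Audit a Chrome profile's Secure Preferences / Preferences JSON for
search-hijack indicators.

Added example, not Malwarebytes or Chromium code. Assumed key layout:
  default_search_provider_data.template_url_data.{keyword,url,suggestions_url}
  extensions.settings.<id>.{manifest,from_webstore,state}
SAMPLE_PREFS is constructed to mirror the SD App signs above; it is not a
real profile.
"""
import json
import re
import sys
from urllib.parse import urlsplit

# Hosts the default search provider may legitimately point at (assumed allow-list; tune it).
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 characters, letters a-p only

SAMPLE_PREFS = {
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "Secure",
            "short_name": "Secure",
            "url": "https://searchprivacyplus.com/results.php?p=9011&v=400&q={searchTerms}&source=default",
            "suggestions_url": "https://searchprivacyplus.com/gjson.php?q={searchTerms}",
        }
    },
    "extensions": {
        "settings": {
            "lnlfjeagcjplpnfkgjamnpmdlenmbeld": {          # the SD App / "Secure" extension
                "from_webstore": True,
                "state": 1,
                "manifest": {
                    "name": "Secure",
                    "version": "2.1.0.9",
                    "chrome_settings_overrides": {
                        "search_provider": {
                            "keyword": "Secure",
                            "search_url": "https://searchprivacyplus.com/results.php?q={searchTerms}",
                            "is_default": True,
                        }
                    },
                },
            },
            "abcdefghijklmnopabcdefghijklmnop": {          # constructed benign extension
                "from_webstore": True,
                "state": 1,
                "manifest": {"name": "Harmless Notes", "version": "1.0"},
            },
        }
    },
}


def search_provider_findings(prefs):
    """Flag a default search provider whose URLs point outside the allow-list."""
    tud = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    findings = []
    for key in ("url", "suggestions_url"):
        url = tud.get(key)
        if not url:
            continue
        host = (urlsplit(url).hostname or "").lower()
        if host not in KNOWN_SEARCH_HOSTS:
            findings.append({"pref": key, "host": host, "keyword": tud.get("keyword")})
    return findings


def extension_findings(prefs):
    """Flag extensions that override search, homepage or new tab, or bypassed the Web Store."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        if not EXT_ID_RE.match(ext_id):
            continue
        manifest = entry.get("manifest", {})
        overrides = manifest.get("chrome_settings_overrides", {})
        reasons = []
        if "search_provider" in overrides:
            reasons.append("overrides default search provider")
        if "homepage" in overrides or "startup_pages" in overrides:
            reasons.append("overrides homepage or startup pages")
        if "newtab" in manifest.get("chrome_url_overrides", {}):
            reasons.append("replaces the new tab page")
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name"), "reasons": reasons})
    return findings


def audit(prefs):
    """Run both checks; an empty dict means nothing was flagged."""
    result = {}
    search = search_provider_findings(prefs)
    exts = extension_findings(prefs)
    if search:
        result["search_provider"] = search
    if exts:
        result["extensions"] = exts
    return result


if __name__ == "__main__":
    # Windows default: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences
    prefs = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_PREFS
    print(json.dumps(audit(prefs), indent=2))
```

Read-only inspection is the point: Chrome keeps an HMAC for each protected preference (in Secure Preferences and, on Windows, under HKCU\Software\Google\Chrome\PreferenceMACs, which is the registry value listed in the technical details above) and resets any value whose MAC does not verify, so hand-editing the JSON to undo a hijack is unreliable. Removing the extension through Chrome, or letting a removal tool quarantine the extension, its settings entry and the MAC together, as the scan log above shows, is the dependable route.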
12. What is BitcoinPriceSearch?

The Malwarebytes research team has determined that BitcoinPriceSearch is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
BitcoinPriceSearch is a member of the Mindspark/Ask family now known as IAC Applications.

How do I know if my computer is affected by BitcoinPriceSearch?

You may see these browser extensions/add-ons:
these warnings during install:
You may see this entry in your list of installed software:
and this new homepage in the affected browsers:

How did BitcoinPriceSearch get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.

How do I remove BitcoinPriceSearch?

Our program Malwarebytes can detect and remove this potentially unwanted program.
You can use their own uninstall instructions first, but I would advise following the steps below anyway.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of BitcoinPriceSearch?

No, Malwarebytes' Anti-Malware removes BitcoinPriceSearch completely.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.
How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the BitcoinPriceSearch hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late.
and it blocks traffic to some of their domains:

Technical details for experts

Possible signs in a FRST log:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/bitcoinpricesearch/ttab02/index.html?n={n}&p2={p2}TAB02&ptb={ptb}&coid={coid}
FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _r0Members_@free.bitcoinpricesearch.com
FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _r0Members_@free.bitcoinpricesearch.com
FF Extension: (BitcoinPriceSearch) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_r0Members_@free.bitcoinpricesearch.com.xpi [2019-04-04] [UpdateUrl:hxxps:\/\/updates.tb.ask.com\/updateXpi.json?id={id}&version=8.885.14.36451&track=TTAB02&trackRevision=1&fromId=_r0Members_%40free.bitcoinpricesearch.com&isBridgeExtension=false]
CHR NewTab: Default -> Active:"chrome-extension://gilkckpjbneflhmghfljlacoljlogfik/newtabproduct.html"
CHR Extension: (BitcoinPriceSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik [2019-04-04]
C:\Users\{username}\AppData\Local\BitcoinPriceSearchTooltab
(Mindspark Interactive Network, Inc.) C:\Users\{username}\Downloads\bitcoinpricesearch.exe
BitcoinPriceSearch Internet Explorer Homepage and New Tab (HKCU\...\BitcoinPriceSearchTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION

Significant changes made by the installers:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\BitcoinPriceSearchTooltab
Adds the file TooltabExtension.dll"="8/20/2018 8:35 PM, 266864 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0
Adds the file manifest.json"="4/4/2019 9:05 AM, 2714 bytes, A
Adds the file newtabproduct.html"="3/6/2019 11:57 AM, 1349 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_metadata
Adds the file computed_hashes.json"="4/4/2019 9:05 AM, 5641 bytes, A
Adds the file verified_contents.json"="3/6/2019 11:57 AM, 7177 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\config
Adds the file config.json"="3/6/2019 11:57 AM, 1529 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\icons
Adds the file icon128.png"="4/4/2019 9:05 AM, 5788 bytes, A
Adds the file icon16.png"="3/6/2019 11:57 AM, 472 bytes, A
Adds the file icon19disabled.png"="3/6/2019 11:57 AM, 425 bytes, A
Adds the file icon19on.png"="4/4/2019 9:05 AM, 639 bytes, A
Adds the file icon48.png"="4/4/2019 9:05 AM, 2137 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js
Adds the file ajax.js"="3/6/2019 11:57 AM, 3263 bytes, A
Adds the file babAPI.js"="3/6/2019 11:57 AM, 5703 bytes, A
Adds the file babClickHandler.js"="3/6/2019 11:57 AM, 11414 bytes, A
Adds the file babContentScript.js"="3/6/2019 11:57 AM, 3275 bytes, A
Adds the file babContentScriptAPI.js"="3/6/2019 11:57 AM, 5934 bytes, A
Adds the file background.js"="3/6/2019 11:57 AM, 22384 bytes, A
Adds the file browserUtils.js"="3/6/2019 11:57 AM, 1532 bytes, A
Adds the file chrome.js"="3/6/2019 11:57 AM, 146 bytes, A
Adds the file contentScriptConnectionManager.js"="3/6/2019 11:57 AM, 22629 bytes, A
Adds the file dateTimeUtils.js"="3/6/2019 11:57 AM, 1213 bytes, A
Adds the file dlp.js"="3/6/2019 11:57 AM, 5815 bytes, A
Adds the file dlpHelper.js"="3/6/2019 11:57 AM, 1835 bytes, A
Adds the file extensionDetect.js"="3/6/2019 11:57 AM, 4354 bytes, A
Adds the file index.js"="3/6/2019 11:57 AM, 49 bytes, A
Adds the file localStorageContentScript.js"="3/6/2019 11:57 AM, 2236 bytes, A
Adds the file logger.js"="3/6/2019 11:57 AM, 516 bytes, A
Adds the file meta.js"="3/6/2019 11:57 AM, 516 bytes, A
Adds the file offerService.js"="3/6/2019 11:57 AM, 16950 bytes, A
Adds the file pageUtils.js"="3/6/2019 11:57 AM, 3577 bytes, A
Adds the file PartnerId.js"="3/6/2019 11:57 AM, 16402 bytes, A
Adds the file polyfill.js"="3/6/2019 11:57 AM, 875 bytes, A
Adds the file product.js"="3/6/2019 11:57 AM, 8604 bytes, A
Adds the file remoteConfigLoader.js"="3/6/2019 11:57 AM, 4961 bytes, A
Adds the file splashPageLocalStorageSetter.js"="3/6/2019 11:57 AM, 88 bytes, A
Adds the file splashPageRedirectHandler.js"="3/6/2019 11:57 AM, 2868 bytes, A
Adds the file storageUtils.js"="3/6/2019 11:57 AM, 1718 bytes, A
Adds the file TemplateParser.js"="3/6/2019 11:57 AM, 3153 bytes, A
Adds the file ul.js"="3/6/2019 11:57 AM, 3969 bytes, A
Adds the file urlFragmentActions.js"="3/6/2019 11:57 AM, 2498 bytes, A
Adds the file urlUtils.js"="3/6/2019 11:57 AM, 5906 bytes, A
Adds the file util.js"="3/6/2019 11:57 AM, 2779 bytes, A
Adds the file webtooltabAPI.js"="3/6/2019 11:57 AM, 9768 bytes, A
Adds the file webTooltabAPIProxy.js"="3/6/2019 11:57 AM, 7589 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gilkckpjbneflhmghfljlacoljlogfik
Adds the file 000003.log"="4/4/2019 9:06 AM, 5872 bytes, A
Adds the file CURRENT"="4/4/2019 9:05 AM, 16 bytes, A
Adds the file LOCK"="4/4/2019 9:05 AM, 0 bytes, A
Adds the file LOG"="4/4/2019 9:06 AM, 184 bytes, A
Adds the file MANIFEST-000001"="4/4/2019 9:05 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_r0Members_@free.bitcoinpricesearch.com
Adds the file storage.js"="4/4/2019 9:04 AM, 2768 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
Adds the file _r0Members_@free.bitcoinpricesearch.com.xpi"="4/4/2019 9:04 AM, 67297 bytes, A
In the existing folder C:\Users\{username}\Downloads
Adds the file bitcoinpricesearch.exe"="4/4/2019 8:59 AM, 373248 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\BitcoinPriceSearch]
"Start Page"="REG_SZ", "http://hp.myway.com/bitcoinpricesearch/ttab02/index.html?n={n}&p2={p2}TAB02&ptb={ptb}&coid={coid}"
"UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2%3Fc%3D{ptb}%26ptb%3D{p2}TAB02"
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"gilkckpjbneflhmghfljlacoljlogfik"="REG_SZ", "7131FF6644F47BB730191B60F955CB6A3AA8A620C4FD4BD1092C67B4C18605C0"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = REG_SZ, "http://hp.myway.com/bitcoinpricesearch/ttab02/index.html?n={n}&p2={p2}TAB02&ptb={ptb}&coid={coid}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\BitcoinPriceSearchTooltab Uninstall Internet Explorer]
"DisplayName"="REG_SZ", "BitcoinPriceSearch Internet Explorer Homepage and New Tab"
"HelpLink"="REG_SZ", "http://support.mindspark.com/"
"Publisher"="REG_SZ", "Mindspark Interactive Network, Inc."
"UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\BitcoinPriceSearchTooltab\TooltabExtension.dll" U uninstall:BitcoinPriceSearch"
"URLInfoAbout"="REG_SZ", "http://support.mindspark.com/"

The Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/4/19
Scan Time: 9:17 AM
Log File: aa9ebd22-56a9-11e9-8b1e-00ffdcc6fdfc.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.9998
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 235986
Threats Detected: 88
Threats Quarantined: 88
Time Elapsed: 4 min, 33 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 1
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\BitcoinPriceSearchTooltab\TooltabExtension.dll, Quarantined, [1737], [356944],1.0.9998

Registry Key: 2
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BitcoinPriceSearchTooltab Uninstall Internet Explorer, Quarantined, [1737], [356944],1.0.9998
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\BitcoinPriceSearch, Quarantined, [1737], [444113],1.0.9998

Registry Value: 3
PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BitcoinPriceSearchTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [620], [352442],1.0.9998
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\BitcoinPriceSearch|START PAGE, Quarantined, [1737], [444113],1.0.9998
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gilkckpjbneflhmghfljlacoljlogfik, Quarantined, [1737], [443121],1.0.9998

Registry Data: 1
PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [620], [293497],1.0.9998

Data Stream: 0
(No malicious items detected)

Folder: 19
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\BitcoinPriceSearchTooltab, Quarantined, [1737], [356944],1.0.9998
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_r0Members_@free.bitcoinpricesearch.com, Quarantined, [1737], [468075],1.0.9998
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\gilkckpjbneflhmghfljlacoljlogfik, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\es_419, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\pt_BR, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\pt_PT, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\de, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\en, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\es, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\fr, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\it, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\ja, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_metadata, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\config, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\icons, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GILKCKPJBNEFLHMGHFLJLACOLJLOGFIK, Quarantined, [1737], [443121],1.0.9998

File: 62
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\BitcoinPriceSearchTooltab\TooltabExtension.dll, Quarantined, [1737], [356944],1.0.9998
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_r0Members_@free.bitcoinpricesearch.com.xpi, Quarantined, [1737], [457930],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_r0Members_@free.bitcoinpricesearch.com\storage.js, Quarantined, [1737], [468075],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gilkckpjbneflhmghfljlacoljlogfik\000003.log, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gilkckpjbneflhmghfljlacoljlogfik\CURRENT, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gilkckpjbneflhmghfljlacoljlogfik\LOCK, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gilkckpjbneflhmghfljlacoljlogfik\LOG, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gilkckpjbneflhmghfljlacoljlogfik\MANIFEST-000001, Quarantined, [1737], [443121],1.0.9998
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER
DATA\Default\Secure Preferences, Replaced, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GILKCKPJBNEFLHMGHFLJLACOLJLOGFIK\13.855.14.60975_0\MANIFEST.JSON, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\config\config.json, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\icons\icon128.png, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\icons\icon16.png, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\icons\icon19disabled.png, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\icons\icon19on.png, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\icons\icon48.png, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\meta.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\ajax.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\babAPI.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\babClickHandler.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\babContentScript.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\babContentScriptAPI.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\background.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\browserUtils.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\chrome.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\contentScriptConnectionManager.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\dateTimeUtils.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\dlp.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\dlpHelper.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\extensionDetect.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\index.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\localStorageContentScript.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\logger.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\offerService.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\pageUtils.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\PartnerId.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\polyfill.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\product.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\remoteConfigLoader.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\splashPageLocalStorageSetter.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\splashPageRedirectHandler.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\storageUtils.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\TemplateParser.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\ul.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\urlFragmentActions.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\urlUtils.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\util.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\webtooltabAPI.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\js\webTooltabAPIProxy.js, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\de\messages.json, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\en\messages.json, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\es\messages.json, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\es_419\messages.json, Quarantined, [1737], [443121],1.0.9998 
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\fr\messages.json, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\it\messages.json, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\ja\messages.json, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\pt_BR\messages.json, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_locales\pt_PT\messages.json, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_metadata\computed_hashes.json, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\_metadata\verified_contents.json, Quarantined, [1737], [443121],1.0.9998 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gilkckpjbneflhmghfljlacoljlogfik\13.855.14.60975_0\newtabproduct.html, Quarantined, [1737], [443121],1.0.9998 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer 
against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is EasyPDF?
The Malwarebytes research team has determined that EasyPDF is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses a web push notifications service that is blocked by Malwarebytes for fraud.
How do I know if my computer is affected by EasyPDF?
You may see these warnings during install:
You will see this icon in your Chrome menu-bar:
and these changed settings:
How did EasyPDF get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:
How do I remove EasyPDF?
Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of EasyPDF?
No, Malwarebytes removes EasyPDF completely. If you have allowed the notifications you can read here how to disable them.
How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the EasyPDF hijacker. It would have blocked their notifications service, giving you a chance to stop before it became too late.
Technical details for experts
Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://feed.easy-pdf.com/?q={searchTerms}&publisher=easypdf&barcodeid=531950000000000
CHR DefaultSearchKeyword: Default -> EasyPDF
CHR DefaultSuggestURL: Default -> hxxps://api.easy-pdf.com/suggest/get?q={searchTerms}
CHR Extension: (EasyPDF) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcbifileifaoaanepoclaojicaollmno [2019-04-03]
Alterations made by the installer:
File system details (Selection)
Registry details (Selection)
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"jcbifileifaoaanepoclaojicaollmno"="REG_SZ", "42782563A7E7864AAB20831974E54BC1B7FFD96054E8CBF7DC4D44D3A1A41925"
Malwarebytes log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 4/3/19
Scan Time: 9:58 AM
Log File: 491675eb-55e6-11e9-9b47-00ffdcc6fdfc.json
-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.9984
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 235831
Threats Detected: 27
Threats Quarantined: 27
Time Elapsed: 4 min, 41 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 1
PUP.Optional.EasyPDF, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jcbifileifaoaanepoclaojicaollmno, Quarantined, [14675], [649140],1.0.9984
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 7
File: 19
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
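Reading the CHR lines in an FRST log by hand does not scale once a machine has several profiles and many extensions, so here is an added triage helper (example code, not from Malwarebytes or FRST) that pulls the Chrome search-provider, NewTab and Extension lines out of an FRST log and flags those that match a watchlist built from the extension IDs and search domains named in the guides on this page, or that point a default search at a host outside an assumed allowlist. The sample log is constructed in FRST's format; the allowlist of search hosts and the benign extension ID are assumptions.

```python
import re
from dataclasses import dataclass

# Watchlist built from the extension IDs and search domains named in the
# guides on this page (EasyPDF, ConvertoPDF, BitcoinPriceSearch).
WATCHLIST_EXTENSION_IDS = {
    "jcbifileifaoaanepoclaojicaollmno": "EasyPDF",
    "hnhjkkeengkiofpddioocmdhokejgncj": "ConvertoPDF",
    "gilkckpjbneflhmghfljlacoljlogfik": "BitcoinPriceSearch",
}
WATCHLIST_DOMAINS = {"feed.easy-pdf.com", "api.easy-pdf.com"}

# Assumed allowlist: search hosts the user is expected to have configured.
# Anything else reported as a default search or suggest URL deserves a look.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

CHR_LINE = re.compile(r"^CHR (\w+): (.*)$")
# Chrome extension IDs are exactly 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"\b([a-p]{32})\b")
# FRST defangs URLs as hxxp(s)://; plain http(s):// is accepted as well.
URL_HOST = re.compile(r"\bh(?:tt|xx)ps?://([^/?#\s\"]+)", re.IGNORECASE)

SEARCH_KINDS = ("DefaultSearchURL", "DefaultSuggestURL")


@dataclass(frozen=True)
class Finding:
    kind: str    # FRST item type, e.g. DefaultSearchURL, NewTab, Extension
    value: str   # the rest of the FRST line, as reported
    reason: str  # why the line was flagged


def triage_frst_chr_lines(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious Chrome (CHR) line in an FRST log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        match = CHR_LINE.match(raw.strip())
        if not match:
            continue
        kind, value = match.groups()

        # Any extension ID on the line (extension path, NewTab URL, ...) that
        # is on the watchlist is reported, whatever the line type.
        for ext_id in EXT_ID.findall(value):
            name = WATCHLIST_EXTENSION_IDS.get(ext_id)
            if name:
                findings.append(Finding(kind, value, f"watchlisted extension {name} ({ext_id})"))

        # Search-provider lines: check the host against watchlist and allowlist.
        if kind in SEARCH_KINDS:
            host_match = URL_HOST.search(value)
            if host_match is None:
                findings.append(Finding(kind, value, "no URL found in search setting"))
                continue
            host = host_match.group(1).lower()
            if host in WATCHLIST_DOMAINS:
                findings.append(Finding(kind, value, f"watchlisted search domain {host}"))
            elif host not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding(kind, value, f"unrecognised search host {host}"))
    return findings


def flagged_extension_names(findings: list[Finding]) -> set[str]:
    """Names of watchlisted extensions that appear in the findings."""
    names = set()
    for f in findings:
        for ext_id, name in WATCHLIST_EXTENSION_IDS.items():
            if ext_id in f.reason:
                names.add(name)
    return names


# Constructed sample in FRST's CHR format: the signs shown in the guides on
# this page plus two benign lines (the benign extension ID is made up).
SAMPLE_FRST_LOG = """
CHR DefaultSearchURL: Default -> hxxps://feed.easy-pdf.com/?q={searchTerms}&publisher=easypdf&barcodeid=531950000000000
CHR DefaultSearchKeyword: Default -> EasyPDF
CHR DefaultSuggestURL: Default -> hxxps://api.easy-pdf.com/suggest/get?q={searchTerms}
CHR NewTab: Default -> Active:"chrome-extension://hnhjkkeengkiofpddioocmdhokejgncj/html/newtab.html"
CHR Extension: (EasyPDF) - C:\\Users\\{username}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\jcbifileifaoaanepoclaojicaollmno [2019-04-03]
CHR Extension: (Example Add-on) - C:\\Users\\{username}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\abcdefghijklmnopabcdefghijklmnop [2019-01-10]
CHR DefaultSearchURL: Profile 2 -> hxxps://www.google.com/search?q={searchTerms}
"""

if __name__ == "__main__":
    for f in triage_frst_chr_lines(SAMPLE_FRST_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.value}")
```

On the sample it reports the two easy-pdf.com search settings, the ConvertoPDF NewTab and the EasyPDF extension folder, and stays silent on the made-up benign extension and the Google search line.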
  14. What is ConvertoPDF?
The Malwarebytes research team has determined that ConvertoPDF is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
How do I know if my computer is affected by ConvertoPDF?
You may see this browser extension:
these warnings during install:
You may see this icon in your browser's menu-bar:
this new startpage:
and this new setting:
How did ConvertoPDF get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:
How do I remove ConvertoPDF?
Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise following the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of ConvertoPDF?
No, Malwarebytes' Anti-Malware removes ConvertoPDF completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.
How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
Technical details for experts
Possible signs in a FRST log:
CHR NewTab: Default -> Active:"chrome-extension://hnhjkkeengkiofpddioocmdhokejgncj/html/newtab.html"
CHR Extension: (ConvertoPDF) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnhjkkeengkiofpddioocmdhokejgncj [2019-04-02]
Changes made by the installers:
File system details (Selection)
Registry details (Selection)
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"hnhjkkeengkiofpddioocmdhokejgncj"="REG_SZ", "3B7F459F2068EE2300EB2802C769E92928DEBDB27FB5CF04BDEBB0F0E976B6CC"
The Malwarebytes scan log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 4/2/19
Scan Time: 9:55 AM
Log File: ae95cce2-551c-11e9-849a-00ffdcc6fdfc.json
-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.9964
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 235921
Threats Detected: 27
Threats Quarantined: 27
Time Elapsed: 4 min, 7 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 1
PUP.Optional.BlpSearch.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hnhjkkeengkiofpddioocmdhokejgncj, Quarantined, [14642], [443081],1.0.9964
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 10
File: 16
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
The full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself
the hassle and get protected.
  15. What is E-Books Club?

The Malwarebytes research team has determined that E-Books Club is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses a web push notifications service.

How do I know if my computer is affected by E-Books Club?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You will see this icon in your Chrome menu-bar:
and these changed settings:

How did E-Books Club get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove E-Books Club?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of E-Books Club?

No, Malwarebytes removes E-Books Club completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the E-Books Club hijacker. It would have blocked their notifications service, giving you a chance to stop before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://feed.ebooks-club.com/?q={searchTerms}&publisher=ebooks-club&barcodeid=548590000000000
CHR DefaultSearchKeyword: Default -> ebooksclub
CHR DefaultSuggestURL: Default -> hxxps://api.ebooks-club.com/suggest/get?q={searchTerms}
CHR Extension: (ebooksclub) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi [2019-04-01]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0
Adds the file closer.js"="8/7/2018 11:31 AM, 15 bytes, A
Adds the file manifest.json"="4/1/2019 9:01 AM, 2276 bytes, A
Adds the file popup.html"="2/25/2019 12:17 PM, 1154 bytes, A
Adds the file tab.html"="8/7/2018 11:31 AM, 165 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\_metadata
Adds the file computed_hashes.json"="4/1/2019 9:01 AM, 2561 bytes, A
Adds the file verified_contents.json"="2/25/2019 12:24 PM, 2947 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\images
Adds the file how-1.png"="2/25/2019 12:17 PM, 2862 bytes, A
Adds the file how-2.png"="2/25/2019 12:17 PM, 3247 bytes, A
Adds the file logo-small.png"="2/25/2019 12:17 PM, 913 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\images\icons
Adds the file 128x128.png"="4/1/2019 9:01 AM, 2940 bytes, A
Adds the file 16x16.png"="4/1/2019 9:01 AM, 470 bytes, A
Adds the file 64x64.png"="4/1/2019 9:01 AM, 1392 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\scripts
Adds the file background.js"="2/25/2019 12:32 PM, 31405 bytes, A
Adds the file jquery-3.3.1.min.js"="2/25/2019 12:17 PM, 86927 bytes, A
Adds the file popup.js"="2/25/2019 12:31 PM, 561 bytes, A
Adds the file sitecontent.js"="2/25/2019 12:17 PM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\styles
Adds the file popup.css"="2/25/2019 12:17 PM, 1270 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications
Adds the file 000003.log"="4/1/2019 9:01 AM, 9975 bytes, A
Adds the file CURRENT"="4/1/2019 9:00 AM, 16 bytes, A
Adds the file LOCK"="4/1/2019 9:00 AM, 0 bytes, A
Adds the file LOG"="4/1/2019 9:00 AM, 149 bytes, A
Adds the file MANIFEST-000001"="4/1/2019 9:00 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fbphgebomlfmfkknlaggpigbboinidoi
Adds the file E-Books Club.ico"="4/1/2019 9:01 AM, 163043 bytes, A
Adds the file E-Books Club.ico.md5"="4/1/2019 9:01 AM, 16 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"fbphgebomlfmfkknlaggpigbboinidoi"="REG_SZ", "CEE5459AFB763558C738C5C6762588179B96450BE1550A90DC5EE813EAEB8FA0"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/1/19
Scan Time: 9:14 AM
Log File: bd13ad90-544d-11e9-8cb8-00ffdcc6fdfc.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.9946
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 235748
Threats Detected: 29
Threats Quarantined: 29
Time Elapsed: 4 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.EBooksClub, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fbphgebomlfmfkknlaggpigbboinidoi, Quarantined, [302], [661023],1.0.9946

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 7
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\images\icons, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\_metadata, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\scripts, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\images, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\styles, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FBPHGEBOMLFMFKKNLAGGPIGBBOINIDOI, Quarantined, [302], [661023],1.0.9946

File: 21
PUP.Optional.EBooksClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FBPHGEBOMLFMFKKNLAGGPIGBBOINIDOI\1.0.1_0\MANIFEST.JSON, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\images\icons\128x128.png, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\images\icons\16x16.png, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\images\icons\64x64.png, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\images\how-1.png, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\images\how-2.png, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\images\logo-small.png, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\scripts\background.js, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\scripts\jquery-3.3.1.min.js, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\scripts\popup.js, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\scripts\sitecontent.js, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\styles\popup.css, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\_metadata\computed_hashes.json, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\_metadata\verified_contents.json, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\closer.js, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\popup.html, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbphgebomlfmfkknlaggpigbboinidoi\1.0.1_0\tab.html, Quarantined, [302], [661023],1.0.9946
PUP.Optional.EBooksClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [302], [661024],1.0.9946
PUP.Optional.EBooksClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [302], [661024],1.0.9946

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
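As an added triage check (not Malwarebytes' or FRST's code), the Python script below looks for the E-Books Club indicators listed in the technical details above inside a Chrome profile's Preferences or Secure Preferences JSON. It assumes Chrome's default_search_provider_data.template_url_data and extensions.settings key layout; the sample dictionaries are constructed to mirror the guide's FRST lines, not taken from a real machine.

```python
import json
from urllib.parse import urlparse

# Indicators copied from the FRST lines in the guide above.
HIJACKER_EXT_IDS = {"fbphgebomlfmfkknlaggpigbboinidoi"}
HIJACKER_HOSTS = {"feed.ebooks-club.com", "api.ebooks-club.com"}
HIJACKER_KEYWORD = "ebooksclub"


def _host(url):
    """Hostname of a URL; FRST defangs 'https' as 'hxxps', so undo that too."""
    return (urlparse(url.replace("hxxp", "http", 1)).hostname or "").lower()


def triage_preferences(prefs):
    """Return the indicator findings present in one parsed Preferences dict.

    Assumed Chrome layout: default_search_provider_data.template_url_data holds
    the default search engine; extensions.settings is keyed by extension ID.
    """
    findings = []
    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    for key in ("url", "suggestions_url"):
        host = _host(search.get(key, ""))
        if host in HIJACKER_HOSTS:
            findings.append(f"default search {key} points to {host}")
    if search.get("keyword") == HIJACKER_KEYWORD:
        findings.append(f"default search keyword is {HIJACKER_KEYWORD}")
    for ext_id in prefs.get("extensions", {}).get("settings", {}):
        if ext_id in HIJACKER_EXT_IDS:
            findings.append(f"hijacker extension present: {ext_id}")
    return findings


def triage_file(path):
    """Parse a Chrome Preferences or Secure Preferences file and triage it."""
    with open(path, encoding="utf-8") as fh:
        return triage_preferences(json.load(fh))


# Constructed sample mirroring the guide's FRST lines (not a real profile dump).
SAMPLE_HIJACKED = {
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "ebooksclub",
            "url": "https://feed.ebooks-club.com/?q={searchTerms}&publisher=ebooks-club&barcodeid=548590000000000",
            "suggestions_url": "https://api.ebooks-club.com/suggest/get?q={searchTerms}",
        }
    },
    "extensions": {"settings": {"fbphgebomlfmfkknlaggpigbboinidoi": {"state": 1}}},
}

# Constructed clean profile: Google as default search, no extensions installed.
SAMPLE_CLEAN = {
    "default_search_provider_data": {
        "template_url_data": {"keyword": "google.com", "url": "https://www.google.com/search?q={searchTerms}"}
    },
    "extensions": {"settings": {}},
}

if __name__ == "__main__":
    for finding in triage_preferences(SAMPLE_HIJACKED):
        print(finding)
```

Point triage_file at the profile's Preferences and Secure Preferences files to run the same check on a live profile.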