Metallica

Staff
About Metallica

  • Rank: Master of PUPs
  • Birthday: 05/19/1963

Profile Information

  • Location: Netherlands

  1. What is kotcatkcomksz?
     The Malwarebytes research team has determined that kotcatkcomksz is adware. These adware applications display advertisements not originating from the sites you are browsing. This particular one uses a Scheduled Task to open an ad-rotator window in the default browser.

     How do I know if my computer is affected by kotcatkcomksz?
     You may see this Scheduled Task:

     How did kotcatkcomksz get on my computer?
     Adware applications use different methods for distributing themselves. This particular one was installed by a bundler.

     How do I remove kotcatkcomksz?
     Our program Malwarebytes can detect and remove this potentially unwanted program.
     Please download Malwarebytes to your desktop.
     Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
     Then click Finish.
     Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
     If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
     When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of kotcatkcomksz?
     No, Malwarebytes removes kotcatkcomksz completely.
     This adware creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

     How would the full version of Malwarebytes help protect me?
     We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the kotcatkcomksz adware.
     It would have blocked their domain.
     and stopped the bundler from executing.

     Technical details for experts

     Possible signs in FRST logs:
     C:\Windows\System32\Tasks\kotcatkcomksz
     Task: {BA2CA154-9D82-4FCE-86D5-3291A1D55983} - System32\Tasks\kotcatkcomksz => "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" kotcatk.com/ksz

     Significant changes made by the installer:
     In the existing folder C:\Windows\Tasks
     Adds the file kotcatkcomksz.job"="2/22/2018 9:01 AM, 310 bytes, A

     Malwarebytes log:
     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 2/22/18
     Scan Time: 9:06 AM
     Log File: 52b32325-17a7-11e8-9e11-080027750297.json
     Administrator: Yes

     -Software Information-
     Version: 3.3.1.2183
     Components Version: 1.0.262
     Update Package Version: 1.0.4044
     License: Premium

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {computername}\{username}

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 243596
     Threats Detected: 13
     Threats Quarantined: 13
     Time Elapsed: 1 min, 53 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 3
     Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\KOTCATKCOMKSZ, Quarantined, [7758], [491051],1.0.4044
     Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BA2CA154-9D82-4FCE-86D5-3291A1D55983}, Quarantined, [7758], [491051],1.0.4044
     Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{BA2CA154-9D82-4FCE-86D5-3291A1D55983}, Quarantined, [7758], [491051],1.0.4044

     Registry Value: 1
     Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BA2CA154-9D82-4FCE-86D5-3291A1D55983}|PATH, Quarantined, [7758], [491053],1.0.4044

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 0
     (No malicious items detected)

     File: 9
     Adware.StartPage.BatBitRst, C:\WINDOWS\SYSTEM32\TASKS\KOTCATKCOMKSZ, Quarantined, [7758], [491051],1.0.4044
     Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [7758], [-1],0.0.0
     Adware.StartPage.BatBitRst, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [7758], [-1],0.0.0
     Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [7758], [-1],0.0.0
     Adware.StartPage.BatBitRst, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [7758], [-1],0.0.0
     Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [7758], [-1],0.0.0
     Adware.StartPage.BatBitRst, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [7758], [-1],0.0.0
     Adware.StartPage.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [7758], [-1],0.0.0
     Adware.StartPage.BatBitRst, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [7758], [-1],0.0.0

     Physical Sector: 0
     (No malicious items detected)

     (end)

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
     We use different ways of protecting your computer(s):
     Dynamically Blocks Malware Sites & Servers
     Malware Execution Prevention
     Save yourself the hassle and get protected.
  2. What is Your Transit Info Now?
     The Malwarebytes research team has determined that Your Transit Info Now is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. Your Transit Info Now is a member of the Spigot family as described in the blogpost Spigot browser hijackers.

     How do I know if my computer is affected by Your Transit Info Now?
     You may see these browser extensions/add-ons:
     and this new default search provider:
     You may see this entry in your list of installed software:
     these warnings during install:
     and this new startpage in the affected browser(s):

     How did Your Transit Info Now get on my computer?
     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.

     How do I remove Your Transit Info Now?
     Our program Malwarebytes can detect and remove this potentially unwanted program.
     Please download Malwarebytes to your desktop.
     Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
     Then click Finish.
     Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
     If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
     When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Your Transit Info Now?
     No, Malwarebytes removes Your Transit Info Now completely.
     If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the Your Transit Info Now entry and confirm Remove in the prompt.
     If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

     How would the full version of Malwarebytes help protect me?
     We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Your Transit Info Now hijacker.
     It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late.
     and it blocks traffic to their domain:

     Technical details for experts

     Possible signs in a FRST log:
     HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.yourtransitinfonow.com/?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30
     SearchScopes: HKCU -> DefaultScope {F6FD85C6-83A9-4999-BEE6-60D94650FF53} URL = hxxp://search.yourtransitinfonow.com/s?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30&query={searchTerms}
     SearchScopes: HKCU -> {F6FD85C6-83A9-4999-BEE6-60D94650FF53} URL = hxxp://search.yourtransitinfonow.com/s?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30&query={searchTerms}
     FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\web@Transit.xpi [2018-02-21]
     CHR Extension: (Your Transit Info Now) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh [2018-02-21]
     C:\Users\{username}\Downloads\YourTransitInfoNow.exe
     Your Transit Info Now (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.2.0.8 - Cloud Installer)

     Significant changes made by the installers:

     File system details [View: All details] (Selection)
     ---------------------------------------------------
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0
     Adds the file after.js"="12/12/2017 1:18 PM, 803 bytes, A
     Adds the file background.js"="12/12/2017 1:18 PM, 13524 bytes, A
     Adds the file chromeRestore.js"="12/12/2017 1:18 PM, 2256 bytes, A
     Adds the file contentscript.js"="12/12/2017 1:18 PM, 1243 bytes, A
     Adds the file icon.png"="2/21/2018 8:47 AM, 1507 bytes, A
     Adds the file manifest.json"="2/21/2018 8:47 AM, 1450 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_locales\en
     Adds the file messages.json"="2/21/2018 8:47 AM, 282 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_metadata
     Adds the file computed_hashes.json"="2/21/2018 8:47 AM, 1401 bytes, A
     Adds the file verified_contents.json"="12/12/2017 1:18 PM, 2825 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\css
     Adds the file description.css"="12/12/2017 1:18 PM, 1008 bytes, A
     Adds the file popup.css"="12/12/2017 1:18 PM, 95 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\html\popup
     Adds the file description.html"="12/12/2017 1:18 PM, 272 bytes, A
     Adds the file popup.html"="12/12/2017 1:18 PM, 214 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js
     Adds the file userNewTab.js"="12/12/2017 1:18 PM, 1687 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js\popup
     Adds the file popup.js"="12/12/2017 1:18 PM, 805 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\newtab
     Adds the file slimtransit__newtab.html"="12/12/2017 1:18 PM, 212 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh
     Adds the file 000003.log"="2/21/2018 8:47 AM, 363 bytes, A
     Adds the file CURRENT"="2/21/2018 8:47 AM, 16 bytes, A
     Adds the file LOCK"="2/21/2018 8:47 AM, 0 bytes, A
     Adds the file LOG"="2/21/2018 8:47 AM, 184 bytes, A
     Adds the file MANIFEST-000001"="2/21/2018 8:47 AM, 41 bytes, A
     Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
     Adds the file Uninstall.exe"="2/21/2018 8:53 AM, 324664 bytes, A
     Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\web@Transit
     Adds the file storage.js"="2/21/2018 8:56 AM, 423 bytes, A
     In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
     Adds the file web@Transit.xpi"="2/21/2018 8:56 AM, 11422 bytes, A
     In the existing folder C:\Users\{username}\Downloads
     Adds the file YourTransitInfoNow.exe"="2/21/2018 8:51 AM, 267856 bytes, A

     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
     "icbgeaafimbjdfpcbgnkpokfcamiimoh"="REG_SZ", "9CC392D8125F111129856A98B3C2F4086ED3D8F1966885726FAF0A23D6CCA827"
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
     "Start Page" = REG_SZ, "http://search.yourtransitinfonow.com/?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30"
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
     "DefaultScope" = REG_SZ, "{F6FD85C6-83A9-4999-BEE6-60D94650FF53}"
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F6FD85C6-83A9-4999-BEE6-60D94650FF53}]
     "DisplayName"="REG_SZ", "Search"
     "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
     "URL"="REG_SZ", "http://search.yourtransitinfonow.com/s?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30&query={searchTerms}"
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
     "DisplayName"="REG_SZ", "Your Transit Info Now"
     "DisplayVersion"="REG_SZ", "4.2.0.8"
     "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\"
     "Publisher"="REG_SZ", "Cloud Installer"
     "UninstallDialog"="REG_DWORD", 1
     "UninstallEngineID"="REG_SZ", "{F6FD85C6-83A9-4999-BEE6-60D94650FF53}"
     "UninstallHomepage"="REG_SZ", "http://search.yourtransitinfonow.com/?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30"
     "UninstallImpression"="REG_SZ", "http://imp.yourtransitinfonow.com/impression.do?source={source}&sub_id=20180221&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus65&user_id={uid}&implementation_id=transit__1.30&subid2=11.0.9600.18920&event={exEvent}"
     "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"

     Malwarebytes scan log:
     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 2/21/18
     Scan Time: 9:11 AM
     Log File: cfdf441f-16de-11e8-834c-080027750297.json
     Administrator: Yes

     -Software Information-
     Version: 3.3.1.2183
     Components Version: 1.0.262
     Update Package Version: 1.0.4028
     License: Premium

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {computername}\{username}

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 243403
     Threats Detected: 42
     Threats Quarantined: 42
     Time Elapsed: 2 min, 8 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 2
     PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{F6FD85C6-83A9-4999-BEE6-60D94650FF53}, Quarantined, [2109], [368913],1.0.4028
     PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [599], [373879],1.0.4028

     Registry Value: 1
     PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{F6FD85C6-83A9-4999-BEE6-60D94650FF53}|URL, Quarantined, [2109], [368913],1.0.4028

     Registry Data: 1
     PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [2109], [373048],1.0.4028

     Data Stream: 0
     (No malicious items detected)

     Folder: 13
     PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [599], [373878],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_locales\en, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\html\popup, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_metadata, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js\popup, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_locales, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\newtab, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\html, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\css, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ICBGEAAFIMBJDFPCBGNKPOKFCAMIIMOH, Quarantined, [2109], [454579],1.0.4028

     File: 25
     PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [599], [373878],1.0.4028
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh\000003.log, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh\CURRENT, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh\LOCK, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh\LOG, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh\MANIFEST-000001, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ICBGEAAFIMBJDFPCBGNKPOKFCAMIIMOH\1.10_0\CHROMERESTORE.JS, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\css\description.css, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\css\popup.css, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\html\popup\description.html, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\html\popup\popup.html, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js\popup\popup.js, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js\userNewTab.js, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\newtab\slimtransit__newtab.html, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_locales\en\messages.json, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_metadata\computed_hashes.json, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_metadata\verified_contents.json, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\after.js, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\background.js, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\contentscript.js, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\icon.png, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\manifest.json, Quarantined, [2109], [454579],1.0.4028
     PUP.Optional.Spigot, C:\USERS\{username}\DOWNLOADS\YOURTRANSITINFONOW.EXE, Quarantined, [599], [455961],1.0.4028

     Physical Sector: 0
     (No malicious items detected)

     (end)

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
     We use different ways of protecting your computer(s):
     Dynamically Blocks Malware Sites & Servers
     Malware Execution Prevention
     Save yourself the hassle and get protected.
  3. What is Shield-Plus History Cleaner?
     The Malwarebytes research team has determined that Shield-Plus History Cleaner is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one adds advertisements to the search results.

     How do I know if my computer is affected by Shield-Plus History Cleaner?
     You may see this entry in your list of installed Chrome extensions:
     and these warnings during install:
     and this newtab search site:
     and you will see this icon in your Chrome menu bar:

     How did Shield-Plus History Cleaner get on my computer?
     Browser hijackers use different methods for distributing themselves. This particular one was pushed by an ad-rotator and also available in the webstore.

     How do I remove Shield-Plus History Cleaner?
     Our program Malwarebytes can detect and remove this potentially unwanted program.
     Please download Malwarebytes to your desktop.
     Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
     Then click Finish.
     Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
     If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
     When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Shield-Plus History Cleaner?
     No, Malwarebytes removes Shield-Plus History Cleaner completely.

     How would the full version of Malwarebytes help protect me?
     We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Shield-Plus History Cleaner hijacker.
     It would have blocked you from visiting the hijacker's site.

     Technical details for experts

     Possible signs in FRST logs:
     CHR DefaultSearchURL: Default -> hxxp://clean.shield-plus.com?babsrc=SP_&q={searchTerms}
     CHR DefaultSearchKeyword: Default -> Shield-Plus, History Cleaner, Privacy, Search History
     CHR DefaultSuggestURL: Default -> hxxp://clean.shield-plus.com/suggest?q={searchTerms}
     CHR Extension: (Shield-Plus History Cleaner) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf [2018-02-20]

     Alterations made by the installer:

     File system details [View: All details] (Selection)
     ---------------------------------------------------
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0
     Adds the file background.js"="1/25/2018 3:42 PM, 4831 bytes, A
     Adds the file manifest.json"="2/20/2018 8:37 AM, 2228 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\_metadata
     Adds the file computed_hashes.json"="2/20/2018 8:37 AM, 416 bytes, A
     Adds the file verified_contents.json"="1/22/2018 12:49 PM, 2132 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\images
     Adds the file icon128.png"="2/20/2018 8:37 AM, 5971 bytes, A
     Adds the file icon16.png"="2/20/2018 8:37 AM, 717 bytes, A
     Adds the file icon32.png"="11/6/2017 9:50 AM, 1621 bytes, A
     Adds the file icon48.png"="2/20/2018 8:37 AM, 2342 bytes, A
     Adds the file shieldPlus.png"="2/20/2018 8:37 AM, 1988 bytes, A
     Adds the file shieldPlusdisable.png"="11/6/2017 9:50 AM, 1733 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kocnbiohdcjphcbalmlbpgbhgbelkmdf
     Adds the file 000003.log"="2/20/2018 8:37 AM, 37 bytes, A
     Adds the file CURRENT"="2/20/2018 8:37 AM, 16 bytes, A
     Adds the file LOCK"="2/20/2018 8:37 AM, 0 bytes, A
     Adds the file LOG"="2/20/2018 8:37 AM, 184 bytes, A
     Adds the file MANIFEST-000001"="2/20/2018 8:37 AM, 41 bytes, A

     Malwarebytes log:
     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 2/20/18
     Scan Time: 8:50 AM
     Log File: bda4a4d2-1612-11e8-90a3-080027750297.json
     Administrator: Yes

     -Software Information-
     Version: 3.3.1.2183
     Components Version: 1.0.262
     Update Package Version: 1.0.4010
     License: Premium

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {computername}\{username}

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 243154
     Threats Detected: 22
     Threats Quarantined: 22
     Time Elapsed: 1 min, 47 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 0
     (No malicious items detected)

     Registry Value: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 5
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\_metadata, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\images, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kocnbiohdcjphcbalmlbpgbhgbelkmdf, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\kocnbiohdcjphcbalmlbpgbhgbelkmdf, Quarantined, [14924], [492135],1.0.4010

     File: 17
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\images\icon128.png, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\images\icon16.png, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\images\icon32.png, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\images\icon48.png, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\images\shieldPlus.png, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\images\shieldPlusdisable.png, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\_metadata\computed_hashes.json, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\_metadata\verified_contents.json, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\background.js, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kocnbiohdcjphcbalmlbpgbhgbelkmdf\2.1_0\manifest.json, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kocnbiohdcjphcbalmlbpgbhgbelkmdf\000003.log, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kocnbiohdcjphcbalmlbpgbhgbelkmdf\CURRENT, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kocnbiohdcjphcbalmlbpgbhgbelkmdf\LOCK, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kocnbiohdcjphcbalmlbpgbhgbelkmdf\LOG, Quarantined, [14924], [492135],1.0.4010
     PUP.Optional.ShieldHistoryCleaner, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kocnbiohdcjphcbalmlbpgbhgbelkmdf\MANIFEST-000001, Quarantined, [14924], [492135],1.0.4010

     Physical Sector: 0
     (No malicious items detected)

     (end)

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
     We use different ways of protecting your computer(s):
     Dynamically Blocks Malware Sites & Servers
     Malware Execution Prevention
     Save yourself the hassle and get protected.
4. What is exinariuminix.info?

The Malwarebytes research team has determined that exinariuminix.info is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one creates a Scheduled Task that adds a registry value which opens a browser window pointing to exinariuminix.info at system startup.

How do I know if my computer is affected by exinariuminix.info?
You may see a Scheduled Task similar to this:

How did exinariuminix.info get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove exinariuminix.info?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of exinariuminix.info?
No, Malwarebytes removes exinariuminix.info completely.
This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the exinariuminix.info hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
And it blocks the site the hijacker tries to open at system boot:

Technical details for experts

Possible signs in FRST logs:
HKCU\...\Run: [{username}] => explorer.exe hxxp://exinariuminix.info
C:\Users\{username}\Desktop\{username} - Changes.txt
C:\Windows\System32\Tasks\{username}
Task: {DD698A10-BF77-401B-AF85-C2DE294957AD} - System32\Tasks\{username} => cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v {username} /t REG_SZ /d "explorer.exe hxxp://exinariuminix.info"

Alterations made by the installer:
File system details
In the existing folder C:\Windows\System32\Tasks
Adds the file {username}"="2/19/2018 9:07 AM, 3150 bytes, A
Registry details
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{username}"="REG_SZ", "explorer.exe http://exinariuminix.info"

Malwarebytes log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 2/19/18
Scan Time: 10:41 AM
Log File: 1908216b-1559-11e8-99dd-080027750297.json
Administrator: Yes
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3998
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 243077
Threats Detected: 3
Threats Quarantined: 3
Time Elapsed: 2 min, 35 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 1
Adware.StartPage.USACVAR, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\{username}, Delete-on-Reboot, [14871], [-1],0.0.0
Registry Value: 1
Adware.StartPage.USACVAR, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|{username}, Delete-on-Reboot, [14871], [491786],1.0.3998
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 1
Adware.StartPage.USACVAR, C:\WINDOWS\SYSTEM32\TASKS\{username}, Delete-on-Reboot, [14871], [-1],0.0.0
Physical Sector: 0
(No malicious items detected)
(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
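A read-only check for the two persistence artifacts this post describes: a scheduled task whose action re-adds a Run value with REG ADD, and a Run value that hands explorer.exe a URL so the default browser opens it at logon. This is an added example written for Windows PowerShell, not code from the original post or from Malwarebytes; it assumes PowerShell 3 or later, read access to the Tasks folder (normally an elevated prompt), and the regular expressions are this example's own heuristics.

```powershell
# Added example, not part of the original post. Assumptions: Windows
# PowerShell 3+, read access to %SystemRoot%\System32\Tasks (usually needs
# an elevated prompt); the patterns below are this example's own heuristics.

$taskDir = Join-Path $env:SystemRoot 'System32\Tasks'
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# A command line that (re)writes a value under a Run key with reg.exe,
# as in "cmd.exe /c REG ADD HKEY_CURRENT_USER\...\CurrentVersion\Run /f /v ..."
$regAddPattern = 'REG(\.EXE)?\s+ADD\b.*\\CurrentVersion\\Run\b'
# explorer.exe given a URL as its argument opens it in the default browser.
$explorerUrlPattern = 'explorer(\.exe)?"?\s+"?https?://'

function Get-SuspiciousTaskAction {
    # Task definitions are XML files; <Actions><Exec><Command> and <Arguments>
    # hold the command line. PowerShell's XML adapter ignores the task schema
    # namespace, so a plain property walk works.
    Get-ChildItem -Path $taskDir -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { [xml]$task = Get-Content -Path $_.FullName -Raw -ErrorAction Stop }
            catch { return }   # unreadable or not XML: skip this file
            foreach ($exec in @($task.Task.Actions.Exec)) {
                if ($null -eq $exec) { continue }
                $cmdline = ("$($exec.Command) $($exec.Arguments)").Trim()
                if ($cmdline -match $regAddPattern -or $cmdline -match $explorerUrlPattern) {
                    [pscustomobject]@{
                        Source  = 'ScheduledTask'
                        Name    = $_.FullName.Substring($taskDir.Length)
                        Command = $cmdline
                    }
                }
            }
        }
}

function Get-SuspiciousRunValue {
    # Walk every value under the per-user and machine-wide Run keys and flag
    # data that launches explorer.exe with a URL (or that itself runs REG ADD).
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match $explorerUrlPattern -or $data -match $regAddPattern) {
                [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$name"; Command = $data }
            }
        }
    }
}

$findings = @(Get-SuspiciousTaskAction) + @(Get-SuspiciousRunValue)
if ($findings.Count -eq 0) {
    'No matching scheduled-task actions or Run values found.'
} else {
    # Both artifacts must go together: removing only the Run value lets the
    # task re-create it at the next trigger.
    $findings | Format-Table -AutoSize -Wrap
}
```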
5. What is AmazingFilms Search?

The Malwarebytes research team has determined that AmazingFilms Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by AmazingFilms Search?
You may see these warnings during install:
this Chrome extension:
and you will see this icon in your Chrome browser menu:

How did AmazingFilms Search get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was pushed by advertisements as a search engine for movies. But it was also available in the webstore:

How do I remove AmazingFilms Search?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of AmazingFilms Search?
No, Malwarebytes removes AmazingFilms Search completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the AmazingFilms Search hijacker. It would have blocked the site pushing the extension.

Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxp://search.amazeappz.com/search/?category=web&s=51ds&q={searchTerms}
CHR DefaultSearchKeyword: Default -> AmazingFilms Search
CHR DefaultSuggestURL: Default -> hxxp://sug.amazeappz.com/search/index_sg.php?q={searchTerms}
CHR Extension: (AmazingFilms Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\oacgkhambnkkjbindjdifhfofepmelog [2018-02-16]

Alterations made by the installer:
Registry details
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"oacgkhambnkkjbindjdifhfofepmelog"="REG_SZ", "86CA9903E843ECD5A22C747DB9710BE35AC45F2B4DADE1856C7DD09B2A7E35F7"

Malwarebytes log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 2/16/18
Scan Time: 9:02 AM
Log File: c6d6a33d-12ef-11e8-a0d7-080027750297.json
Administrator: Yes
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3964
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 242627
Threats Detected: 22
Threats Quarantined: 22
Time Elapsed: 2 min, 9 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
6. What is Web Picture Gallery?

The Malwarebytes research team has determined that Web Picture Gallery is a forced Firefox extension. The extensions that belong to this family are capable of downloading code after the installation to perform several functions:
search hijackers
crypto-currency miners
adware

How do I know if my computer is affected by Web Picture Gallery?
You may see these prompts to keep visitors trapped on the site:
and these warnings during install:
After install you may see this entry in your list of installed Firefox extensions:

How did Web Picture Gallery get on my computer?
Forced extensions use typical methods for distributing themselves. They try to keep users trapped until they agree to install the extension.

How do I remove Web Picture Gallery?
Our program Malwarebytes can detect and remove this unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Web Picture Gallery?
No, Malwarebytes removes Web Picture Gallery completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this forced extension.
We protect our customers from these extensions by blocking the sites that spread them and the domains they contact for additional code:

Technical details for experts

Possible signs in FRST logs:
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{a42e5d48-6175-49e3-9e40-0188cde9c5c6}.xpi [2018-02-14]

Alterations made by the installer:
File system details
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
Adds the file {a42e5d48-6175-49e3-9e40-0188cde9c5c6}.xpi"="2/15/2018 8:44 AM, 7832 bytes, A

Malwarebytes log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 2/15/18
Scan Time: 8:49 AM
Log File: c9dce83d-1224-11e8-8dc5-080027750297.json
Administrator: Yes
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3957
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 242482
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 2 min, 23 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 1
PUP.Optional.ForcedInstalledExtensionFF, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\{A42E5D48-6175-49E3-9E40-0188CDE9C5C6}.XPI, Quarantined, [4672], [490863],1.0.3957
Physical Sector: 0
(No malicious items detected)
(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
7. What is PerfectRegistry?

The Malwarebytes research team has determined that PerfectRegistry is a fake registry cleaner. These so-called "registry cleaners" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with PerfectRegistry?
This is how the main screen of the registry cleaning application looks:
You will find these icons in your taskbar, startmenu, and on your desktop:
And see this warning during install:
and these screens during "operations":
You may see this entry in your list of installed programs:
and these tasks in your Task Scheduler:

How did PerfectRegistry get on my computer?
These so-called registry cleaners use different methods of getting installed. This particular one was downloaded from their website.

How do I remove PerfectRegistry?
Our program Malwarebytes can detect and remove this potentially unwanted application.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of PerfectRegistry?
No, Malwarebytes removes PerfectRegistry completely.
This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this registry cleaner.
As you can see below the full version of Malwarebytes would have protected you against the PerfectRegistry installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

You may see these entries in FRST logs:
(Raxco Software, Inc.) C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe
C:\Windows\System32\Tasks\PerfectRegistry
C:\Windows\System32\Tasks\PerfectRegistry_UPDATES
C:\Windows\System32\Tasks\PerfectRegistry_DEFAULT
C:\Users\Public\Desktop\PerfectRegistry.lnk
C:\Windows\Tasks\PerfectRegistry_UPDATES.job
C:\Windows\Tasks\PerfectRegistry_DEFAULT.job
C:\Users\{username}\AppData\Roaming\Raxco
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Raxco
C:\Program Files (x86)\Raxco
(Raxco Software, Inc) C:\Windows\system32\roboot64.exe
PerfectRegistry (HKLM-x32\...\PerfectRegistry_is1) (Version: 2.0 - Raxco Software Inc)
Task: {099B320F-06C7-477E-B862-1C05011E2A85} - System32\Tasks\PerfectRegistry_DEFAULT => C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe [2015-07-16] (Raxco Software, Inc.)
Task: {20E5E4B6-666E-4527-A04A-824F3CC589A2} - System32\Tasks\PerfectRegistry => C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe [2015-07-16] (Raxco Software, Inc.)
Task: {D1A5B052-CF3A-4C42-B8E4-EE4211AE6A5A} - System32\Tasks\PerfectRegistry_UPDATES => C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe [2015-07-16] (Raxco Software, Inc.)
Task: C:\Windows\Tasks\PerfectRegistry_DEFAULT.job => C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe
Task: C:\Windows\Tasks\PerfectRegistry_UPDATES.job => C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe

Significant changes made by the installer:

Malwarebytes log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 2/14/18
Scan Time: 9:19 AM
Log File: c47a3d42-115f-11e8-9439-080027750297.json
Administrator: Yes
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3948
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 242410
Threats Detected: 62
Threats Quarantined: 61
Time Elapsed: 2 min, 24 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
Files (x86)\Raxco\PerfectRegistry\Danish_rcp.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Dutch_rcp.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\eng_rcp.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Finnish_rcp_fi.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\French_rcp.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\German_rcp.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\greek_rcp_el.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\install_left_image.bmp, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\isxdl.dll, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Italian_rcp.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Japanese_rcp.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\korean_rcp_ko.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Norwegian_rcp.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\polish_rcp_pl.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files 
(x86)\Raxco\PerfectRegistry\portugese_rcp_pt.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Portuguese_rcp.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\PRUninstall.exe, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\RegCleanPro.dll, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\russian_rcp_ru.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Spanish_rcp.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Swedish_rcp.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\TraditionalCn_rcp_zh-tw.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\turkish_rcp_tr.ini, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\unins000.dat, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\unins000.exe, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\unins000.msg, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\xmllite.dll, Quarantined, [1013], [395661],1.0.3948 PUP.Optional.PerfectRegistry, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Raxco\PerfectRegistry\PerfectRegistry.lnk, Quarantined, [1013], [395662],1.0.3948 PUP.Optional.PerfectRegistry, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Raxco\PerfectRegistry\Uninstall PerfectRegistry.lnk, Quarantined, [1013], 
[395662],1.0.3948 PUP.Optional.PerfectRegistry, C:\Users\{username}\AppData\Roaming\Raxco\PerfectRegistry\log_02-14-2018.log, Quarantined, [1013], [396318],1.0.3948 PUP.Optional.PerfectRegistry, C:\Users\{username}\AppData\Roaming\Raxco\PerfectRegistry\results.rcp, Quarantined, [1013], [396318],1.0.3948 PUP.Optional.PerfectRegistry, C:\USERS\{username}\DESKTOP\PRSETUP.EXE, Quarantined, [1013], [395680],1.0.3948 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Cartwise?
The Malwarebytes research team has determined that Cartwise is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by Cartwise?
You may see these warnings during install:
and this Chrome extension in your list of installed extensions:

How did Cartwise get on my computer?
Adware applications use different methods for distributing themselves. This particular one was installed by the adult content website, but it was also available in the webstore:

How do I remove Cartwise?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Cartwise?
No, Malwarebytes removes Cartwise completely.
If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the Cartwise entry and confirm Remove in the prompt.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this adware.
The full version of Malwarebytes would have protected you against the Cartwise adware by blocking their domain.
Technical details for experts

Possible signs in FRST logs:
HKCU\...\Run: [GoogleChromeAutoLaunch_3332BBCF0B575FD73CBC7F043B799440] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1453400 2018-02-01] (Google Inc.)
CHR Extension: (Cartwise) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp [2018-02-13]

Significant changes made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0
   Adds the file background.js"="1/18/2018 4:14 PM, 3645 bytes, A
   Adds the file content_script.js"="1/14/2018 9:41 PM, 3288 bytes, A
   Adds the file fav.png"="2/13/2018 9:32 AM, 83 bytes, A
   Adds the file manifest.json"="2/13/2018 9:32 AM, 1090 bytes, A
   Adds the file popup.html"="11/3/2017 11:43 PM, 457 bytes, A
   Adds the file price-tag.png"="11/3/2017 11:41 PM, 7057 bytes, A
   Adds the file style.css"="11/3/2017 11:44 PM, 575 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0\_metadata
   Adds the file computed_hashes.json"="2/13/2018 9:32 AM, 608 bytes, A
   Adds the file verified_contents.json"="1/18/2018 4:14 PM, 1959 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkpbjbmdcfbhlfidaecfeggphckclcjp
   Adds the file 000003.log"="2/13/2018 9:32 AM, 0 bytes, A
   Adds the file CURRENT"="2/13/2018 9:32 AM, 16 bytes, A
   Adds the file LOCK"="2/13/2018 9:32 AM, 0 bytes, A
   Adds the file LOG"="2/13/2018 9:32 AM, 0 bytes, A
   Adds the file MANIFEST-000001"="2/13/2018 9:32 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\VideoDecodeStats
   Adds the file 000003.log"="2/13/2018 9:34 AM, 124 bytes, A
   Adds the file CURRENT"="2/13/2018 9:34 AM, 16 bytes, A
   Adds the file LOCK"="2/13/2018 9:34 AM, 0 bytes, A
   Adds the file LOG"="2/13/2018 9:34 AM, 0 bytes, A
   Adds the file MANIFEST-000001"="2/13/2018 9:34 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleChromeAutoLaunch_3332BBCF0B575FD73CBC7F043B799440"="REG_SZ", ""C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/13/18
Scan Time: 10:28 AM
Log File: 368482dc-10a0-11e8-9439-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3930
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 242258
Threats Detected: 20
Threats Quarantined: 20
Time Elapsed: 2 min, 8 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 4
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkpbjbmdcfbhlfidaecfeggphckclcjp, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0\_metadata, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PKPBJBMDCFBHLFIDAECFEGGPHCKCLCJP, Quarantined, [14836], [483372],1.0.3930

File: 16
PUP.Optional.ShoppingWise.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkpbjbmdcfbhlfidaecfeggphckclcjp\000003.log, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkpbjbmdcfbhlfidaecfeggphckclcjp\CURRENT, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkpbjbmdcfbhlfidaecfeggphckclcjp\LOCK, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkpbjbmdcfbhlfidaecfeggphckclcjp\LOG, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkpbjbmdcfbhlfidaecfeggphckclcjp\MANIFEST-000001, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PKPBJBMDCFBHLFIDAECFEGGPHCKCLCJP\2.5.2_0\BACKGROUND.JS, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0\_metadata\computed_hashes.json, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0\_metadata\verified_contents.json, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0\content_script.js, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0\fav.png, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0\manifest.json, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0\popup.html, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0\price-tag.png, Quarantined, [14836], [483372],1.0.3930
PUP.Optional.ShoppingWise.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkpbjbmdcfbhlfidaecfeggphckclcjp\2.5.2_0\style.css, Quarantined, [14836], [483372],1.0.3930

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
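The Malwarebytes logs quoted in these removal guides all share one text layout: "-Section-" headers, a "Category: N" line per object type under "-Scan Details-", and one comma-separated line per detection ending in the action taken ("Quarantined", "Replaced", "Removal Failed"). The small Python parser below is an added example, written for this page; it is not part of Metallica's posts and not a Malwarebytes tool, and the layout it assumes is inferred only from the logs shown here. It cross-checks the per-category counts and the "Threats Detected" total against the entries actually listed, and flags every entry whose action is not a plain quarantine, which is the first thing to look at before calling a cleanup complete (the PerfectRegistry log above has a folder with "Removal Failed", and the Cartwise log has Chrome's Preferences files "Replaced" rather than quarantined). The embedded sample log is constructed for the example; its detection names, paths and ids are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Malwarebytes 3 logs quoted in the posts above.
# Detection names, paths, ids and counts are placeholders, not real indicators.
SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/13/18
Scan Time: 10:28 AM
Log File: 00000000-0000-0000-0000-000000000000.json
Administrator: Yes

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 242258
Threats Detected: 5
Threats Quarantined: 4
Time Elapsed: 2 min, 8 sec

-Scan Details-
Process: 0
(No malicious items detected)
Registry Key: 1
PUP.Optional.ExampleCleaner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ExampleCleaner, Quarantined, [1], [2],1.0.3930
Folder: 1
PUP.Optional.ExampleCleaner, C:\USERS\{username}\APPDATA\ROAMING\EXAMPLECLEANER, Removal Failed, [1], [3],1.0.3930
File: 3
PUP.Optional.ExampleCleaner, C:\WINDOWS\TASKS\ExampleCleaner_DEFAULT.job, Quarantined, [1], [4],1.0.3930
PUP.Optional.ExampleExt.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [5], [6],1.0.3930
PUP.Optional.ExampleExt.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaabbbbccccddddeeeeffffgggghhhh\1.0_0\manifest.json, Quarantined, [5], [6],1.0.3930
Physical Sector: 0
(No malicious items detected)

(end)
"""

# "-Scan Details-" style section headers.
SECTION_RE = re.compile(r"^-(?P<name>[A-Za-z ]+)-$")
# "File: 16" style per-category counts inside the details section.
CATEGORY_RE = re.compile(r"^(?P<category>[A-Za-z ]+): (?P<count>\d+)$")
# "<detection>, <path>, <action>, [id], [id],<database version>" detection lines.
DETAIL_RE = re.compile(
    r"^(?P<detection>[^,]+), (?P<path>.+), (?P<action>[^,\[]+), "
    r"\[(?P<id1>\d+)\], \[(?P<id2>\d+)\],(?P<db>[\d.]+)$"
)


def parse_mb_log(text):
    """Parse a Malwarebytes 3 text log into (summary, declared_counts, detections)."""
    section, current = None, None
    summary, declared, detections = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group("name"), None
            continue
        if section == "Scan Summary":
            key, sep, value = line.partition(": ")
            if sep:
                summary[key] = value
        elif section == "Scan Details":
            if line == "(No malicious items detected)":
                continue
            m = CATEGORY_RE.match(line)
            if m:
                current = m.group("category")
                declared[current] = int(m.group("count"))
                continue
            m = DETAIL_RE.match(line)
            if not m or current is None:
                raise ValueError("unrecognised scan-detail line: " + line)
            rec = m.groupdict()
            rec["category"] = current
            detections.append(rec)
    return summary, declared, detections


def audit(summary, declared, detections):
    """Cross-check the log against itself; return the findings a responder should look at."""
    findings = []
    listed = Counter(rec["category"] for rec in detections)
    for category, n in declared.items():
        if listed[category] != n:
            findings.append(f"{category}: header says {n}, {listed[category]} entries listed")
    detected = int(summary.get("Threats Detected", "0"))
    if sum(declared.values()) != detected:
        findings.append(f"Threats Detected says {detected}, categories add up to {sum(declared.values())}")
    # Anything not simply quarantined needs attention: 'Removal Failed' leaves the item in
    # place, 'Replaced' means a settings file was rewritten rather than moved to quarantine.
    for rec in detections:
        if rec["action"] != "Quarantined":
            findings.append(f"{rec['action']}: {rec['path']} ({rec['detection']})")
    return findings


def families(detections):
    """Count detections per family name, to see which PUP a cleanup was really about."""
    return Counter(rec["detection"] for rec in detections)


if __name__ == "__main__":
    s, d, t = parse_mb_log(SAMPLE_LOG)
    for line in audit(s, d, t):
        print(line)
    print(dict(families(t)))
```

On a real log the interesting output is the list of non-quarantined entries: a "Removal Failed" folder under AppData usually means the program was still running or the folder was locked during the scan, so the scheduled-task and folder checks from the guides are worth repeating after the reboot, and a "Replaced" Chrome Preferences file means the browser settings were reset rather than the file removed.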
  9. What is Global System Mechanic?
The Malwarebytes research team has determined that Global System Mechanic is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with Global System Mechanic?
This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar, your Start menu, and on your desktop:
and see this warning during install:
and these screens during "operations":
You may see this entry in your list of installed programs:
and these tasks in your list of Scheduled Tasks:

How did Global System Mechanic get on my computer?
These so-called system optimizers use different methods of getting installed. This particular one was promoted by a site scaring you into thinking your system is infected.

How do I remove Global System Mechanic?
Our program Malwarebytes can detect and remove this potentially unwanted application.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Global System Mechanic?
No, Malwarebytes removes Global System Mechanic completely.
This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below the full version of Malwarebytes would have protected you against the Global System Mechanic installer. It would have warned you before the application could install itself, giving you a chance to stop it before it was too late.
And we block access to their domain and the sites it contacts:

Technical details for experts

You may see these entries in FRST logs:
() C:\Program Files\Global System Mechanic on {computername}\oscm.exe
C:\Users\{username}\AppData\Roaming\Global System Mechanic on {computername}
C:\Windows\System32\Tasks\Global System Mechanic_Logon
C:\Users\Public\Desktop\Global System Mechanic.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Global System Mechanic on {computername}
C:\ProgramData\Global System Mechanic on {computername}
C:\Program Files\Global System Mechanic on {computername}
Global System Mechanic (HKLM\...\{9A5335DA-0F54-495A-8FE9-9370C8A4136E}_is1) (Version: 1.0.0.1343 - )
Task: {C4D882AC-DC78-4C0F-8BD0-6B462CDBD56D} - System32\Tasks\Global System Mechanic_Logon => C:\Program Files\Global System Mechanic on {computername}\oscm.exe [2018-01-31] ()

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\Global System Mechanic on {computername}
   Adds the file AppRes.dll"="1/31/2018 1:54 PM, 681336 bytes, A
   Adds the file HtmlRenderer.dll"="1/31/2018 1:54 PM, 228216 bytes, A
   Adds the file HtmlRenderer.WinForms.dll"="1/31/2018 1:54 PM, 66936 bytes, A
   Adds the file Interop.IWshRuntimeLibrary.dll"="1/31/2018 1:54 PM, 55672 bytes, A
   Adds the file Microsoft.TeamFoundation.Common.dll"="1/31/2018 1:54 PM, 636792 bytes, A
   Adds the file Microsoft.Win32.TaskScheduler.dll"="1/31/2018 1:54 PM, 177528 bytes, A
   Adds the file oscm.exe"="1/31/2018 1:54 PM, 2986360 bytes, A
   Adds the file oscm.exe.config"="1/31/2018 1:54 PM, 4626 bytes, A
   Adds the file System.Data.SQLite.DLL"="1/31/2018 1:54 PM, 297336 bytes, A
   Adds the file TAFactory.IconPack.dll"="1/31/2018 1:54 PM, 43384 bytes, A
   Adds the file TaskScheduler.dll"="1/31/2018 1:54 PM, 47480 bytes, A
   Adds the file unins000.dat"="2/12/2018 8:08 AM, 87585 bytes, A
   Adds the file unins000.exe"="2/12/2018 8:07 AM, 1273208 bytes, A
   Adds the file unins000.msg"="2/12/2018 8:08 AM, 22701 bytes, A
Adds the folder C:\Program Files\Global System Mechanic on {computername}\langs
   Adds the file danish_apc_da.ini"="11/10/2017 6:20 PM, 45856 bytes, A
   Adds the file Dutch_apc_nl.ini"="11/10/2017 6:21 PM, 46468 bytes, A
   Adds the file english_apc_en.ini"="12/20/2017 5:07 PM, 49468 bytes, A
   Adds the file finish_apc_fi.ini"="11/10/2017 6:22 PM, 46090 bytes, A
   Adds the file French_apc_fr.ini"="11/10/2017 6:23 PM, 50222 bytes, A
   Adds the file german_apc_de.ini"="11/10/2017 6:23 PM, 47854 bytes, A
   Adds the file italian_apc_it.ini"="11/10/2017 6:23 PM, 48368 bytes, A
   Adds the file japanese_apc_ja.ini"="12/20/2017 5:46 PM, 35540 bytes, A
   Adds the file norwegian_apc_no.ini"="11/10/2017 6:23 PM, 45262 bytes, A
   Adds the file portuguese_apc_ptbr.ini"="11/10/2017 6:23 PM, 47806 bytes, A
   Adds the file russian_apc_ru.ini"="11/10/2017 6:24 PM, 49706 bytes, A
   Adds the file spanish_apc_es.ini"="11/10/2017 6:24 PM, 50684 bytes, A
   Adds the file swedish_apc_sv.ini"="11/10/2017 6:24 PM, 44882 bytes, A
Adds the folder C:\Program Files\Global System Mechanic on {computername}\x64
   Adds the file SQLite.Interop.dll"="1/31/2018 1:54 PM, 1182072 bytes, A
Adds the folder C:\Program Files\Global System Mechanic on {computername}\x86
   Adds the file SQLite.Interop.dll"="1/31/2018 1:54 PM, 861048 bytes, A
Adds the folder C:\ProgramData\Global System Mechanic on {computername}
   Adds the file mpc.db"="10/3/2017 5:30 PM, 835584 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Global System Mechanic on {computername}
   Adds the file Buy Global System Mechanic.lnk"="2/12/2018 8:08 AM, 1028 bytes, A
   Adds the file Global System Mechanic.lnk"="2/12/2018 8:08 AM, 1016 bytes, A
   Adds the file Uninstall Global System Mechanic.lnk"="2/12/2018 8:08 AM, 1040 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Global System Mechanic on {computername}
   Adds the file Errorlog.txt"="2/12/2018 8:12 AM, 10992 bytes, A
   Adds the file exlist.bin"="2/12/2018 8:09 AM, 258269 bytes, A
   Adds the file param.ini"="2/12/2018 8:09 AM, 251 bytes, A
   Adds the file res.xml"="2/12/2018 8:12 AM, 18259 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Global System Mechanic on {computername}\smico
In the existing folder C:\Users\Public\Desktop
   Adds the file Global System Mechanic.lnk"="2/12/2018 8:08 AM, 998 bytes, A
In the existing folder C:\Windows\System32\Tasks
   Adds the file Global System Mechanic_Logon"="2/12/2018 8:09 AM, 3090 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\aHR0cDovL3d3dy53aXNlc3lzdGVtdG9vbHMuY29tLw==\R2xvYmFsIFN5c3RlbSBNZWNoYW5pYw==\ACT]
"data"="REG_BINARY, ........................................................

[HKEY_LOCAL_MACHINE\SOFTWARE\Global System Mechanic on {computername}]
"affired"="REG_DWORD", 1
"afterInstallUrl"="REG_SZ", "http://ins.entireactiv.com/install/wsm/?"
"btnid"="REG_SZ", ""
"cbkpoff"="REG_DWORD", 1
"country"="REG_SZ", ""
"cta"="REG_DWORD", 0
"delay"="REG_DWORD", 0
"dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL"
"efosetting"="REG_DWORD", 1
"EmailURL"="REG_SZ", ""
"expired"="REG_DWORD", 0
"fpxl"="REG_DWORD", 1
"hdata"="REG_BINARY, ......................................................................
"Installstring"="REG_SZ", "C:\Program Files\Global System Mechanic on {computername}"
"isavst"="REG_DWORD", 0
"isiunidu"="REG_DWORD", 0
"islswc"="REG_DWORD", 0
"isphone"="REG_DWORD", 0
"isprmjsn"="REG_DWORD", 1
"issilent"="REG_DWORD", 0
"issrantv"="REG_DWORD", 1
"LangCode"="REG_SZ", "en"
"lpid"="REG_SZ", ""
"lstregscancount"="REG_DWORD", 40
"lstscandate"="REG_SZ", "2/12/2018 8:12:26 AM"
"lstscanstat"="REG_DWORD", 2
"lstsecscancount"="REG_DWORD", 0
"lsttotalscancount"="REG_DWORD", 40
"msl"="REG_DWORD", 1
"ovoffdis"="REG_DWORD", 0
"paramurl"="REG_SZ", "http://d8l61qux1ke73.cloudfront.net/"
"phone"="REG_SZ", ""
"Phone_at"="REG_SZ", "+43 (0)720 902 309"
"Phone_au"="REG_SZ", "(61)280-733403"
"Phone_ch"="REG_SZ", "+41 (0)44 508 70 37"
"Phone_de"="REG_SZ", "0800 1822 974"
"Phone_fr"="REG_SZ", "05 82 84 04 06"
"Phone_gb"="REG_SZ", "0800-031-5066"
"Phone_ja"="REG_SZ", "0120-993-506"
"Phone_jp"="REG_SZ", "0120-993-506"
"Phone_lu"="REG_SZ", "0800 1822 974"
"Phone_uk"="REG_SZ", "0800-031-5066"
"Phone_us"="REG_SZ", "(855)-332-0124"
"playsound"="REG_DWORD", 0
"prereg"="REG_DWORD", 0
"PurchaseURL"="REG_SZ", "http://store.wisesystemtools.com/wsm/price?"
"pxl"="REG_SZ", "ALF3093_ALF3024_RUNT"
"referurl"="REG_SZ", ""
"reg"="REG_DWORD", 0
"RenewURL"="REG_SZ", "http://store.wisesystemtools.com/wsm/renewal?"
"runcam"="REG_DWORD", 1
"runpixel"="REG_DWORD", 1
"runsrc"="REG_DWORD", 1
"sentantv"="REG_DWORD", 1
"showefo"="REG_DWORD", 0
"showtn"="REG_DWORD", 0
"showudurec"="REG_DWORD", 1
"showunins"="REG_DWORD", 0
"supporturl"="REG_SZ", "http://www.wisesystemtools.com/help/"
"utm_campaign"="REG_SZ", "alfgsm"
"utm_medium"="REG_SZ", ""
"utm_pubid"="REG_SZ", "7460be23-23ac-4083-a94f-bf778f5b2577"
"utm_source"="REG_SZ", "alfgsm"
"WebURL"="REG_SZ", "http://www.wisesystemtools.com/"
"x-at"="REG_SZ", "XXXXX"
"x-ccode"="REG_SZ", "nl"
"x-context"="REG_SZ", "dQ3QVEM08QNKV0NBHEBMQD6K"
"x-datetime"="REG_SZ", "02-12-2018 07:09:11 AM"
"x-fetch"="REG_SZ", "1"
"x-ip"="REG_SZ", "{ip-address}"
"x-plt"="REG_SZ", ""
"x-var1"="REG_SZ", ""
"x-var2"="REG_SZ", ""
"x-var3"="REG_SZ", ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A5335DA-0F54-495A-8FE9-9370C8A4136E}_is1]
"DisplayIcon"="REG_SZ", "C:\Program Files\Global System Mechanic on {computername}\oscm.exe"
"DisplayName"="REG_SZ", "Global System Mechanic"
"DisplayVersion"="REG_SZ", "1.0.0.1343"
"EstimatedSize"="REG_DWORD", 9800
"Inno Setup: App Path"="REG_SZ", "C:\Program Files\Global System Mechanic on {computername}"
"Inno Setup: Icon Group"="REG_SZ", "Global System Mechanic on {computername}"
"Inno Setup: Language"="REG_SZ", "en"
"Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20180212"
"InstallLocation"="REG_SZ", "C:\Program Files\Global System Mechanic on {computername}\"
"MajorVersion"="REG_DWORD", 1
"MinorVersion"="REG_DWORD", 0
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"QuietUninstallString"="REG_SZ", ""C:\Program Files\Global System Mechanic on {computername}\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files\Global System Mechanic on {computername}\unins000.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\spct-pr]
"affiliateid"="REG_SZ", ""
"btnid"="REG_SZ", ""
"country"="REG_SZ", ""
"LangCode"="REG_SZ", "en"
"lpid"="REG_SZ", ""
"phone"="REG_SZ", ""
"pxl"="REG_SZ", "ALF3093_ALF3024_RUNT"
"referurl"="REG_SZ", ""
"utm_campaign"="REG_SZ", "alfgsm"
"utm_medium"="REG_SZ", ""
"utm_pubid"="REG_SZ", "7460be23-23ac-4083-a94f-bf778f5b2577"
"utm_source"="REG_SZ", "alfgsm"
"x-at"="REG_SZ", "XXXXX"
"x-context"="REG_SZ", "dQ3QVEM08QNKV0NBHEBMQD6K"
"x-var2"="REG_SZ", ""
"x-var3"="REG_SZ", ""

[HKEY_CURRENT_USER\Software\Global System Mechanic on {computername}]
"btnid"="REG_SZ", ""
"Installstring"="REG_SZ", "C:\Program Files\Global System Mechanic on {computername}"
"LangCode"="REG_SZ", "en"
"lpid"="REG_SZ", ""
"pxl"="REG_SZ", "ALF3093_ALF3024_RUNT"
"referurl"="REG_SZ", ""
"utm_campaign"="REG_SZ", "alfgsm"
"utm_medium"="REG_SZ", ""
"utm_pubid"="REG_SZ", "7460be23-23ac-4083-a94f-bf778f5b2577"
"utm_source"="REG_SZ", "alfgsm"
"x-at"="REG_SZ", "XXXXX"
"x-context"="REG_SZ", "dQ3QVEM08QNKV0NBHEBMQD6K"
"x-plt"="REG_SZ", ""
"x-var1"="REG_SZ", ""
"x-var2"="REG_SZ", ""
"x-var3"="REG_SZ", ""

[HKEY_CURRENT_USER\Software\Global System Mechanic on {computername}\1.0.0.1343]

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/12/18
Scan Time: 8:36 AM
Log File: 786c9ac4-0fc7-11e8-9439-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3921
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 242159
Threats Detected: 68
Threats Quarantined: 68
Time Elapsed: 4 min, 17 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\oscm.exe, Quarantined, [1714], [489253],1.0.3921

Module: 7
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\x64\SQLite.Interop.dll, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\Microsoft.TeamFoundation.Common.dll, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\oscm.exe, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\System.Data.SQLite.DLL, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\TAFactory.IconPack.dll, Quarantined, [1714], [489253],1.0.3921

Registry Key: 8
PUP.Optional.GlobalSystemMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Global System Mechanic_Logon, Quarantined, [1714], [489259],1.0.3921
PUP.Optional.GlobalSystemMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C4D882AC-DC78-4C0F-8BD0-6B462CDBD56D}, Quarantined, [1714], [489259],1.0.3921
PUP.Optional.GlobalSystemMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{C4D882AC-DC78-4C0F-8BD0-6B462CDBD56D}, Quarantined, [1714], [489259],1.0.3921
PUP.Optional.GlobalSystemMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{9A5335DA-0F54-495A-8FE9-9370C8A4136E}_is1, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, HKCU\SOFTWARE\Global System Mechanic on {computername}, Quarantined, [1714], [489255],1.0.3921
PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\aHR0cDovL3d3dy53aXNlc3lzdGVtdG9vbHMuY29tLw==, Quarantined, [4464], [440348],1.0.3921
PUP.Optional.GlobalSystemMechanic, HKLM\SOFTWARE\Global System Mechanic on {computername}, Quarantined, [1714], [489254],1.0.3921
PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SPCT-PR, Quarantined, [4464], [484509],1.0.3921

Registry Value: 4
PUP.Optional.GlobalSystemMechanic, HKCU\SOFTWARE\Global System Mechanic on {computername}|REFERURL, Quarantined, [1714], [489255],1.0.3921
PUP.Optional.GlobalSystemMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C4D882AC-DC78-4C0F-8BD0-6B462CDBD56D}|PATH, Quarantined, [1714], [489261],1.0.3921
PUP.Optional.GlobalSystemMechanic, HKLM\SOFTWARE\Global System Mechanic on {computername}|PURCHASEURL, Quarantined, [1714], [489254],1.0.3921
PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SPCT-PR|PXL, Quarantined, [4464], [484509],1.0.3921

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 8
PUP.Optional.GlobalSystemMechanic, C:\Users\{username}\AppData\Roaming\Global System Mechanic on {computername}\smico, Quarantined, [1714], [489249],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\USERS\{username}\APPDATA\ROAMING\Global System Mechanic on {computername}, Quarantined, [1714], [489249],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Global System Mechanic on {computername}, Quarantined, [1714], [489250],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\PROGRAMDATA\Global System Mechanic on {computername}, Quarantined, [1714], [489248],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\x64, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\x86, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\PROGRAM FILES\Global System Mechanic on {computername}, Quarantined, [1714], [489253],1.0.3921

File: 40
PUP.Optional.GlobalSystemMechanic, C:\WINDOWS\SYSTEM32\TASKS\Global System Mechanic_Logon, Quarantined, [1714], [489259],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\USERS\{username}\APPDATA\ROAMING\Global System Mechanic on {computername}\Errorlog.txt, Quarantined, [1714], [489249],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Users\{username}\AppData\Roaming\Global System Mechanic on {computername}\exlist.bin, Quarantined, [1714], [489249],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Users\{username}\AppData\Roaming\Global System Mechanic on {computername}\param.ini, Quarantined, [1714], [489249],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Users\{username}\AppData\Roaming\Global System Mechanic on {computername}\res.xml, Quarantined, [1714], [489249],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Global System Mechanic on {computername}\Buy Global System Mechanic.lnk, Quarantined, [1714], [489250],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Global System Mechanic on {computername}\Global System Mechanic.lnk, Quarantined, [1714], [489250],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Global System Mechanic on {computername}\Uninstall Global System Mechanic.lnk, Quarantined, [1714], [489250],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\PROGRAMDATA\Global System Mechanic on {computername}\mpc.db, Quarantined, [1714], [489248],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\PROGRAM FILES\Global System Mechanic on {computername}\unins000.msg, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\danish_apc_da.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\Dutch_apc_nl.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\english_apc_en.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\finish_apc_fi.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\French_apc_fr.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\german_apc_de.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\italian_apc_it.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\japanese_apc_ja.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\norwegian_apc_no.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\portuguese_apc_ptbr.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\russian_apc_ru.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\spanish_apc_es.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\langs\swedish_apc_sv.ini, Quarantined, [1714], [489253],1.0.3921
PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on 
{computername}\x64\SQLite.Interop.dll, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\x86\SQLite.Interop.dll, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\AppRes.dll, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\HtmlRenderer.dll, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\HtmlRenderer.WinForms.dll, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\Microsoft.TeamFoundation.Common.dll, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\oscm.exe, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\oscm.exe.config, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\System.Data.SQLite.DLL, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\TAFactory.IconPack.dll, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\TaskScheduler.dll, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global 
System Mechanic on {computername}\unins000.dat, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\Program Files\Global System Mechanic on {computername}\unins000.exe, Quarantined, [1714], [489253],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\USERS\PUBLIC\DESKTOP\GLOBAL SYSTEM MECHANIC.LNK, Quarantined, [1714], [489251],1.0.3921 PUP.Optional.GlobalSystemMechanic, C:\USERS\{username}\DESKTOP\GSMSETUP.EXE, Quarantined, [1714], [489247],1.0.3921 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
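The Malwarebytes logs quoted in these posts share one layout under "-Scan Details-": a section header with a count ("Registry Key: 8"), then one object per line as detection name, object, action, two bracketed numeric ids, and the update package version. The Python below is an added example for this page, not Malwarebytes code. It parses that block even when a forum copy has flattened it onto a single line, tallies detections per family and per action, checks each header count against the entries that actually follow it (a quick way to notice a log that was truncated while being pasted), and Base64-decodes object names such as the HKLM\SOFTWARE\aHR0cDovL3d3dy53aXNlc3lzdGVtdG9vbHMuY29tLw== key above, which hides a URL. The sample input is an excerpt of the log above with the counts adjusted to the excerpt; its "File: 3" header is deliberately one higher than the entries present. The meaning of the two bracketed ids is not documented on the page, so they are kept as opaque integers.

```python
"""Parse the "-Scan Details-" block of a Malwarebytes 3 log and summarise it.

Added example for this page; not Malwarebytes code. The entry layout is read
off the logs quoted above. What the two bracketed ids mean is not documented
on the page, so they are kept as opaque integers.
"""
import base64
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECTIONS = ("Process", "Module", "Registry Key", "Registry Value", "Registry Data",
            "Data Stream", "Folder", "File", "Physical Sector")
# "Folder: 8" or "Registry Data: 0 (No malicious items detected)" (the note may be on the next line)
HEADER_RE = re.compile(r"(?P<section>%s): (?P<count>\d+)(?:\s*\(No malicious items detected\))?"
                       % "|".join(SECTIONS))
# Every entry ends with its ",<update package version>" token, e.g. ",1.0.3921".
VERSION_RE = re.compile(r",\d+(?:\.\d+)+(?=\s|$)")
# "Name, Object, Action, [id1], [id2],version" -- the object may contain commas and spaces.
ENTRY_RE = re.compile(
    r"(?P<name>[A-Za-z][\w.]*), (?P<obj>.+), (?P<action>[A-Za-z][A-Za-z ]*), "
    r"\[(?P<id1>\d+)\], \[(?P<id2>\d+)\],(?P<version>\d+(?:\.\d+)+)"
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


@dataclass
class Detection:
    section: Optional[str]
    name: str
    obj: str
    action: str
    id1: int
    id2: int
    version: str


@dataclass
class ScanReport:
    entries: List[Detection]
    declared: Dict[str, int]   # section -> count printed in its header
    unparsed: List[str]        # chunks that did not fit the entry layout


def parse_scan_details(text: str) -> ScanReport:
    """Parse the scan-details block, whether one object per line or flattened
    onto a single line as forum copies usually are. Entries are delimited by
    their trailing version token; section headers may sit directly in front
    of an entry."""
    entries: List[Detection] = []
    declared: Dict[str, int] = {}
    unparsed: List[str] = []
    section = None
    start = text.find("-Scan Details-")          # skip the log header if the whole log was passed
    pos = start + len("-Scan Details-") if start >= 0 else 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        hdr = HEADER_RE.match(text, pos)
        if hdr:
            section = hdr.group("section")
            declared[section] = int(hdr.group("count"))
            pos = hdr.end()
            continue
        ver = VERSION_RE.search(text, pos)
        if not ver:                                # trailing text such as "(end)"
            break
        chunk = text[pos:ver.end()].strip()
        m = ENTRY_RE.fullmatch(chunk)
        if m:
            entries.append(Detection(section, m["name"], m["obj"], m["action"],
                                     int(m["id1"]), int(m["id2"]), m["version"]))
        else:
            unparsed.append(chunk)                 # e.g. an entry cut off at the top of a paste
        pos = ver.end()
    return ScanReport(entries, declared, unparsed)


def summarise(report: ScanReport) -> Tuple[Counter, Counter, Dict[str, Tuple[int, int]]]:
    """Counts per detection family and per action, plus every section whose
    header count disagrees with the entries actually present."""
    by_family = Counter(d.name for d in report.entries)
    by_action = Counter(d.action for d in report.entries)
    actual = Counter(d.section for d in report.entries)
    mismatches = {s: (n, actual.get(s, 0))
                  for s, n in report.declared.items() if n != actual.get(s, 0)}
    return by_family, by_action, mismatches


def decode_b64_component(obj: str) -> Optional[str]:
    """If the last path component of an object is Base64 that decodes to
    printable ASCII, return the decoded text; otherwise None."""
    last = obj.rsplit("\\", 1)[-1]
    if not B64_RE.match(last) or len(last) % 4:
        return None
    try:
        decoded = base64.b64decode(last, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded and decoded.isprintable() else None


def hidden_urls(report: ScanReport) -> Dict[str, str]:
    """Objects with a Base64-encoded last component, mapped to the decoded text."""
    return {d.obj: dec for d in report.entries if (dec := decode_b64_component(d.obj))}


# Constructed sample: an excerpt of the log quoted above, flattened the way the forum
# shows it. "File: 3" deliberately claims one more entry than follows it.
SAMPLE = (
    "Registry Key: 3 "
    r"PUP.Optional.GlobalSystemMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Global System Mechanic_Logon, Quarantined, [1714], [489259],1.0.3921 "
    r"PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\aHR0cDovL3d3dy53aXNlc3lzdGVtdG9vbHMuY29tLw==, Quarantined, [4464], [440348],1.0.3921 "
    r"PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SPCT-PR, Quarantined, [4464], [484509],1.0.3921 "
    "Registry Data: 0 (No malicious items detected) "
    "File: 3 "
    r"PUP.Optional.GlobalSystemMechanic, C:\WINDOWS\SYSTEM32\TASKS\Global System Mechanic_Logon, Quarantined, [1714], [489259],1.0.3921 "
    r"PUP.Optional.GlobalSystemMechanic, C:\USERS\{username}\DESKTOP\GSMSETUP.EXE, Quarantined, [1714], [489247],1.0.3921 "
    "Physical Sector: 0 (No malicious items detected) (end)"
)

if __name__ == "__main__":
    rep = parse_scan_details(SAMPLE)
    fam, act, bad = summarise(rep)
    for name, n in fam.most_common():
        print(f"{n:3d}  {name}")
    print("actions:", dict(act))
    print("header/entry mismatches:", bad)
    print("decoded object names:", hidden_urls(rep))
```

The count check is worth running on every pasted log: a section whose header says 40 but yields 38 entries tells you the paste lost lines, not that the scan did. The Base64 check only looks at the last path component and requires a clean decode to printable ASCII, so ordinary registry names do not trigger it.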
10. What is Taskhostw Miner?

The Malwarebytes research team has determined that Taskhostw Miner is a Monero miner. These miners earn money for the threat actor by using your system resources. This one uses so many resources that you will notice a very slow system; it also opens an ad-rotator in your default browser.

How do I know if my computer is affected by Taskhostw Miner?

You may notice a process called taskhostw.exe using up almost all your CPU cycles:

How did Taskhostw Miner get on my computer?

Miners use different methods for distributing themselves. This particular one was offered as a Flash player update.

How do I remove Taskhostw Miner?

Our program Malwarebytes can detect and remove this Monero miner.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Taskhostw Miner?

No, Malwarebytes removes Taskhostw Miner completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you remove this miner.
As you can see below, the full version of Malwarebytes would have protected you against the Taskhostw Miner. It would have warned you before the miner could install itself, giving you a chance to stop it before it became too late.
The web protection module also blocks the ad-rotator the miner opens.
Technical details for experts

Possible signs in FRST logs:
(Microsoft Corporation) C:\Users\{username}\AppData\Local\Microsoft\WindowsUpdate\updatechecker.exe
(Microsoft Corporation) C:\Users\{username}\AppData\Local\Microsoft\WindowsUpdate\taskhostw.exe
HKCU\...\Run: [WindowsUpdateChecker] => C:\Users\{username}\AppData\Local\Microsoft\WindowsUpdate\updatechecker.exe [265216 2018-01-31] (Microsoft Corporation)
( Adobe Systems Incorporated) C:\Users\{username}\Downloads\FlashPlayer.exe

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Microsoft\WindowsUpdate
Adds the file config.json"="1/7/2018 10:47 AM, 850 bytes, A
Adds the file contacts.txt"="2/1/2018 4:33 PM, 24 bytes, A
Adds the file libgcc_s_dw2-1.dll"="8/15/2017 9:25 PM, 121524 bytes, A
Adds the file libstdc++-6.dll"="8/15/2017 9:25 PM, 1544523 bytes, A
Adds the file libwinpthread-1.dll"="7/13/2017 8:38 AM, 65693 bytes, A
Adds the file taskhostw.exe"="1/30/2018 9:43 PM, 717824 bytes, A
Adds the file taskhostw.exe.local"="1/7/2018 4:22 PM, 21 bytes, A
Adds the file update.bin"="2/9/2018 9:16 AM, 10 bytes, A
Adds the file update.exe"="1/31/2018 2:53 PM, 289792 bytes, A
Adds the file updatechecker.exe"="1/31/2018 2:53 PM, 265216 bytes, A
Adds the file updates.zip"="2/9/2018 9:16 AM, 1091906 bytes, A
Adds the file ver.bin"="2/9/2018 9:16 AM, 17 bytes, A
In the existing folder C:\Users\{username}\Downloads
Adds the file FlashPlayer.exe"="2/7/2018 7:27 PM, 288768 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdateChecker"="REG_SZ", "C:\Users\{username}\AppData\Local\Microsoft\WindowsUpdate\updatechecker.exe"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/9/18
Scan Time: 10:52 AM
Log File: ebfe2413-0d7e-11e8-bf01-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3906
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 241942
Threats Detected: 21
Threats Quarantined: 21
Time Elapsed: 2 min, 8 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 2
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\taskhostw.exe, Quarantined, [82], [488987],1.0.3906
Backdoor.Agent.E.Generic, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\UPDATECHECKER.EXE, Quarantined, [146], [371622],1.0.3906

Module: 5
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\libgcc_s_dw2-1.dll, Quarantined, [82], [488984],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\libstdc++-6.dll, Quarantined, [82], [488984],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\libwinpthread-1.dll, Quarantined, [82], [488984],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\taskhostw.exe, Quarantined, [82], [488987],1.0.3906
Backdoor.Agent.E.Generic, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\UPDATECHECKER.EXE, Quarantined, [146], [371622],1.0.3906

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Backdoor.Agent.E.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WINDOWSUPDATECHECKER, Quarantined, [146], [371622],1.0.3906

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 13
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\VER.BIN, Quarantined, [82], [488988],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\CONFIG.JSON, Quarantined, [82], [488985],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\libgcc_s_dw2-1.dll, Quarantined, [82], [488984],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\libstdc++-6.dll, Quarantined, [82], [488984],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\libwinpthread-1.dll, Quarantined, [82], [488984],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\CONTACTS.TXT, Quarantined, [82], [488986],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\taskhostw.exe, Quarantined, [82], [488987],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\taskhostw.exe.local, Quarantined, [82], [488987],1.0.3906
Backdoor.Agent.E.Generic, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\UPDATECHECKER.EXE, Quarantined, [146], [371622],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\update.bin, Quarantined, [82], [488983],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\update.exe, Quarantined, [82], [488983],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\MICROSOFT\WINDOWSUPDATE\updates.zip, Quarantined, [82], [488983],1.0.3906
RiskWare.BitCoinMiner, C:\USERS\{username}\DOWNLOADS\FLASHPLAYER.EXE, Quarantined, [82], [488689],1.0.3906

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
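The FRST excerpt above shows the tell for this miner: a file called taskhostw.exe, the name of the Windows 10 task host binary whose genuine copy lives in System32, running from %LocalAppData%\Microsoft\WindowsUpdate with a (Microsoft Corporation) company string, plus an HKCU Run entry that starts updatechecker.exe from the same folder. The Python below is an added example for this page, not FRST or Malwarebytes code. It parses FRST process and Run lines and flags three things: a Windows system binary name running from outside the Windows directory, a process or autorun entry living in a user-writable or download location, and a Microsoft company string on a file in such a location. The company string FRST prints in parentheses is copied from the file's version resource, and this very log shows a miner carrying (Microsoft Corporation), so the example treats it as a claim to verify, not as evidence. The list of system binary names and the path patterns are my assumptions for the example; the sample lines are the four FRST lines quoted above plus two constructed benign lines (a genuine svchost.exe and the Driver Support process from the next post).

```python
"""Triage FRST process and autorun (Run key) lines for masquerading binaries.

Added example for this page; not FRST or Malwarebytes code. Findings are
leads for a signature check, not verdicts: OneDrive, for instance,
legitimately runs from AppData with an HKCU Run entry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Names of genuine Windows binaries that miners and droppers like to borrow.
# Assumed list for this example; the real copies live under the Windows directory.
SYSTEM_BINARY_NAMES = {
    "taskhostw.exe", "taskhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
    "explorer.exe", "dllhost.exe", "conhost.exe", "rundll32.exe", "wuauclt.exe",
}
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(appdata|temp|downloads|desktop|programdata|users\\public)\\", re.I)
DOWNLOAD_TEMP_RE = re.compile(r"\\(downloads|temp|tmp)\\", re.I)
# First executable path on the line, e.g. C:\Users\x\AppData\...\taskhostw.exe
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js|ps1)\b", re.I)


@dataclass
class FrstEntry:
    kind: str               # "process" or "autorun"
    path: str
    company: Optional[str]  # company string exactly as FRST prints it in parentheses
    raw: str


@dataclass
class Finding:
    severity: str           # "high", "medium" or "low"
    reason: str
    entry: FrstEntry


def parse_frst_line(line: str) -> Optional[FrstEntry]:
    """Parse one FRST process line ("(Company) path") or autorun line
    ("HKCU\\...\\Run: [Name] => path [size date] (Company)").
    Returns None for lines that carry no executable path."""
    line = line.strip()
    m = PATH_RE.search(line)
    if not m:
        return None
    if line.upper().startswith("HK"):
        kind = "autorun"
        cm = re.search(r"\(\s*([^()]*?)\s*\)\s*$", line)   # trailing (Company)
    else:
        kind = "process"
        cm = re.match(r"\(\s*([^()]*?)\s*\)", line)         # leading (Company)
    company = cm.group(1).strip() if cm else None
    return FrstEntry(kind, m.group(0), company or None, line)


def triage(e: FrstEntry) -> List[Finding]:
    """Apply the three masquerade heuristics to one parsed entry."""
    findings: List[Finding] = []
    directory, _, name = e.path.rpartition("\\")
    name = name.lower()
    under_windows = bool(WINDOWS_DIR_RE.match(e.path))
    user_writable = bool(USER_WRITABLE_RE.search(e.path))
    if name in SYSTEM_BINARY_NAMES and not under_windows:
        findings.append(Finding("high", f"{name} borrows a Windows system binary name "
                                        f"but runs from {directory}", e))
    if e.kind == "autorun" and user_writable:
        findings.append(Finding("medium", "autorun entry starts a program from a "
                                          "user-writable location", e))
    if e.kind == "process" and DOWNLOAD_TEMP_RE.search(e.path):
        findings.append(Finding("medium", "process is running from a downloads or temp folder", e))
    if e.company and "microsoft" in e.company.lower() and not under_windows and user_writable:
        findings.append(Finding("low", "version info names Microsoft but the file sits in a "
                                       "user-writable path; verify its Authenticode signature", e))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run triage over every parsable line of an FRST excerpt."""
    findings: List[Finding] = []
    for line in text.splitlines():
        entry = parse_frst_line(line)
        if entry is not None:
            findings.extend(triage(entry))
    return findings


# Constructed sample: the four FRST lines quoted above plus two benign lines
# (a genuine svchost.exe and the Driver Support process from the next post).
SAMPLE_LOG = r"""
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Users\{username}\AppData\Local\Microsoft\WindowsUpdate\updatechecker.exe
(Microsoft Corporation) C:\Users\{username}\AppData\Local\Microsoft\WindowsUpdate\taskhostw.exe
HKCU\...\Run: [WindowsUpdateChecker] => C:\Users\{username}\AppData\Local\Microsoft\WindowsUpdate\updatechecker.exe [265216 2018-01-31] (Microsoft Corporation)
( Adobe Systems Incorporated) C:\Users\{username}\Downloads\FlashPlayer.exe
(PC Drivers Headquarters LP) C:\Program Files (x86)\Driver Support\DriverSupport.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry.path}\n         {f.reason}")
```

Only the taskhostw.exe line earns a "high" finding; the Run entry and the FlashPlayer.exe download are "medium", and the Microsoft company string on files under AppData is "low" because genuine Microsoft per-user software lives there too. Follow a finding up with Get-AuthenticodeSignature on the file rather than acting on the version string.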
11. What is Driver Support?

The Malwarebytes research team has determined that Driver Support is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with Driver Support?

This is how the main screen of the system optimizer looks:
You will find this icon in your taskbar and your start menu:
and see these warnings during install:
and these screens during "operations":
You may see this entry in your list of installed programs:
and these tasks in your list of Scheduled Tasks:

How did Driver Support get on my computer?

These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website.

How do I remove Driver Support?

Our program Malwarebytes can detect and remove this potentially unwanted application.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Driver Support?

No, Malwarebytes removes Driver Support completely.
This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below the full version of Malwarebytes would have protected you against the Driver Support installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for experts You may see these entries in FRST logs: (PC Drivers Headquarters LP) C:\Program Files (x86)\Driver Support\DriverSupport.exe (PC Drivers HeadQuarters LP) C:\Program Files (x86)\Driver Support\svc\DriverSupportAOsvc.exe (PC Drivers HeadQuarters LP) C:\Program Files (x86)\Driver Support\svc\DriverSupportAO.exe C:\Windows\SysWOW64\rnd_chunk.bin C:\Users\{username}\Downloads\Driver Support C:\Windows\System32\Tasks\Driver Support-RTMUpdater C:\Windows\System32\Tasks\Driver Support-RTMRules C:\Windows\System32\Tasks\Driver Support-RTMScan C:\Windows\System32\Tasks\Driver Support C:\Windows\System32\Tasks\Driver Support-RTMScanRunOnce C:\Users\{username}\AppData\Local\PC_Drivers_Headquarters C:\ProgramData\UAB C:\ProgramData\Driver Support C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Driver Support C:\Program Files (x86)\Driver Support C:\Users\{username}\AppData\Local\Temp\DriverSupport.exe Driver Support (HKLM-x32\...\DriverSupport) (Version: 10.1.4.82 - PC Drivers HeadQuarters LP) Task: {1137A309-D41F-4536-A30A-9984BE1F04DD} - System32\Tasks\Driver Support-RTMScanRunOnce => C:\Program Files (x86)\Driver Support\DriverSupport.exe [2018-01-17] (PC Drivers Headquarters LP) Task: {4C6396E8-2E53-4E94-A804-D122318A7DF0} - System32\Tasks\Driver Support-RTMUpdater => C:\Program Files (x86)\Driver Support\DriverSupport.exe [2018-01-17] (PC Drivers Headquarters LP) Task: {5E3E3E28-D1CA-458B-9C49-E9BE0A71870B} - System32\Tasks\Driver Support => C:\Program Files (x86)\Driver Support\DriverSupport.exe [2018-01-17] (PC Drivers Headquarters LP) Task: {622FA1D9-0F79-4CE0-B0F1-34529E64A222} - System32\Tasks\Driver Support-RTMScan => C:\Program Files 
(x86)\Driver Support\DriverSupport.exe [2018-01-17] (PC Drivers Headquarters LP) Task: {F792808D-3F2D-43C3-9CDE-0305848CA67E} - System32\Tasks\Driver Support-RTMRules => C:\Program Files (x86)\Driver Support\DriverSupport.exe [2018-01-17] (PC Drivers Headquarters LP) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Driver Support Adds the file Agent.Common.dll"="1/17/2018 3:53 PM, 658048 bytes, A Adds the file Agent.Common.XmlSerializers.dll"="1/17/2018 3:53 PM, 373888 bytes, A Adds the file Agent.Communication.dll"="1/17/2018 3:53 PM, 668288 bytes, A Adds the file Agent.Communication.XmlSerializers.dll"="1/17/2018 3:53 PM, 496768 bytes, A Adds the file Agent.CPU.exe"="1/17/2018 3:50 PM, 106624 bytes, A Adds the file Agent.CPU.exe.config"="1/17/2018 3:45 PM, 232 bytes, A Adds the file Agent.ExceptionLogging.dll"="1/17/2018 3:53 PM, 70784 bytes, A Adds the file Agent.ExceptionLogging.XmlSerializers.dll"="1/17/2018 3:53 PM, 42112 bytes, A Adds the file Common.dll"="1/17/2018 3:54 PM, 1967744 bytes, A Adds the file config.dat"="4/1/2014 4:31 PM, 1600 bytes, A Adds the file cpuidsdk.dll"="1/17/2018 3:45 PM, 973048 bytes, A Adds the file DriverSupport.chm"="11/3/2016 7:21 PM, 48206 bytes, A Adds the file DriverSupport.exe"="1/17/2018 3:52 PM, 9954432 bytes, A Adds the file DriverSupport.exe.config"="1/17/2018 3:45 PM, 2815 bytes, A Adds the file DriverSupport.Updater.exe"="1/17/2018 3:52 PM, 242816 bytes, A Adds the file DriverSupport.Updater.exe.config"="1/17/2018 3:45 PM, 2429 bytes, A Adds the file ExceptionLogging.dll"="1/17/2018 3:54 PM, 40064 bytes, A Adds the file ICSharpCode.SharpZipLib.dll"="1/17/2018 3:55 PM, 214144 bytes, A Adds the file Interop.WUApiLib.dll"="1/17/2018 3:55 PM, 99456 bytes, A Adds the file ISUninstall.exe"="1/17/2018 3:53 PM, 31872 bytes, A Adds the file ISUninstall.exe.config"="1/17/2018 3:45 PM, 213 bytes, A Adds 
the file Microsoft.ApplicationBlocks.Updater.ActivationProcessors.dll"="1/17/2018 3:55 PM, 103552 bytes, A Adds the file Microsoft.ApplicationBlocks.Updater.dll"="1/17/2018 3:55 PM, 132224 bytes, A Adds the file Microsoft.ApplicationBlocks.Updater.Downloaders.dll"="1/17/2018 3:55 PM, 42112 bytes, A Adds the file Microsoft.Practices.EnterpriseLibrary.Common.dll"="1/17/2018 3:55 PM, 103552 bytes, A Adds the file Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll"="1/17/2018 3:55 PM, 83072 bytes, A Adds the file Microsoft.Practices.ObjectBuilder.dll"="1/17/2018 3:55 PM, 60032 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="1/17/2018 3:56 PM, 143488 bytes, A Adds the file RuleEngine.dll"="1/17/2018 3:56 PM, 833664 bytes, A Adds the file RuleEngine.XmlSerializers.dll"="1/17/2018 3:56 PM, 78976 bytes, A Adds the file ThemePack.DriverSupport.dll"="1/17/2018 3:58 PM, 1266304 bytes, A Adds the file Uninstall.exe"="1/9/2017 7:02 PM, 429304 bytes, A Adds the file XPBurnComponent.dll"="1/17/2018 3:58 PM, 62592 bytes, A Adds the folder C:\Program Files (x86)\Driver Support\svc Adds the file DriverSupportAO.exe"="10/22/2016 7:12 PM, 4920784 bytes, A Adds the file DriverSupportAOsvc.exe"="10/22/2016 7:12 PM, 2033104 bytes, A Adds the file install.log"="2/8/2018 9:22 AM, 473 bytes, A Adds the file ipte_svc.log"="2/8/2018 9:22 AM, 256 bytes, A Adds the file ipterbg.exe"="10/22/2016 7:13 PM, 1246672 bytes, A Adds the file ipteup.exe"="10/22/2016 7:13 PM, 4486608 bytes, A Adds the file License.rtf"="1/26/2016 12:09 PM, 119855 bytes, A Adds the file pmtu.exe"="10/22/2016 7:13 PM, 1295824 bytes, A Adds the file reg.dat"="2/8/2018 9:22 AM, 14688 bytes, A Adds the file sigverify.exe"="10/22/2016 7:13 PM, 487952 bytes, A Adds the file uninstall.exe"="10/22/2016 7:13 PM, 487952 bytes, A Adds the file viometer.exe"="10/22/2016 7:13 PM, 4859344 bytes, A Adds the folder C:\ProgramData\Driver Support\Driver Support Adds the file AoServiceManager.dat"="2/8/2018 9:26 AM, 
156594 bytes, A Adds the file CPUID.dat"="2/8/2018 9:22 AM, 704 bytes, A Adds the file dd.lic"="2/8/2018 9:21 AM, 144 bytes, RA Adds the file UXState.dat"="2/8/2018 9:21 AM, 2010 bytes, A Adds the file WL.dat"="2/8/2018 9:21 AM, 6962 bytes, A Adds the folder C:\ProgramData\Driver Support\Driver Support\DDRM Adds the file 11481334836f4f61b3c110920048cb93.exe"="2/8/2018 9:21 AM, 15837424 bytes, A Adds the file 215609eb3ff24c6ba9e214f5f6fb5867.png"="2/8/2018 9:22 AM, 36630 bytes, A Adds the file 312478443a844c18adeef845c32639c7.png"="2/8/2018 9:22 AM, 22041 bytes, A Adds the file 3360a50e06744fc08ffacdcb366a7310.png"="2/8/2018 9:22 AM, 25481 bytes, A Adds the file 3f2b867ce27641b4bfdc9d4a2ff92f51.png"="2/8/2018 9:22 AM, 14750 bytes, A Adds the file 444c8f293fac4d1b8ee44c97f5324951.png"="2/8/2018 9:22 AM, 55493 bytes, A Adds the file 5de611b8fd3c4f3dac06d6f80d4c0dba.jpg"="2/8/2018 9:22 AM, 17365 bytes, A Adds the file 6091981ea730431d9bf04d97348424d3.png"="2/8/2018 9:22 AM, 40826 bytes, A Adds the file 62f9d69a3c494d8c977596c5fc8bff96.png"="2/8/2018 9:22 AM, 9403 bytes, A Adds the file a49e775fcacc484ba1935d40bf35ce1d.png"="2/8/2018 9:22 AM, 20915 bytes, A Adds the file a8cf4b35c6b946b1abefd0e76d9f8704.png"="2/8/2018 9:22 AM, 4901 bytes, A Adds the file DownloadResourceManager.dat"="2/8/2018 9:22 AM, 15106 bytes, A Adds the file f8dc1c2d3a8f417aacd0142f3f1797c1.png"="2/8/2018 9:22 AM, 15399 bytes, A Adds the folder C:\ProgramData\Driver Support\Driver Support\DDSM Adds the file ScanManager.dat"="2/8/2018 9:22 AM, 332762 bytes, A Adds the folder C:\ProgramData\Driver Support\Driver Support\RuleEngine Adds the file GlobalActions.dat"="2/8/2018 9:22 AM, 640 bytes, A Adds the file GlobalEnvironmentEvents.dat"="2/8/2018 9:22 AM, 4992 bytes, A Adds the file GlobalEnvironmentProperties.dat"="2/8/2018 9:22 AM, 728 bytes, A Adds the file GlobalRules.dat"="2/8/2018 9:22 AM, 385920 bytes, A Adds the file RuleHistoryController.dat"="2/8/2018 9:22 AM, 986 bytes, A Adds the folder 
C:\ProgramData\UAB Adds the folder C:\Users\{username}\AppData\Local\PC_Drivers_Headquarters\DriverSupport.exe_Url_jky4qfl0bb42zyjk05xwcsyp4qrtcets\10.1.4.82 Adds the file user.config"="2/8/2018 9:25 AM, 3042 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Driver Support Adds the file Driver Support.lnk"="2/8/2018 9:20 AM, 1211 bytes, A Adds the file Uninstall Driver Support.lnk"="2/8/2018 9:20 AM, 1090 bytes, A Adds the folder C:\Users\{username}\Downloads\Driver Support\Driver Support In the existing folder C:\Windows\System32\Tasks Adds the file Driver Support"="2/8/2018 9:21 AM, 3500 bytes, A Adds the file Driver Support-RTMRules"="2/8/2018 9:21 AM, 3772 bytes, A Adds the file Driver Support-RTMScan"="2/8/2018 9:21 AM, 3662 bytes, A Adds the file Driver Support-RTMScanRunOnce"="2/8/2018 9:21 AM, 3480 bytes, A Adds the file Driver Support-RTMUpdater"="2/8/2018 9:21 AM, 3784 bytes, A In the existing folder C:\Windows\SysWOW64 Adds the file rnd_chunk.bin"="2/8/2018 9:23 AM, 32832 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\DriverSupport] "APIPort"="REG_SZ", "65411" "UUID"="REG_SZ", "24055700-78ff-4df7-9986-78928e8723b5" [HKEY_LOCAL_MACHINE\SOFTWARE\DriverSupport\AoService] "InstallDate"="REG_SZ", "2/8/2018 8:22:16 AM" "InstallStatus"="REG_SZ", "0" "InstallStatusDescription"="REG_SZ", "Communication Success" "IsInstalled"="REG_SZ", "1" [HKEY_LOCAL_MACHINE\SOFTWARE\DriverSupport\Install] "HasApplicationRun-Driver Support"="REG_SZ", "true" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\DriverSupport.exe] "(Default)"="REG_SZ", "C:\Program Files (x86)\Driver Support\DriverSupport.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverSupport] "InstallerLanguage"="REG_SZ", "1033" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ActiveOptimization\svc] "APIport"="REG_SZ", "8000" 
"DHQSessionID"="REG_SZ", "S-1-5-21-1350903546-318028887-1286703239-1003" "InstLicense"="REG_SZ", "" "InstPath"="REG_SZ", "C:\Program Files (x86)\driver support\svc\" "InstProxy"="REG_SZ", "" "InstServer"="REG_SZ", "front.activeoptimization.com" "InstServerPort"="REG_SZ", "5000" "InstVersion"="REG_SZ", "1.0.4.9077" "Path"="REG_SZ", "C:\Program Files (x86)\driver support\svc\" "Proxy"="REG_SZ", "" "Server"="REG_SZ", "front.activeoptimization.com" "ServerPort"="REG_SZ", "5000" "Version"="REG_SZ", "1.0.4.9077" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ActiveOptimization\svc\Backup] "(Default)"="REG_SZ", "1" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ActiveOptimization\svc\Backup\0] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DriverSupport] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Driver Support\DriverSupport.exe,0" "DisplayName"="REG_SZ", "Driver Support" "DisplayVersion"="REG_SZ", "10.1.4.82" "EstimatedSize"="REG_DWORD", 18462 "HelpLink"="REG_SZ", "http://account.driversupport.com/support/contact?wlid=30" "HelpTelephone"="REG_SZ", "512.373.3518" "InstallerLanguage"="REG_SZ", "1033" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Driver Support" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "ProductID"="REG_SZ", "{597FB4A5-DD86-4316-A410-7E8074CC2CCE}" "Publisher"="REG_SZ", "PC Drivers HeadQuarters LP" "UninstallString"="REG_SZ", "C:\Program Files (x86)\Driver Support\Uninstall.exe" "URLInfoAbout"="REG_SZ", "http://www.driversupport.com" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DSAO] "Description"="REG_SZ", "Driver Support Active Optimization Service" "DisplayName"="REG_SZ", "Driver Support AO Service" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\driver support\svc\DriverSupportAOsvc.exe"" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\UrlAclInfo] "http://127.0.0.1:65411/"="REG_BINARY, ........................ "http://127.0.0.1:65411/client/apiinfo/"="REG_BINARY, ........................ "http://127.0.0.1:65411/client/reboot/"="REG_BINARY, ........................ "http://127.0.0.1:65411/client/status/"="REG_BINARY, ........................ "http://127.0.0.1:65411/driverscan/"="REG_BINARY, ........................ "http://127.0.0.1:65411/license/"="REG_BINARY, ........................ "http://127.0.0.1:65411/license/status/"="REG_BINARY, ........................ "http://127.0.0.1:65411/media/status/"="REG_BINARY, ........................ "http://127.0.0.1:65411/system/data/"="REG_BINARY, ........................ "http://127.0.0.1:65411/tests/progress/"="REG_BINARY, ........................ "http://127.0.0.1:65411/uxstate/"="REG_BINARY, ........................ "http://localhost:65411/"="REG_BINARY, ........................ "http://localhost:65411/client/apiinfo/"="REG_BINARY, ........................ "http://localhost:65411/client/reboot/"="REG_BINARY, ........................ "http://localhost:65411/client/status/"="REG_BINARY, ........................ "http://localhost:65411/driverscan/"="REG_BINARY, ........................ "http://localhost:65411/license/"="REG_BINARY, ........................ "http://localhost:65411/license/status/"="REG_BINARY, ........................ "http://localhost:65411/media/status/"="REG_BINARY, ........................ "http://localhost:65411/system/data/"="REG_BINARY, ........................ "http://localhost:65411/tests/progress/"="REG_BINARY, ........................ "http://localhost:65411/uxstate/"="REG_BINARY, ........................ 
[HKEY_CURRENT_USER\Software\DriverSupport] "APIPort"="REG_SZ", "65411" [HKEY_CURRENT_USER\Software\DriverSupport\AoService] "ClientStatus"="REG_SZ", "Online" "HandshakeStatus"="REG_SZ", "1" "InstallDate"="REG_SZ", "2/8/2018 8:22:16 AM" "InstallStatus"="REG_SZ", "0" "InstallStatusDescription"="REG_SZ", "Communication Success" "IsCommunicationEstablished"="REG_SZ", "true" "IsEnabled"="REG_SZ", "true" "IsInitialized"="REG_SZ", "true" "LicenseStatus"="REG_SZ", "NotPresent" "NetworkMediaASN"="REG_SZ", "29670" "NetworkMediaIP"="REG_SZ", "10.0.2.15" "NetworkMediaProvider"="REG_SZ", "Individual Network Berlin e.V." "ServiceStarted"="REG_SZ", "true" "SystemDataProcessorLoadPercentage"="REG_SZ", "74" "TestFinish"="REG_SZ", "2/8/2018 8:24:58 AM" "TestStage"="REG_SZ", "Analyzing" "TestStart"="REG_SZ", "2/8/2018 8:23:08 AM" "TestStatus"="REG_SZ", "100" "TestStatusCpu"="REG_SZ", "NA" "TestStatusDescription"="REG_SZ", "Report Is Ready" "TestStatusDisk"="REG_SZ", "NA" "TestStatusNetwork"="REG_SZ", "NA" [HKEY_CURRENT_USER\Software\DriverSupport\Install] "DhqScanFinish"="REG_SZ", "2/8/2018 8:22:40 AM" "DhqScanStart"="REG_SZ", "2/8/2018 8:22:13 AM" "DhqScanStatus"="REG_SZ", "4" "DhqScanStatusDescription"="REG_SZ", "Scan Complete" "HasApplicationRun-Driver Support"="REG_SZ", "true" "InstallStatus"="REG_SZ", "1" "OpenScanResultLanderUrl"="REG_SZ", "https://apps.driversupport.com/postinstall/scanresultsveloxum?cart=https%3a%2f%2fsecure.driversupport.com%2fregistration%2fcart%3faf%3ddriversupport&aff=driversupport&wlID=30&uuid=24055700-78ff-4df7-9986-78928e8723b5&appVer=10.1.4.82&systemDrivers=true&ap=65411&asn=29670&ddsrc=VeloxumScanResults" "ScanFinish"="REG_SZ", "2/8/2018 8:24:58 AM" "ScanProgress"="REG_SZ", "100" "ScanStart"="REG_SZ", "2/8/2018 8:22:13 AM" "ScanStatus"="REG_SZ", "4" "ScanStatusDescription"="REG_SZ", "Scan Complete" "SummaryFlags"="REG_SZ", "1856" "UILevel"="REG_SZ", "5" "UUID"="REG_SZ", "24055700-78ff-4df7-9986-78928e8723b5" Malwarebytes log: Malwarebytes 
www.malwarebytes.com

-Log Details-
Scan Date: 2/8/18
Scan Time: 10:51 AM
Log File: b2de19cc-0cb5-11e8-9439-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3897
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 241875
Threats Detected: 148
Threats Quarantined: 148
Time Elapsed: 11 min, 11 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 3
PUP.Optional.DriverSupport.TskLnk, C:\PROGRAM FILES (X86)\DRIVER SUPPORT\DRIVERSUPPORT.EXE, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport, C:\PROGRAM FILES (X86)\DRIVER SUPPORT\SVC\DRIVERSUPPORTAOSVC.EXE, Quarantined, [2291], [484531],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\DriverSupportAO.exe, Quarantined, [2291], [484511],1.0.3897

Module: 18
PUP.Optional.DriverSupport.TskLnk, C:\PROGRAM FILES (X86)\DRIVER SUPPORT\DRIVERSUPPORT.EXE, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport, C:\PROGRAM FILES (X86)\DRIVER SUPPORT\SVC\DRIVERSUPPORTAOSVC.EXE, Quarantined, [2291], [484531],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\DriverSupportAO.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Common.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.Common.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.Common.XmlSerializers.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.Communication.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.Communication.XmlSerializers.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\ExceptionLogging.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Interop.WUApiLib.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.ApplicationBlocks.Updater.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.Practices.EnterpriseLibrary.Common.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.Practices.ObjectBuilder.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.Win32.TaskScheduler.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\RuleEngine.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\RuleEngine.XmlSerializers.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\ThemePack.DriverSupport.dll, Quarantined, [2291], [484511],1.0.3897

Registry Key: 30
PUP.Optional.DriverSupport, HKCU\SOFTWARE\DriverSupport, Quarantined, [2291], [484532],1.0.3897
PUP.Optional.DriverSupport, HKLM\SOFTWARE\WOW6432NODE\ACTIVEOPTIMIZATION\SVC, Quarantined, [2291], [484957],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Driver Support, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{5E3E3E28-D1CA-458B-9C49-E9BE0A71870B}, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{5E3E3E28-D1CA-458B-9C49-E9BE0A71870B}, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Driver Support-RTMRules, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F792808D-3F2D-43C3-9CDE-0305848CA67E}, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{F792808D-3F2D-43C3-9CDE-0305848CA67E}, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Driver Support-RTMScan, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{622FA1D9-0F79-4CE0-B0F1-34529E64A222}, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{622FA1D9-0F79-4CE0-B0F1-34529E64A222}, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Driver Support-RTMUpdater, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{4C6396E8-2E53-4E94-A804-D122318A7DF0}, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{4C6396E8-2E53-4E94-A804-D122318A7DF0}, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Driver Support, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5E3E3E28-D1CA-458B-9C49-E9BE0A71870B}, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5E3E3E28-D1CA-458B-9C49-E9BE0A71870B}, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Driver Support-RTMRules, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F792808D-3F2D-43C3-9CDE-0305848CA67E}, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F792808D-3F2D-43C3-9CDE-0305848CA67E}, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Driver Support-RTMScan, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{622FA1D9-0F79-4CE0-B0F1-34529E64A222}, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{622FA1D9-0F79-4CE0-B0F1-34529E64A222}, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Driver Support-RTMUpdater, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4C6396E8-2E53-4E94-A804-D122318A7DF0}, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4C6396E8-2E53-4E94-A804-D122318A7DF0}, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport, HKLM\SOFTWARE\DriverSupport, Quarantined, [2291], [484521],1.0.3897
PUP.Optional.DriverSupport, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DriverSupport, Quarantined, [2291], [484524],1.0.3897
PUP.Optional.DriverSupport, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DriverSupport, Quarantined, [2291], [484524],1.0.3897
PUP.Optional.DriverSupport, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DSAO, Quarantined, [2291], [484531],1.0.3897

Registry Value: 2
PUP.Optional.DriverSupport, HKLM\SOFTWARE\WOW6432NODE\ACTIVEOPTIMIZATION\SVC|SERVER, Quarantined, [2291], [484957],1.0.3897
PUP.Optional.DriverSupport, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DSAO|DESCRIPTION, Quarantined, [2291], [484531],1.0.3897

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 13
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\PROGRAM FILES (X86)\DRIVER SUPPORT, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\RuleEngine, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDSM, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\PROGRAMDATA\DRIVER SUPPORT, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\Users\{username}\AppData\Local\PC_Drivers_Headquarters\DriverSupport.exe_Url_jky4qfl0bb42zyjk05xwcsyp4qrtcets\10.1.4.82, Quarantined, [2291], [484513],1.0.3897
PUP.Optional.DriverSupport, C:\Users\{username}\AppData\Local\PC_Drivers_Headquarters\DriverSupport.exe_Url_jky4qfl0bb42zyjk05xwcsyp4qrtcets, Quarantined, [2291], [484513],1.0.3897
PUP.Optional.DriverSupport, C:\USERS\{username}\APPDATA\LOCAL\PC_Drivers_Headquarters, Quarantined, [2291], [484513],1.0.3897
PUP.Optional.DriverSupport, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DRIVER SUPPORT, Quarantined, [2291], [484514],1.0.3897
PUP.Optional.DriverSupport, C:\Users\{username}\Downloads\Driver Support\Driver Support, Quarantined, [2291], [484517],1.0.3897
PUP.Optional.DriverSupport, C:\USERS\{username}\DOWNLOADS\DRIVER SUPPORT, Quarantined, [2291], [484517],1.0.3897

File: 82
PUP.Optional.DriverSupport.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Driver Support, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Driver Support-RTMRules, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Driver Support-RTMScan, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Driver Support-RTMUpdater, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, C:\PROGRAM FILES (X86)\DRIVER SUPPORT\DRIVERSUPPORT.EXE, Quarantined, [14754], [484518],1.0.3897
PUP.Optional.DriverSupport.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Driver Support, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Driver Support-RTMRules, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Driver Support-RTMScan, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Driver Support-RTMUpdater, Quarantined, [14754], [-1],0.0.0
PUP.Optional.DriverSupport, C:\PROGRAM FILES (X86)\DRIVER SUPPORT\SVC\DRIVERSUPPORTAOSVC.EXE, Quarantined, [2291], [484531],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\DriverSupportAO.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\install.log, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\ipterbg.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\ipteup.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\ipte_svc.log, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\License.rtf, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\pmtu.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\reg.dat, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\sigverify.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\uninstall.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\svc\viometer.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Common.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.ApplicationBlocks.Updater.ActivationProcessors.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.Common.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.Common.XmlSerializers.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.Communication.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.Communication.XmlSerializers.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.CPU.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.CPU.exe.config, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.ExceptionLogging.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Agent.ExceptionLogging.XmlSerializers.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\config.dat, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\cpuidsdk.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\DriverSupport.chm, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\DriverSupport.exe.config, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\DriverSupport.Updater.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\DriverSupport.Updater.exe.config, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\ExceptionLogging.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\ICSharpCode.SharpZipLib.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Interop.WUApiLib.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\ISUninstall.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\ISUninstall.exe.config, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.ApplicationBlocks.Updater.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.ApplicationBlocks.Updater.Downloaders.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.Practices.EnterpriseLibrary.Common.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.Practices.ObjectBuilder.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Microsoft.Win32.TaskScheduler.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\RuleEngine.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\RuleEngine.XmlSerializers.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\ThemePack.DriverSupport.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\Uninstall.exe, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\Program Files (x86)\Driver Support\XPBurnComponent.dll, Quarantined, [2291], [484511],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\11481334836f4f61b3c110920048cb93.exe, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\215609eb3ff24c6ba9e214f5f6fb5867.png, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\312478443a844c18adeef845c32639c7.png, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\3360a50e06744fc08ffacdcb366a7310.png, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\3f2b867ce27641b4bfdc9d4a2ff92f51.png, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\444c8f293fac4d1b8ee44c97f5324951.png, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\5de611b8fd3c4f3dac06d6f80d4c0dba.jpg, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\6091981ea730431d9bf04d97348424d3.png, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\62f9d69a3c494d8c977596c5fc8bff96.png, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\a49e775fcacc484ba1935d40bf35ce1d.png, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\a8cf4b35c6b946b1abefd0e76d9f8704.png, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\DownloadResourceManager.dat, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDRM\f8dc1c2d3a8f417aacd0142f3f1797c1.png, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\DDSM\ScanManager.dat, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\RuleEngine\GlobalActions.dat, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\RuleEngine\GlobalEnvironmentEvents.dat, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\RuleEngine\GlobalEnvironmentProperties.dat, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\RuleEngine\GlobalRules.dat, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\RuleEngine\RuleHistoryController.dat, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\AoServiceManager.dat, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\CPUID.dat, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\dd.lic, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\UXState.dat, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\ProgramData\Driver Support\Driver Support\WL.dat, Quarantined, [2291], [484512],1.0.3897
PUP.Optional.DriverSupport, C:\Users\{username}\AppData\Local\PC_Drivers_Headquarters\DriverSupport.exe_Url_jky4qfl0bb42zyjk05xwcsyp4qrtcets\10.1.4.82\user.config, Quarantined, [2291], [484513],1.0.3897
PUP.Optional.DriverSupport, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Driver Support\Driver Support.lnk, Quarantined, [2291], [484514],1.0.3897
PUP.Optional.DriverSupport, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Driver Support\Uninstall Driver Support.lnk, Quarantined, [2291], [484514],1.0.3897
PUP.Optional.DriverSupport, C:\USERS\{username}\APPDATA\LOCAL\TEMP\DRIVERSUPPORT.EXE, Quarantined, [2291], [486292],1.0.3897
PUP.Optional.DriverSupport, C:\USERS\{username}\DESKTOP\DRIVERSUPPORT.EXE, Quarantined, [2291], [486292],1.0.3897

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
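A post-removal check, added here as an example and not part of the Malwarebytes post: it re-checks a machine for the DriverSupport leftovers the log above lists, that is the four scheduled tasks named "Driver Support*", the DSAO service, the HTTP.sys URL reservations on port 65411 that the UrlAclInfo key holds, and the registry keys and folders. The task names, service name, port, keys and paths are taken from the post; using schtasks and netsh, the environment variables for the folders and the -Remove behaviour are this example's own assumptions. Run it from an elevated PowerShell prompt; without -Remove it only reports.

```powershell
# Added example, not code from the Malwarebytes post. Checks for leftover
# DriverSupport artifacts named in the scan log; report-only unless -Remove.
# Assumes an elevated prompt and schtasks.exe / netsh.exe on the path.
[CmdletBinding()]
param([switch]$Remove)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Scheduled tasks. schtasks (not Get-ScheduledTask) so this also runs on
#    Windows 7, the OS in the log. /NH drops the header row, so the columns
#    are named here; TaskName comes back with its folder, e.g. "\Driver Support".
$tasks = schtasks /Query /FO CSV /NH 2>$null |
    ConvertFrom-Csv -Header TaskName, NextRun, Status |
    Where-Object { $_.TaskName -like '\Driver Support*' }
foreach ($t in $tasks) {
    $findings.Add("scheduled task  $($t.TaskName)")
    if ($Remove) { schtasks /Delete /TN $t.TaskName /F | Out-Null }
}

# 2. The DSAO service (DriverSupportAOSvc.exe). Deleting the service entry is
#    what removes HKLM\SYSTEM\CurrentControlSet\Services\DSAO cleanly.
$svc = Get-Service -Name 'DSAO' -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add("service         DSAO ($($svc.Status))")
    if ($Remove) {
        Stop-Service -Name 'DSAO' -Force -ErrorAction SilentlyContinue
        sc.exe delete DSAO | Out-Null
    }
}

# 3. HTTP.sys URL reservations. The UrlAclInfo values above are what
#    "netsh http show urlacl" displays; an uninstaller that forgets them leaves
#    the port reserved for the PUP's local API (65411 in the post).
$urls = foreach ($line in (netsh http show urlacl)) {
    if ($line -match 'Reserved URL\s*:\s*(\S+:65411/\S*)') { $Matches[1] }
}
foreach ($u in $urls) {
    $findings.Add("url reservation $u")
    if ($Remove) { netsh http delete urlacl url=$u | Out-Null }
}

# 4. Registry keys from the log (the service key is handled by sc.exe above).
$regKeys = @(
    'HKCU:\Software\DriverSupport',
    'HKLM:\SOFTWARE\DriverSupport',
    'HKLM:\SOFTWARE\WOW6432Node\ActiveOptimization',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DriverSupport',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverSupport'
)
foreach ($k in ($regKeys | Where-Object { Test-Path -LiteralPath $_ })) {
    $findings.Add("registry key    $k")
    if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force -ErrorAction SilentlyContinue }
}

# 5. Folders from the log. The task XML files under System32\Tasks go away
#    together with the tasks in step 1.
$folders = @(
    "${env:ProgramFiles(x86)}\Driver Support",
    "$env:ProgramData\Driver Support",
    "$env:LOCALAPPDATA\PC_Drivers_Headquarters",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Driver Support"
) | Where-Object { $_ -notlike '\*' -and (Test-Path -LiteralPath $_) }
foreach ($f in $folders) {
    $findings.Add("folder          $f")
    if ($Remove) { Remove-Item -LiteralPath $f -Recurse -Force -ErrorAction SilentlyContinue }
}

if ($findings.Count -eq 0) {
    'No DriverSupport artifacts found.'
} else {
    "$($findings.Count) DriverSupport artifact(s)$(if ($Remove) { ' removed' }):"
    $findings | ForEach-Object { "  $_" }
}
```

The URL reservation step is the one a generic uninstall or a scan does not cover: the UrlAclInfo values are owned by HTTP.sys, not by the program's folder or uninstall key, so they survive removal of the binaries and keep port 65411 reserved for a local "API" that no longer exists until netsh deletes them.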
12. What is Dictionary?

The Malwarebytes research team has determined that Dictionary is a search hijacker and a forced Firefox extension.

How do I know if my computer is affected by Dictionary?

You may see these warnings during install:

and this new Firefox extension:

How did Dictionary get on my computer?

Forced extensions use typical methods for distributing themselves. They try to keep users trapped until they agree to install the extension.

How do I remove Dictionary?

Our program Malwarebytes can detect and remove this unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Dictionary?

No, Malwarebytes removes Dictionary completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this forced extension.
We protect our customers from these extensions by blocking the sites that spread them:

and the domains where they download additional code from:

Technical details for experts

Possible signs in FRST logs:
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\{f4262989-6de0-4604-918f-663b85fad605}.xpi [2018-02-07]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\browser-extension-data\{f4262989-6de0-4604-918f-663b85fad605}
   Adds the file storage.js  2/7/2018 8:52 AM, 60 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default
   Adds the file {f4262989-6de0-4604-918f-663b85fad605}.xpi  2/7/2018 8:52 AM, 8350 bytes, A

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/7/18
Scan Time: 9:04 AM
Log File: 94567eaa-0bdd-11e8-9439-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3887
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 241624
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 4 min, 40 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
PUP.Optional.ForcedInstalledExtensionFF, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\{F4262989-6DE0-4604-918F-663B85FAD605}.XPI, Quarantined, [4633], [486396],1.0.3887

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
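An extension audit, added here as an example and not code from the Malwarebytes post: the FRST line above shows the forced add-on as "No Name" with a GUID file name dropped straight into the profile root, which is exactly what a manifest-level inventory surfaces. The script opens every .xpi in the Firefox profiles (an .xpi is a zip with manifest.json at its root), reads the manifest and flags add-ons without a plain name or with broad host permissions. It goes beyond this post's Firefox case and also inventories Chrome's Default profile, reading each extension's manifest.json and the default search engine from Chrome's preference files, which is the kind of search-provider hijack the MusicBox Search post on this page describes. Profile locations, the permission list treated as "broad", the preference-file field names and the .NET System.IO.Compression dependency are this example's assumptions; it removes nothing.

```powershell
# Added example, not code from the Malwarebytes post. Inventories Firefox and
# Chrome extensions from their manifest.json files and flags what forced
# extensions and search hijackers rely on. Read-only. Assumes default profile
# locations and .NET 4.5+ for System.IO.Compression.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$broadPermissions = @('<all_urls>', 'tabs', 'webRequest', 'webRequestBlocking',
                      'webNavigation', 'http://*/*', 'https://*/*', '*://*/*')

function Read-XpiManifest([string]$Path) {
    # An .xpi is a zip; a WebExtension keeps manifest.json at the root.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('manifest.json')
        if (-not $entry) { return $null }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { return ($reader.ReadToEnd() | ConvertFrom-Json) } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
}

function Get-ExtensionFlags($Manifest) {
    if (-not $Manifest) { return @('no manifest.json (legacy add-on)') }
    $flags = @()
    $perms = @($Manifest.permissions) + @($Manifest.host_permissions) | Where-Object { $_ }
    $hits  = $perms | Where-Object { $broadPermissions -contains $_ }
    if ($hits) { $flags += "broad permissions: $($hits -join ', ')" }
    $sp = $Manifest.chrome_settings_overrides.search_provider
    if ($sp) { $flags += "replaces default search: $($sp.search_url)" }
    if ($Manifest.chrome_url_overrides) {
        $pages = ($Manifest.chrome_url_overrides | Get-Member -MemberType NoteProperty).Name
        $flags += "overrides built-in page: $($pages -join ', ')"
    }
    # Localised names come through as __MSG_x__; a forced add-on often has none at all.
    if (-not $Manifest.name -or $Manifest.name -like '__MSG_*') { $flags += 'no plain name in manifest' }
    return $flags
}

$found = @()

# Firefox: forced installs drop the .xpi in the profile root (Dictionary) or
# under extensions\ (MusicBox Search), so search the whole profile tree.
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    foreach ($xpi in Get-ChildItem $ffProfiles -Recurse -Filter '*.xpi' -ErrorAction SilentlyContinue) {
        $m  = Read-XpiManifest $xpi.FullName
        $id = if ($m.browser_specific_settings.gecko.id) { $m.browser_specific_settings.gecko.id }
              elseif ($m.applications.gecko.id)          { $m.applications.gecko.id }
              else                                       { $xpi.BaseName }
        $found += [pscustomobject]@{
            Browser = 'Firefox'; Id = $id; Name = $m.name; Version = $m.version
            Path = $xpi.FullName; Flags = (Get-ExtensionFlags $m) -join '; '
        }
    }
}

# Chrome: Extensions\<id>\<version>\manifest.json. Only that depth is an
# extension root; deeper manifest.json files belong to bundled libraries.
$chromeExt = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path $chromeExt) {
    foreach ($mf in Get-ChildItem $chromeExt -Recurse -Filter 'manifest.json' -ErrorAction SilentlyContinue) {
        if ($mf.Directory.Parent.Parent.FullName -ne (Get-Item $chromeExt).FullName) { continue }
        $m = Get-Content $mf.FullName -Raw | ConvertFrom-Json
        $found += [pscustomobject]@{
            Browser = 'Chrome'; Id = $mf.Directory.Parent.Name; Name = $m.name; Version = $m.version
            Path = $mf.Directory.FullName; Flags = (Get-ExtensionFlags $m) -join '; '
        }
    }
}

# Chrome's effective default search engine (what FRST prints as CHR
# DefaultSearchURL) sits in Preferences or, on Windows, Secure Preferences.
foreach ($name in 'Preferences', 'Secure Preferences') {
    $prefsFile = Join-Path $env:LOCALAPPDATA "Google\Chrome\User Data\Default\$name"
    if (-not (Test-Path $prefsFile)) { continue }
    $dsp = (Get-Content $prefsFile -Raw | ConvertFrom-Json).default_search_provider_data.template_url_data
    if ($dsp) { "Chrome default search ($name): $($dsp.keyword) -> $($dsp.url)" }
}

$found | Sort-Object Browser, Id | Format-Table Browser, Id, Name, Version, Flags -AutoSize -Wrap
```

Anything that shows up with "no plain name in manifest" and a GUID for an Id is worth opening by hand; a legitimate add-on installed through the browser's own UI has a name, and a search-provider override that points at a host you did not choose is the hijack itself, not a side effect of it.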
  13. What is MusicBox Search? The Malwarebytes research team has determined that MusicBox Search is a browser NewTab and search hijacker. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by MusicBox Search? You may see these browser extensions: and these warnings during install: How did MusicBox Search get on my computer? Browser hijackers use different methods for distributing themselves. These were promoted by a website served by an ad-rotator. Depending on the visiting browser they served a fitting extension. The Chrome extension was also available in the Chrome webstore. How do I remove MusicBox Search? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MusicBox Search? If you are using an older version of Malwarebytes, you may have to remove the Chrome Extension manually under Tools > More Tools > Extensions. Click on the bin behind the MusicBox Search entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. 
As you can see below the full version of Malwarebytes would have protected you against the MusicBox Search hijacker. It blocks traffic to the ad-rotator, the serving website and the hijackers domain: Technical details for experts Possible signs in a FRST log: FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{fa73622c-8b41-45b8-9d93-6d66e7633765}.xpi [2018-02-06] CHR DefaultSearchURL: Default -> hxxp://music.eanswers.com/go/?category=web&s=21ds&vert=music&q={searchTerms} CHR DefaultSearchKeyword: Default -> MusicBox CHR DefaultSuggestURL: Default -> hxxp://sug.eanswers.com/search/index_sg.php?q={searchTerms} CHR Extension: (MusicBox Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmcogiomgbbnmabknldeikbknapolpde [2018-02-06] Changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmcogiomgbbnmabknldeikbknapolpde\1.0.0_0 Adds the file manifest.json"="2/6/2018 8:50 AM, 2266 bytes, A Adds the file popup.html"="9/6/2017 1:39 PM, 4841 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmcogiomgbbnmabknldeikbknapolpde\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/6/2018 8:50 AM, 18881 bytes, A Adds the file verified_contents.json"="12/8/2017 11:10 AM, 4967 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmcogiomgbbnmabknldeikbknapolpde\1.0.0_0\css Adds the file style.css"="9/6/2017 1:39 PM, 4085 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmcogiomgbbnmabknldeikbknapolpde\1.0.0_0\css\fonts Adds the file material-icons.css"="9/6/2017 1:39 PM, 1037 bytes, A Adds the file MaterialIcons-Regular.eot"="9/6/2017 1:39 PM, 143258 bytes, A 
Adds the file MaterialIcons-Regular.ijmap"="9/6/2017 1:39 PM, 28416 bytes, A Adds the file MaterialIcons-Regular.svg"="9/6/2017 1:39 PM, 284031 bytes, A Adds the file MaterialIcons-Regular.ttf"="9/6/2017 1:39 PM, 128180 bytes, A Adds the file MaterialIcons-Regular.woff"="9/6/2017 1:39 PM, 78776 bytes, A Adds the file MaterialIcons-Regular.woff2"="9/6/2017 1:39 PM, 42304 bytes, A Adds the file RobotoCondensed-Light.ttf"="9/6/2017 1:39 PM, 126168 bytes, A Adds the file RobotoCondensed-Regular.ttf"="9/6/2017 1:39 PM, 125332 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmcogiomgbbnmabknldeikbknapolpde\1.0.0_0\images Adds the file icon128.png"="2/6/2018 8:50 AM, 9991 bytes, A Adds the file icon16.png"="2/6/2018 8:50 AM, 576 bytes, A Adds the file icon38.png"="2/6/2018 8:50 AM, 1815 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmcogiomgbbnmabknldeikbknapolpde\1.0.0_0\images\rateshare Adds the file close.png"="9/4/2017 2:23 PM, 1920 bytes, A Adds the file rate.jpg"="9/4/2017 2:23 PM, 102155 bytes, A Adds the file rate1.png"="9/4/2017 2:23 PM, 12334 bytes, A Adds the file share.jpg"="9/4/2017 2:23 PM, 17633 bytes, A Adds the file share1.png"="9/4/2017 2:23 PM, 4466 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmcogiomgbbnmabknldeikbknapolpde\1.0.0_0\js Adds the file base.js"="12/8/2017 11:07 AM, 38338 bytes, A Adds the file init.js"="11/19/2017 3:32 PM, 439 bytes, A Adds the file main.js"="9/6/2017 1:39 PM, 3863 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmcogiomgbbnmabknldeikbknapolpde\1.0.0_0\js\official Adds the file bootstrap.min.js"="9/6/2017 1:39 PM, 36874 bytes, A Adds the file jquery.min.js"="9/6/2017 1:39 PM, 85660 bytes, A Adds the file material.min.js"="9/6/2017 1:39 PM, 62359 bytes, A Adds the folder 
Registry details:

[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"gmcogiomgbbnmabknldeikbknapolpde"="REG_SZ", "176B26AB18262AE2C964F7F502394D170D64916D35524860E53D679351CEA415"

The Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/6/18
Scan Time: 1:10 PM
Log File: c1eff460-0b36-11e8-9439-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3881
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 241535
Threats Detected: 52
Threats Quarantined: 52
Time Elapsed: 2 min, 29 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
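As an added example that is not part of the original post, the following PowerShell script checks a Chrome profile for the indicators quoted in the FRST lines above: the replaced default search provider, the extension directory and the PreferenceMACs registry entry. The extension ID and the eanswers.com domain are taken from the post; the profile location, the function names and the Chrome preference layout used here are assumptions.

```powershell
# Added example (not code from the original post): audit a Chrome profile for
# the indicators described above. Assumptions: Chrome in its per-user default
# location, profile "Default", Windows PowerShell 3.0 or later (ConvertFrom-Json).
# Only the extension ID and the eanswers.com domain come from the post.

$ProfileDir         = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$SuspectExtensionId = 'gmcogiomgbbnmabknldeikbknapolpde'
$SuspectDomain      = 'eanswers.com'

function Get-ChromeSearchProvider {
    # Returns the default search provider recorded in a Chrome prefs file, or $null.
    # Assumed layout: default_search_provider_data.template_url_data in the JSON.
    param([Parameter(Mandatory)][string]$PrefsFile)
    if (-not (Test-Path -LiteralPath $PrefsFile)) { return $null }
    $prefs = Get-Content -LiteralPath $PrefsFile -Raw | ConvertFrom-Json
    $tpl = $prefs.default_search_provider_data.template_url_data
    if ($null -eq $tpl) { return $null }
    [pscustomobject]@{
        File       = Split-Path -Leaf $PrefsFile
        Keyword    = $tpl.keyword
        Name       = $tpl.short_name
        SearchUrl  = $tpl.url
        SuggestUrl = $tpl.suggestions_url
        # The post shows both the search and the suggest URL pointing at eanswers.com.
        Suspicious = ($tpl.url -like "*$SuspectDomain*") -or ($tpl.suggestions_url -like "*$SuspectDomain*")
    }
}

function Get-ChromeExtensions {
    # Lists every extension directory in the profile with the name from its manifest.
    param([Parameter(Mandatory)][string]$ProfilePath)
    $extRoot = Join-Path $ProfilePath 'Extensions'
    if (-not (Test-Path -LiteralPath $extRoot)) { return }
    foreach ($idDir in Get-ChildItem -LiteralPath $extRoot -Directory) {
        foreach ($verDir in Get-ChildItem -LiteralPath $idDir.FullName -Directory) {
            $manifest = Join-Path $verDir.FullName 'manifest.json'
            $name = $null
            if (Test-Path -LiteralPath $manifest) {
                $name = (Get-Content -LiteralPath $manifest -Raw | ConvertFrom-Json).name
            }
            [pscustomobject]@{
                Id         = $idDir.Name
                Version    = $verDir.Name
                Name       = $name
                Suspicious = ($idDir.Name -eq $SuspectExtensionId)
            }
        }
    }
}

function Test-PreferenceMac {
    # True if the PreferenceMACs key holds an entry for the extension ID; the
    # registry details above show the installer writing exactly such a value.
    param([Parameter(Mandatory)][string]$ExtensionId)
    $key = 'HKCU:\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings'
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $props = Get-ItemProperty -LiteralPath $key
    return ($null -ne $props.PSObject.Properties[$ExtensionId])
}

# Run the checks and print anything that matches the indicators from the post.
foreach ($f in 'Preferences', 'Secure Preferences') {
    Get-ChromeSearchProvider -PrefsFile (Join-Path $ProfileDir $f) | Format-List
}
Get-ChromeExtensions -ProfilePath $ProfileDir | Where-Object { $_.Suspicious } | Format-Table -AutoSize
"PreferenceMACs entry for $SuspectExtensionId present: $(Test-PreferenceMac -ExtensionId $SuspectExtensionId)"
```

Close Chrome before running it, since the browser rewrites both preference files while it is open.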
14. What is Universal PC Mechanic?

The Malwarebytes research team has determined that Universal PC Mechanic is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with Universal PC Mechanic?

This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar, your start menu, and on your desktop:
and see this warning during install:
and these screens during "operations":
You may see this entry in your list of installed programs:
and this task in your list of Scheduled Tasks:

How did Universal PC Mechanic get on my computer?

These so-called system optimizers use different methods of getting installed. This particular one was promoted by a fake online scanner.

How do I remove Universal PC Mechanic?

Our program Malwarebytes can detect and remove this potentially unwanted application.

Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Universal PC Mechanic?

No, Malwarebytes removes Universal PC Mechanic completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this system optimizer. As you can see below the full version of Malwarebytes would have protected you against the Universal PC Mechanic installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. And we block access to their domain:

Technical details for experts

You may see these entries in FRST logs:

() C:\Program Files\Universal PC Mechanic on {computername}\oscm.exe
C:\Users\{username}\AppData\Roaming\Universal PC Mechanic on {computername}
C:\Windows\System32\Tasks\Universal PC Mechanic_Logon
C:\Users\Public\Desktop\Universal PC Mechanic.lnk
C:\ProgramData\Universal PC Mechanic on {computername}
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Universal PC Mechanic on {computername}
C:\Program Files\Universal PC Mechanic on {computername}
Universal PC Mechanic (HKLM\...\{0005F358-4516-4DC1-8E92-0210D7DDA29C}_is1) (Version: 1.0.0.1344 - )
Task: {C9BAE049-02D8-43A8-99F1-46825D4C3CDB} - System32\Tasks\Universal PC Mechanic_Logon => C:\Program Files\Universal PC Mechanic on {computername}\oscm.exe [2018-01-31] ()

Alterations made by the installer:
Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/5/18
Scan Time: 9:15 AM
Log File: b58b0a42-0a4c-11e8-9439-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3870
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 241428
Threats Detected: 64
Threats Quarantined: 64
Time Elapsed: 2 min, 47 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
  15. What is JetClean?
    The Malwarebytes research team has determined that JetClean is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog.
    How do I know if I am infected with JetClean?
    This is how the main screen of the system optimizer looks:
    You will find these icons in your taskbar, your start menu, and on your desktop:
    and see these warnings during install:
    and this screen at first use:
    You may see this entry in your list of installed programs:
    and this task in your list of Scheduled Tasks:
    How did JetClean get on my computer?
    These so-called system optimizers use different methods of getting installed. This particular one was downloaded through their website:
    How do I remove JetClean?
    Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so.
    Is there anything else I need to do to get rid of JetClean?
    No, Malwarebytes removes JetClean completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
    How would the full version of Malwarebytes help protect me?
    We hope our application and this guide have helped you eradicate this system optimizer.
    As you can see below, the full version of Malwarebytes would have protected you against the JetClean installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
    Technical details for experts
    You may see these entries in FRST logs:
    Alterations made by the installer:
    Malwarebytes log:
    As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
        Dynamically Blocks Malware Sites & Servers
        Malware Execution Prevention
    Save yourself the hassle and get protected.