Metallica

What is Toothy? The Malwarebytes research team has determined that Toothy is a forced extension. How do I know if my computer is affected by Toothy? You may see this entry in your list of installed Chrome extensions: with these properties: and these warnings during install: How did Toothy get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was a forced Chrome extension. But it was also available in the webstore at the time of writing. How do I remove Toothy? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Toothy? No, Malwarebytes removes Toothy completely. You may have to remove the Chrome Extension manually under Tools > More Tools > Extensions. Click on the bin behind the Toothy entry and confirm Remove in the prompt. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. We protect our customers from forced extensions by blocking the sites that spread them: Technical details for experts Possible signs in FRST logs: CHR Extension: (Toothy) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp [2017-09-26] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0 Adds the file 1506323501957.html"="9/25/2017 10:21 AM, 526 bytes, A Adds the file 1506323501957.js"="9/25/2017 7:12 AM, 293399 bytes, A Adds the file 1506323501957_128.png"="9/26/2017 9:27 AM, 4306 bytes, A Adds the file 1506323501957_16.png"="9/26/2017 9:27 AM, 520 bytes, A Adds the file 1506323501957_48.png"="9/26/2017 9:27 AM, 2736 bytes, A Adds the file 1506323501957_512.png"="9/25/2017 7:12 AM, 59428 bytes, A Adds the file manifest.json"="9/26/2017 9:27 AM, 1350 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\_locales\en Adds the file messages.json"="9/26/2017 9:27 AM, 153 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\_metadata Adds the file computed_hashes.json"="9/26/2017 9:27 AM, 4361 bytes, A Adds the file verified_contents.json"="9/25/2017 10:19 AM, 2151 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpohflomnaifbkibmjdappdifjmojgcp Adds the file 000003.log"="9/26/2017 9:27 AM, 0 bytes, A Adds the file CURRENT"="9/26/2017 9:27 AM, 16 bytes, A Adds the file LOCK"="9/26/2017 9:27 AM, 0 bytes, A Adds the file LOG"="9/26/2017 9:27 AM, 0 bytes, A Adds the file MANIFEST-000001"="9/26/2017 9:27 AM, 41 bytes, A Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/26/17 Scan Time: 9:38 AM Log File: a3be5516-a28d-11e7-b751-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.188 Update Package Version: 1.0.2887 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 321298 Threats Detected: 15 Threats Quarantined: 15 Time Elapsed: 2 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\_locales\en, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\_metadata, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\_locales, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KPOHFLOMNAIFBKIBMJDAPPDIFJMOJGCP, Quarantined, [625], [439099],1.0.2887 File: 10 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\_locales\en\messages.json, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\_metadata\computed_hashes.json, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\_metadata\verified_contents.json, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\1506323501957.html, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\1506323501957.js, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\1506323501957_128.png, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\1506323501957_16.png, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\1506323501957_48.png, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\1506323501957_512.png, Quarantined, [625], [439099],1.0.2887 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpohflomnaifbkibmjdappdifjmojgcp\4.9.354_0\manifest.json, Quarantined, [625], [439099],1.0.2887 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is PPass? The Malwarebytes research team has determined that PPass is adware. These adware applications display advertisements not originating from the sites you are browsing. The installer also bundles several other PUPs and adware programs. How do I know if my computer is affected by PPass? You may see these warnings and additional offers during install: and this icon in your taskbar and startmenu: You may see this new entry in your list of installed programs and features: How did PPass get on my computer? Adware applications use different methods for distributing themselves. This particular one was installed by a bundler. How do I remove PPass? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PPass? No, Malwarebytes removes PPass completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the PPass adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late. The web protection module also blocks their domain: Technical details for experts Possible signs in FRST logs: () C:\Users\{username}\AppData\Local\PPass\PPass.exe Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPass.exe.lnk [2017-09-25] ShortcutTarget: PPass.exe.lnk -> C:\Users\{username}\AppData\Local\PPass\PPass.exe () C:\Users\{username}\AppData\Local\PPass PPass (HKLM-x32\...\{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}) (Version: 1.0.0.0 - PPass Co.) Significant chganges made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\PPass Adds the file app"="9/25/2017 10:35 AM, 14 bytes, A Adds the file EngineIoClientDotNet.DLL"="1/4/2016 5:14 AM, 83968 bytes, A Adds the file Newtonsoft.Json.DLL"="12/29/2015 1:46 PM, 519168 bytes, A Adds the file PPass.exe"="4/7/2017 8:58 AM, 86528 bytes, A Adds the file SocketIoClientDotNet.DLL"="1/4/2016 6:46 AM, 26624 bytes, A Adds the file v"="4/7/2017 9:07 AM, 2 bytes, A Adds the file WebSocket4Net.DLL"="10/9/2015 11:40 PM, 90624 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Installer\{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4} Adds the file AppIcon"="9/25/2017 10:33 AM, 86528 bytes, RA In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup Adds the file PPass.exe.lnk"="9/25/2017 10:33 AM, 2048 bytes, A In the existing folder C:\Windows\Installer Adds the file 8b948e.msi"="9/25/2017 9:01 AM, 856064 bytes, A Adds the file SourceHash{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}"="9/25/2017 10:33 AM, 20480 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders] "C:\Users\{username}\AppData\Local\PPass\"="REG_SZ", "" "C:\Users\{username}\AppData\Roaming\Microsoft\Installer\"="REG_SZ", "" "C:\Users\{username}\AppData\Roaming\Microsoft\Installer\{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}\"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\093581EC0E0BAF949BA84EFA2827D3C7] "00000000000000000000000000000000"="REG_SZ", "01:\Software\PPass Co.\PPass\InstallFolder" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\{user SID}\Components\093581EC0E0BAF949BA84EFA2827D3C7] "ECD510D571E268048BCBF4EAA23CB54D"="REG_SZ", "01:\Software\PPass Co.\PPass\InstallFolder" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\{user SID}\Components\5A67D1A420A29F1499CCB1FD5C160EE9] "ECD510D571E268048BCBF4EAA23CB54D"="REG_SZ", "01:\Software\PPass Co.\PPass\Installed" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\{user SID}\Products\ECD510D571E268048BCBF4EAA23CB54D\Features] "ProductBaseFeature"="REG_SZ", "HR@8kSc%k?VZ4Ua'T+xOV+hn?6~B590m)epz'D([" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\{user SID}\Products\ECD510D571E268048BCBF4EAA23CB54D\InstallProperties] "AuthorizedCDFPrefix"="REG_SZ", "" "Comments"="REG_SZ", "" "Contact"="REG_SZ", "" "DisplayName"="REG_SZ", "PPass" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 790 "HelpLink"="REG_SZ", "" "HelpTelephone"="REG_SZ", "" "InstallDate"="REG_SZ", "20170925" "InstallLocation"="REG_SZ", "" "InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\" "Language"="REG_DWORD", 1033 "LocalPackage"="REG_SZ", "C:\Windows\Installer\8b948e.msi" "ModifyPath"="REG_EXPAND_SZ, "MsiExec.exe /X{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}" "NoModify"="REG_DWORD", 1 "Publisher"="REG_SZ", "PPass Co." "Readme"="REG_SZ", "" "Size"="REG_SZ", "" "UninstallString"="REG_EXPAND_SZ, "MsiExec.exe /X{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}" "URLInfoAbout"="REG_SZ", "" "URLUpdateInfo"="REG_SZ", "" "Version"="REG_DWORD", 16777216 "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 "WindowsInstaller"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}] "AuthorizedCDFPrefix"="REG_SZ", "" "Comments"="REG_SZ", "" "Contact"="REG_SZ", "" "DisplayName"="REG_SZ", "PPass" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 790 "HelpLink"="REG_SZ", "" "HelpTelephone"="REG_SZ", "" "InstallDate"="REG_SZ", "20170925" "InstallLocation"="REG_SZ", "" "InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\" "Language"="REG_DWORD", 1033 "ModifyPath"="REG_EXPAND_SZ, "MsiExec.exe /X{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}" "NoModify"="REG_DWORD", 1 "Publisher"="REG_SZ", "PPass Co." "Readme"="REG_SZ", "" "Size"="REG_SZ", "" "UninstallString"="REG_EXPAND_SZ, "MsiExec.exe /X{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}" "URLInfoAbout"="REG_SZ", "" "URLUpdateInfo"="REG_SZ", "" "Version"="REG_DWORD", 16777216 "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 "WindowsInstaller"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\ECD510D571E268048BCBF4EAA23CB54D] "AdvertiseFlags"="REG_DWORD", 388 "Assignment"="REG_DWORD", 0 "AuthorizedLUAApp"="REG_DWORD", 0 "Clients"="REG_MULTI_SZ, ": " "DeploymentFlags"="REG_DWORD", 2 "InstanceType"="REG_DWORD", 0 "Language"="REG_DWORD", 1033 "PackageCode"="REG_SZ", "E220321BDFF249D4F9B4704A36EB140E" "ProductIcon"="REG_EXPAND_SZ, "%APPDATA%\Microsoft\Installer\{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}\AppIcon" "ProductName"="REG_SZ", "PPass" "Version"="REG_DWORD", 16777216 [HKEY_CURRENT_USER\Software\PPass Co.\PPass] "Installed"="REG_SZ", "yes" "InstallFolder"="REG_SZ", "C:\Users\{username}\AppData\Local\PPass\" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/25/17 Scan Time: 1:07 PM Log File: b75007e8-a1e1-11e7-b751-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.188 Update Package Version: 1.0.2880 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 321142 Threats Detected: 16 Threats Quarantined: 16 Time Elapsed: 1 min, 46 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.PPass, HKCU\SOFTWARE\PPass Co., Delete-on-Reboot, [972], [438892],1.0.2880 PUP.Optional.PPass, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}, Delete-on-Reboot, [972], [438894],1.0.2880 Registry Value: 1 PUP.Optional.PPass, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}|DISPLAYNAME, Delete-on-Reboot, [972], [438894],1.0.2880 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.PPass, C:\USERS\{username}\APPDATA\LOCAL\PPASS, Delete-on-Reboot, [972], [438887],1.0.2880 File: 10 PUP.Optional.PPass, C:\USERS\{username}\APPDATA\LOCAL\PPASS\WEBSOCKET4NET.DLL, Delete-on-Reboot, [972], [438887],1.0.2880 PUP.Optional.PPass, C:\Users\{username}\AppData\Local\PPass\EngineIoClientDotNet.DLL, Delete-on-Reboot, [972], [438887],1.0.2880 PUP.Optional.PPass, C:\Users\{username}\AppData\Local\PPass\Newtonsoft.Json.DLL, Delete-on-Reboot, [972], [438887],1.0.2880 PUP.Optional.PPass, C:\Users\{username}\AppData\Local\PPass\PPass.exe, Delete-on-Reboot, [972], [438887],1.0.2880 PUP.Optional.PPass, C:\Users\{username}\AppData\Local\PPass\SocketIoClientDotNet.DLL, Delete-on-Reboot, [972], [438887],1.0.2880 PUP.Optional.PPass, C:\Users\{username}\AppData\Local\PPass\v, Delete-on-Reboot, [972], [438887],1.0.2880 PUP.Optional.PPass, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\PPASS.EXE.LNK, Delete-on-Reboot, [972], [438888],1.0.2880 PUP.Optional.PPass, C:\USERS\{username}\DESKTOP\INSTALL.MSI, Delete-on-Reboot, [972], [438896],1.0.2880 PUP.Optional.PPass, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\INSTALLER\{5D015DCE-2E17-4086-B8BC-4FAE2AC35BD4}\APPICON, Delete-on-Reboot, [972], [438896],1.0.2880 PUP.Optional.PPass, C:\WINDOWS\INSTALLER\9775C1.MSI, Delete-on-Reboot, [972], [438896],1.0.2880 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Driver Updater? The Malwarebytes research team has determined that Driver Updater is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog. How do I know if I am infected with Driver Updater? This is how the main screen of the sytem optimizer looks: You will find these icons in your taskbar, your startmenu, and on your desktop: and see this warning during install: and these screens during "operations": and this site when you try to fix the "problems": You may see this entry in your list of installed programs: How did Driver Updater get on my computer? These so-called system optimizers use different methods of getting installed. This particular one was promoted by a fake online scan: How do I remove Driver Updater? Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Driver Updater? No, Malwarebytes removes Driver Updater completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this system optimizer. As you can see below the full version of Malwarebytes would have protected you against the Driver Updater installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for experts You may see these entries in FRST logs: (efixdrivers.com) C:\Program Files\Driver Updater\aptdu.exe C:\Windows\System32\Tasks\Driver Updater_Logon C:\Users\Public\Desktop\Driver Updater.lnk C:\Users\{username}\AppData\Roaming\efixdrivers.com C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Updater C:\Program Files\Driver Updater Driver Updater (HKLM\...\{ACE83A3B-6AE9-485B-B11A-293BA26BC725}_is1) (Version: 1.0.1000.36735 - efixdrivers.com) Task: {CF70F24D-AE4A-40B7-A8E9-4CD1D519F728} - System32\Tasks\Driver Updater_Logon => C:\Program Files\Driver Updater\aptdu.exe [2017-09-20] (efixdrivers.com) Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Driver Updater Adds the file aptdu.exe"="9/20/2017 6:07 PM, 2423616 bytes, A Adds the file aptdu.exe.config"="9/20/2017 6:06 PM, 3441 bytes, A Adds the file danish_iss.ini"="9/20/2017 4:43 PM, 2402 bytes, A Adds the file Delimon.Win32.IO.dll"="9/20/2017 4:43 PM, 950272 bytes, A Adds the file DUContent.dll"="9/20/2017 5:33 PM, 1875968 bytes, A Adds the file Dutch_iss.ini"="9/20/2017 4:43 PM, 2592 bytes, A Adds the file english_iss.ini"="9/20/2017 4:43 PM, 2256 bytes, A Adds the file finish_iss.ini"="9/20/2017 4:43 PM, 2368 bytes, A Adds the file French_iss.ini"="9/20/2017 4:43 PM, 2792 bytes, A Adds the file german_iss.ini"="9/20/2017 4:43 PM, 2658 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="9/20/2017 4:44 PM, 49152 bytes, A Adds the file italian_iss.ini"="9/20/2017 4:43 PM, 2532 bytes, A Adds the file japanese_iss.ini"="9/20/2017 4:43 PM, 1844 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="9/20/2017 4:44 PM, 171008 bytes, A Adds the file NAudio.dll"="9/20/2017 4:43 PM, 471040 bytes, A Adds the file norwegian_iss.ini"="9/20/2017 4:43 PM, 2358 bytes, A Adds the file portuguese_iss.ini"="9/20/2017 4:43 PM, 2424 bytes, A Adds the file russian_iss.ini"="9/20/2017 4:43 PM, 2494 bytes, A Adds the file spanish_iss.ini"="9/20/2017 4:43 PM, 2548 bytes, A Adds the file swedish_iss.ini"="9/20/2017 4:43 PM, 2270 bytes, A Adds the file System.ServiceModel.dll"="7/3/2017 8:17 AM, 5992448 bytes, A Adds the file TAFactory.IconPack.dll"="9/20/2017 4:44 PM, 36864 bytes, A Adds the file TaskScheduler.dll"="9/20/2017 6:07 PM, 48448 bytes, A Adds the file unins000.dat"="9/22/2017 8:56 AM, 84335 bytes, A Adds the file unins000.exe"="9/22/2017 8:56 AM, 1216832 bytes, A Adds the file unins000.msg"="9/22/2017 8:56 AM, 22701 bytes, A Adds the folder C:\Program Files\Driver Updater\dp Adds the file 7z.dll"="9/20/2017 4:43 PM, 1073664 bytes, A Adds the file 7z.exe"="9/20/2017 4:43 PM, 265216 bytes, A Adds the file difxapi.dll"="9/20/2017 4:43 PM, 323464 bytes, A Adds the file difxapi64.dll"="9/20/2017 4:43 PM, 519048 bytes, A Adds the file DPInst32.exe"="9/20/2017 6:07 PM, 552768 bytes, A Adds the file DPInst64.exe"="9/20/2017 6:07 PM, 678208 bytes, A Adds the file DriversPath.exe"="9/20/2017 6:07 PM, 289088 bytes, A Adds the file FileValidator.exe"="9/20/2017 6:07 PM, 296768 bytes, A Adds the folder C:\Program Files\Driver Updater\Langs Adds the file danish_du_da.ini"="9/20/2017 4:50 PM, 57318 bytes, A Adds the file Dutch_du_nl.ini"="9/20/2017 4:50 PM, 59086 bytes, A Adds the file english_du_en.ini"="9/20/2017 4:50 PM, 53918 bytes, A Adds the file finish_du_fi.ini"="9/20/2017 4:50 PM, 57306 bytes, A Adds the file French_du_fr.ini"="9/20/2017 4:50 PM, 60520 bytes, A Adds the file german_du_de.ini"="9/20/2017 4:50 PM, 61118 bytes, A Adds the file italian_du_it.ini"="9/20/2017 4:50 PM, 58924 bytes, A Adds the file japanese_du_ja.ini"="9/20/2017 4:50 PM, 41836 bytes, A Adds the file norwegian_du_no.ini"="9/20/2017 4:50 PM, 55810 bytes, A Adds the file portuguese_du_ptbr.ini"="9/20/2017 4:50 PM, 58642 bytes, A Adds the file russian_du_ru.ini"="9/20/2017 4:50 PM, 60366 bytes, A Adds the file spanish_du_es.ini"="9/20/2017 4:50 PM, 65814 bytes, A Adds the file swedish_du_sv.ini"="9/20/2017 4:50 PM, 58228 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Updater Adds the file Buy Driver Updater.lnk"="9/22/2017 8:56 AM, 873 bytes, A Adds the file Driver Updater.lnk"="9/22/2017 8:56 AM, 853 bytes, A Adds the file Uninstall Driver Updater.lnk"="9/22/2017 8:56 AM, 888 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\efixdrivers.com\Driver Updater Adds the file Errorlog.txt"="9/22/2017 8:57 AM, 273490 bytes, A Adds the file param.ini"="9/22/2017 8:56 AM, 376 bytes, A Adds the file res.bin"="9/22/2017 8:57 AM, 33232 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\efixdrivers.com\Driver Updater\Backups Adds the folder C:\Users\{username}\AppData\Roaming\efixdrivers.com\Driver Updater\Download Adds the folder C:\Users\{username}\AppData\Roaming\efixdrivers.com\Driver Updater\smico Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Speech\Files\UserLexicons Adds the file SP_FFF47D0DFB844CAAA991411DC41F130D.dat"="9/22/2017 8:57 AM, 940 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Driver Updater.lnk"="9/22/2017 8:56 AM, 835 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Driver Updater_Logon"="9/22/2017 8:57 AM, 3040 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\duefx-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "nl" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "phone"="REG_SZ", "" "pxl"="REG_SZ", "WAD2233_WAD2187_RUNT" "utm_campaign"="REG_SZ", "wadsphere" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "1d92a736-cecd-4fbd-9f74-ef26d8616e82" "utm_source"="REG_SZ", "wadsphere" "x-at"="REG_SZ", "64787" "x-base"="REG_SZ", "" "x-context"="REG_SZ", "d0U39F4CTOANABD81SDMM65U" [HKEY_LOCAL_MACHINE\SOFTWARE\efixdrivers.com\Driver Updater] "affiliateid"="REG_SZ", "" "affired"="REG_DWORD", 0 "afterInstallUrl"="REG_SZ", "http://www.ppacti.com/install/du/?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "nl" "delay"="REG_DWORD", 0 "devicesscanned"="REG_DWORD", 55 "EmailURL"="REG_SZ", "driverupdater" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ......................................................................................................................................................................................................................................................................................................................................................................................................... "ignoreddrivercount"="REG_DWORD", 0 "Installstring"="REG_SZ", "C:\Program Files\Driver Updater" "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lastscandate"="REG_SZ", "9/22/2017 6:57:52 AM" "lastscanstatus"="REG_DWORD", 2 "lastupdatedate"="REG_SZ", "1/1/0001 12:00:00 AM" "oldmissingdrivercount"="REG_DWORD", 6 "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://driverupdater.esecureshoppe.com/du/price?" "pxl"="REG_SZ", "WAD2233_WAD2187_RUNT" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://driverupdater.esecureshoppe.com/du/renewal?" "rescan"="REG_DWORD", 0 "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 1 "showwfo"="REG_DWORD", 1 "supporturl"="REG_SZ", "http://www.efixdrivers.com/help/" "TELNO"="REG_SZ", "+31-08-58882839" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "0120-993-506" "TELNO_jp"="REG_SZ", "0120-993-506" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "801-447-5902" "uptodatedrivercount"="REG_DWORD", 49 "utm_campaign"="REG_SZ", "wadsphere" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "1d92a736-cecd-4fbd-9f74-ef26d8616e82" "utm_source"="REG_SZ", "wadsphere" "vendorLogo"="REG_SZ", "common_logo.jpg" "vendorMachineAvi"="REG_SZ", "res://DUContent.dll/GIF/common_desktop.gif" "WebURL"="REG_SZ", "http://www.efixdrivers.com/" "wfoset"="REG_DWORD", 1 "x-at"="REG_SZ", "64787" "x-base"="REG_SZ", "" "x-ccode"="REG_SZ", "nl" "x-context"="REG_SZ", "d0U39F4CTOANABD81SDMM65U" "x-datetime"="REG_SZ", "09-22-2017 06:56:45 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "90_145_230_242" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ACE83A3B-6AE9-485B-B11A-293BA26BC725}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Driver Updater\aptdu.exe" "DisplayName"="REG_SZ", "Driver Updater" "DisplayVersion"="REG_SZ", "1.0.1000.36735" "EstimatedSize"="REG_DWORD", 17595 "HelpLink"="REG_SZ", "http://www.efixdrivers.com/help/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Driver Updater" "Inno Setup: Icon Group"="REG_SZ", "Driver Updater" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.9 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20170922" "InstallLocation"="REG_SZ", "C:\Program Files\Driver Updater\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "efixdrivers.com" "QuietUninstallString"="REG_SZ", ""C:\Program Files\Driver Updater\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Driver Updater\unins000.exe" /SILENT" "URLInfoAbout"="REG_SZ", "http://www.efixdrivers.com/" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 [HKEY_LOCAL_MACHINE\SOFTWARE\ZWZpeGRyaXZlcnMuY29t\RHJpdmVyIFVwZGF0ZXI=\ACT] "data"="REG_BINARY, ..........................................................................................................................................................................................................................................................................................................._....................... [HKEY_CURRENT_USER\Software\efixdrivers.com\Driver Updater] "affiliateid"="REG_SZ", "" "Installstring"="REG_SZ", "C:\Program Files\Driver Updater" "LangCode"="REG_SZ", "en" "pxl"="REG_SZ", "WAD2233_WAD2187_RUNT" "utm_campaign"="REG_SZ", "wadsphere" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "1d92a736-cecd-4fbd-9f74-ef26d8616e82" "utm_source"="REG_SZ", "wadsphere" "x-at"="REG_SZ", "64787" "x-base"="REG_SZ", "" "x-context"="REG_SZ", "d0U39F4CTOANABD81SDMM65U" "x-datetime"="REG_SZ", "09-22-2017 06:56:45 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "90_145_230_242" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" [HKEY_CURRENT_USER\Software\efixdrivers.com\Driver Updater\1.0.1000.36735] [HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files] "Datafile"="REG_SZ", "%1a%\Microsoft\Speech\Files\UserLexicons\SP_FFF47D0DFB844CAAA991411DC41F130D.dat" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/22/17 Scan Time: 9:08 AM Log File: e2460ab3-9f64-11e7-9d99-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.188 Update Package Version: 1.0.2861 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 320776 Threats Detected: 72 Threats Quarantined: 72 Time Elapsed: 1 min, 55 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\aptdu.exe, Quarantined, [8849], [437562],1.0.2861 Module: 2 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\aptdu.exe, Quarantined, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Microsoft.Win32.TaskScheduler.dll, Quarantined, [8849], [437562],1.0.2861 Registry Key: 7 PUP.Optional.DriverUpdater, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{ACE83A3B-6AE9-485B-B11A-293BA26BC725}_is1, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.AdvancedPCCare, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CF70F24D-AE4A-40B7-A8E9-4CD1D519F728}, Delete-on-Reboot, [58], [412119],1.0.2861 PUP.Optional.AdvancedPCCare, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Driver Updater_Logon, Delete-on-Reboot, [58], [412118],1.0.2861 PUP.Optional.DriverUpdater, HKLM\SOFTWARE\duefx-pr, Delete-on-Reboot, [8849], [437563],1.0.2861 PUP.Optional.DriverUpdater, HKLM\SOFTWARE\efixdrivers.com, Delete-on-Reboot, [8849], [437564],1.0.2861 PUP.Optional.DriverUpdater, HKLM\SOFTWARE\ZWZpeGRyaXZlcnMuY29t, Delete-on-Reboot, [8849], [437570],1.0.2861 PUP.Optional.DriverUpdater, HKCU\SOFTWARE\efixdrivers.com, Delete-on-Reboot, [8849], [437565],1.0.2861 Registry Value: 1 PUP.Optional.AdvancedPCCare, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CF70F24D-AE4A-40B7-A8E9-4CD1D519F728}|PATH, Delete-on-Reboot, [58], [412119],1.0.2861 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.AdvancedPCCare, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DRIVER UPDATER, Delete-on-Reboot, [58], [412123],1.0.2861 PUP.Optional.DriverUpdater, C:\Users\{username}\AppData\Roaming\efixdrivers.com\Driver Updater\Download, Delete-on-Reboot, [8849], [437561],1.0.2861 PUP.Optional.DriverUpdater, C:\Users\{username}\AppData\Roaming\efixdrivers.com\Driver Updater\Backups, Delete-on-Reboot, [8849], [437561],1.0.2861 PUP.Optional.DriverUpdater, C:\Users\{username}\AppData\Roaming\efixdrivers.com\Driver Updater\smico, Delete-on-Reboot, [8849], [437561],1.0.2861 PUP.Optional.DriverUpdater, C:\Users\{username}\AppData\Roaming\efixdrivers.com\Driver Updater, Delete-on-Reboot, [8849], [437561],1.0.2861 PUP.Optional.DriverUpdater, C:\USERS\{username}\APPDATA\ROAMING\EFIXDRIVERS.COM, Delete-on-Reboot, [8849], [437561],1.0.2861 File: 54 PUP.Optional.Carambis, C:\USERS\PUBLIC\DESKTOP\DRIVER UPDATER.LNK, Delete-on-Reboot, [1907], [351666],1.0.2861 PUP.Optional.AdvancedPCCare, C:\WINDOWS\SYSTEM32\TASKS\DRIVER UPDATER_LOGON, Delete-on-Reboot, [58], [412117],1.0.2861 PUP.Optional.DriverUpdater, C:\PROGRAM FILES\DRIVER UPDATER\APTDU.EXE.CONFIG, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\dp\7z.dll, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\dp\7z.exe, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\dp\DPInst32.exe, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\dp\DPInst64.exe, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\dp\DriversPath.exe, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\dp\FileValidator.exe, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\danish_du_da.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\Dutch_du_nl.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\english_du_en.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\finish_du_fi.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\French_du_fr.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\german_du_de.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\italian_du_it.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\japanese_du_ja.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\norwegian_du_no.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\portuguese_du_ptbr.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\russian_du_ru.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\spanish_du_es.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Langs\swedish_du_sv.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\aptdu.exe, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\danish_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Delimon.Win32.IO.dll, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\DUContent.dll, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Dutch_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\english_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\finish_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\French_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\german_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Interop.IWshRuntimeLibrary.dll, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\italian_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\japanese_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\Microsoft.Win32.TaskScheduler.dll, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\NAudio.dll, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\norwegian_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\portuguese_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\russian_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\spanish_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\swedish_iss.ini, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\System.ServiceModel.dll, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\TAFactory.IconPack.dll, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\TaskScheduler.dll, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\unins000.dat, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\unins000.exe, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.DriverUpdater, C:\Program Files\Driver Updater\unins000.msg, Delete-on-Reboot, [8849], [437562],1.0.2861 PUP.Optional.AdvancedPCCare, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DRIVER UPDATER\BUY DRIVER UPDATER.LNK, Delete-on-Reboot, [58], [412123],1.0.2861 PUP.Optional.AdvancedPCCare, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Updater\Driver Updater.lnk, Delete-on-Reboot, [58], [412123],1.0.2861 PUP.Optional.AdvancedPCCare, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Updater\Uninstall Driver Updater.lnk, Delete-on-Reboot, [58], [412123],1.0.2861 PUP.Optional.DriverUpdater, C:\USERS\{username}\APPDATA\ROAMING\EFIXDRIVERS.COM\DRIVER UPDATER\ERRORLOG.TXT, Delete-on-Reboot, [8849], [437561],1.0.2861 PUP.Optional.DriverUpdater, C:\Users\{username}\AppData\Roaming\efixdrivers.com\Driver Updater\param.ini, Delete-on-Reboot, [8849], [437561],1.0.2861 PUP.Optional.DriverUpdater, C:\Users\{username}\AppData\Roaming\efixdrivers.com\Driver Updater\res.bin, Delete-on-Reboot, [8849], [437561],1.0.2861 PUP.Optional.DriverUpdater, C:\USERS\{username}\DESKTOP\DUEFIXSETUP.EXE, Delete-on-Reboot, [8849], [437560],1.0.2861 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Office 1.00? The Malwarebytes research team has determined that Office 1.00 is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. How do I know if my computer is affected by Office 1.00? You will see this screen as soon as the file is executed: You may see a short glimpse of this one before the screenlock and after you have stopped it: How did Office 1.00 get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was offered as an installer for a cracked Office version. How do I remove Office 1.00? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps. You may have to use the systems power button to shut the system down, or if you have that option, switch user and then shut down to get the system to reboot as this program actively stops a normal shutdown. Then boot into Safe Mode with Networking. As an alternative: we have found that in most cases the screenlock stops when you push the F7 key. After returning to your desktop, continue with the instructions below. You can use the Taskmanager to End the MicrosoftOffice process: Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Office 1.00? No, Malwarebytes removes Office 1.00 completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam. Technical details for experts You may see these entries in FRST logs: (Microsoft ) C:\Users\{username}\Desktop\microsoftoffice- blue Screen.exe () C:\Program Files (x86)\Microsoft Office\MicrosoftOffice.exe HKCU\...\Run: [SC.exe] => C:\Program Files (x86)\Microsoft Office\Microsoftoffice.exe [253952 2017-07-18] () C:\Program Files (x86)\Microsoft Office Microsoft Office 1.00 (HKLM-x32\...\Microsoft Office 1.00) (Version: 1.00 - Microsoft) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Microsoft Office Adds the file MicrosoftOffice.exe"="7/18/2017 3:51 PM, 253952 bytes, A Adds the file Uninstall.exe"="9/19/2017 8:48 AM, 99895 bytes, A Adds the file Uninstall.ini"="9/19/2017 8:48 AM, 2781 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Office 1.00] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Uninstall.exe" "DisplayName"="REG_SZ", "Microsoft Office 1.00" "DisplayVersion"="REG_SZ", "1.00" "EstimatedSize"="REG_DWORD", 346 "HelpLink"="REG_SZ", "mailto:support@microsoft.com" "InstallDate"="REG_SZ", "20170919" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\" "InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\" "Language"="REG_DWORD", 1033 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Microsoft" "UninstallString"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Uninstall.exe" "URLInfoAbout"="REG_SZ", "http://www.Microsoft.com/" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "SC.exe"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Microsoftoffice.exe" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/20/17 Scan Time: 3:04 PM Log File: 3e2aa053-9e04-11e7-8352-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.188 Update Package Version: 1.0.2850 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 320367 Threats Detected: 7 Threats Quarantined: 7 Time Elapsed: 2 min, 3 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Quarantined, [77], [437097],1.0.2850 Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Quarantined, [648], [437068],1.0.2850 Module: 2 Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Quarantined, [77], [437097],1.0.2850 Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Quarantined, [648], [437068],1.0.2850 Registry Key: 0 (No malicious items detected) Registry Value: 1 Trojan.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SC.EXE, Delete-on-Reboot, [77], [437097],1.0.2850 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 2 Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Delete-on-Reboot, [77], [437097],1.0.2850 Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Delete-on-Reboot, [648], [437068],1.0.2850 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

Do the detections match the ones mentioned here: https://blog.malwarebytes.com/security-world/2017/09/infected-ccleaner-downloads-from-official-servers/ and here: If not, let us know and we'll investigate further.

What is GetFreeGifs? The Malwarebytes research team has determined that GetFreeGifs is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. GetFreeGifs is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by GetFreeGifs? You may see this browser extensions/add-ons: these warnings during install: You may see this entry in your list of installed software: and this new homepage in the affected browsers: How did GetFreeGifs get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove GetFreeGifs? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of GetFreeGifs? If you are using Chrome, you may have to remove the Extension manually under Tools > More Tools > Extensions. Click on the bin behind the GetFreeGifs entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the GetFreeGifs hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/getfreegifs/S22699/index.html?n={n1}&p2={p21}&ptb={ptb1}&coid={coid1} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_oyMembers_@free.getfreegifs.com.xpi [2017-09-20] CHR Extension: (GetFreeGifs) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep [2017-09-20] C:\Users\{username}\AppData\Local\GetFreeGifsTooltab GetFreeGifs Internet Explorer Homepage and New Tab (HKCU\...\GetFreeGifsTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Most significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\GetFreeGifsTooltab Adds the file TooltabExtension.dll"="8/7/2017 6:31 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0 Adds the file bg.html"="7/10/2017 2:53 PM, 6119 bytes, A Adds the file buildVars"="7/10/2017 2:53 PM, 8 bytes, A Adds the file buildVars.js"="7/10/2017 2:53 PM, 2582 bytes, A Adds the file companionSW.js"="7/10/2017 2:53 PM, 15026 bytes, A Adds the file config.js"="7/10/2017 2:53 PM, 6203 bytes, A Adds the file contentScript.css"="7/10/2017 2:53 PM, 1362 bytes, A Adds the file contentScript.js"="7/10/2017 2:53 PM, 32297 bytes, A Adds the file debug.html"="7/10/2017 2:53 PM, 299 bytes, A Adds the file debug.jade"="7/10/2017 2:53 PM, 291 bytes, A Adds the file extension_toolbar_api.js"="7/10/2017 2:53 PM, 3146 bytes, A Adds the file initWidgetWindow.js"="7/10/2017 2:53 PM, 768 bytes, A Adds the file manifest.json"="9/20/2017 9:09 AM, 4065 bytes, A Adds the file newTabContentScript.js"="7/10/2017 2:53 PM, 1289 bytes, A Adds the file options.html"="7/10/2017 2:53 PM, 1910 bytes, A Adds the file spent.css"="7/10/2017 2:53 PM, 29420 bytes, A Adds the file spent.html"="7/10/2017 2:53 PM, 4990 bytes, A Adds the file spent.js"="7/10/2017 2:53 PM, 3767 bytes, A Adds the file spent2.css"="7/10/2017 2:53 PM, 29440 bytes, A Adds the file spent2.html"="7/10/2017 2:53 PM, 4988 bytes, A Adds the file spentJ.js"="7/10/2017 2:53 PM, 2892 bytes, A Adds the file spentK.html"="7/10/2017 2:53 PM, 3054 bytes, A Adds the file spentK.js"="7/10/2017 2:53 PM, 875 bytes, A Adds the file startup.js"="7/10/2017 2:53 PM, 4380 bytes, A Adds the file stub.html"="7/10/2017 2:53 PM, 371 bytes, A Adds the file stubby.html"="7/10/2017 2:53 PM, 2665 bytes, A Adds the file superFrame.js"="7/10/2017 2:53 PM, 724 bytes, A Adds the file toolbar.html"="7/10/2017 2:53 PM, 5293 bytes, A Adds the file toolbar.js"="7/10/2017 2:53 PM, 43162 bytes, A Adds the file toolbarUI.css"="7/10/2017 2:53 PM, 4331 bytes, A Adds the file toolbarUI.html"="7/10/2017 2:53 PM, 922 bytes, A Adds the file toolbarUI.js"="7/10/2017 2:53 PM, 28138 bytes, A Adds the file url.js"="7/10/2017 2:53 PM, 13245 bytes, A Adds the file urlFragmentActions.js"="7/10/2017 2:53 PM, 1944 bytes, A Adds the file webtooltab.cs.js"="7/10/2017 2:53 PM, 1694 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\_metadata Adds the file computed_hashes.json"="9/20/2017 9:09 AM, 48579 bytes, A Adds the file verified_contents.json"="7/10/2017 2:53 PM, 33279 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\adapter Adds the file adapterUtil.js"="7/10/2017 2:53 PM, 4533 bytes, A Adds the file widget-adapter.js"="7/10/2017 2:53 PM, 7647 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js Adds the file bs.30.js"="7/10/2017 2:53 PM, 1888 bytes, A Adds the file common.js"="7/10/2017 2:53 PM, 23233 bytes, A Adds the file dynamic.js"="7/10/2017 2:53 PM, 2169 bytes, A Adds the file enableDetect.js"="7/10/2017 2:53 PM, 1443 bytes, A Adds the file eventListening.js"="7/10/2017 2:53 PM, 567 bytes, A Adds the file global.js"="7/10/2017 2:53 PM, 4687 bytes, A Adds the file jquery-1.7.1.min.js"="7/10/2017 2:53 PM, 93868 bytes, A Adds the file list-interaction.js"="7/10/2017 2:53 PM, 5032 bytes, A Adds the file messageEventListener.js"="7/10/2017 2:53 PM, 983 bytes, A Adds the file navRedirector.js"="7/10/2017 2:53 PM, 1350 bytes, A Adds the file paramReplacer.js"="7/10/2017 2:53 PM, 5169 bytes, A Adds the file PartnerId.js"="7/10/2017 2:53 PM, 21973 bytes, A Adds the file set.js"="7/10/2017 2:53 PM, 531 bytes, A Adds the file underscore-1.3.1.min.js"="7/10/2017 2:53 PM, 12248 bytes, A Adds the file underscore-1.5.2.min.js"="7/10/2017 2:53 PM, 14431 bytes, A Adds the file unifiedLogging.js"="7/10/2017 2:53 PM, 1224 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api\background Adds the file ApiBasedWidget.js"="7/10/2017 2:53 PM, 15051 bytes, A Adds the file widget-api-impl.js"="7/10/2017 2:53 PM, 25378 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api\window Adds the file hiddenWidgetWindow.html"="7/10/2017 2:53 PM, 542 bytes, A Adds the file hiddenWidgetWindow.js"="7/10/2017 2:53 PM, 1253 bytes, A Adds the file hiddenWidgetWindowInit.js"="7/10/2017 2:53 PM, 343 bytes, A Adds the file widgetWindow.html"="7/10/2017 2:53 PM, 780 bytes, A Adds the file widgetWindow.js"="7/10/2017 2:53 PM, 1431 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\background Adds the file updateSearch.js"="7/10/2017 2:53 PM, 11273 bytes, A Adds the file updateSearchPromptBg.js"="7/10/2017 2:53 PM, 27728 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground Adds the file 07_buttons2.png"="7/10/2017 2:53 PM, 4928 bytes, A Adds the file 08_buttons2.png"="7/10/2017 2:53 PM, 6597 bytes, A Adds the file defaultSearchModal.html"="7/10/2017 2:53 PM, 6483 bytes, A Adds the file defaultSearchModalInjector.css"="7/10/2017 2:53 PM, 505 bytes, A Adds the file defaultSearchModalInjector.js"="7/10/2017 2:53 PM, 3031 bytes, A Adds the file tvf_btn_ok.png"="7/10/2017 2:53 PM, 2373 bytes, A Adds the file tvf_btn_ok2.png"="7/10/2017 2:53 PM, 3057 bytes, A Adds the file tvf_restart_alert_icon.png"="7/10/2017 2:53 PM, 1281 bytes, A Adds the file tvf_restart_icon.png"="7/10/2017 2:53 PM, 1670 bytes, A Adds the file updateSearchPromptFg.js"="7/10/2017 2:53 PM, 12292 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\icons Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\native Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kcdnokmjmlnenmcehbaofkjmebadocep Adds the file 000003.log"="9/20/2017 9:09 AM, 1213 bytes, A Adds the file CURRENT"="9/20/2017 9:09 AM, 16 bytes, A Adds the file LOCK"="9/20/2017 9:09 AM, 0 bytes, A Adds the file LOG"="9/20/2017 9:09 AM, 185 bytes, A Adds the file MANIFEST-000001"="9/20/2017 9:09 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kcdnokmjmlnenmcehbaofkjmebadocep Adds the file 000003.log"="9/20/2017 9:09 AM, 398 bytes, A Adds the file CURRENT"="9/20/2017 9:09 AM, 16 bytes, A Adds the file LOCK"="9/20/2017 9:09 AM, 0 bytes, A Adds the file LOG"="9/20/2017 9:09 AM, 184 bytes, A Adds the file MANIFEST-000001"="9/20/2017 9:09 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_oyMembers_@free.getfreegifs.com Adds the file storage.js"="9/20/2017 9:07 AM, 2108 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _oyMembers_@free.getfreegifs.com.xpi"="9/20/2017 9:07 AM, 28451 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\GetFreeGifs] "Start Page"="REG_SZ", "http://hp.myway.com/getfreegifs/S22699/index.html?n={n1}&p2=^CSU^glgyyy^S22699^nl&ptb={ptb1}&coid={coid1}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2FHYSCVNM%3Fc%3D{ptb1}%26ptb%3D^CSU^glgyyy^S22699^nl" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/getfreegifs/S22699/index.html?n={n1}&p2={p21}&ptb={ptb1}&coid={coid1}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\GetFreeGifsTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "GetFreeGifs Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\GetFreeGifsTooltab\TooltabExtension.dll" U uninstall:GetFreeGifs" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/20/17 Scan Time: 9:23 AM Log File: 9d591779-9dd4-11e7-a853-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.188 Update Package Version: 1.0.2847 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 320319 Threats Detected: 328 Threats Quarantined: 328 Time Elapsed: 1 min, 50 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GetFreeGifsTooltab\TooltabExtension.dll, Quarantined, [836], [356944],1.0.2847 Registry Key: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GetFreeGifsTooltab Uninstall Internet Explorer, Delete-on-Reboot, [259], [352442],1.0.2847 Registry Value: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GetFreeGifsTooltab Uninstall Internet Explorer|PUBLISHER, Delete-on-Reboot, [259], [352442],1.0.2847 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [259], [293497],1.0.2847 Data Stream: 0 (No malicious items detected) Folder: 86 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GetFreeGifsTooltab, Delete-on-Reboot, [836], [356944],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\abstractbutton\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedscript\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\thirdparty\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\uninstall\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedhtml\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\weather\css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\topapps\css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\weather\js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\weather\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\topapps\js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\generic\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\radio\css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedscript\html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\alert\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\flare\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\radio\js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\moviereviews\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\topapps, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\link\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\weather, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\abstractbutton, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedhtml\html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedscript\js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\common, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\rss\js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\rss\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\radio, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\test, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedhtml\js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedscript, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\flare\icons, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\images, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\rss, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\radio\radioWrapper, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\search\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\thirdparty, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\moviereviews\html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedhtml, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\radio\foreground, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\uninstall, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\radio\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\moviereviews\css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\moviereviews\js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\generic, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\weather, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api\background, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab\html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\alert, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\flare, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\moviereviews, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab\css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\search\html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\link, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab\js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\rss, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api\window, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\radio\css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\search, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\radio, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\adapter, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\native\libs, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\_metadata, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\native, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\icons, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KCDNOKMJMLNENMCEHBAOFKJMEBADOCEP, Delete-on-Reboot, [259], [301932],1.0.2847 File: 238 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GetFreeGifsTooltab\TooltabExtension.dll, Delete-on-Reboot, [836], [356944],1.0.2847 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KCDNOKMJMLNENMCEHBAOFKJMEBADOCEP\12.702.11.45161_0\MANIFEST.JSON, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\adapter\adapterUtil.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\adapter\widget-adapter.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\abstractbutton\background\abstractButton.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\alert\background\alertButton.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedhtml\background\embedHtmlWidget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedhtml\html\embedHtmlTemplate.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedhtml\html\innerEmbedHtmlTemplate.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedhtml\js\embedHtmlUI.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedscript\background\embedScriptWidget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedscript\html\embedScriptTemplate.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedscript\html\innerEmbedScriptTemplate.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\embedscript\js\embedScriptUI.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\flare\background\FlareWidget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\flare\icons\Icon_Flare_blue.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\flare\icons\Icon_Flare_pink.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\flare\icons\Thumbs.db, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\generic\background\GenericWidget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\link\background\linkButton.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\background\menuButton.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\css\menuframe.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\html\menuframe.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\images\right_arrow.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\images\right_arrow_white.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\js\jquery-1.7.1.min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\js\menuframe.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\js\query-string.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\js\underscore-1.3.1.min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\menu\README.txt, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\rss\background\RssWidget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\thirdparty\background\thirdPartyWidget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\uninstall\background\uninstallButton.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\components\weather\background\weatherButton.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\bs.30.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\common.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\dynamic.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\enableDetect.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\eventListening.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\global.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\jquery-1.7.1.min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\list-interaction.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\messageEventListener.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\navRedirector.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\paramReplacer.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\PartnerId.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\set.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\underscore-1.3.1.min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\underscore-1.5.2.min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\js\unifiedLogging.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\common\common.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\common\eventListening.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\common\jquery-1.7.1.min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\common\list-interaction.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\common\set.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\common\underscore-1.3.1.min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\radio\css\radio-widget.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\radio\js\radio-custom.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\radio\js\radio-parser.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\radio\js\radio-widget-ui.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\radio\js\radio-widget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\radio\radio-widget.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\rss\js\rss-widget-custom.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\rss\js\rss-widget-parse.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\rss\js\rss-widget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\rss\rssWidget.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\test\invalid.json, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\test\jquery.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\test\qunit.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\test\qunit.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\test\resource.json, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\test\resource.xml, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\test\testWidget.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\test\testWidget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\topapps\css\widget.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\topapps\js\nanigans-topapps-feed.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\topapps\js\topapps-config.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\topapps\js\widget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\topapps\widget.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\weather\css\weatherButton.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\weather\js\weather.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widgets\weather\weatherButton.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\common\widget-api\widget-context-1.0.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api\background\ApiBasedWidget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api\background\widget-api-impl.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api\window\hiddenWidgetWindow.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api\window\hiddenWidgetWindow.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api\window\hiddenWidgetWindowInit.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api\window\widgetWindow.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\api\window\widgetWindow.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\background\updateSearch.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\background\updateSearchPromptBg.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground\07_buttons2.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground\08_buttons2.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground\defaultSearchModal.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground\defaultSearchModalInjector.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground\defaultSearchModalInjector.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground\tvf_btn_ok.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground\tvf_btn_ok2.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground\tvf_restart_alert_icon.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground\tvf_restart_icon.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\defaultSearch\foreground\updateSearchPromptFg.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\moviereviews\background\MovieReviewsWidget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\moviereviews\css\movieReviews.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\moviereviews\html\movieReviews.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\moviereviews\js\movieReviews.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\radio\background\RadioWidget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\radio\css\toolbar-item.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\radio\foreground\button.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\radio\radioWrapper\radioWrapper.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\radio\radioWrapper\radioWrapper.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\search\background\searchBox.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\search\html\searchSuggestions.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\search\html\searchSuggestions.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\search\html\searchSuggestions.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\search\html\searchSuggestionsInit.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab\css\supertab.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab\html\supertab.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab\js\newtabfork.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab\js\reporting.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab\js\srchsugg.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab\js\supertab.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab\js\unifiedLogging.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\components\supertab\js\__utm.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\_metadata\computed_hashes.json, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\_metadata\verified_contents.json, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\icons\arrowSprite.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\icons\icon128.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\icons\icon16.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\icons\icon19disabled.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\icons\icon19on.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\icons\icon48.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\icons\tb_icon_search_disappearing_ask.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\235953198.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\235953210.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\235953211.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\235953262.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\235953279.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\down_arrow.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\IDR_PRODUCT_LOGO_16.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\IDR_WEBSTORE_ICON.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\magnifying_glass.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\RadioPlayerSprite.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\search_button.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\tvf_icon_guide.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\tvf_logo.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\images\wrench.png, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\newTabInitialize.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\chromeStorage.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\chromeUtils.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\companionSWUtils.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\exeManager.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\exeManagerNMD.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\exePackageManager.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\focusManager.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\globalBlacklistManager.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\messaging.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\mutation_summary-min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\mutation_summary.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\nativeMessagingDispatcher.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\newTabInfo.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\options.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\readLocalStorage.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\recentlyClosedTabs.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\reservespacefortoolbar.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\reservespaceifenabled.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\scriptInjector.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\searchContext.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\settingsOverrides.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\toolbarCookieParser.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\toolbarPreinit.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\underscore-1.3.1.min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\URILoaderContentScript.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\webTooltabAPI.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\Widget.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\widgetContentScriptInjectee.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\widgetFactory.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\js\widgetWindowManager.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\native\libs\jquery-1.7.1.min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\native\libs\jquery-1.9.1.min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\native\libs\underscore-1.5.2.min.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\native\cache.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\native\ce.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\native\debug.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\native\ss.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\activePing.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\buttonLogger.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\competitorDnsList.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\console.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\FFPreferencesPersister.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\httpTransport.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\HttpURL.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\internationalSearch.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\LocalStoragePersister.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\MindsparkGlobal.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\MindsparkGlobal.unitTest.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\MindsparkGlobalNotes.txt, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\rsvp-latest.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\searchSuggestLocale.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\testHttpTransport.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\unifiedLogger.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\unifiedLogging.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\universalConsole.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\shared\utils.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\spent2.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\bg.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\buildVars, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\buildVars.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\companionSW.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\config.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\contentScript.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\contentScript.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\debug.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\debug.jade, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\spentJ.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\spentK.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\spentK.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\startup.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\stub.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\stubby.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\superFrame.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\toolbar.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\toolbar.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\toolbarUI.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\toolbarUI.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\toolbarUI.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\url.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\urlFragmentActions.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\webtooltab.cs.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\extension_toolbar_api.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\initWidgetWindow.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\newTabContentScript.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\options.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\spent.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\spent.html, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\spent.js, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdnokmjmlnenmcehbaofkjmebadocep\12.702.11.45161_0\spent2.css, Delete-on-Reboot, [259], [301932],1.0.2847 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\GETFREEGIFS.{coid1}.EXE, Delete-on-Reboot, [259], [365288],1.0.2847 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Floxif? The Malwarebytes research team has determined that Floxif is a Trojan. This trojan was designed to download other malware and send information about the infected system to a C2 server. How do I know if my computer is affected by Floxif? This is the main screen of the program. The version number of the infected version was 5.33 You may also see some alarms or reports regarding connections to the IP 216.126.225.148. How did Floxif get on my computer? Trojans use different methods for distributing themselves. This particular one was offered as a download on the official server from August 15 until September 12 of 2017. How do I remove Floxif? Our program Malwarebytes can detect and remove this trojan. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Floxif? If you want to continue using CCleaner, make sure to donwload the latest version. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this trojan. As you can see below the full version of Malwarebytes would have protected you against the Floxif trojan. It would have warned you before the trojan could install itself, giving you a chance to stop it before it became too late. and we block the traffic to the associated IP and domains: Technical details for experts Possible signs in FRST logs: (Piriform Ltd) C:\Users\{username}\Desktop\CCleaner.exe Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/19/17 Scan Time: 6:48 PM Log File: 5493b75d-9d5a-11e7-804f-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.188 Update Package Version: 1.0.2842 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 320170 Threats Detected: 5 Threats Quarantined: 5 Time Elapsed: 2 min, 24 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 Trojan.Floxif, C:\USERS\{username}\DESKTOP\CCLEANER.EXE, Quarantined, [8821], [436380],1.0.2842 Module: 1 Trojan.Floxif, C:\USERS\{username}\DESKTOP\CCLEANER.EXE, Quarantined, [8821], [436380],1.0.2842 Registry Key: 1 Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO, Quarantined, [8825], [436394],1.0.2842 Registry Value: 1 Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO|TCID, Quarantined, [8825], [436394],1.0.2842 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Trojan.Floxif, C:\USERS\{username}\DESKTOP\CCLEANER.EXE, Quarantined, [8821], [436380],1.0.2842 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

Hi coops1, That is not a false positive. You can find more information here: https://blog.malwarebytes.com/security-world/2017/09/infected-ccleaner-downloads-from-official-servers/

If you ever run into such a situation again, can you disable Ransomware protection (Settings > Protection) and try again? Let us know please. It's the only module that could be responsible in our opinion. And if this is the case we would like to figure out why it does this in some rare occasions. Your help would be very much appreciated.

That is weird. CCleaner were whitelisted before this incident and you are using the latest version. So I have no idea how this could happen. Will ask though and let you know.

That's a relief. I have not heard of other circumstances that this might happen. Can you give me your version info for Malwarebytes, please? (From Settings > About) And I will ask around if anyone else might be able to help.

Hi, Not sure if it is related, but it might be: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html " For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner."

What is Derey? The Malwarebytes research team has determined that Derey is a forced extension. How do I know if my computer is affected by Derey? You may see this entry in your list of installed Chrome extensions: and these warnings during install: How did Derey get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was a forced Chrome extension. But it was also available in the webstore at the time of writing. How do I remove Derey? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Derey? No, Malwarebytes removes Derey completely. You may have to remove the Chrome Extension manually under Tools > More Tools > Extensions. Click on the bin behind the Derey entry and confirm Remove in the prompt. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. We protect our customers from forced extensions by blocking the sites that spread them: Technical details for experts Possible signs in FRST logs: CHR Extension: (Derey) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghdmifgjdoojlnpfflnpoeiebapknda [2017-09-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghdmifgjdoojlnpfflnpoeiebapknda\1.21.2_0 Adds the file background.js"="9/6/2017 3:23 PM, 70332 bytes, A Adds the file derey.png"="9/14/2017 12:21 PM, 535 bytes, A Adds the file manifest.json"="9/14/2017 12:21 PM, 953 bytes, A Adds the file popup.html"="9/6/2017 3:23 PM, 184 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghdmifgjdoojlnpfflnpoeiebapknda\1.21.2_0\_metadata Adds the file computed_hashes.json"="9/14/2017 12:21 PM, 1142 bytes, A Adds the file verified_contents.json"="9/6/2017 3:23 PM, 1631 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eghdmifgjdoojlnpfflnpoeiebapknda Adds the file 000003.log"="9/14/2017 12:21 PM, 0 bytes, A Adds the file CURRENT"="9/14/2017 12:21 PM, 16 bytes, A Adds the file LOCK"="9/14/2017 12:21 PM, 0 bytes, A Adds the file LOG"="9/14/2017 12:21 PM, 0 bytes, A Adds the file MANIFEST-000001"="9/14/2017 12:21 PM, 41 bytes, A Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/14/17 Scan Time: 4:59 PM Log File: 49eaec5e-995d-11e7-92a6-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.188 Update Package Version: 1.0.2804 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 319223 Threats Detected: 9 Threats Quarantined: 9 Time Elapsed: 1 min, 59 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghdmifgjdoojlnpfflnpoeiebapknda\1.21.2_0\_metadata, Quarantined, [622], [434837],1.0.2804 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghdmifgjdoojlnpfflnpoeiebapknda\1.21.2_0, Quarantined, [622], [434837],1.0.2804 Rogue.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EGHDMIFGJDOOJLNPFFLNPOEIEBAPKNDA, Quarantined, [622], [434837],1.0.2804 File: 6 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghdmifgjdoojlnpfflnpoeiebapknda\1.21.2_0\_metadata\computed_hashes.json, Quarantined, [622], [434837],1.0.2804 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghdmifgjdoojlnpfflnpoeiebapknda\1.21.2_0\_metadata\verified_contents.json, Quarantined, [622], [434837],1.0.2804 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghdmifgjdoojlnpfflnpoeiebapknda\1.21.2_0\background.js, Quarantined, [622], [434837],1.0.2804 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghdmifgjdoojlnpfflnpoeiebapknda\1.21.2_0\derey.png, Quarantined, [622], [434837],1.0.2804 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghdmifgjdoojlnpfflnpoeiebapknda\1.21.2_0\manifest.json, Quarantined, [622], [434837],1.0.2804 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghdmifgjdoojlnpfflnpoeiebapknda\1.21.2_0\popup.html, Quarantined, [622], [434837],1.0.2804 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is System Healer? The Malwarebytes research team has determined that System Healer is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog. How do I know if I am infected with System Healer? This is how the main screen of the sytem optimizer looks: You will find these icons in your taskbar, your startmenu, and on your desktop: and see this warning during install: and these screens during "operations": You may see this entry in your list of installed programs: and these tasks in your list of Scheduled Tasks: How did System Healer get on my computer? These so-called system optimizers use different methods of getting installed. This particular one was installed by a trojan. How do I remove System Healer? Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of System Healer? No, Malwarebytes removes System Healer completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this system optimizer. As you can see below the full version of Malwarebytes would have protected you against the System Healer installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for experts You may see these entries in FRST logs: () C:\Program Files (x86)\SystemHealer\SystemHealer.exe () C:\Program Files (x86)\SystemHealer\RescueMonitor.exe C:\ProgramData\65502caa-4b67-0 C:\ProgramData\65502caa-2ca3-1 C:\Windows\System32\Tasks\System HealerPeriod C:\Windows\System32\Tasks\System HealerStartUp C:\Windows\Tasks\System HealerStartUp.job C:\Windows\Tasks\System HealerPeriod.job C:\Users\{username}\AppData\Roaming\System Healer C:\Program Files (x86)\SystemHealer C:\Windows\System32\Tasks\{797E7947-080C-7D79-7E11-790C0C791179} C:\Windows\System32\Tasks\SystemHealer Task C:\Windows\System32\Tasks\SystemHealer Monitor C:\Windows\System32\Tasks\SystemHealer Run Delay C:\Users\{username}\Desktop\Launch System Healer.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Healer C:\ProgramData\65502caa-60f3-1 C:\ProgramData\65502caa-1aa1-0 System Healer (HKLM-x32\...\SystemHealer_is1) (Version: 4.4.0.3 - SystemHealer) Task: {380B6879-EC7D-43F3-ABAF-3E445AE73FE1} - System32\Tasks\{797E7947-080C-7D79-7E11-790C0C791179} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAAgADsAOwA7ACAAOwA7ACAAOwA7ADsAIAA7ACAAOwAgACAAIAAgADsAOwAgADsAIAA7ACAAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA (the data entry has 10112 more characters). Task: {64630517-7171-4191-851F-CB0FD50AEDD4} - System32\Tasks\SystemHealer Task => C:\Program Files (x86)\SystemHealer\RescueMonitor.exe [2017-09-12] () Task: {92F7FABC-FAAB-434B-9BF3-302E5C4C7195} - System32\Tasks\SystemHealer Run Delay => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2017-09-12] () Task: {99A76278-74FF-462F-9D05-232DD1F1C3C6} - System32\Tasks\SystemHealer Monitor => C:\Program Files (x86)\SystemHealer\HealerConsole.exe [2017-09-12] () Task: {B544A224-833D-4E79-A01E-55F82594FF32} - System32\Tasks\System HealerPeriod => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2017-09-12] () Task: {E941C75D-D6B7-4742-8FFE-8630DF08C36E} - System32\Tasks\System HealerStartUp => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2017-09-12] () Task: C:\Windows\Tasks\System HealerPeriod.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe Task: C:\Windows\Tasks\System HealerStartUp.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\SystemHealer Adds the file HealerConsole.exe"="9/12/2017 4:23 PM, 1155744 bytes, A Adds the file RescueMonitor.exe"="9/12/2017 4:23 PM, 1171104 bytes, A Adds the file SystemHealer.exe"="9/12/2017 4:23 PM, 3538080 bytes, A Adds the file SystemHealer.ini"="9/15/2017 10:53 AM, 843 bytes, A Adds the file unins000.dat"="9/15/2017 10:51 AM, 85807 bytes, A Adds the file unins000.exe"="9/15/2017 10:50 AM, 1321120 bytes, A Adds the file unins000.msg"="9/15/2017 10:51 AM, 22715 bytes, A Adds the folder C:\ProgramData\65502caa-1aa1-0 Adds the file 65502caa-1aa1-0.d"="6/15/2017 8:02 AM, 7915 bytes, A Adds the folder C:\ProgramData\65502caa-60f3-1 Adds the file 65502caa-60f3-1.d"="6/15/2017 8:02 AM, 7915 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Healer Adds the file Launch System Healer.lnk"="9/15/2017 10:51 AM, 1073 bytes, A Adds the file System Healer on the Web.url"="9/15/2017 10:51 AM, 53 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\System Healer Adds the file CallBanner.png"="9/15/2017 10:53 AM, 0 bytes, A Adds the file FinishedScan.png"="9/15/2017 10:53 AM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\System Healer\Languages Adds the file Danish.json"="9/12/2017 4:23 PM, 44596 bytes, A Adds the file Dutch.json"="9/12/2017 4:23 PM, 45466 bytes, A Adds the file English.json"="9/12/2017 4:23 PM, 41228 bytes, A Adds the file EnglishPC.json"="9/12/2017 4:23 PM, 40176 bytes, A Adds the file French.json"="9/12/2017 4:23 PM, 48856 bytes, A Adds the file German.json"="9/12/2017 4:23 PM, 48502 bytes, A Adds the file Italian.json"="9/12/2017 4:23 PM, 47200 bytes, A Adds the file Norwegian.json"="9/12/2017 4:23 PM, 46038 bytes, A Adds the file Parameters.json"="9/12/2017 4:23 PM, 906 bytes, A Adds the file Portuguese.json"="9/12/2017 4:23 PM, 46160 bytes, A Adds the file Spanish.json"="9/12/2017 4:23 PM, 49128 bytes, A Adds the file Swedish.json"="9/12/2017 4:23 PM, 46142 bytes, A Adds the file tmpLang.json"="9/15/2017 10:53 AM, 27559 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\System Healer\WL In the existing folder C:\Users\{username}\Desktop Adds the file Launch System Healer.lnk"="9/15/2017 10:51 AM, 1055 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file {797E7947-080C-7D79-7E11-790C0C791179}"="9/15/2017 10:51 AM, 24552 bytes, A Adds the file System HealerPeriod"="9/15/2017 10:53 AM, 2864 bytes, A Adds the file System HealerStartUp"="9/15/2017 10:53 AM, 2562 bytes, A Adds the file SystemHealer Monitor"="9/15/2017 10:51 AM, 3340 bytes, A Adds the file SystemHealer Run Delay"="9/15/2017 10:51 AM, 3330 bytes, A Adds the file SystemHealer Task"="9/15/2017 10:51 AM, 3576 bytes, A In the existing folder C:\Windows\Tasks Adds the file System HealerPeriod.job"="9/15/2017 10:53 AM, 280 bytes, A Adds the file System HealerStartUp.job"="9/15/2017 10:53 AM, 280 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures] "System HealerPeriod.job"="REG_BINARY, ................................ "System HealerPeriod.job.fp"="REG_DWORD", -1594678914 "System HealerStartUp.job"="REG_BINARY, ................................ "System HealerStartUp.job.fp"="REG_DWORD", -115040210 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564] "0"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\79e86af865502caa] "0"="REG_SZ", "9xIgKWFo5UocaV4yUEz39hMm3QmEYdUNwD6fgUaPDlv2KOCZvPDVYDKppb0WuEn1dPO-UIU1Nzx64r0X7QvLXDAQV-7PV_z068cg41xKHpyKCDQ0BDgFX7xkukoHqSRMLvhBgcey9-PcVYMD0NfFHRiCY-L_ZjnREPLyLRktG8H-xz7uBcQ1f-fMN8wtJjpYn1Q7RQZ4m22j2ejXEfMDT4shqGiEyv5vBd0r6tHaw-ctYQfscFfhGLLsYlm8PbLT-JWQ8BzQYMlZTmiYd2bC_AyVMlgc8UwHz1WtnIqHUeFemh60tDG7eN_bM2grr_J1elnZQNDd8lha4fnRvu-0p0vzKtd2_MDUu5PXPNnJYlA_uxjHR_sr3XdXLzA42uVlq_IKzj2hXJNVIKiYgmluFo5Z7weyCv351yrncSRiiLeNK4Mon7U-yfrjghz8kAYHZ1xJj6aw6eCBNdkhUcaTcOX7VyalBNDTmy8PGkSiHRonrkKFrzcrargvh3ZyK_p1-3kQA1ZJHi1gpl7s90nMdi0mohwDt6u2Tj5qpK2xlSR9VWJoyOLocukr-DaBIks4O9gvkYaSrWHnNZjgAgK7GSytLDrQgKN-xfCaeu373RC1q_U_t4Fg6vaiAgLE23YuVtOJDKiFYrMVvR6Ukloi__Sr70HAIDp-DvsGXqU00r_pQ5jr_kY3R0B-wuYBVJSFywZ_Qu53geL7ukUs62WFKd-iR3DNjaNWbTUZrbgX_rOzdSKIQMt7ovmoV_NO2Cb7bIuUahxftYn21kInaRtVqN3APnr307xaeUKKIl-tMS617-3UycfNFHxHlEWzlGO-Gmq9sPDpFIJzQvmrhjPZocDMZJN77yd3ku0_OnHbVs4vT7RrroDf1vhqpe76W-70KzAtydRvJYZeTUq4D7UJ4tZmo1n4W5QgXR8qVHZs4iUO-VdGmMcRa7K58yIO1o6h4FSLmyO55xndiULPAiYiSI02r5I-Hr2-9EXDxroXav_4zq-BMNBPWVGOZBOBZN8k01SWjOdJ-J1lufnoRTHf7lMlewU_oOjgJPZfsr67QNvj7sYGs_CAxBO7nnvhm1ywsZaixqtTPcl2D_eT5A1A_2gTWkRHefigBdCnc3NuFVnGI8j-PTQ67bOAW7VB13naF8KsCSESV-NQS4rfw6d3nXL6aLIQrluRpcgkVEdj2vgOSLqxafezWqcOfL8o8il7_pUKFubwfHQDzrAyR23A_kY3OREXsjTRavMmFK8_329w_6ONpqvwhOvGYla6HyalBxpnP0tLRkUySznnnW15gIfTZb16DM1Rx5kihtyPDN0G_VoPVpawk3_fwmuJ2Qt2OyYGFDH0BKLGBgNpOuNXfZzqI6b8-HGui5TnJMV_QHGmGo3ytkSQQFnvY_qVMgzbXP8cJNznvrT8kvJkhxX4SDtAOv57kVTZB-_-6fT0i0Lb0ECc2j0-pDK_7NxyBv0Nv6_PgimcQSY_Zgp7EG6-mhPi8W59mv4uMQ-012yR0SI1Lu2e9FLi37eCpYmnitUhfzbm6fhg6wNo8Kbh__w9AHJORB-SD3R6aPRgoM6v_ibbVKCEeuIVdEQ60BMdoiu15qAhfZmASafGizoEcWvEwh3S5gLAd6-wjumg94PmlUyqZSB_v7JpLh6ghZWS5qQHAyPo7wnEEd4_tR7cOt_qk5pePejDhEKmLWLsvnmcKeUDCANtay_BMip4H7XQFI2KUNejVgp4R9sbPTW5A0vy32h4wT5lpjKLM8zHo_tKAb2vCiKmlKSZvhKrZ5B5owuwMOVG29OREnYCqMPQObBdB9CNfI7gPdekbyL3QolvbD8cZiLmqe7ZAqx7peNN8EFG_v2VPxCA3zX83f-nBBrWN73kybd7lXP0EAIC7oSbKpod7m12V-eN99hlK94ddWWKZ9d17DzdtrPMst5du5JUDk2UfzEG59t69pTtQhi3JYMaVeo-jsu6DmzE_4VLKHG7vX8PIMGa0EKQTa-7mKvM1fCpJYPgq1oKbkB9nqt1NrsVU0zamrDMFHmFb036JJC07bCJYpzKYKzBwSkX_GmCSc8wshGkhqpcmp9FtMiGIxm0_lkuT_v1seLKsIQKdiOhMaLisCeFxfnlvSoo_zRdX1i48X6HgqZQVT6qFaJJXIWigdowi9abQ5UAcwZff9qBctMAMCa-4hWtcRzIEedA-F27CW-0FStUGYfUl-uguYCQ4POqIYOQU75BsiO-UHeo5r-jRWTTTmNs4ye8F6lGePtsZqVsEl4d_UEOzd2efu7aiAqLKuuFYm-o4qelcvx9KXNsU5Loehb8r4sVe_OHn7ew2lcufQT98OwzEpXg9eWme3EJiQ2UE2Ur9Ne3hnnhR9I0XO4ooBpyTQkM9Fwg4AkrzpEguvZyk7PxETW9UVv9PeA8mqW9A--O1PwZSm2IdibdQR_EZlS9QfV8CBcmsH9s2vrX3FnS80Ba8LrlhBRpZ5fJDLv2-nRsi5XfoNWx8nZcky1d9k558RtL1gO2QPtvaUjGjXEjCsmSOpjC74tlUTwannWf61Rn7hsz3ri9AO-WG3Q2-6_vJ68ENzhjRJJqnbW8Wrvy7NUrG4uag1ZHLuLoblwO3GGes4xvxPpGjHsnb6ofQHfvQS7EyftlBxMAEyp94FKaHHj6Qhjnp4BA7fbirwW7HRjG4RagjaVtvVdDErdPwF-LGC1X0CVqeftH6H2NEhUeSZ7JjUlYeXZmzXtysdEGz1QIdmqDE2tIvmrlFCF9KoOnMhDEw9d1ghJo_cwhSK7yul9Q1wD1HCwctRkJ_S_a6os5nQOBZtxLZY0IuPkhnlSl61E9_gaIh1iob5KZUcOSILzYflolcnIloLQo2KmCTT-hDgPu3qfE-Y_uOsfdPmOCjewWqvCNWx3yuTu62lL5W_CCPTFkAulm2ySkP-a9i_07WxY1Nq0JvhNy5k34Y-HORVZSGscT5u3Qm7ekE8oUBfkOzumscamuj43rShJK82NXH-R" "1"="REG_SZ", "2favqz1zh5vAfKdHRV8gPGwZf0xl" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SystemHealer_is1] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\SystemHealer\SystemHealer.exe" "DisplayName"="REG_SZ", "System Healer" "DisplayVersion"="REG_SZ", "4.4.0.3" "EstimatedSize"="REG_DWORD", 7510 "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\SystemHealer" "Inno Setup: Icon Group"="REG_SZ", "System Healer" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.9 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20170915" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\SystemHealer\" "MajorVersion"="REG_DWORD", 4 "MinorVersion"="REG_DWORD", 4 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "SystemHealer" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\SystemHealer\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\SystemHealer\unins000.exe" /VERYSILENT" "URLInfoAbout"="REG_SZ", "http://www.systemhealer.com" "VersionMajor"="REG_DWORD", 4 "VersionMinor"="REG_DWORD", 4 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\04262113-2a31-48e1-b4bb-3b42174bea0f] "Description"="REG_EXPAND_SZ, "One System Care battery save scheme." "FriendlyName"="REG_EXPAND_SZ, "One System Care Saver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\04262113-2a31-48e1-b4bb-3b42174bea0f\245d8541-3943-4422-b025-13a784f679b7] "ACSettingIndex"="REG_DWORD", 0 "DCSettingIndex"="REG_DWORD", 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\e24b7131-d039-43cb-9e6f-ad4be601ec1f] "Description"="REG_EXPAND_SZ, "One System Care game scheme." "FriendlyName"="REG_EXPAND_SZ, "One System Care Gaming" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\e24b7131-d039-43cb-9e6f-ad4be601ec1f\245d8541-3943-4422-b025-13a784f679b7] "ACSettingIndex"="REG_DWORD", 1 "DCSettingIndex"="REG_DWORD", 1 [HKEY_CURRENT_USER\Console\%SystemRoot%_System32_svchost.exe] "WindowPosition"="REG_DWORD", 201329664 [HKEY_CURRENT_USER\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe] "WindowPosition"="REG_DWORD", 201329664 [HKEY_CURRENT_USER\Console\taskeng.exe] "WindowPosition"="REG_DWORD", 201329664 [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted] "C:\Users\{username}\Desktop\SystemHealerSetup.exe"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\System Healer] "CartURL"="REG_SZ", "1" "Configuration"="REG_BINARY, ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ "InitialScan"="REG_DWORD", 1 "InstLang"="REG_SZ", "1033" "RegularScan"="REG_DWORD", 1 "rn"="REG_DWORD", 0 Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/15/17 Scan Time: 11:09 AM Log File: a36a5650-99f5-11e7-a9d1-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.188 Update Package Version: 1.0.2811 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 319521 Threats Detected: 88 Threats Quarantined: 88 Time Elapsed: 3 min, 1 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 3 PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\RescueMonitor.exe, Quarantined, [980], [182463],1.0.2811 PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\SystemHealer.exe, Quarantined, [980], [182463],1.0.2811 PUP.Optional.SystemHealer, C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE, Quarantined, [980], [116850],1.0.2811 Module: 1 PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\SystemHealer.exe, Quarantined, [980], [182463],1.0.2811 Registry Key: 18 PUP.Optional.SystemHealer, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{797E7947-080C-7D79-7E11-790C0C791179}, Quarantined, [980], [-1],0.0.0 PUP.Optional.SystemHealer, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{380B6879-EC7D-43F3-ABAF-3E445AE73FE1}, Quarantined, [980], [-1],0.0.0 PUP.Optional.SystemHealer, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{380B6879-EC7D-43F3-ABAF-3E445AE73FE1}, Quarantined, [980], [-1],0.0.0 PUP.Optional.SystemHealer, HKCU\SOFTWARE\SYSTEM HEALER, Quarantined, [980], [261796],1.0.2811 Adware.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564, Quarantined, [1728], [424293],1.0.2811 PUP.Optional.PSScriptLoad.ACMB3, HKCU\CONSOLE\TASKENG.EXE, Quarantined, [5380], [425125],1.0.2811 PUP.Optional.PSScriptLoad.ACMB3, HKCU\CONSOLE\%SYSTEMROOT%_SYSTEM32_SVCHOST.EXE, Quarantined, [5380], [425124],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{64630517-7171-4191-851F-CB0FD50AEDD4}, Quarantined, [980], [258707],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{92F7FABC-FAAB-434B-9BF3-302E5C4C7195}, Quarantined, [980], [258707],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\System HealerPeriod, Quarantined, [980], [252787],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{99A76278-74FF-462F-9D05-232DD1F1C3C6}, Quarantined, [980], [258707],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B544A224-833D-4E79-A01E-55F82594FF32}, Quarantined, [980], [258706],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E941C75D-D6B7-4742-8FFE-8630DF08C36E}, Quarantined, [980], [258706],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\System HealerStartUp, Quarantined, [980], [252787],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SystemHealer Monitor, Quarantined, [980], [252788],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SystemHealer Run Delay, Quarantined, [980], [252788],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SystemHealer_is1, Quarantined, [980], [182463],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SystemHealer Task, Quarantined, [980], [252788],1.0.2811 Registry Value: 9 PUP.Optional.PSScriptLoad.ACMB3, HKCU\CONSOLE\%SYSTEMROOT%_SYSTEM32_WINDOWSPOWERSHELL_V1.0_POWERSHELL.EXE|WINDOWPOSITION, Quarantined, [5380], [425126],1.0.2811 PUP.Optional.SystemHealer, HKCU\SOFTWARE\SYSTEM HEALER|CARTURL, Quarantined, [980], [261796],1.0.2811 PUP.Optional.PSScriptLoad.ACMB3, HKCU\CONSOLE\TASKENG.EXE|WINDOWPOSITION, Quarantined, [5380], [425125],1.0.2811 PUP.Optional.PSScriptLoad.ACMB3, HKCU\CONSOLE\%SYSTEMROOT%_SYSTEM32_SVCHOST.EXE|WINDOWPOSITION, Quarantined, [5380], [425124],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{64630517-7171-4191-851F-CB0FD50AEDD4}|PATH, Quarantined, [980], [258707],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{92F7FABC-FAAB-434B-9BF3-302E5C4C7195}|PATH, Quarantined, [980], [258707],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{99A76278-74FF-462F-9D05-232DD1F1C3C6}|PATH, Quarantined, [980], [258707],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B544A224-833D-4E79-A01E-55F82594FF32}|PATH, Quarantined, [980], [258706],1.0.2811 PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E941C75D-D6B7-4742-8FFE-8630DF08C36E}|PATH, Quarantined, [980], [258706],1.0.2811 Registry Data: 4 Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, Replaced, [1728], [-1],0.0.0 Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, Replaced, [1728], [-1],0.0.0 Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{EDB0D6D8-B1F7-496F-A023-44DF7155F1CD}|NameServer, Replaced, [1728], [-1],0.0.0 Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{EDB0D6D8-B1F7-496F-A023-44DF7155F1CD}|DhcpNameServer, Replaced, [1728], [-1],0.0.0 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\WL, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\USERS\{username}\APPDATA\ROAMING\SYSTEM HEALER, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SYSTEM HEALER, Quarantined, [980], [181295],1.0.2811 PUP.Optional.SystemHealer, C:\PROGRAM FILES (X86)\SYSTEMHEALER, Quarantined, [980], [182463],1.0.2811 PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\65502caa-1aa1-0, Quarantined, [8358], [407181],1.0.2811 PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\65502caa-2ca3-1, Quarantined, [8358], [407181],1.0.2811 PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\65502caa-4b67-0, Quarantined, [8358], [407181],1.0.2811 PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\65502caa-60f3-1, Quarantined, [8358], [407181],1.0.2811 File: 44 PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\System HealerPeriod, Quarantined, [980], [252783],1.0.2811 PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\{797E7947-080C-7D79-7E11-790C0C791179}, Quarantined, [980], [-1],0.0.0 PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\System HealerStartUp, Quarantined, [980], [252783],1.0.2811 PUP.Optional.SystemHealer, C:\USERS\{username}\DESKTOP\LAUNCH SYSTEM HEALER.LNK, Quarantined, [980], [252782],1.0.2811 PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\SystemHealer Monitor, Quarantined, [980], [252784],1.0.2811 PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\SystemHealer Run Delay, Quarantined, [980], [252784],1.0.2811 PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\SystemHealer Task, Quarantined, [980], [252784],1.0.2811 PUP.Optional.Amonetize.Gen, C:\PROGRAMDATA\65502caa-2ca3-1\BITD931.tmp, Quarantined, [14727], [257931],1.0.2811 PUP.Optional.Amonetize.Gen, C:\PROGRAMDATA\65502caa-4b67-0\BITD961.tmp, Quarantined, [14727], [257931],1.0.2811 PUP.Optional.SystemHealer, C:\WINDOWS\TASKS\System HealerPeriod.job, Quarantined, [980], [252785],1.0.2811 PUP.Optional.SystemHealer, C:\WINDOWS\TASKS\System HealerStartUp.job, Quarantined, [980], [252785],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Danish.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Dutch.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\English.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\EnglishPC.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\French.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\German.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Italian.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Norwegian.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Parameters.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Portuguese.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Spanish.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Swedish.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\tmpLang.json, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\CallBanner.png, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\FinishedScan.png, Quarantined, [980], [181294],1.0.2811 PUP.Optional.SystemHealer, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Healer\Launch System Healer.lnk, Quarantined, [980], [181295],1.0.2811 PUP.Optional.SystemHealer, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Healer\System Healer on the Web.url, Quarantined, [980], [181295],1.0.2811 PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\HealerConsole.exe, Quarantined, [980], [182463],1.0.2811 PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\RescueMonitor.exe, Quarantined, [980], [182463],1.0.2811 PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\SystemHealer.exe, Quarantined, [980], [182463],1.0.2811 PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\SystemHealer.ini, Quarantined, [980], [182463],1.0.2811 PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\unins000.dat, Quarantined, [980], [182463],1.0.2811 PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\unins000.exe, Quarantined, [980], [182463],1.0.2811 PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\unins000.msg, Quarantined, [980], [182463],1.0.2811 PUP.Optional.BitsInstall.BITSRST, C:\ProgramData\65502caa-1aa1-0\65502caa-1aa1-0.d, Quarantined, [8358], [407181],1.0.2811 PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Delete-on-Reboot, [8358], [-1],0.0.0 PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Delete-on-Reboot, [8358], [-1],0.0.0 PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [8358], [-1],0.0.0 PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [8358], [-1],0.0.0 PUP.Optional.BitsInstall.BITSRST, C:\ProgramData\65502caa-60f3-1\65502caa-60f3-1.d, Quarantined, [8358], [407181],1.0.2811 PUP.Optional.SystemHealer, C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE, Quarantined, [980], [116850],1.0.2811 PUP.Optional.SystemHealer, C:\USERS\{username}\DESKTOP\SYSTEMHEALER.EXE, Quarantined, [980], [434913],1.0.2811 PUP.Optional.SystemHealer, C:\USERS\{username}\DESKTOP\SYSTEMHEALERSETUP.EXE, Quarantined, [980], [424479],1.0.2811 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

MBAM2 Version: v2017.09.14.04 MBAM3 Version: 1.0.2802