Jump to content

Metallica

Staff
  • Content Count

    2,291
  • Joined

  • Last visited

4 Followers

About Metallica

  • Rank
    Master of PUPs
  • Birthday 05/19/1963

Profile Information

  • Location
    Netherlands

Recent Profile Visitors

164,138 profile views
  1. What is Yatab?The Malwarebytes research team has determined that Yatab is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Yatab?You may see these warnings during install:these browser add-ons:these changed settings:and you will see this icon in the menubar of the affected browser(s):How did Yatab get on my computer?Browser hijackers use different methods for distributing themselves. These particular ones were downloaded from the respective webstores:after a redirect from their website:How do I remove Yatab?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Yatab? No, Malwarebytes removes Yatab completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Yatab hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: {708c3ac3-c8d9-486d-9d93-2ecfd512ef97} FF Extension: (YaTab) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{708c3ac3-c8d9-486d-9d93-2ecfd512ef97}.xpi [2019-02-22] CHR NewTab: Default -> Active:"chrome-extension://fkkfdilehekamhmocmkicmebbhcanobi/newtab.html" CHR DefaultSearchURL: Default -> hxxps://yatab.net/search.php?q={searchTerms} CHR DefaultSearchKeyword: Default -> search.yatab.net CHR DefaultSuggestURL: Default -> hxxps://yatab.net/suggestions.php?q={searchTerms} CHR Extension: (search.yatab.net) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi [2019-02-22] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0 Adds the file manifest.json"="2/22/2019 10:44 AM, 2176 bytes, A Adds the file newtab.html"="10/29/2018 8:32 PM, 6315 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\_metadata Adds the file computed_hashes.json"="2/22/2019 10:44 AM, 335588 bytes, A Adds the file verified_contents.json"="11/28/2018 11:22 AM, 51140 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app Adds the file app.js"="9/14/2018 5:35 PM, 2845 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\ Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\lib Adds the file angular.js"="9/14/2018 5:35 PM, 1270821 bytes, A Adds the file angular-animate.js"="9/14/2018 5:35 PM, 151136 bytes, A Adds the file angular-route.js"="9/14/2018 5:35 PM, 45008 bytes, A Adds the file angular-sanitize.js"="9/14/2018 5:35 PM, 29773 bytes, A Adds the file angular-ui-tree.js"="9/14/2018 5:35 PM, 69846 bytes, A Adds the file ngDialog.js"="9/14/2018 5:35 PM, 45061 bytes, A Adds the file ocLazyLoad.js"="9/14/2018 5:35 PM, 59778 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\shared Adds the file activity.service.js"="9/14/2018 5:35 PM, 544 bytes, A Adds the file bg.service.js"="10/18/2018 4:29 PM, 3335 bytes, A Adds the file cache.service.js"="9/14/2018 5:35 PM, 918 bytes, A Adds the file countdown.directive.js"="9/14/2018 5:35 PM, 1201 bytes, A Adds the file highlight.filter.js"="9/14/2018 5:35 PM, 226 bytes, A Adds the file ng-blur-delay.directive.js"="9/14/2018 5:35 PM, 311 bytes, A Adds the file notification.service.js"="9/14/2018 5:35 PM, 3306 bytes, A Adds the file require-action.filter.js"="9/14/2018 5:35 PM, 132 bytes, A Adds the file to-fahrenheit.filter.js"="9/14/2018 5:35 PM, 170 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\widgets Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\images Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\images Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\img Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js Adds the file background.js"="10/11/2018 1:10 PM, 416 bytes, A Adds the file init.js"="10/18/2018 4:26 PM, 2009 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations Adds the file anim_01.js"="9/14/2018 5:35 PM, 7572 bytes, A Adds the file anim_02.js"="9/14/2018 5:35 PM, 6679 bytes, A Adds the file anim_03.js"="9/14/2018 5:35 PM, 393 bytes, A Adds the file anim_03.json"="9/14/2018 5:35 PM, 118613 bytes, A Adds the file anim_04.js"="9/14/2018 5:35 PM, 2639 bytes, A Adds the file anim_05.js"="9/14/2018 5:35 PM, 393 bytes, A Adds the file anim_05.json"="9/14/2018 5:35 PM, 28108 bytes, A Adds the file anim_07.js"="9/14/2018 5:35 PM, 4966 bytes, A Adds the file lottie2.js"="9/14/2018 5:35 PM, 376916 bytes, A Adds the file MarchingCubes.js"="9/14/2018 5:35 PM, 34440 bytes, A Adds the file OrbitControls.js"="9/14/2018 5:35 PM, 22569 bytes, A Adds the file Stats.js"="9/14/2018 5:35 PM, 2176 bytes, A Adds the file three.js"="9/14/2018 5:35 PM, 1058675 bytes, A Adds the file TweenMax.js"="9/14/2018 5:35 PM, 111633 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi Adds the file 000003.log"="2/22/2019 10:47 AM, 1505 bytes, A Adds the file CURRENT"="2/22/2019 10:47 AM, 16 bytes, A Adds the file LOCK"="2/22/2019 10:47 AM, 0 bytes, A Adds the file LOG"="2/22/2019 10:47 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/22/2019 10:47 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi Adds the file 000003.log"="2/22/2019 10:47 AM, 161 bytes, A Adds the file CURRENT"="2/22/2019 10:47 AM, 16 bytes, A Adds the file LOCK"="2/22/2019 10:47 AM, 0 bytes, A Adds the file LOG"="2/22/2019 10:47 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/22/2019 10:47 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\{708c3ac3-c8d9-486d-9d93-2ecfd512ef97} Adds the file storage.js"="2/22/2019 10:47 AM, 101 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file {708c3ac3-c8d9-486d-9d93-2ecfd512ef97}.xpi"="2/22/2019 10:41 AM, 22365209 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fkkfdilehekamhmocmkicmebbhcanobi"="REG_SZ", "9287A4E289244EE8C0538DED8BF6046C7DCC3FD61BF7A91CD6B2974F7413C5CA" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/22/19 Scan Time: 10:55 AM Log File: 03144b08-3688-11e9-a96c-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.538 Update Package Version: 1.0.9386 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235963 Threats Detected: 430 Threats Quarantined: 430 Time Elapsed: 9 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.YaTab, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fkkfdilehekamhmocmkicmebbhcanobi, Quarantined, [242], [642648],1.0.9386 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 33 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\notifications, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\animations, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\extensions, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\bookmarks, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\quick-bar, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\settings, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\history, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\weather, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\search, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\notes, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\to-do, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\images\weather-icons, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\main, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\page, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\rate, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\images\bg_old, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\widgets, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\shared, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\images\bg, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\_metadata, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\lib, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\images, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\img, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\fkkfdilehekamhmocmkicmebbhcanobi, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{PROFILE}.DEFAULT\BROWSER-EXTENSION-DATA\{708C3AC3-C8D9-486D-9D93-2ECFD512EF97}, Quarantined, [242], [643047],1.0.9386 File: 396 PUP.Optional.YaTab, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{PROFILE}.DEFAULT\EXTENSIONS\{708C3AC3-C8D9-486D-9D93-2ECFD512EF97}.XPI, Quarantined, [242], [643049],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\animations\anim_01.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\animations\anim_02.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\animations\anim_03.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\animations\anim_04.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\animations\anim_05.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\animations\anim_06.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\animations\anim_07.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\bookmarks\bookmarks-bar.directive.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\bookmarks\bookmarks-bar.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\bookmarks\bookmarks.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\bookmarks\bookmarks.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\extensions\extensions.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\extensions\extensions.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\extensions\install-type.filter.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\history\history.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\history\history.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\main\main.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\notes\notes.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\notes\notes.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\notifications\notifications.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\notifications\notifications.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\page\page.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\page\page.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\quick-bar\quick-bar-settings.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\quick-bar\quick-bar-settings.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\rate\rate.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\rate\rate.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\search\search-cities.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\search\search.directive.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\search\search.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\settings\settings.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\settings\settings.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\to-do\to-do.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\to-do\to-do.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\weather\weather-settings.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\weather\weather-settings.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\weather\weather.controller.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\weather\weather.service.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\components\weather\weather.view.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\lib\angular-animate.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\lib\angular-route.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\lib\angular-sanitize.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\lib\angular-ui-tree.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\lib\angular.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\lib\ngDialog.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\lib\ocLazyLoad.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\shared\activity.service.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\shared\bg.service.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\shared\cache.service.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\shared\countdown.directive.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\shared\highlight.filter.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\shared\ng-blur-delay.directive.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\shared\notification.service.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\shared\require-action.filter.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\shared\to-fahrenheit.filter.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\app\app.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\widgets\_apps-widget.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\widgets\_history-widget.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\widgets\_notes-widget.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\widgets\_quick-bar-widget.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\widgets\_settings-widget.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\widgets\_todo-widget.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\widgets\_weather-widget.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\style.css, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\style.css.map, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\style.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\_animations.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\_dark-theme.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\_mixins.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\_modal.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\_ngdialog.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\_reset.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\css\_ui-tree.scss, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\images\vk.svg, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\images\widgets-icon-black.png, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\images\widgets-icon-black@2x.png, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\images\widgets-icon-white.png, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\images\widgets-icon-white@2x.png, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\img\icon_bookmarks_logo.png, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\img\icon_history_logo.png, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\img\icon_note_logo.png, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\img\icon_to-do_logo.png, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\img\icon_weather_logo.png, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\img\logo.svg, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\anim_01.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\anim_02.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\anim_03.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\anim_03.json, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\anim_04.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\anim_05.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\anim_05.json, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\anim_07.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\lottie2.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\MarchingCubes.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\OrbitControls.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\Stats.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\three.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\animations\TweenMax.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\background.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\js\init.js, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\_metadata\computed_hashes.json, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\_metadata\verified_contents.json, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\manifest.json, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkfdilehekamhmocmkicmebbhcanobi\4.1.1_0\newtab.html, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi\000003.log, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi\CURRENT, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi\LOCK, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi\LOG, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi\MANIFEST-000001, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi\000003.log, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi\CURRENT, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi\LOCK, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi\LOG, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fkkfdilehekamhmocmkicmebbhcanobi\MANIFEST-000001, Quarantined, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [242], [642648],1.0.9386 PUP.Optional.YaTab, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\{708c3ac3-c8d9-486d-9d93-2ecfd512ef97}\storage.js, Quarantined, [242], [643047],1.0.9386 PUP.Optional.YaTab, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [242], [642649],1.0.9386 PUP.Optional.YaTab, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [242], [642649],1.0.9386 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is Incognito Search?The Malwarebytes research team has determined that Incognito Search is a newtab hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Incognito Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Incognito Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Incognito Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Incognito Search? No, Malwarebytes removes Incognito Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Incognito Search hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://baihgfknnciojligbncdndkkbgmnnllg/html/newtab.html" CHR Extension: (Incognito Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg [2019-02-21] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0 Adds the file Archive created by free jZip.url"="11/26/2013 10:21 AM, 58 bytes, A Adds the file manifest.json"="2/21/2019 9:07 AM, 1263 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\_metadata Adds the file computed_hashes.json"="2/21/2019 9:07 AM, 1663 bytes, A Adds the file verified_contents.json"="1/29/2019 4:30 PM, 2616 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\css Adds the file style.css"="1/29/2019 4:29 PM, 5100 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\html Adds the file newtab.html"="1/29/2019 4:29 PM, 3428 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\icons Adds the file checker.gif"="1/29/2019 4:29 PM, 1095 bytes, A Adds the file IncognitoSearch-128.png"="2/21/2019 9:07 AM, 4833 bytes, A Adds the file sprite.png"="1/29/2019 4:29 PM, 24467 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\images Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\js Adds the file brand.js"="1/29/2019 4:29 PM, 627 bytes, A Adds the file common.js"="1/29/2019 4:29 PM, 350 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\js\bg Adds the file background.js"="1/29/2019 4:29 PM, 12827 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\js\newtab Adds the file clock.js"="1/29/2019 4:29 PM, 5857 bytes, A Adds the file searchItem.js"="1/29/2019 4:29 PM, 6943 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "baihgfknnciojligbncdndkkbgmnnllg"="REG_SZ", "47F4F28F65E4DB17FCC143F9D246D492054EF10824D3BE4427E6BDE41A896409" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/21/19 Scan Time: 9:19 AM Log File: 71b1a88b-35b1-11e9-bac3-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.538 Update Package Version: 1.0.9368 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235963 Threats Detected: 27 Threats Quarantined: 27 Time Elapsed: 3 min, 58 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.BlpSearch.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|baihgfknnciojligbncdndkkbgmnnllg, Quarantined, [14569], [443081],1.0.9368 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.BlpSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\js\newtab, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\_metadata, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\images, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\icons, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\js\bg, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\html, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\css, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\js, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BAIHGFKNNCIOJLIGBNCDNDKKBGMNNLLG\1.0.848.436_0, Quarantined, [14569], [443081],1.0.9368 File: 16 PUP.Optional.BlpSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BAIHGFKNNCIOJLIGBNCDNDKKBGMNNLLG\1.0.848.436_0\JS\BRAND.JS, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\css\style.css, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\html\newtab.html, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\icons\checker.gif, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\icons\IncognitoSearch-128.png, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\icons\sprite.png, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\js\bg\background.js, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\js\newtab\clock.js, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\js\newtab\searchItem.js, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\js\common.js, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\_metadata\computed_hashes.json, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\_metadata\verified_contents.json, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\Archive created by free jZip.url, Quarantined, [14569], [443081],1.0.9368 PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\baihgfknnciojligbncdndkkbgmnnllg\1.0.848.436_0\manifest.json, Quarantined, [14569], [443081],1.0.9368 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is GamesMuze Search?The Malwarebytes research team has determined that GamesMuze Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by GamesMuze Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did GamesMuze Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove GamesMuze Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of GamesMuze Search? No, Malwarebytes removes GamesMuze Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the GamesMuze Search hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://games.searchalgo.com/search/?category=web&s=gmds&q={searchTerms} CHR DefaultSearchKeyword: Default -> GamesMuze CHR DefaultSuggestURL: Default -> hxxp://sug.searchalgo.com/search/index_sg.php?q={searchTerms} CHR Extension: (GamesMuze Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien [2019-02-20] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0 Adds the file background.js"="12/8/2015 8:33 AM, 4328 bytes, A Adds the file manifest.json"="2/20/2019 8:45 AM, 1800 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/20/2019 8:45 AM, 183 bytes, A Adds the file verified_contents.json"="12/8/2015 8:33 AM, 1648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0\icons Adds the file icon128.png"="2/20/2019 8:45 AM, 4171 bytes, A Adds the file icon16.png"="2/20/2019 8:45 AM, 513 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mgbdaibcnpbhieicggggmacifjfflien"="REG_SZ", "C00B1EB764CA731124A73E067B622D4F7DC487497A8C81D4B26CFD655A6F87CD" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/20/19 Scan Time: 8:55 AM Log File: d5a19bb6-34e4-11e9-856a-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9348 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235827 Threats Detected: 15 Threats Quarantined: 15 Time Elapsed: 3 min, 36 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Muze, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|mgbdaibcnpbhieicggggmacifjfflien, Quarantined, [2297], [316915],1.0.9348 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0\_metadata, Quarantined, [2297], [316915],1.0.9348 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0\icons, Quarantined, [2297], [316915],1.0.9348 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0, Quarantined, [2297], [316915],1.0.9348 PUP.Optional.Muze, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MGBDAIBCNPBHIEICGGGGMACIFJFFLIEN, Quarantined, [2297], [316915],1.0.9348 File: 10 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0\icons\icon128.png, Quarantined, [2297], [316915],1.0.9348 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0\icons\icon16.png, Quarantined, [2297], [316915],1.0.9348 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0\_metadata\computed_hashes.json, Quarantined, [2297], [316915],1.0.9348 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0\_metadata\verified_contents.json, Quarantined, [2297], [316915],1.0.9348 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0\background.js, Quarantined, [2297], [316915],1.0.9348 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgbdaibcnpbhieicggggmacifjfflien\1.0.0_0\manifest.json, Quarantined, [2297], [316915],1.0.9348 PUP.Optional.Muze, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2297], [316915],1.0.9348 PUP.Optional.Muze, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2297], [316915],1.0.9348 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [351], [454816],1.0.9348 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [351], [454816],1.0.9348 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is Advanced Clean Pro?The Malwarebytes research team has determined that Advanced Clean Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Advanced Clean Pro?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and these screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did Advanced Clean Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website.How do I remove Advanced Clean Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Advanced Clean Pro? No, Malwarebytes removes Advanced Clean Pro completely. This PUP creates a scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Advanced Clean Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () C:\Program Files\Advanced-Clean-Pro for {computername}\rtc.exe C:\Users\{username}\AppData\Roaming\Advanced-Clean-Pro For {computername} C:\ProgramData\Advanced-Clean-Pro for {computername} C:\Windows\System32\Tasks\Advanced-Clean-Pro_Logon C:\Users\Public\Desktop\Advanced-Clean-Pro.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced-Clean-Pro for {computername} C:\Program Files\Advanced-Clean-Pro for {computername} ( ) C:\Users\{username}\Desktop\AdvancedCleanPro.exe Advanced-Clean-Pro (HKLM\...\{F07F0D86-0824-412D-BDA7-7BD8C1B77B15}_is1) (Version: 1.0.0.0 - ) Task: {A4D49888-5F8A-4EED-B8C9-991853EC73C6} - System32\Tasks\Advanced-Clean-Pro_Logon => C:\Program Files\Advanced-Clean-Pro for {computername}\rtc.exe (PC Fixers Tools -> ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Advanced-Clean-Pro for {computername} Adds the file application.ico"="1/8/2019 1:56 PM, 56150 bytes, A Adds the file danish_iss.ini"="5/16/2018 12:25 PM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/16/2018 12:25 PM, 2600 bytes, A Adds the file english_iss.ini"="5/16/2018 12:25 PM, 2256 bytes, A Adds the file finish_iss.ini"="5/16/2018 12:25 PM, 2368 bytes, A Adds the file French_iss.ini"="5/16/2018 12:25 PM, 2792 bytes, A Adds the file german_iss.ini"="5/16/2018 12:25 PM, 2658 bytes, A Adds the file gmtrs.dll"="1/25/2019 12:09 PM, 1971368 bytes, A Adds the file HtmlRenderer.dll"="1/25/2019 12:09 PM, 236712 bytes, A Adds the file HtmlRenderer.WinForms.dll"="1/25/2019 12:09 PM, 75432 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="1/25/2019 12:09 PM, 64168 bytes, A Adds the file Interop.SHDocVw.dll"="1/25/2019 12:09 PM, 178856 bytes, A Adds the file italian_iss.ini"="5/16/2018 12:25 PM, 2532 bytes, A Adds the file japanese_iss.ini"="5/16/2018 12:25 PM, 1844 bytes, A Adds the file langs.db"="11/10/2018 4:17 PM, 477184 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="1/25/2019 12:09 PM, 186024 bytes, A Adds the file NAudio.dll"="1/25/2019 12:09 PM, 486056 bytes, A Adds the file Newtonsoft.Json.dll"="1/25/2019 12:09 PM, 475816 bytes, A Adds the file norwegian_iss.ini"="5/16/2018 12:25 PM, 2358 bytes, A Adds the file PaddleCheckoutSDK.dll"="1/25/2019 12:09 PM, 73896 bytes, A Adds the file portuguese_iss.ini"="5/16/2018 12:25 PM, 2424 bytes, A Adds the file rtc.exe"="1/25/2019 12:08 PM, 2437288 bytes, A Adds the file rtc.exe.config"="1/25/2019 12:07 PM, 6372 bytes, A Adds the file russian_iss.ini"="5/16/2018 12:25 PM, 2494 bytes, A Adds the file spanish_iss.ini"="5/16/2018 12:25 PM, 2548 bytes, A Adds the file swedish_iss.ini"="5/16/2018 12:25 PM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="1/25/2019 12:09 PM, 305832 bytes, A Adds the file TAFactory.IconPack.dll"="1/25/2019 12:09 PM, 51880 bytes, A Adds the file unins000.dat"="2/18/2019 8:57 AM, 85601 bytes, A Adds the file unins000.exe"="2/18/2019 8:56 AM, 1243816 bytes, A Adds the file unins000.msg"="2/18/2019 8:57 AM, 22701 bytes, A Adds the folder C:\Program Files\Advanced-Clean-Pro for {computername}\x64 Adds the file SQLite.Interop.dll"="1/25/2019 12:08 PM, 1190568 bytes, A Adds the folder C:\Program Files\Advanced-Clean-Pro for {computername}\x86 Adds the file SQLite.Interop.dll"="1/25/2019 12:08 PM, 869544 bytes, A Adds the folder C:\ProgramData\Advanced-Clean-Pro for {computername} Adds the file mdb.db"="10/26/2018 11:37 AM, 6643712 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 12:25 PM, 130973 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced-Clean-Pro for {computername} Adds the file Advanced-Clean-Pro.lnk"="2/18/2019 8:57 AM, 988 bytes, A Adds the file Buy Advanced-Clean-Pro.lnk"="2/18/2019 8:57 AM, 1000 bytes, A Adds the file Uninstall Advanced-Clean-Pro.lnk"="2/18/2019 8:57 AM, 1019 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Advanced-Clean-Pro For {computername} Adds the file Errorlog.txt"="2/18/2019 8:58 AM, 36156 bytes, A Adds the file exlist.bin"="2/18/2019 8:57 AM, 258019 bytes, A Adds the file notifier.xml"="2/18/2019 8:57 AM, 17480 bytes, A Adds the file res.xml"="2/18/2019 8:58 AM, 23964 bytes, A Adds the file update.xml"="2/18/2019 8:57 AM, 46280 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Advanced-Clean-Pro For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file Advanced-Clean-Pro.lnk"="2/18/2019 8:57 AM, 970 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Advanced-Clean-Pro_Logon"="2/18/2019 8:57 AM, 3078 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Advanced-Clean-Pro For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins1.alfactiv.com/install/acpo/?" "apst"="REG_DWORD", 0 "buybowinapp"="REG_SZ", "http://store.sdmypcutils.live/acpo/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ......................................................................................................................................................................................................................................................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\Advanced-Clean-Pro for {computername}" "ipaddrurl"="REG_SZ", "http://www.alfactiv.com/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 60 "lstscandate"="REG_SZ", "2/18/2019 8:58:50 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 60 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.alfactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.alfactiv.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.sdmypcutils.live/acpo/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.sdmypcutils.live/acpo/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.sdmypcutils.live/help/" "TELNO"="REG_SZ", "877-884-1178" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "877-884-1178" "WebURL"="REG_SZ", "http://www.sdmypcutils.live/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "77_234_46_199" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07F0D86-0824-412D-BDA7-7BD8C1B77B15}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Advanced-Clean-Pro for {computername}\rtc.exe" "DisplayName"="REG_SZ", "Advanced-Clean-Pro" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 18715 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Advanced-Clean-Pro for {computername}" "Inno Setup: Icon Group"="REG_SZ", "Advanced-Clean-Pro for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190218" "InstallLocation"="REG_SZ", "C:\Program Files\Advanced-Clean-Pro for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Advanced-Clean-Pro for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Advanced-Clean-Pro for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\QWR2YW5jZWQtQ2xlYW4tUHJv\ACT] "data"="REG_BINARY, ................................................................................................ [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\Advanced-Clean-Pro For {computername}] "affiliateid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\Advanced-Clean-Pro for {computername}" "LangCode"="REG_SZ", "en" "TELNO"="REG_SZ", "877-884-1178" "TELNO_us"="REG_SZ", "877-884-1178" "utm_medium"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "77_234_46_199" [HKEY_CURRENT_USER\Software\Advanced-Clean-Pro For {computername}\1.0.0.0] "Installstring"="REG_SZ", "C:\Program Files\Advanced-Clean-Pro for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/18/19 Scan Time: 9:10 AM Log File: 9a0378b8-3354-11e9-a464-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9312 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235920 Threats Detected: 80 Threats Quarantined: 80 Time Elapsed: 4 min, 23 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\rtc.exe, Quarantined, [442], [640343],1.0.9312 Module: 7 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\rtc.exe, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [442], [640343],1.0.9312 Registry Key: 8 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Advanced-Clean-Pro_Logon, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{A4D49888-5F8A-4EED-B8C9-991853EC73C6}, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{A4D49888-5F8A-4EED-B8C9-991853EC73C6}, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F07F0D86-0824-412D-BDA7-7BD8C1B77B15}_is1, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, HKCU\SOFTWARE\Advanced-Clean-Pro For {computername}, Quarantined, [442], [640342],1.0.9312 PUP.Optional.Jawego, HKLM\SOFTWARE\QWR2YW5jZWQtQ2xlYW4tUHJv, Quarantined, [591], [535314],1.0.9312 PUP.Optional.PCVARK, HKLM\SOFTWARE\Advanced-Clean-Pro For {computername}, Quarantined, [442], [640348],1.0.9312 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [442], [540842],1.0.9312 Registry Value: 5 PUP.Optional.PCVARK, HKCU\SOFTWARE\Advanced-Clean-Pro For {computername}|TELNO_US, Quarantined, [442], [640342],1.0.9312 PUP.Optional.PCVARK, HKLM\SOFTWARE\Advanced-Clean-Pro For {computername}|AFFIRED, Quarantined, [442], [640348],1.0.9312 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [442], [540842],1.0.9312 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1185], [484510],1.0.9312 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{A4D49888-5F8A-4EED-B8C9-991853EC73C6}|PATH, Quarantined, [442], [640338],1.0.9312 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\x64, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\x86, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\PROGRAM FILES\Advanced-Clean-Pro for {computername}, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\ProgramData\Advanced-Clean-Pro for {computername}\offers, Quarantined, [442], [640345],1.0.9312 PUP.Optional.PCVARK, C:\PROGRAMDATA\Advanced-Clean-Pro for {computername}, Quarantined, [442], [640345],1.0.9312 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Advanced-Clean-Pro for {computername}, Quarantined, [442], [640344],1.0.9312 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Advanced-Clean-Pro For {computername}\smico, Quarantined, [442], [640347],1.0.9312 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Advanced-Clean-Pro For {computername}, Quarantined, [442], [640347],1.0.9312 File: 51 PUP.Optional.PCVARK, C:\PROGRAM FILES\Advanced-Clean-Pro for {computername}\unins000.dat, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\x86\SQLite.Interop.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\application.ico, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\danish_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\Dutch_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\english_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\finish_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\French_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\german_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\gmtrs.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\HtmlRenderer.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\Interop.SHDocVw.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\italian_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\japanese_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\langs.db, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\NAudio.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\Newtonsoft.Json.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\norwegian_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\portuguese_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\rtc.exe, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\rtc.exe.config, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\russian_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\spanish_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\swedish_iss.ini, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\unins000.exe, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\Program Files\Advanced-Clean-Pro for {computername}\unins000.msg, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Advanced-Clean-Pro_Logon, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Advanced-Clean-Pro.lnk, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\USERS\PUBLIC\Desktop\Advanced-Clean-Pro.lnk, Quarantined, [442], [640343],1.0.9312 PUP.Optional.PCVARK, C:\PROGRAMDATA\Advanced-Clean-Pro for {computername}\mdb.db, Quarantined, [442], [640345],1.0.9312 PUP.Optional.PCVARK, C:\ProgramData\Advanced-Clean-Pro for {computername}\offers\a_p_t.exe, Quarantined, [442], [640345],1.0.9312 PUP.Optional.PCVARK, C:\ProgramData\Advanced-Clean-Pro for {computername}\pcspstartrepair_en.mp3, Quarantined, [442], [640345],1.0.9312 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Advanced-Clean-Pro for {computername}\Buy Advanced-Clean-Pro.lnk, Quarantined, [442], [640344],1.0.9312 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced-Clean-Pro for {computername}\Advanced-Clean-Pro.lnk, Quarantined, [442], [640344],1.0.9312 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced-Clean-Pro for {computername}\Uninstall Advanced-Clean-Pro.lnk, Quarantined, [442], [640344],1.0.9312 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Advanced-Clean-Pro For {computername}\Errorlog.txt, Quarantined, [442], [640347],1.0.9312 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Advanced-Clean-Pro For {computername}\a_p_t_2.xml, Quarantined, [442], [640347],1.0.9312 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Advanced-Clean-Pro For {computername}\exlist.bin, Quarantined, [442], [640347],1.0.9312 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Advanced-Clean-Pro For {computername}\notifier.xml, Quarantined, [442], [640347],1.0.9312 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Advanced-Clean-Pro For {computername}\res.xml, Quarantined, [442], [640347],1.0.9312 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Advanced-Clean-Pro For {computername}\update.xml, Quarantined, [442], [640347],1.0.9312 PUP.Optional.PCVARK, C:\PROGRAMDATA\ADVANCED-CLEAN-PRO FOR {computername}\OFFERS\A_P_T.EXE, Quarantined, [442], [583068],1.0.9312 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [442], [583068],1.0.9312 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\ADVANCEDCLEANPRO.EXE, Quarantined, [442], [602750],1.0.9312 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is mixGames Search?The Malwarebytes research team has determined that mixGames Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by mixGames Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did mixGames Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove mixGames Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of mixGames Search? No, Malwarebytes removes mixGames Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the mixGames Search hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://games.searchalgo.com/search/?category=web&s=xgds&q={searchTerms} CHR DefaultSearchKeyword: Default -> mixGames CHR DefaultSuggestURL: Default -> hxxp://sug.searchalgo.com/search/index_sg.php?q={searchTerms} CHR Extension: (mixGames Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha [2019-02-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0 Adds the file background.js"="2/22/2016 7:34 PM, 4336 bytes, A Adds the file manifest.json"="2/15/2019 8:48 AM, 1797 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/15/2019 8:48 AM, 183 bytes, A Adds the file verified_contents.json"="2/22/2016 7:51 PM, 1648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\icons Adds the file icon128.png"="2/15/2019 8:48 AM, 9579 bytes, A Adds the file icon16.png"="2/15/2019 8:48 AM, 637 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kcboafodfidhkjhhagekcbeepegnccha"="REG_SZ", "7F4395AA55C2A03E3A5A8BE2113C18F11F89D281466C449A996239D2C59E2F5B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/15/19 Scan Time: 8:56 AM Log File: 40f0053e-30f7-11e9-86b0-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9276 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236112 Threats Detected: 15 Threats Quarantined: 15 Time Elapsed: 3 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchAlgo.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kcboafodfidhkjhhagekcbeepegnccha, Quarantined, [14646], [443230],1.0.9276 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\_metadata, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\icons, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KCBOAFODFIDHKJHHAGEKCBEEPEGNCCHA, Quarantined, [14646], [443230],1.0.9276 File: 10 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KCBOAFODFIDHKJHHAGEKCBEEPEGNCCHA\1.0.0_0\MANIFEST.JSON, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\icons\icon128.png, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\icons\icon16.png, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\_metadata\computed_hashes.json, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\_metadata\verified_contents.json, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\background.js, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [351], [454816],1.0.9276 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [351], [454816],1.0.9276 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is My Sport Tab?The Malwarebytes research team has determined that My Sport Tab is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.My Sport Tab is a member of the APN family now known as IAC Applications.How do I know if my computer is affected by My Sport Tab?You may see these browser extensions/add-ons:these warnings during install:You may see this changed setting:this icon in the browsers menu-bar:and this new homepage in the affected browsers:How did My Sport Tab get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.after a redirect to the webstore:How do I remove My Sport Tab?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of My Sport Tab? No, Malwarebytes' Anti-Malware removes My Sport Tab completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the My Sport Tab hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in a FRST log: CHR NewTab: Default -> Active:"chrome-extension://cpbogamaeokccmfbaclibdjjnjlpkill/newtabproduct.html" CHR Extension: (MySportTab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill [2019-02-14] Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0 Adds the file manifest.json"="2/14/2019 9:14 AM, 2387 bytes, A Adds the file newtabproduct.html"="10/18/2018 5:24 PM, 1210 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_locales\en Adds the file messages.json"="2/14/2019 9:14 AM, 251 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_metadata Adds the file computed_hashes.json"="2/14/2019 9:14 AM, 4560 bytes, A Adds the file verified_contents.json"="10/18/2018 5:24 PM, 5403 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\config Adds the file config.json"="10/18/2018 5:24 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons Adds the file icon128.png"="2/14/2019 9:14 AM, 4986 bytes, A Adds the file icon16.png"="10/18/2018 5:24 PM, 412 bytes, A Adds the file icon19disabled.png"="10/18/2018 5:24 PM, 371 bytes, A Adds the file icon19on.png"="2/14/2019 9:14 AM, 580 bytes, A Adds the file icon48.png"="2/14/2019 9:14 AM, 1997 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js Adds the file ajax.js"="10/18/2018 5:24 PM, 2218 bytes, A Adds the file b2b-partner-tracking.js"="10/18/2018 5:24 PM, 11186 bytes, A Adds the file background.js"="10/18/2018 5:24 PM, 21476 bytes, A Adds the file browserUtils.js"="10/18/2018 5:24 PM, 912 bytes, A Adds the file chrome.js"="10/18/2018 5:24 PM, 146 bytes, A Adds the file content_script.js"="10/18/2018 5:24 PM, 2151 bytes, A Adds the file dlp.js"="10/18/2018 5:24 PM, 5659 bytes, A Adds the file dlpHelper.js"="10/18/2018 5:24 PM, 1799 bytes, A Adds the file extension_detect.js"="10/18/2018 5:24 PM, 4299 bytes, A Adds the file genericLoadRemoteSettings.js"="10/18/2018 5:24 PM, 2855 bytes, A Adds the file index.js"="10/18/2018 5:24 PM, 49 bytes, A Adds the file initOfferCEF.js"="10/18/2018 5:24 PM, 8802 bytes, A Adds the file logger.js"="10/18/2018 5:24 PM, 541 bytes, A Adds the file offerService.js"="10/18/2018 5:24 PM, 10325 bytes, A Adds the file pageUtils.js"="10/18/2018 5:24 PM, 2805 bytes, A Adds the file PartnerId.js"="10/18/2018 5:24 PM, 16402 bytes, A Adds the file product.js"="10/18/2018 5:24 PM, 8403 bytes, A Adds the file splashPageRedirectHandler.js"="10/18/2018 5:24 PM, 2868 bytes, A Adds the file storage.js"="10/18/2018 5:24 PM, 1640 bytes, A Adds the file TabManager.js"="10/18/2018 5:24 PM, 151 bytes, A Adds the file TemplateParser.js"="10/18/2018 5:24 PM, 3038 bytes, A Adds the file ul.js"="10/18/2018 5:24 PM, 3832 bytes, A Adds the file urlFragmentActions.js"="10/18/2018 5:24 PM, 1825 bytes, A Adds the file urlUtils.js"="10/18/2018 5:24 PM, 5349 bytes, A Adds the file util.js"="10/18/2018 5:24 PM, 3004 bytes, A Adds the file webtooltabAPI.js"="10/18/2018 5:24 PM, 8721 bytes, A Adds the file webTooltabAPIProxy.js"="10/18/2018 5:24 PM, 5445 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill Adds the file 000003.log"="2/14/2019 9:14 AM, 5351 bytes, A Adds the file CURRENT"="2/14/2019 9:14 AM, 16 bytes, A Adds the file LOCK"="2/14/2019 9:14 AM, 0 bytes, A Adds the file LOG"="2/14/2019 9:14 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/14/2019 9:14 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cpbogamaeokccmfbaclibdjjnjlpkill"="REG_SZ", "896FE33B1C7541398512D772773A6115630DCFB13CAF62DFD078E86E80C358F4" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/14/19 Scan Time: 9:25 AM Log File: 11825bc8-3032-11e9-97a2-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9260 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235954 Threats Detected: 55 Threats Quarantined: 55 Time Elapsed: 4 min, 5 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.MySearch.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cpbogamaeokccmfbaclibdjjnjlpkill, Quarantined, [1881], [443097],1.0.9260 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_locales\en, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_metadata, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_locales, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\config, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CPBOGAMAEOKCCMFBACLIBDJJNJLPKILL, Quarantined, [1881], [443097],1.0.9260 File: 45 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill\000003.log, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill\CURRENT, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill\LOCK, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill\LOG, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill\MANIFEST-000001, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CPBOGAMAEOKCCMFBACLIBDJJNJLPKILL\13.817.14.15106_0\MANIFEST.JSON, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\config\config.json, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons\icon128.png, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons\icon16.png, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons\icon19disabled.png, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons\icon19on.png, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons\icon48.png, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\initOfferCEF.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\ajax.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\b2b-partner-tracking.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\background.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\browserUtils.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\chrome.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\content_script.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\dlp.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\dlpHelper.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\extension_detect.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\genericLoadRemoteSettings.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\index.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\logger.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\offerService.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\pageUtils.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\PartnerId.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\product.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\splashPageRedirectHandler.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\storage.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\TabManager.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\TemplateParser.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\ul.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\urlFragmentActions.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\urlUtils.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\util.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\webtooltabAPI.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\webTooltabAPIProxy.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_locales\en\messages.json, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_metadata\computed_hashes.json, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_metadata\verified_contents.json, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\newtabproduct.html, Quarantined, [1881], [443097],1.0.9260 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is Catalina?The Malwarebytes research team has determined that Catalina is a potentially unwanted program (PUP) that behaves like adware. These adware applications display advertisements not originating from the sites you are browsing.How do I know if my computer is affected by Catalina?You may see these warnings during install:these icons in your startmenu, your taskbar and on your desktop:these tasks in your Scheduled Tasks:and this entry in your list of installed Programs and Features:How did Catalina get on my computer?Adware applications use different methods for distributing themselves. This particular one was installed by a bundler.In this case with the Citrio browser:How do I remove Catalina?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Catalina? No, Malwarebytes removes Catalina completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. Malwarebytes does not remove the Citrio browser. If you want to remove it, you can uninstall that from the Windows Control Panel. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the Catalina adware. It would have blocked the installer before it became too late. Technical details for expertsPossible signs in FRST logs: HKCU\...\Run: [CatalinaGroup Update] => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe [132104 2019-02-13] (Catalina Group Limited -> Catalina Group Ltd.) <==== ATTENTION FF Plugin HKCU: @catalinahub.net/CatalinaGroup Update;version=3 -> C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll [2019-02-13] (Catalina Group Ltd.) FF Plugin HKCU: @catalinahub.net/CatalinaGroup Update;version=9 -> C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll [2019-02-13] (Catalina Group Ltd.) C:\Users\{username}\Desktop\Chrome Web Store.lnk C:\Users\{username}\Desktop\Facebook.lnk C:\Users\{username}\Desktop\YouTube.lnk C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrio.lnk C:\Users\{username}\Desktop\Citrio.lnk C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job C:\Users\{username}\AppData\Local\CatalinaGroup C:\Windows\System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA C:\Windows\System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe Citrio (HKCU\...\Citrio) (Version: 50.0.2661.276 - © Catalinagroup Ltd.) <==== ATTENTION Task: {18948E4E-B2F0-4193-BCD3-984AB9734C95} - System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe (Catalina Group Limited -> Catalina Group Ltd.) [File not signed] <==== ATTENTION Task: {467A2CF4-D247-447D-9C6F-0F2E9E5F9BB6} - System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe (Catalina Group Limited -> Catalina Group Ltd.) [File not signed] <==== ATTENTION Task: C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe <==== ATTENTION Task: C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe <==== ATTENTION ShortcutWithArgument: C:\Users\{username}\Desktop\Facebook.lnk -> C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe (CatalinaGroup Ltd.) -> "hxxp://www.facebook.com" ShortcutWithArgument: C:\Users\{username}\Desktop\YouTube.lnk -> C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe (CatalinaGroup Ltd.) -> "hxxp://www.youtube.com" FirewallRules: [{E73D6DA6-FC7D-4EBA-8C14-BBAA3BFDD8FD}] => (Allow) C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe (Catalina Group Limited -> CatalinaGroup Ltd.) Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application Adds the file chrome.VisualElementsManifest.xml"="2/13/2019 10:26 AM, 342 bytes, A Adds the file citrio.exe"="5/31/2017 6:03 AM, 1083264 bytes, A Adds the file debug.log"="2/13/2019 10:26 AM, 258 bytes, A Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\CrashReports Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update Adds the file CatalinaUpdate.exe"="2/13/2019 10:25 AM, 132104 bytes, A Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225 Adds the file CatalinaCrashHandler.exe"="2/13/2019 10:25 AM, 132104 bytes, A Adds the file CatalinaUpdate.exe"="2/13/2019 10:25 AM, 132104 bytes, A Adds the file CatalinaUpdateBroker.exe"="2/13/2019 10:25 AM, 59912 bytes, A Adds the file CatalinaUpdateHelper.msi"="2/13/2019 10:25 AM, 40960 bytes, A Adds the file CatalinaUpdateOnDemand.exe"="2/13/2019 10:25 AM, 59912 bytes, A Adds the file goopdate.dll"="2/13/2019 10:25 AM, 802312 bytes, A Adds the file goopdateres_am.dll"="2/13/2019 10:25 AM, 24072 bytes, A Adds the file goopdateres_ar.dll"="2/13/2019 10:25 AM, 25608 bytes, A Adds the file goopdateres_bg.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_bn.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_ca.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_cs.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_da.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_de.dll"="2/13/2019 10:25 AM, 30216 bytes, A Adds the file goopdateres_el.dll"="2/13/2019 10:25 AM, 29704 bytes, A Adds the file goopdateres_en.dll"="2/13/2019 10:25 AM, 26632 bytes, A Adds the file goopdateres_en-GB.dll"="2/13/2019 10:25 AM, 27144 bytes, A Adds the file goopdateres_es.dll"="2/13/2019 10:25 AM, 30216 bytes, A Adds the file goopdateres_es-419.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_et.dll"="2/13/2019 10:25 AM, 27144 bytes, A Adds the file goopdateres_fa.dll"="2/13/2019 10:25 AM, 26632 bytes, A Adds the file goopdateres_fi.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_fil.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_fr.dll"="2/13/2019 10:25 AM, 29704 bytes, A Adds the file goopdateres_gu.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_hi.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_hr.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_hu.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_id.dll"="2/13/2019 10:25 AM, 27144 bytes, A Adds the file goopdateres_is.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_it.dll"="2/13/2019 10:25 AM, 29704 bytes, A Adds the file goopdateres_iw.dll"="2/13/2019 10:25 AM, 25096 bytes, A Adds the file goopdateres_ja.dll"="2/13/2019 10:25 AM, 23560 bytes, A Adds the file goopdateres_kn.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_ko.dll"="2/13/2019 10:25 AM, 23048 bytes, A Adds the file goopdateres_lt.dll"="2/13/2019 10:25 AM, 27144 bytes, A Adds the file goopdateres_lv.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_ml.dll"="2/13/2019 10:25 AM, 30728 bytes, A Adds the file goopdateres_mr.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_ms.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_nl.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_no.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_pl.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_pt-BR.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_pt-PT.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_ro.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_ru.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_sk.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_sl.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_sr.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_sv.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_sw.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_ta.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_te.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_th.dll"="2/13/2019 10:25 AM, 26632 bytes, A Adds the file goopdateres_tr.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_uk.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_ur.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_vi.dll"="2/13/2019 10:25 AM, 27144 bytes, A Adds the file goopdateres_zh-CN.dll"="2/13/2019 10:25 AM, 21000 bytes, A Adds the file goopdateres_zh-TW.dll"="2/13/2019 10:25 AM, 21000 bytes, A Adds the file npCatalinaUpdate3.dll"="2/13/2019 10:25 AM, 237576 bytes, A Adds the file psmachine.dll"="2/13/2019 10:25 AM, 156680 bytes, A Adds the file psuser.dll"="2/13/2019 10:25 AM, 162824 bytes, A Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\Download\{92F8A219-E740-49D5-B785-B962AD819724}\50.0.2661.276 Adds the file citrio_50.0.2661.276_1.exe"="6/1/2017 10:00 AM, 59432320 bytes, A Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\Install\{5066949F-6C76-4D2D-B5F4-9BA14B8C062B} Adds the file citrio_50.0.2661.276_1.exe"="6/1/2017 10:00 AM, 59432320 bytes, A Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\Offline\{BD55EF3F-9661-4327-B056-D2D1C9BD36F7} In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2455 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2478 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2478 bytes, A In the existing folder C:\Users\{username}\Desktop Adds the file Chrome Web Store.lnk"="2/13/2019 10:26 AM, 2533 bytes, A Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2453 bytes, A Adds the file Facebook.lnk"="2/13/2019 10:26 AM, 2493 bytes, A Adds the file YouTube.lnk"="2/13/2019 10:26 AM, 2489 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core"="2/13/2019 10:25 AM, 3540 bytes, A Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA"="2/13/2019 10:25 AM, 3936 bytes, A In the existing folder C:\Windows\Tasks Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job"="2/13/2019 10:25 AM, 902 bytes, A Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job"="2/13/2019 10:25 AM, 954 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures] "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job"="REG_BINARY, ............................$... "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job.fp"="REG_DWORD", 1917796137 "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job"="REG_BINARY, ................................ "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job.fp"="REG_DWORD", 1081281079 [HKEY_CURRENT_USER\Software\CatalinaGroup\CitrioDownloader] [HKEY_CURRENT_USER\Software\CatalinaGroup\Update] "LastInstallerError"="REG_DWORD", 0 "LastInstallerResult"="REG_DWORD", 0 "LastInstallerSuccessLaunchCmdLine"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe"" "path"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe" "uid"="REG_SZ", "{6AC4AB17-5F65-4002-8353-583D7EDA74B4}" "version"="REG_SZ", "1.3.25.225" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}] "bt"="REG_SZ", "1" "lang"="REG_SZ", "en" "name"="REG_SZ", "Citrio App Launcher" "oopcrashes"="REG_DWORD", 1 "pv"="REG_SZ", "50.0.2661.276" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}] "name"="REG_SZ", "Catalina Update" "pv"="REG_SZ", "1.3.25.225" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}] "bt"="REG_SZ", "1" "lang"="REG_SZ", "en" "name"="REG_SZ", "Citrio" "oopcrashes"="REG_DWORD", 1 "pv"="REG_SZ", "50.0.2661.276" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}\Commands\on-os-upgrade] "AutoRunOnOSUpgrade"="REG_DWORD", 1 "CommandLine"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\50.0.2661.276\Installer\setup.exe" --on-os-upgrade --verbose-logging" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}] "brand"="REG_SZ", "GGLS" "iid"="REG_SZ", "{B7A36BE9-E198-4287-9D35-BC1CFD561747}" "InstallTime"="REG_DWORD", 1550049952 "pv"="REG_SZ", "1.3.25.225" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}] "_NumAccounts"="REG_SZ", "1" "_NumSignedIn"="REG_SZ", "0" "brand"="REG_SZ", "GGLS" "bt"="REG_SZ", "1" "dr"="REG_SZ", "1" "iid"="REG_SZ", "{B7A36BE9-E198-4287-9D35-BC1CFD561747}" "InstallTime"="REG_DWORD", 1550049966 "lang"="REG_SZ", "en" "LastCheckSuccess"="REG_DWORD", 1550049978 "LastInstallerError"="REG_DWORD", 0 "LastInstallerResult"="REG_DWORD", 0 "LastInstallerSuccessLaunchCmdLine"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe"" "lastrun"="REG_SZ", "13194523582822146" "LastWasDefault"="REG_QWORD, .... "pv"="REG_SZ", "50.0.2661.276" "referral"="REG_SZ", "1:citrio_website" "UninstallArguments"="REG_SZ", " --uninstall" "UninstallString"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\50.0.2661.276\Installer\setup.exe" "usagestats"="REG_DWORD", 0 [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\network\secure] [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\proxy] "source"="REG_SZ", "IE" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "CatalinaGroup Update"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe" /c" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio] "DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe,0" "DisplayName"="REG_SZ", "Citrio" "DisplayVersion"="REG_SZ", "50.0.2661.276" "InstallDate"="REG_SZ", "20190213" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "© Catalinagroup Ltd." "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\50.0.2661.276\Installer\setup.exe" --uninstall" "Version"="REG_SZ", "50.0.2661.276" "VersionMajor"="REG_DWORD", 2661 "VersionMinor"="REG_DWORD", 276 [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3] "Description"="REG_SZ", "CatalinaGroup Update" "Path"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll" "ProductName"="REG_SZ", "CatalinaGroup Update" "Vendor"="REG_SZ", "Catalina Group Ltd." "Version"="REG_SZ", "3" [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3\MimeTypes\application/x-vnd.catalinahub.update3webcontrol.3] [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9] "Description"="REG_SZ", "CatalinaGroup Update" "Path"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll" "ProductName"="REG_SZ", "CatalinaGroup Update" "Vendor"="REG_SZ", "Catalina Group Ltd." "Version"="REG_SZ", "9" [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9\MimeTypes\application/x-vnd.catalinahub.oneclickctrl.9] [HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Extensions\dcagnhpbnggmbihndfkkhfjojgbaaedo\1.2.40_0\binaries\win\imageformats] "qico4.dll"="REG_MULTI_SZ, "2017-02-17T13:35:50 ico " [HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Extensions\dcagnhpbnggmbihndfkkhfjojgbaaedo\1.2.40_0\binaries\win\imageformats] "qico4.dll"="REG_MULTI_SZ, "40806 0 Windows msvc release full-config 2017-02-17T13:35:50 " Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/13/19 Scan Time: 10:34 AM Log File: 99374b67-2f72-11e9-8ffc-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.527 Update Package Version: 1.0.9238 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236076 Threats Detected: 26 Threats Quarantined: 26 Time Elapsed: 4 min, 27 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\CATALINACRASHHANDLER.EXE, Quarantined, [500], [635491],1.0.9238 Module: 2 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\GOOPDATE.DLL, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\CATALINACRASHHANDLER.EXE, Quarantined, [500], [635491],1.0.9238 Registry Key: 6 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{467A2CF4-D247-447D-9C6F-0F2E9E5F9BB6}, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{467A2CF4-D247-447D-9C6F-0F2E9E5F9BB6}, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{18948E4E-B2F0-4193-BCD3-984AB9734C95}, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{18948E4E-B2F0-4193-BCD3-984AB9734C95}, Quarantined, [500], [635491],1.0.9238 Registry Value: 1 PUP.Optional.Catalina, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|CatalinaGroup Update, Quarantined, [500], [635491],1.0.9238 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 16 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\GOOPDATE.DLL, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\CATALINACRASHHANDLER.EXE, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\WINDOWS\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\WINDOWS\SYSTEM32\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\WINDOWS\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\WINDOWS\SYSTEM32\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\CATALINAUPDATE.EXE, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\CATALINAUPDATESETUP.EXE, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Internet Explorer\Quick Launch\Citrio.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\User Pinned\TaskBar\Citrio.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Start Menu\Programs\Citrio.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\Chrome Web Store.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\Citrio.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\Facebook.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\YouTube.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\CITRIO\APPLICATION\CITRIO.EXE, Quarantined, [500], [635491],1.0.9238 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Search Secure?The Malwarebytes research team has determined that Search Secure is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Search Secure?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Search Secure get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Search Secure?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Search Secure? No, Malwarebytes removes Search Secure completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Search Secure hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://www.searchsecureprime.co/search.html?type=search&id=MTI3NT#q={searchTerms} CHR DefaultSearchKeyword: Default -> Yahoo CHR DefaultSuggestURL: Default -> hxxps://www.searchsecureprime.co/sugg/ie?output=fxjson&command={searchTerms}&nResults=10 CHR Extension: (Web) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj [2019-02-12] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0 Adds the file manifest.json"="2/12/2019 11:08 AM, 2208 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\_metadata Adds the file computed_hashes.json"="2/12/2019 11:08 AM, 10670 bytes, A Adds the file verified_contents.json"="1/7/2019 2:40 PM, 7156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\core Adds the file content.js"="1/7/2019 2:40 PM, 9135 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\block Adds the file block.html"="1/7/2019 2:40 PM, 2076 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\css Adds the file annotations.css"="1/7/2019 2:40 PM, 147281 bytes, A Adds the file blockedPage.css"="1/7/2019 2:40 PM, 4533 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img Adds the file annotations-sprite_new.png"="1/7/2019 2:40 PM, 10135 bytes, A Adds the file at-risk-icon.png"="1/7/2019 2:40 PM, 1247 bytes, A Adds the file bg.jpg"="1/7/2019 2:40 PM, 2614 bytes, A Adds the file btn-search.svg"="1/7/2019 2:40 PM, 675 bytes, A Adds the file caution.png"="1/7/2019 2:40 PM, 2738 bytes, A Adds the file caution_.png"="1/7/2019 2:40 PM, 489 bytes, A Adds the file close-pop.png"="1/7/2019 2:40 PM, 693 bytes, A Adds the file footer-bg1-new.png"="1/7/2019 2:40 PM, 2283 bytes, A Adds the file img-blocked.svg"="1/7/2019 2:40 PM, 364 bytes, A Adds the file layer.png"="1/7/2019 2:40 PM, 30798 bytes, A Adds the file pointer.png"="1/7/2019 2:40 PM, 2699 bytes, A Adds the file popupimage.png"="1/7/2019 2:40 PM, 39964 bytes, A Adds the file safe.png"="1/7/2019 2:40 PM, 3452 bytes, A Adds the file safe_.png"="1/7/2019 2:40 PM, 842 bytes, A Adds the file safe-icon.png"="1/7/2019 2:40 PM, 1251 bytes, A Adds the file search.svg"="1/7/2019 2:40 PM, 332 bytes, A Adds the file searchicon.png"="1/7/2019 2:40 PM, 1425 bytes, A Adds the file search-icon-2.png"="1/7/2019 2:40 PM, 9539 bytes, A Adds the file searchmagnifier.png"="1/7/2019 2:40 PM, 4127 bytes, A Adds the file sf_overlay_sprite.png"="1/7/2019 2:40 PM, 13244 bytes, A Adds the file sf-magni.png"="1/7/2019 2:40 PM, 1433 bytes, A Adds the file sf-sprite.png"="1/7/2019 2:40 PM, 17709 bytes, A Adds the file small-search.png"="1/7/2019 2:40 PM, 3875 bytes, A Adds the file srch.png"="1/7/2019 2:40 PM, 1241 bytes, A Adds the file ss-logo.png"="1/7/2019 2:40 PM, 28412 bytes, A Adds the file tick.png"="1/7/2019 2:40 PM, 2513 bytes, A Adds the file trans1.png"="1/7/2019 2:40 PM, 935 bytes, A Adds the file untested.png"="1/7/2019 2:40 PM, 2705 bytes, A Adds the file untested_.png"="1/7/2019 2:40 PM, 790 bytes, A Adds the file untested-icon.png"="1/7/2019 2:40 PM, 1288 bytes, A Adds the file warning.png"="1/7/2019 2:40 PM, 2909 bytes, A Adds the file warning_.png"="1/7/2019 2:40 PM, 676 bytes, A Adds the file warning-icon.png"="1/7/2019 2:40 PM, 1137 bytes, A Adds the file website.svg"="1/7/2019 2:40 PM, 6696 bytes, A Adds the file welcome-box-bg.png"="1/7/2019 2:40 PM, 45548 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\js Adds the file content-ui.js"="1/7/2019 2:40 PM, 4104 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\popup Adds the file popup.html"="1/7/2019 2:40 PM, 8857 bytes, A Adds the file popup.js"="1/7/2019 2:40 PM, 6948 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\icons Adds the file icon128.png"="2/12/2019 11:08 AM, 5411 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\js Adds the file blockpage.js"="1/7/2019 2:40 PM, 2062 bytes, A Adds the file custombackground.js"="1/7/2019 2:40 PM, 12588 bytes, A Adds the file jquery-3.2.1.min.js"="1/7/2019 2:40 PM, 86659 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj Adds the file 000003.log"="2/12/2019 11:20 AM, 2991 bytes, A Adds the file CURRENT"="2/12/2019 11:08 AM, 16 bytes, A Adds the file LOCK"="2/12/2019 11:08 AM, 0 bytes, A Adds the file LOG"="2/12/2019 11:20 AM, 409 bytes, A Adds the file LOG.old"="2/12/2019 11:08 AM, 185 bytes, A Adds the file MANIFEST-000001"="2/12/2019 11:08 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj Adds the file 000003.log"="2/12/2019 11:18 AM, 3893 bytes, A Adds the file CURRENT"="2/12/2019 11:18 AM, 16 bytes, A Adds the file LOCK"="2/12/2019 11:18 AM, 0 bytes, A Adds the file LOG"="2/12/2019 11:18 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/12/2019 11:18 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "eamojhigmclkheifikgdfnaihmmeaedj"="REG_SZ", "CD6ACF0592B9DDBBBD42C84385488F522090911D9A11FB24C9EA990F544DE1C2" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/12/19 Scan Time: 11:26 AM Log File: b4ce00c6-2eb0-11e9-b8af-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9224 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235892 Threats Detected: 79 Threats Quarantined: 79 Time Elapsed: 5 min, 19 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchSecure, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|eamojhigmclkheifikgdfnaihmmeaedj, Quarantined, [259], [631847],1.0.9224 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\block, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\popup, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\css, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\_metadata, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\icons, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\core, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\eamojhigmclkheifikgdfnaihmmeaedj, Quarantined, [259], [631847],1.0.9224 File: 64 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\core\content.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\block\block.html, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\css\annotations.css, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\css\blockedPage.css, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\safe_.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\annotations-sprite_new.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\at-risk-icon.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\bg.jpg, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\btn-search.svg, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\caution.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\caution_.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\close-pop.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\footer-bg1-new.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\img-blocked.svg, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\layer.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\pointer.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\popupimage.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\safe-icon.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\safe.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\search-icon-2.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\search.svg, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\searchicon.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\searchmagnifier.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\sf-magni.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\sf-sprite.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\sf_overlay_sprite.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\small-search.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\srch.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\ss-logo.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\tick.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\trans1.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\untested-icon.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\untested.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\untested_.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\warning-icon.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\warning.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\warning_.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\website.svg, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\welcome-box-bg.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\js\content-ui.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\popup\popup.html, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\popup\popup.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\icons\icon128.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\js\blockpage.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\js\custombackground.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\js\jquery-3.2.1.min.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\_metadata\computed_hashes.json, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\_metadata\verified_contents.json, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\manifest.json, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\000003.log, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\CURRENT, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\LOCK, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\LOG, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\LOG.old, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\MANIFEST-000001, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\000003.log, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\CURRENT, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\LOCK, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\LOG, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\MANIFEST-000001, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [631849],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [631849],1.0.9224 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is System Clean Pro?The Malwarebytes research team has determined that System Clean Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with System Clean Pro?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this type of screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did System Clean Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove System Clean Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of System Clean Pro? No, Malwarebytes removes System Clean Pro completely. This PUP creates a scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the System Clean Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () C:\Program Files\System-Clean Pro for {computername}\rtc.exe C:\Windows\System32\Tasks\System-Clean Pro_Logon C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername} C:\ProgramData\System-Clean Pro for {computername} C:\Users\Public\Desktop\System-Clean Pro.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System-Clean Pro for {computername} C:\Program Files\System-Clean Pro for {computername} System-Clean Pro (HKLM\...\{90017557-79E0-47D6-AAB6-880EF5BC06F9}_is1) (Version: 1.0.0.1 - ) Task: {7B430A13-C971-4F9A-81D1-4AAA9CFECF21} - System32\Tasks\System-Clean Pro_Logon => C:\Program Files\System-Clean Pro for {computername}\rtc.exe (PC Speedup Tools Inc. -> ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\System-Clean Pro for {computername} Adds the file application.ico"="1/21/2019 3:58 PM, 56150 bytes, A Adds the file danish_iss.ini"="5/16/2018 12:25 PM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/16/2018 12:25 PM, 2600 bytes, A Adds the file english_iss.ini"="5/16/2018 12:25 PM, 2256 bytes, A Adds the file finish_iss.ini"="5/16/2018 12:25 PM, 2368 bytes, A Adds the file French_iss.ini"="5/16/2018 12:25 PM, 2792 bytes, A Adds the file german_iss.ini"="5/16/2018 12:25 PM, 2658 bytes, A Adds the file gmtrs.dll"="2/4/2019 12:29 PM, 1976408 bytes, A Adds the file HtmlRenderer.dll"="2/4/2019 12:29 PM, 236632 bytes, A Adds the file HtmlRenderer.WinForms.dll"="2/4/2019 12:29 PM, 75352 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="2/4/2019 12:29 PM, 64088 bytes, A Adds the file Interop.SHDocVw.dll"="2/4/2019 12:29 PM, 178776 bytes, A Adds the file italian_iss.ini"="5/16/2018 12:25 PM, 2532 bytes, A Adds the file japanese_iss.ini"="5/16/2018 12:25 PM, 1844 bytes, A Adds the file langs.db"="11/10/2018 4:17 PM, 477184 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="2/4/2019 12:29 PM, 185944 bytes, A Adds the file NAudio.dll"="2/4/2019 12:29 PM, 485976 bytes, A Adds the file Newtonsoft.Json.dll"="2/4/2019 12:29 PM, 475736 bytes, A Adds the file norwegian_iss.ini"="5/16/2018 12:25 PM, 2358 bytes, A Adds the file PaddleCheckoutSDK.dll"="2/4/2019 12:29 PM, 73816 bytes, A Adds the file portuguese_iss.ini"="5/16/2018 12:25 PM, 2424 bytes, A Adds the file rtc.exe"="2/4/2019 12:29 PM, 2439256 bytes, A Adds the file rtc.exe.config"="2/4/2019 12:28 PM, 6387 bytes, A Adds the file russian_iss.ini"="5/16/2018 12:25 PM, 2494 bytes, A Adds the file spanish_iss.ini"="5/16/2018 12:25 PM, 2548 bytes, A Adds the file swedish_iss.ini"="5/16/2018 12:25 PM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="2/4/2019 12:29 PM, 305752 bytes, A Adds the file TAFactory.IconPack.dll"="2/4/2019 12:29 PM, 51800 bytes, A Adds the file unins000.dat"="2/11/2019 9:01 AM, 85281 bytes, A Adds the file unins000.exe"="2/11/2019 9:01 AM, 1243736 bytes, A Adds the file unins000.msg"="2/11/2019 9:01 AM, 22701 bytes, A Adds the folder C:\Program Files\System-Clean Pro for {computername}\x64 Adds the file SQLite.Interop.dll"="2/4/2019 12:29 PM, 1190488 bytes, A Adds the folder C:\Program Files\System-Clean Pro for {computername}\x86 Adds the file SQLite.Interop.dll"="2/4/2019 12:29 PM, 869464 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System-Clean Pro for {computername} Adds the file Buy System-Clean Pro.lnk"="2/11/2019 9:01 AM, 986 bytes, A Adds the file System-Clean Pro.lnk"="2/11/2019 9:01 AM, 974 bytes, A Adds the file Uninstall System-Clean Pro.lnk"="2/11/2019 9:01 AM, 1005 bytes, A Adds the folder C:\ProgramData\System-Clean Pro for {computername} Adds the file mdb.db"="10/26/2018 11:37 AM, 6643712 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 12:25 PM, 130973 bytes, A Adds the folder C:\ProgramData\System-Clean Pro for {computername}\offers Adds the file a_p_t.exe"="2/11/2019 9:06 AM, 832040 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername} Adds the file a_p_t_2.xml"="2/11/2019 9:06 AM, 1206 bytes, A Adds the file Errorlog.txt"="2/11/2019 9:06 AM, 32904 bytes, A Adds the file exlist.bin"="2/11/2019 9:02 AM, 258015 bytes, A Adds the file notifier.xml"="2/11/2019 9:03 AM, 17312 bytes, A Adds the file param.ini"="2/11/2019 9:01 AM, 1006 bytes, A Adds the file res.xml"="2/11/2019 9:05 AM, 23196 bytes, A Adds the file update.xml"="2/11/2019 9:03 AM, 45832 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file System-Clean Pro.lnk"="2/11/2019 9:01 AM, 956 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file System-Clean Pro_Logon"="2/11/2019 9:02 AM, 3074 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90017557-79E0-47D6-AAB6-880EF5BC06F9}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}\rtc.exe" "DisplayName"="REG_SZ", "System-Clean Pro" "DisplayVersion"="REG_SZ", "1.0.0.1" "EstimatedSize"="REG_DWORD", 18726 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}" "Inno Setup: Icon Group"="REG_SZ", "System-Clean Pro for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190211" "InstallLocation"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\System-Clean Pro for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\System-Clean Pro for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WSK3622_WSK3550_RUNT" "referUrl"="REG_SZ", "https%253a%252f%252ffreewindowsupdate.next-site-loading.com%252fcampaigns%252fd%252flanders%252fadvanced%252freimage%252findex.php%253flpkey%253d15df48e428c2795382%2526os_version%253d10%2526os_name%253dWindows%2526device_name%253dDesktop%2526language%253den-US%2526uclick%253du31mxoiki4" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "wskmbi" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "81443" "utm_source"="REG_SZ", "wskmbi" "x-at"="REG_SZ", "XXXXX" "x-context"="REG_SZ", "4050853299" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\System-Clean Pro For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.trkinstl.com/install/scpo/?" "apst"="REG_DWORD", 0 "btnid"="REG_SZ", "" "buybowinapp"="REG_SZ", "http://store.bitssystools.club/scpo/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, .............................................................. "Installstring"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}" "ipaddrurl"="REG_SZ", "http://www.trkinstl.com/getip/" "isavst"="REG_DWORD", 0 "ishow_apt"="REG_DWORD", 1 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "lstregscancount"="REG_DWORD", 58 "lstscandate"="REG_SZ", "2/11/2019 9:05:15 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 58 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.trkinstl.com/ipfiles/" "pdtm"="REG_DWORD", 45 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.trkinstl.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.bitssystools.club/scpo/price?" "pxl"="REG_SZ", "WSK3622_WSK3550_RUNT" "referurl"="REG_SZ", "https%253a%252f%252ffreewindowsupdate.next-site-loading.com%252fcampaigns%252fd%252flanders%252fadvanced%252freimage%252findex.php%253flpkey%253d15df48e428c2795382%2526os_version%253d10%2526os_name%253dWindows%2526device_name%253dDesktop%2526language%253den-US%2526uclick%253du31mxoiki4" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.bitssystools.club/scpo/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.bitssystools.club/help/" "TELNO"="REG_SZ", "877-884-1178" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "877-884-1178" "utm_campaign"="REG_SZ", "wskmbi" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "81443" "utm_source"="REG_SZ", "wskmbi" "WebURL"="REG_SZ", "http://www.bitssystools.club/" "wfoset"="REG_DWORD", 1 "x-at"="REG_SZ", "XXXXX" "x-ccode"="REG_SZ", "us" "x-context"="REG_SZ", "4050853299" "x-datetime"="REG_SZ", "02-11-2019 08:01:56 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "77_234_46_211" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\U3lzdGVtLUNsZWFuIFBybw==\ACT] "data"="REG_BINARY, ........................................... [HKEY_CURRENT_USER\Software\AppCleaner.com] [HKEY_CURRENT_USER\Software\System-Clean Pro For {computername}] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WSK3622_WSK3550_RUNT" "referurl"="REG_SZ", "https%253a%252f%252ffreewindowsupdate.next-site-loading.com%252fcampaigns%252fd%252flanders%252fadvanced%252freimage%252findex.php%253flpkey%253d15df48e428c2795382%2526os_version%253d10%2526os_name%253dWindows%2526device_name%253dDesktop%2526language%253den-US%2526uclick%253du31mxoiki4" "TELNO"="REG_SZ", "877-884-1178" "TELNO_us"="REG_SZ", "877-884-1178" "utm_campaign"="REG_SZ", "wskmbi" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "81443" "utm_source"="REG_SZ", "wskmbi" "x-at"="REG_SZ", "XXXXX" "x-context"="REG_SZ", "4050853299" "x-datetime"="REG_SZ", "02-11-2019 08:01:56 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "77_234_46_211" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\System-Clean Pro For {computername}\1.0.0.1] "Installstring"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/11/19 Scan Time: 9:13 AM Log File: dce45506-2dd4-11e9-a97b-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9204 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235984 Threats Detected: 80 Threats Quarantined: 80 Time Elapsed: 4 min, 24 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\rtc.exe, Quarantined, [442], [635146],1.0.9204 Module: 7 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\rtc.exe, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [442], [635146],1.0.9204 Registry Key: 7 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\System-Clean Pro_Logon, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7B430A13-C971-4F9A-81D1-4AAA9CFECF21}, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{7B430A13-C971-4F9A-81D1-4AAA9CFECF21}, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{90017557-79E0-47D6-AAB6-880EF5BC06F9}_is1, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [442], [540842],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\System-Clean Pro For {computername}, Quarantined, [442], [635144],1.0.9204 PUP.Optional.PCVARK, HKCU\SOFTWARE\System-Clean Pro For {computername}, Quarantined, [442], [635145],1.0.9204 Registry Value: 6 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7B430A13-C971-4F9A-81D1-4AAA9CFECF21}|PATH, Quarantined, [442], [635141],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [442], [540842],1.0.9204 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1189], [484510],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\System-Clean Pro For {computername}|AFFIRED, Quarantined, [442], [635144],1.0.9204 PUP.Optional.PCVARK, HKCU\SOFTWARE\System-Clean Pro For {computername}|AFFILIATEID, Quarantined, [442], [635145],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{90017557-79E0-47D6-AAB6-880EF5BC06F9}_is1|DISPLAYNAME, Quarantined, [442], [635151],1.0.9204 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\System-Clean Pro for {computername}, Quarantined, [442], [635147],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\smico, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\System-Clean Pro For {computername}, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\x64, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\x86, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\PROGRAM FILES\System-Clean Pro for {computername}, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\ProgramData\System-Clean Pro for {computername}\offers, Quarantined, [442], [635148],1.0.9204 PUP.Optional.PCVARK, C:\PROGRAMDATA\System-Clean Pro for {computername}, Quarantined, [442], [635148],1.0.9204 File: 51 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\System-Clean Pro for {computername}\Buy System-Clean Pro.lnk, Quarantined, [442], [635147],1.0.9204 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System-Clean Pro for {computername}\System-Clean Pro.lnk, Quarantined, [442], [635147],1.0.9204 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System-Clean Pro for {computername}\Uninstall System-Clean Pro.lnk, Quarantined, [442], [635147],1.0.9204 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\System-Clean Pro For {computername}\Errorlog.txt, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\a_p_t_2.xml, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\exlist.bin, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\notifier.xml, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\param.ini, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\res.xml, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\update.xml, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\PROGRAM FILES\System-Clean Pro for {computername}\unins000.dat, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\x86\SQLite.Interop.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\application.ico, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\danish_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Dutch_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\english_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\finish_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\French_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\german_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\gmtrs.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\HtmlRenderer.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Interop.SHDocVw.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\italian_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\japanese_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\langs.db, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\NAudio.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Newtonsoft.Json.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\norwegian_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\portuguese_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\rtc.exe, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\rtc.exe.config, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\russian_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\spanish_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\swedish_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\unins000.exe, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\unins000.msg, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\System-Clean Pro_Logon, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\System-Clean Pro.lnk, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\System-Clean Pro.lnk, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\PROGRAMDATA\System-Clean Pro for {computername}\mdb.db, Quarantined, [442], [635148],1.0.9204 PUP.Optional.PCVARK, C:\ProgramData\System-Clean Pro for {computername}\offers\a_p_t.exe, Quarantined, [442], [635148],1.0.9204 PUP.Optional.PCVARK, C:\ProgramData\System-Clean Pro for {computername}\pcspstartrepair_en.mp3, Quarantined, [442], [635148],1.0.9204 PUP.Optional.PCVARK, C:\PROGRAMDATA\SYSTEM-CLEAN PRO FOR {computername}\OFFERS\A_P_T.EXE, Quarantined, [442], [583068],1.0.9204 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [442], [583068],1.0.9204 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is SecuryBrowse Shield?The Malwarebytes research team has determined that SecuryBrowse Shield is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by SecuryBrowse Shield?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did SecuryBrowse Shield get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove SecuryBrowse Shield?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of SecuryBrowse Shield? No, Malwarebytes removes SecuryBrowse Shield completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the SecuryBrowse Shield hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://search.securybrowse.com/?dss&yh&q={searchTerms} CHR DefaultSearchKeyword: Default -> securyBrowse CHR Extension: (securyBrowse) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc [2019-02-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0 Adds the file extenv.js"="5/6/2018 5:56 PM, 1444 bytes, A Adds the file init.js"="3/11/2018 2:35 PM, 4097 bytes, A Adds the file manifest.json"="2/8/2019 8:57 AM, 2132 bytes, A Adds the file popup.html"="3/11/2018 2:35 PM, 2767 bytes, A Adds the file popup.js"="3/11/2018 2:35 PM, 2092 bytes, A Adds the file safeUtils.js"="3/11/2018 2:35 PM, 426 bytes, A Adds the file settings.js"="3/11/2018 2:35 PM, 425 bytes, A Adds the file wa.png"="3/11/2018 2:35 PM, 68 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\_metadata Adds the file computed_hashes.json"="2/8/2019 8:57 AM, 3117 bytes, A Adds the file verified_contents.json"="5/28/2018 5:49 PM, 2988 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\external Adds the file jquery.js"="3/11/2018 2:35 PM, 86713 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons Adds the file icon128.png"="2/8/2019 8:57 AM, 7265 bytes, A Adds the file icon128_warn.png"="2/22/2018 3:55 PM, 7186 bytes, A Adds the file icon16.png"="2/8/2019 8:57 AM, 7841 bytes, A Adds the file icon16_warn.png"="3/11/2018 2:35 PM, 7224 bytes, A Adds the file logo_med.png"="3/11/2018 2:35 PM, 9363 bytes, A Adds the file scanbg.png"="3/11/2018 2:35 PM, 32861 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\js Adds the file background.js"="3/11/2018 2:35 PM, 10961 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc Adds the file 000003.log"="2/8/2019 8:57 AM, 0 bytes, A Adds the file CURRENT"="2/8/2019 8:57 AM, 16 bytes, A Adds the file LOCK"="2/8/2019 8:57 AM, 0 bytes, A Adds the file LOG"="2/8/2019 8:57 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/8/2019 8:57 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kjincgipkjkimkcmolmajgcfpdjbckgc"="REG_SZ", "39F82F23BDFE7C4A8DBF71E3160AE0B93054FF9D7AF89A127318255D5601B8A7" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/8/19 Scan Time: 9:15 AM Log File: b3e6008a-2b79-11e9-8274-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9170 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236020 Threats Detected: 34 Threats Quarantined: 34 Time Elapsed: 4 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SecuryBrowse, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kjincgipkjkimkcmolmajgcfpdjbckgc, Quarantined, [260], [596810],1.0.9170 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\_metadata, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\external, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc, Quarantined, [260], [596810],1.0.9170 File: 26 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\external\jquery.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\icon128.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\icon128_warn.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\icon16.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\icon16_warn.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\logo_med.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\scanbg.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\js\background.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\_metadata\computed_hashes.json, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\_metadata\verified_contents.json, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\extenv.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\init.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\manifest.json, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\popup.html, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\popup.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\safeUtils.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\settings.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\wa.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc\000003.log, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc\CURRENT, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc\LOCK, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc\LOG, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc\MANIFEST-000001, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [260], [596810],1.0.9170 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Boost My PC Pro?The Malwarebytes research team has determined that Boost My PC Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Boost My PC Pro?This is how the main screen of the system optimizer looks: You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install: and this type of tooltips during "operations": You may see this entry in your list of installed programs: and this task in your list of Scheduled Tasks: How did Boost My PC Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website: How do I remove Boost My PC Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Boost My PC Pro? No, Malwarebytes removes Boost My PC Pro completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Boost My PC Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe C:\Windows\System32\Tasks\Boost My-PC Pro_Logon C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername} C:\ProgramData\Boost My-PC Pro for {computername} C:\Users\Public\Desktop\Boost My-PC Pro.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boost My-PC Pro for {computername} C:\Program Files\Boost My-PC Pro for {computername} ( ) C:\Users\{username}\Desktop\bmppsetup.exe Boost My-PC Pro (HKLM\...\{D975B09E-4D2E-42AE-AC5A-51326AFD76AD}_is1) (Version: 1.0.0.0 - ) Task: {82B712BC-4674-4991-9980-F1CC1C7726D7} - System32\Tasks\Boost My-PC Pro_Logon => C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe [2019-02-05] () Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Boost My-PC Pro for {computername} Adds the file application.ico"="1/21/2019 3:58 PM, 56150 bytes, A Adds the file danish_iss.ini"="5/16/2018 12:25 PM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/16/2018 12:25 PM, 2600 bytes, A Adds the file english_iss.ini"="5/16/2018 12:25 PM, 2256 bytes, A Adds the file finish_iss.ini"="5/16/2018 12:25 PM, 2368 bytes, A Adds the file French_iss.ini"="5/16/2018 12:25 PM, 2792 bytes, A Adds the file german_iss.ini"="5/16/2018 12:25 PM, 2658 bytes, A Adds the file gmtrs.dll"="2/5/2019 3:04 PM, 1973408 bytes, A Adds the file HtmlRenderer.dll"="2/5/2019 3:04 PM, 236704 bytes, A Adds the file HtmlRenderer.WinForms.dll"="2/5/2019 3:04 PM, 75424 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="2/5/2019 3:04 PM, 64160 bytes, A Adds the file Interop.SHDocVw.dll"="2/5/2019 3:04 PM, 178848 bytes, A Adds the file italian_iss.ini"="5/16/2018 12:25 PM, 2532 bytes, A Adds the file japanese_iss.ini"="5/16/2018 12:25 PM, 1844 bytes, A Adds the file langs.db"="11/10/2018 4:17 PM, 477184 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="2/5/2019 3:04 PM, 186016 bytes, A Adds the file NAudio.dll"="2/5/2019 3:04 PM, 486048 bytes, A Adds the file Newtonsoft.Json.dll"="2/5/2019 3:04 PM, 475808 bytes, A Adds the file norwegian_iss.ini"="5/16/2018 12:25 PM, 2358 bytes, A Adds the file PaddleCheckoutSDK.dll"="2/5/2019 3:04 PM, 73888 bytes, A Adds the file portuguese_iss.ini"="5/16/2018 12:25 PM, 2424 bytes, A Adds the file rtc.exe"="2/5/2019 3:04 PM, 2439328 bytes, A Adds the file rtc.exe.config"="2/5/2019 3:03 PM, 6440 bytes, A Adds the file russian_iss.ini"="5/16/2018 12:25 PM, 2494 bytes, A Adds the file spanish_iss.ini"="5/16/2018 12:25 PM, 2548 bytes, A Adds the file swedish_iss.ini"="5/16/2018 12:25 PM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="2/5/2019 3:04 PM, 305824 bytes, A Adds the file TAFactory.IconPack.dll"="2/5/2019 3:04 PM, 51872 bytes, A Adds the file unins000.dat"="2/7/2019 9:02 AM, 85143 bytes, A Adds the file unins000.exe"="2/7/2019 9:01 AM, 1243808 bytes, A Adds the file unins000.msg"="2/7/2019 9:02 AM, 22701 bytes, A Adds the folder C:\Program Files\Boost My-PC Pro for {computername}\x64 Adds the file SQLite.Interop.dll"="2/5/2019 3:04 PM, 1190560 bytes, A Adds the folder C:\Program Files\Boost My-PC Pro for {computername}\x86 Adds the file SQLite.Interop.dll"="2/5/2019 3:04 PM, 869536 bytes, A Adds the folder C:\ProgramData\Boost My-PC Pro for {computername} Adds the file mdb.db"="10/26/2018 11:37 AM, 6643712 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 12:25 PM, 130973 bytes, A Adds the folder C:\ProgramData\Boost My-PC Pro for {computername}\offers Adds the file a_p_t.exe"="2/7/2019 9:07 AM, 832040 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boost My-PC Pro for {computername} Adds the file Boost My-PC Pro.lnk"="2/7/2019 9:02 AM, 967 bytes, A Adds the file Buy Boost My-PC Pro.lnk"="2/7/2019 9:02 AM, 979 bytes, A Adds the file Uninstall Boost My-PC Pro.lnk"="2/7/2019 9:02 AM, 998 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername} Adds the file a_p_t_2.xml"="2/7/2019 9:07 AM, 1206 bytes, A Adds the file Errorlog.txt"="2/7/2019 9:07 AM, 33648 bytes, A Adds the file exlist.bin"="2/7/2019 9:03 AM, 258013 bytes, A Adds the file notifier.xml"="2/7/2019 9:04 AM, 16128 bytes, A Adds the file res.xml"="2/7/2019 9:06 AM, 21217 bytes, A Adds the file update.xml"="2/7/2019 9:04 AM, 43090 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file Boost My-PC Pro.lnk"="2/7/2019 9:02 AM, 949 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Boost My-PC Pro_Logon"="2/7/2019 9:03 AM, 3072 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Boost My-PC Pro For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins1.alfactiv.com/install/bmpp/?" "apst"="REG_DWORD", 0 "buybowinapp"="REG_SZ", "http://store.bitscleanuputils.xyz/bmpp/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ......................................................................................................................................................................................................................................................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}" "ipaddrurl"="REG_SZ", "http://www.alfactiv.com/getip/" "isavst"="REG_DWORD", 0 "ishow_apt"="REG_DWORD", 1 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 53 "lstscandate"="REG_SZ", "2/7/2019 9:06:00 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 53 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.alfactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.alfactiv.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.bitscleanuputils.xyz/bmpp/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.bitscleanuputils.xyz/bmpp/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.bitscleanuputils.xyz/help/" "TELNO"="REG_SZ", "877-884-1178" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "877-884-1178" "WebURL"="REG_SZ", "http://www.bitscleanuputils.xyz/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "77_234_46_211" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D975B09E-4D2E-42AE-AC5A-51326AFD76AD}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe" "DisplayName"="REG_SZ", "Boost My-PC Pro" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 18721 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}" "Inno Setup: Icon Group"="REG_SZ", "Boost My-PC Pro for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190207" "InstallLocation"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Boost My-PC Pro for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Boost My-PC Pro for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\Qm9vc3QgTXktUEMgUHJv\ACT] "data"="REG_BINARY, ........................................................................................... [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\AppCleaner.com] [HKEY_CURRENT_USER\Software\Boost My-PC Pro For {computername}] "affiliateid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}" "LangCode"="REG_SZ", "en" "TELNO"="REG_SZ", "877-884-1178" "TELNO_us"="REG_SZ", "877-884-1178" "utm_medium"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "77_234_46_211" [HKEY_CURRENT_USER\Software\Boost My-PC Pro For {computername}\1.0.0.0] "Installstring"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/7/19 Scan Time: 9:15 AM Log File: 94433fb5-2ab0-11e9-a3ea-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9150 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236097 Threats Detected: 76 Threats Quarantined: 76 Time Elapsed: 3 min, 34 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe, Quarantined, [863], [512031],1.0.9150 Module: 7 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [863], [512031],1.0.9150 Registry Key: 8 PUP.Optional.BoostPCPro, HKCU\SOFTWARE\Boost My-PC Pro For {computername}, Quarantined, [863], [512035],1.0.9150 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [442], [540842],1.0.9150 PUP.Optional.BoostPCPro, HKLM\SOFTWARE\Boost My-PC Pro For {computername}, Quarantined, [863], [512034],1.0.9150 PUP.Optional.PCVARK, HKLM\SOFTWARE\Qm9vc3QgTXktUEMgUHJv, Quarantined, [442], [635162],1.0.9150 PUP.Optional.BoostPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Boost My-PC Pro_Logon, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{82B712BC-4674-4991-9980-F1CC1C7726D7}, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{82B712BC-4674-4991-9980-F1CC1C7726D7}, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{D975B09E-4D2E-42AE-AC5A-51326AFD76AD}_is1, Quarantined, [863], [512031],1.0.9150 Registry Value: 2 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [442], [540842],1.0.9150 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1187], [484510],1.0.9150 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\x64, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\x86, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\PROGRAM FILES\Boost My-PC Pro for {computername}, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Boost My-PC Pro for {computername}\offers, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\PROGRAMDATA\Boost My-PC Pro for {computername}, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\smico, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\USERS\{username}\APPDATA\ROAMING\Boost My-PC Pro For {computername}, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Boost My-PC Pro for {computername}, Quarantined, [863], [512033],1.0.9150 File: 50 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\x86\SQLite.Interop.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\application.ico, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\danish_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Dutch_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\english_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\finish_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\French_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\german_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\gmtrs.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\HtmlRenderer.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Interop.SHDocVw.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\italian_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\japanese_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\langs.db, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\NAudio.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Newtonsoft.Json.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\norwegian_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\portuguese_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe.config, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\russian_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\spanish_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\swedish_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\unins000.dat, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\unins000.exe, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\unins000.msg, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\WINDOWS\SYSTEM32\TASKS\Boost My-PC Pro_Logon, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Boost My-PC Pro.lnk, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\USERS\PUBLIC\DESKTOP\Boost My-PC Pro.lnk, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Boost My-PC Pro for {computername}\offers\a_p_t.exe, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Boost My-PC Pro for {computername}\mdb.db, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Boost My-PC Pro for {computername}\pcspstartrepair_en.mp3, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\a_p_t_2.xml, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\Errorlog.txt, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\exlist.bin, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\notifier.xml, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\res.xml, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\update.xml, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boost My-PC Pro for {computername}\Boost My-PC Pro.lnk, Quarantined, [863], [512033],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boost My-PC Pro for {computername}\Buy Boost My-PC Pro.lnk, Quarantined, [863], [512033],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boost My-PC Pro for {computername}\Uninstall Boost My-PC Pro.lnk, Quarantined, [863], [512033],1.0.9150 PUP.Optional.BoostPCPro, C:\USERS\{username}\DESKTOP\BMPPSETUP.EXE, Quarantined, [863], [512030],1.0.9150 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [442], [583068],1.0.9150 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is Funky Stream?The Malwarebytes research team has determined that Funky Stream is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses a web push notifications service that is blocked by Malwarebytes for fraud.How do I know if my computer is affected by Funky Stream?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Funky Stream get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Funky Stream?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Funky Stream? No, Malwarebytes removes Funky Stream completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Funky Stream hijacker. It would have blocked their notifications service, giving you a chance to stop before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.funkystreams.com/?q={searchTerms}&publisher=fctry_funkystreams&barcodeid=531630000000000 CHR DefaultSearchKeyword: Default -> FunkyStreams CHR DefaultSuggestURL: Default -> hxxps://api.funkystreams.com/suggest/get?q={searchTerms} CHR Extension: (FunkyStreams) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf [2019-02-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0 Adds the file closer.js"="9/13/2017 11:07 AM, 15 bytes, A Adds the file manifest.json"="2/6/2019 9:11 AM, 2352 bytes, A Adds the file popup.html"="4/4/2018 12:44 PM, 1154 bytes, A Adds the file tab.html"="9/13/2017 11:07 AM, 165 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\_metadata Adds the file computed_hashes.json"="2/6/2019 9:11 AM, 2655 bytes, A Adds the file verified_contents.json"="1/15/2019 8:06 AM, 2947 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images Adds the file how-1.png"="4/4/2018 12:44 PM, 2862 bytes, A Adds the file how-2.png"="4/4/2018 12:44 PM, 3247 bytes, A Adds the file logo-small.png"="3/27/2018 9:35 AM, 11485 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\icons Adds the file 128x128.png"="2/6/2019 9:11 AM, 3475 bytes, A Adds the file 16x16.png"="2/6/2019 9:11 AM, 332 bytes, A Adds the file 64x64.png"="2/6/2019 9:11 AM, 1735 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts Adds the file background.js"="1/17/2019 2:23 PM, 31654 bytes, A Adds the file jquery-3.3.1.min.js"="4/4/2018 12:44 PM, 86927 bytes, A Adds the file popup.js"="4/4/2018 12:46 PM, 545 bytes, A Adds the file sitecontent.js"="4/4/2018 12:44 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\styles Adds the file popup.css"="4/4/2018 12:44 PM, 1270 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aoekoghmabmcdailcompkbfclkjlofmf Adds the file Funky Stream.ico"="2/6/2019 9:11 AM, 166101 bytes, A Adds the file Funky Stream.ico.md5"="2/6/2019 9:11 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "aoekoghmabmcdailcompkbfclkjlofmf"="REG_SZ", "6F298B3B802EDD6A1FED028ABBF31D50C0D0732B76F04FFB681F2C5D588A421C" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/6/19 Scan Time: 9:19 AM Log File: f6c08abc-29e7-11e9-98dd-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9136 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236045 Threats Detected: 29 Threats Quarantined: 29 Time Elapsed: 3 min, 16 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.FunkyStreams, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|aoekoghmabmcdailcompkbfclkjlofmf, Quarantined, [247], [554848],1.0.9136 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\icons, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\_metadata, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\styles, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf, Quarantined, [247], [554848],1.0.9136 File: 21 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\icons\128x128.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\icons\16x16.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\icons\64x64.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\how-1.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\how-2.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\logo-small.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts\background.js, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts\jquery-3.3.1.min.js, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts\popup.js, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts\sitecontent.js, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\styles\popup.css, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\_metadata\computed_hashes.json, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\_metadata\verified_contents.json, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\closer.js, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\manifest.json, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\popup.html, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\tab.html, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [247], [554848],1.0.9136 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is Kittens new tab?The Malwarebytes research team has determined that Kittens new tab is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Kittens new tab?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Kittens new tab get on my computer?Browser hijackers use different methods for distributing themselves. These particular ones were downloaded from their respective webstores:after a redirect from their website:How do I remove Kittens new tab?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Kittens new tab? No, Malwarebytes removes Kittens new tab completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Kittens new tab hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: {a36d5211-070b-4021-bca1-1b73b2ce4d73} FF Extension: (Kittens new tab) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{a36d5211-070b-4021-bca1-1b73b2ce4d73}.xpi [2019-02-05] CHR NewTab: Default -> Active:"chrome-extension://dlakdjndmfmnpcagngkijpmhpbfngdnl/newtab.html" CHR DefaultSearchURL: Default -> hxxps://searchpage.com/?ext=kittens&v=a1.6.2&keywords={searchTerms} CHR DefaultSearchKeyword: Default -> searchTerms CHR Extension: (Searchpage) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl [2019-02-05] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0 Adds the file 128.png"="2/5/2019 9:00 AM, 23719 bytes, A Adds the file font.woff2"="11/7/2018 11:36 AM, 49168 bytes, A Adds the file manifest.json"="2/5/2019 9:00 AM, 1804 bytes, A Adds the file newtab.html"="1/16/2019 2:19 PM, 5142 bytes, A Adds the file one.css"="1/29/2019 5:15 PM, 229240 bytes, A Adds the file pixel.js"="1/17/2019 4:18 PM, 177 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_locales\en Adds the file messages.json"="2/5/2019 9:00 AM, 149 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_metadata Adds the file computed_hashes.json"="2/5/2019 9:00 AM, 10446 bytes, A Adds the file verified_contents.json"="1/31/2019 1:45 PM, 3227 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js Adds the file b.js"="1/22/2019 3:55 PM, 0 bytes, A Adds the file background.js"="1/31/2019 1:44 PM, 1985 bytes, A Adds the file data.js"="11/7/2018 11:36 AM, 3862 bytes, A Adds the file detailsUpdate.js"="1/16/2019 11:59 AM, 1523 bytes, A Adds the file dynamicData.json"="1/15/2019 5:52 PM, 478 bytes, A Adds the file fontawesome.js"="11/7/2018 11:36 AM, 9543 bytes, A Adds the file init.js"="1/16/2019 12:18 PM, 6583 bytes, A Adds the file initAnalytics.js"="11/7/2018 11:36 AM, 1277 bytes, A Adds the file jquery-3.3.1.min.js"="11/7/2018 6:39 PM, 271751 bytes, A Adds the file masonry.pkgd.min.js"="11/7/2018 11:36 AM, 26187 bytes, A Adds the file materialize.min.js"="11/7/2018 11:36 AM, 181214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl Adds the file 000003.log"="2/5/2019 9:00 AM, 2876 bytes, A Adds the file CURRENT"="2/5/2019 9:00 AM, 16 bytes, A Adds the file LOCK"="2/5/2019 9:00 AM, 0 bytes, A Adds the file LOG"="2/5/2019 9:00 AM, 185 bytes, A Adds the file MANIFEST-000001"="2/5/2019 9:00 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\{a36d5211-070b-4021-bca1-1b73b2ce4d73} In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file {a36d5211-070b-4021-bca1-1b73b2ce4d73}.xpi"="2/5/2019 9:05 AM, 253254 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dlakdjndmfmnpcagngkijpmhpbfngdnl"="REG_SZ", "E307B096C2061CB4FDB2F2CF0B78CC1D06D232CD84772F969B60768494CA817F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/5/19 Scan Time: 9:11 AM Log File: a47e4bc4-291d-11e9-9cc6-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9122 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235939 Threats Detected: 37 Threats Quarantined: 37 Time Elapsed: 4 min, 2 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.BestText4Fun, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dlakdjndmfmnpcagngkijpmhpbfngdnl, Quarantined, [255], [631846],1.0.9122 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_locales\en, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_metadata, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_locales, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\dlakdjndmfmnpcagngkijpmhpbfngdnl, Quarantined, [255], [631846],1.0.9122 PUP.Optional.KittensNewTab, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\{A36D5211-070B-4021-BCA1-1B73B2CE4D73}, Quarantined, [1732], [634388],1.0.9122 File: 28 PUP.Optional.KittensNewTab, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\{A36D5211-070B-4021-BCA1-1B73B2CE4D73}.XPI, Quarantined, [1732], [634389],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\b.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\background.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\data.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\detailsUpdate.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\dynamicData.json, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\fontawesome.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\init.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\initAnalytics.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\jquery-3.3.1.min.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\masonry.pkgd.min.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\materialize.min.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_locales\en\messages.json, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_metadata\computed_hashes.json, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_metadata\verified_contents.json, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\128.png, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\font.woff2, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\manifest.json, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\newtab.html, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\one.css, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\pixel.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl\000003.log, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl\CURRENT, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl\LOCK, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl\LOG, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl\MANIFEST-000001, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [255], [631846],1.0.9122 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is Search By MusixMuze?The Malwarebytes research team has determined that Search By MusixMuze is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Search By MusixMuze?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Search By MusixMuze get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Search By MusixMuze?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Search By MusixMuze? No, Malwarebytes removes Search By MusixMuze completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Search By MusixMuze hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://musixmuze.searchalgo.com/search/?category=web&s=mmds&q={searchTerms} CHR DefaultSearchKeyword: Default -> MusixMuze CHR DefaultSuggestURL: Default -> hxxp://sug.searchalgo.com/search/index_sg.php?q={searchTerms} CHR Extension: (MusixMuze) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo [2019-02-04] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0 Adds the file background.js"="5/2/2018 4:10 PM, 4495 bytes, A Adds the file manifest.json"="2/4/2019 8:54 AM, 1800 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\_metadata Adds the file computed_hashes.json"="2/4/2019 8:54 AM, 183 bytes, A Adds the file verified_contents.json"="5/2/2018 4:10 PM, 1648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\icons Adds the file icon128.png"="2/4/2019 8:54 AM, 4662 bytes, A Adds the file icon16.png"="2/4/2019 8:54 AM, 635 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "iobjnmhjolomhiikmbglkomigcmlfhlo"="REG_SZ", "323B47BA4E0148DF312B6E535C090BEA51C0034960C7BB9B8001A73CDFE0FBF5" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/4/19 Scan Time: 9:01 AM Log File: 048dcb46-2853-11e9-ac92-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9104 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235883 Threats Detected: 15 Threats Quarantined: 15 Time Elapsed: 3 min, 17 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Muze, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|iobjnmhjolomhiikmbglkomigcmlfhlo, Quarantined, [2290], [316919],1.0.9104 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\_metadata, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\icons, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IOBJNMHJOLOMHIIKMBGLKOMIGCMLFHLO, Quarantined, [2290], [316919],1.0.9104 File: 10 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\icons\icon128.png, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\icons\icon16.png, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\_metadata\computed_hashes.json, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\_metadata\verified_contents.json, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\background.js, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\manifest.json, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2290], [316919],1.0.9104 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [454816],1.0.9104 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [454816],1.0.9104 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.