Jump to content

Metallica

Staff
  • Content Count

    2,478
  • Joined

  • Last visited

5 Followers

About Metallica

  • Rank
    Master of PUPs
  • Birthday 05/19/1963

Profile Information

  • Location
    Netherlands

Recent Profile Visitors

169,609 profile views
  1. What is Quick Audio Converter?The Malwarebytes research team has determined that Quick Audio Converter is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a newtab and search hijacker and uses web push notifications.How do I know if my computer is affected by Quick Audio Converter?You may see this Chrome extension:these warnings during install:You may see this new startpage:this entry in your list of installed Programs and Features:and these new settings:How did Quick Audio Converter get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove Quick Audio Converter?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Quick Audio Converter? No, Malwarebytes' Anti-Malware removes Quick Audio Converter completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Quick Audio Converter hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domain: Technical details for expertsPossible signs in FRST logs: HKCU\...\Run: [IEXPLORE] => C:\Program Files\Internet Explorer\IEXPLORE.EXE hxxp://search.quickaudioconvertertab.com/?i_id=audioconverter_spt__1.30&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&source=_v2-bb9-iei-msn (the data entry has 3 more characters). <==== ATTENTION HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.quickaudioconvertertab.com/?i_id=audioconverter_spt__1.30&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&source=_v2-bb9-iei-msn SearchScopes: HKCU -> DefaultScope {20126AD1-6B9B-41E9-A3D8-B92F31CCBC31} URL = hxxp://search.quickaudioconvertertab.com/s?i_id=audioconverter_spt__1.30&source=_v2-bb9-iei&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&query={searchTerms} SearchScopes: HKCU -> {20126AD1-6B9B-41E9-A3D8-B92F31CCBC31} URL = hxxp://search.quickaudioconvertertab.com/s?i_id=audioconverter_spt__1.30&source=_v2-bb9-iei&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&query={searchTerms} CHR NewTab: Default -> Active:"chrome-extension://dhefhiblkacpepnjcdbncinodjgjapkk/index.html" CHR Extension: (Quick Audio Converter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk [2019-11-19] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Quick Audio Converter (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 5.4.0.2 - SpringTech (Cayman) Ltd.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0 Adds the file about.html"="9/26/2019 4:26 PM, 6806 bytes, A Adds the file icon.png"="11/19/2019 9:19 AM, 10358 bytes, A Adds the file index.html"="9/26/2019 4:26 PM, 625 bytes, A Adds the file main.js"="9/26/2019 4:26 PM, 8060 bytes, A Adds the file main.js.map"="9/26/2019 4:26 PM, 4605 bytes, A Adds the file manifest.json"="11/19/2019 9:19 AM, 1378 bytes, A Adds the file polyfills.js"="9/26/2019 4:26 PM, 276518 bytes, A Adds the file polyfills.js.map"="9/26/2019 4:26 PM, 271850 bytes, A Adds the file polyfills-es5.js"="9/26/2019 4:26 PM, 401061 bytes, A Adds the file polyfills-es5.js.map"="9/26/2019 4:26 PM, 299080 bytes, A Adds the file popup.html"="9/26/2019 4:26 PM, 573 bytes, A Adds the file runtime.js"="9/26/2019 4:26 PM, 6233 bytes, A Adds the file runtime.js.map"="9/26/2019 4:26 PM, 6206 bytes, A Adds the file styles.css"="9/26/2019 4:26 PM, 249 bytes, A Adds the file styles.js"="9/26/2019 4:26 PM, 17351 bytes, A Adds the file styles.js.map"="9/26/2019 4:26 PM, 20279 bytes, A Adds the file vendor.js"="9/26/2019 4:26 PM, 3734558 bytes, A Adds the file vendor.js.map"="9/26/2019 4:26 PM, 3886759 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\_metadata Adds the file computed_hashes.json"="11/19/2019 9:19 AM, 104353 bytes, A Adds the file verified_contents.json"="9/26/2019 4:26 PM, 3380 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\app Adds the file background.js"="9/26/2019 4:26 PM, 12471 bytes, A Adds the file index.js"="9/26/2019 4:26 PM, 5575 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_quickaudioconvertertab.com_0.indexeddb.leveldb Adds the file 000003.log"="11/19/2019 9:20 AM, 1047 bytes, A Adds the file CURRENT"="11/19/2019 9:19 AM, 16 bytes, A Adds the file LOCK"="11/19/2019 9:19 AM, 0 bytes, A Adds the file LOG"="11/19/2019 9:20 AM, 190 bytes, A Adds the file MANIFEST-000001"="11/19/2019 9:19 AM, 23 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk Adds the file 000003.log"="11/19/2019 9:20 AM, 67 bytes, A Adds the file CURRENT"="11/19/2019 9:19 AM, 16 bytes, A Adds the file LOCK"="11/19/2019 9:19 AM, 0 bytes, A Adds the file LOG"="11/19/2019 9:20 AM, 184 bytes, A Adds the file MANIFEST-000001"="11/19/2019 9:19 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="11/19/2019 9:15 AM, 347416 bytes, A In the existing folder C:\Users\{username}\Downloads Adds the file QuickAudioConverter-27273412.exe"="11/19/2019 9:15 AM, 1117464 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dhefhiblkacpepnjcdbncinodjgjapkk"="REG_SZ", "7BE027341D4A35EECDB258C8E18102CFA2C2B0A708BF55FE07690A15332A996B" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" ==> REG_SZ, "http://search.quickaudioconvertertab.com/?i_id=audioconverter_spt__1.30&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&source=_v2-bb9-iei-msn" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" ==> REG_SZ, "{20126AD1-6B9B-41E9-A3D8-B92F31CCBC31}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{20126AD1-6B9B-41E9-A3D8-B92F31CCBC31}] "DisplayName"="REG_SZ", "Quick Audio Converter - Powered by Yahoo!" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.quickaudioconvertertab.com/s?i_id=audioconverter_spt__1.30&source=_v2-bb9-iei&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "IEXPLORE"="REG_SZ", "C:\Program Files\Internet Explorer\IEXPLORE.EXE http://search.quickaudioconvertertab.com/?i_id=audioconverter_spt__1.30&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&source=_v2-bb9-iei-msn-su" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Quick Audio Converter" "DisplayVersion"="REG_SZ", "5.4.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "SpringTech (Cayman) Ltd." "UninstallDialog"="REG_DWORD", 2 "UninstallEngineID"="REG_SZ", "{20126AD1-6B9B-41E9-A3D8-B92F31CCBC31}" "UninstallHomepage"="REG_SZ", "http://search.quickaudioconvertertab.com/?i_id=audioconverter_spt__1.30&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&source=_v2-bb9-iei-msn" "UninstallImpression"="REG_SZ", "http://www.typeyoursearch.com/impression.do?domain=quickaudioconvertertab.com&implementation_id=audioconverter_spt__1.30&offer_id=_iei_&source=_v2-bb9-iei&sub_id=20191119&traffic_source=0&user_id=054012ce-cd8e-4406-96da-9159c3da02a9&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1574151299&sgn=907100ef78bf95073d45546b162f5a833901fdc0&subid2=11.0.9600.19540&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/19/19 Scan Time: 9:32 AM Log File: 294d1220-0aa7-11ea-94ae-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.718 Update Package Version: 1.0.15128 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233776 Threats Detected: 42 Threats Quarantined: 42 Time Elapsed: 3 min, 25 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, 157, 373879, 1.0.15128, , ame, PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{20126AD1-6B9B-41E9-A3D8-B92F31CCBC31}, Quarantined, 207, 368913, 1.0.15128, , ame, Registry Value: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{20126AD1-6B9B-41E9-A3D8-B92F31CCBC31}|URL, Quarantined, 207, 368913, 1.0.15128, , ame, PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dhefhiblkacpepnjcdbncinodjgjapkk, Quarantined, 207, 757812, , , , Registry Data: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, 207, 662623, 1.0.15128, , ame, Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, 157, 373878, 1.0.15128, , ame, PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\_metadata, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\app, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DHEFHIBLKACPEPNJCDBNCINODJGJAPKK\1.1_0, Quarantined, 207, 757812, 1.0.15128, , ame, File: 31 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, 157, 373878, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk\000003.log, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk\CURRENT, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk\LOCK, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk\LOG, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk\MANIFEST-000001, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DHEFHIBLKACPEPNJCDBNCINODJGJAPKK\1.1_0\APP\BACKGROUND.JS, Quarantined, 207, 757812, 1.0.15128, , ame, PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\app\index.js, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\_metadata\computed_hashes.json, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\_metadata\verified_contents.json, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\about.html, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\icon.png, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\index.html, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\main.js, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\main.js.map, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\manifest.json, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\polyfills-es5.js, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\polyfills-es5.js.map, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\polyfills.js, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\polyfills.js.map, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\popup.html, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\runtime.js, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\runtime.js.map, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\styles.css, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\styles.js, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\styles.js.map, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\vendor.js, Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\vendor.js.map, Quarantined, 207, 757812, , , , PUP.Optional.Spigot, C:\USERS\{username}\DOWNLOADS\QUICKAUDIOCONVERTER-27273412.EXE, Quarantined, 157, 756784, 1.0.15128, D7795909B8C4DB37C7A293AB, dds, 00464144 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is PC Mechanic Plus?The Malwarebytes research team has determined that PC Mechanic Plus is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with PC Mechanic Plus?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and this type of screens during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did PC Mechanic Plus get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove PC Mechanic Plus?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PC Mechanic Plus? No, Malwarebytes removes PC Mechanic Plus completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the PC Mechanic Plus installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Program Files (x86)\PC Mechanic Plus\pcmechanicplus.exe (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Program Files (x86)\PC Mechanic Plus\pcmechanicplus_protection.exe Task: {4106AEC0-DB24-4388-AF73-C4D705152F07} - System32\Tasks\PC Mechanic Plus => C:\Program Files (x86)\PC Mechanic Plus\pcmechanicplus.exe [9475888 2019-10-29] (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) Task: {FACC3246-37AD-428A-BB62-49B0A1C64C48} - System32\Tasks\PC Mechanic Plus Protection Startup => C:\Program Files (x86)\PC Mechanic Plus\pcmechanicplus_protection.exe [341296 2019-10-29] (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Windows\system32\Tasks\PC Mechanic Plus Protection Startup C:\Windows\system32\Tasks\PC Mechanic Plus C:\Users\Public\Desktop\PC Mechanic Plus.lnk C:\ProgramData\Desktop\PC Mechanic Plus.lnk C:\Users\{username}\AppData\Roaming\PC Mechanic Plus C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Mechanic Plus C:\Program Files (x86)\PC Mechanic Plus PC Mechanic Plus (HKLM-x32\...\{E4CEFAE2-819E-4D71-90AB-915DCF23F43B}}_is1) (Version: V1.0.0 - Econosoft Global Services Pte. Ltd.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\PC Mechanic Plus Adds the file Core.dll"="8/5/2019 9:20 PM, 237568 bytes, A Adds the file DiscUtils.Common.dll"="6/14/2013 6:28 PM, 30376 bytes, A Adds the file DiscUtils.Common.pdb"="6/14/2013 6:28 PM, 50688 bytes, A Adds the file DiscUtils.Common.xml"="6/14/2013 6:28 PM, 2009 bytes, A Adds the file DiscUtils.dll"="6/14/2013 6:28 PM, 1001640 bytes, A Adds the file DiscUtils.pdb"="6/14/2013 6:28 PM, 2926080 bytes, A Adds the file DiscUtils.xml"="6/14/2013 6:28 PM, 862466 bytes, A Adds the file DynamicDataDisplay.dll"="8/5/2019 9:20 PM, 316416 bytes, A Adds the file errordetailsOpt.xml"="11/18/2019 9:24 AM, 637636 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="10/29/2019 2:47 AM, 37376 bytes, A Adds the file logo.ico"="10/24/2019 7:33 AM, 21662 bytes, A Adds the file Microsoft.Data.Edm.dll"="3/26/2015 1:35 AM, 659120 bytes, A Adds the file Microsoft.Data.Edm.xml"="3/26/2015 1:20 AM, 654503 bytes, A Adds the file Microsoft.Data.OData.dll"="3/26/2015 1:35 AM, 1520808 bytes, A Adds the file Microsoft.Data.OData.xml"="3/26/2015 1:23 AM, 3709853 bytes, A Adds the file Microsoft.Data.Services.Client.dll"="3/26/2015 1:35 AM, 667304 bytes, A Adds the file Microsoft.Data.Services.Client.xml"="3/26/2015 1:24 AM, 1459578 bytes, A Adds the file Microsoft.Data.Services.dll"="3/26/2015 1:35 AM, 911528 bytes, A Adds the file Microsoft.Data.Services.xml"="3/26/2015 1:25 AM, 1926679 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="8/5/2019 9:20 PM, 171008 bytes, A Adds the file pcmechanicplus.exe"="10/29/2019 2:50 AM, 9475888 bytes, A Adds the file pcmechanicplus_protection.exe"="10/29/2019 2:50 AM, 341296 bytes, A Adds the file SharpCompress.dll"="8/20/2019 8:38 PM, 530944 bytes, A Adds the file System.Data.SQLite.dll"="6/8/2019 5:50 PM, 360448 bytes, A Adds the file System.Data.SQLite.xml"="6/8/2019 5:50 PM, 1089145 bytes, A Adds the file System.Spatial.dll"="3/26/2015 1:35 AM, 118448 bytes, A Adds the file System.Spatial.xml"="3/26/2015 1:20 AM, 366878 bytes, A Adds the file System.Windows.Controls.Layout.Toolkit.dll"="8/5/2019 9:20 PM, 95064 bytes, A Adds the file unins000.dat"="11/18/2019 9:19 AM, 59331 bytes, A Adds the file unins000.exe"="11/18/2019 9:19 AM, 2556720 bytes, A Adds the file unins000.msg"="11/18/2019 9:19 AM, 23077 bytes, A Adds the file WpfAnimatedGif.dll"="2/15/2019 5:06 PM, 40448 bytes, A Adds the file WpfAnimatedGif.xml"="2/15/2019 5:06 PM, 11262 bytes, A Adds the file WPFToolkit.dll"="8/5/2019 9:20 PM, 467288 bytes, A Adds the folder C:\Program Files (x86)\PC Mechanic Plus\Backup Adds the file 2019_10_25_025216.xml"="10/25/2019 3:52 AM, 65 bytes, A Adds the folder C:\Program Files (x86)\PC Mechanic Plus\de Adds the file pcmechanicplus.resources.dll"="10/29/2019 2:50 AM, 78848 bytes, A Adds the file Uninstaller.resources.dll"="10/24/2019 5:43 AM, 78336 bytes, A Adds the folder C:\Program Files (x86)\PC Mechanic Plus\uni Adds the file System.Data.SQLite.dll"="6/8/2019 5:50 PM, 360448 bytes, A Adds the file System.Data.SQLite.xml"="6/8/2019 5:50 PM, 1089145 bytes, A Adds the file Uninstaller.exe"="10/29/2019 2:50 AM, 631088 bytes, A Adds the folder C:\Program Files (x86)\PC Mechanic Plus\uni\de Adds the file Uninstaller.resources.dll"="10/29/2019 2:50 AM, 78336 bytes, A Adds the file Uninstaller.resources.dll"="10/29/2019 2:50 AM, 88576 bytes, A Adds the folder C:\Program Files (x86)\PC Mechanic Plus\uni\x64 Adds the file SQLite.Interop.dll"="6/8/2019 5:51 PM, 1632256 bytes, A Adds the folder C:\Program Files (x86)\PC Mechanic Plus\uni\x86 Adds the file SQLite.Interop.dll"="6/8/2019 5:46 PM, 1240064 bytes, A Adds the folder C:\Program Files (x86)\PC Mechanic Plus\x64 Adds the file SQLite.Interop.dll"="6/8/2019 5:51 PM, 1632256 bytes, A Adds the folder C:\Program Files (x86)\PC Mechanic Plus\x86 Adds the file SQLite.Interop.dll"="6/8/2019 5:46 PM, 1240064 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Mechanic Plus Adds the file PC Mechanic Plus.lnk"="11/18/2019 9:19 AM, 1203 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\PC Mechanic Plus\PC Repair Online\setting Adds the file PMP_sett.ash"="11/18/2019 9:24 AM, 425984 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file PC Mechanic Plus.lnk"="11/18/2019 9:19 AM, 1185 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file PC Mechanic Plus"="11/18/2019 9:20 AM, 3248 bytes, A Adds the file PC Mechanic Plus Protection Startup"="11/18/2019 9:20 AM, 3270 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\FT\PMP\Activation] "Insdate"="REG_SZ", "/LLUIMuYH1T6hRj9UjJDS9kUCb23i+18u6OHoSd2cTg=" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "lap"="REG_SZ", "3e04E4g4NQdCpq7hu8KRlfyJ5tpx1j2NvqsggPsi+rU=" "lbp"="REG_SZ", "3e04E4g4NQdCpq7hu8KRlfyJ5tpx1j2NvqsggPsi+rU=" "lr"="REG_SZ", "3e04E4g4NQdCpq7hu8KRlfyJ5tpx1j2NvqsggPsi+rU=" "lsp"="REG_SZ", "3e04E4g4NQdCpq7hu8KRlfyJ5tpx1j2NvqsggPsi+rU=" "PN"="REG_SZ", "1-888-200-8889" "Program"="REG_SZ", "PC Mechanic Plus" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FT\PMP\Activation] "IsTrack"="REG_SZ", "1" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "Program"="REG_SZ", "PC Mechanic Plus" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E4CEFAE2-819E-4D71-90AB-915DCF23F43B}}_is1] "Comments"="REG_SZ", "PC Mechanic Plus" "Contact"="REG_SZ", "+(888)200-889" "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\PC Mechanic Plus\logo.ico" "DisplayName"="REG_SZ", "PC Mechanic Plus" "DisplayVersion"="REG_SZ", "V1.0.0" "EstimatedSize"="REG_DWORD", 40435 "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\PC Mechanic Plus" "Inno Setup: Icon Group"="REG_SZ", "PC Mechanic Plus" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "6.0.2 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20191118" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\PC Mechanic Plus\" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Econosoft Global Services Pte. Ltd." "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\PC Mechanic Plus\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\PC Mechanic Plus\unins000.exe"" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/18/19 Scan Time: 9:35 AM Log File: 59cbc17c-09de-11ea-a708-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.718 Update Package Version: 1.0.15088 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233805 Threats Detected: 109 Threats Quarantined: 109 Time Elapsed: 8 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\pcmechanicplus.exe, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\pcmechanicplus_protection.exe, Quarantined, 593, 761836, , , , Module: 4 PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\x64\SQLite.Interop.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\x64\SQLite.Interop.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\pcmechanicplus.exe, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\pcmechanicplus_protection.exe, Quarantined, 593, 761836, , , , Registry Key: 11 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\WOW6432NODE\FT\PMP, Quarantined, 1410, 711536, 1.0.15088, , ame, PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\FT\PMP, Quarantined, 1410, 711536, 1.0.15088, , ame, PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\TRACING\pcmechanicplus_RASAPI32, Quarantined, 593, 761842, 1.0.15088, , ame, PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\TRACING\pcmechanicplus_RASMANCS, Quarantined, 593, 761842, 1.0.15088, , ame, PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Mechanic Plus, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{4106AEC0-DB24-4388-AF73-C4D705152F07}, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{4106AEC0-DB24-4388-AF73-C4D705152F07}, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Mechanic Plus Protection Startup, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FACC3246-37AD-428A-BB62-49B0A1C64C48}, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{FACC3246-37AD-428A-BB62-49B0A1C64C48}, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E4CEFAE2-819E-4D71-90AB-915DCF23F43B}}_is1, Quarantined, 593, 761836, , , , Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\ja-jp, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\x64, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\x86, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\de, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\en, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\fr, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\ja-jp, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\x64, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\x86, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\de, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\en, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\fr, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PC MECHANIC PLUS, Quarantined, 593, 761840, 1.0.15088, , ame, PUP.Optional.PCBooster, C:\Users\{username}\AppData\Roaming\PC Mechanic Plus\PC Repair Online\setting, Quarantined, 593, 761841, , , , PUP.Optional.PCBooster, C:\Users\{username}\AppData\Roaming\PC Mechanic Plus\PC Repair Online, Quarantined, 593, 761841, , , , PUP.Optional.PCBooster, C:\USERS\{username}\APPDATA\ROAMING\PC MECHANIC PLUS, Quarantined, 593, 761841, 1.0.15088, , ame, File: 73 PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_29_010411.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_25_025216.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_25_030630.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_25_030653.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_25_030702.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_25_030730.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_25_030741.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_25_031606.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_25_031659.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_25_034144.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_28_023829.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_28_033902.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_29_002103.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_29_002116.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_29_002328.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_29_002502.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_29_014449.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Backup\2019_10_29_014811.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\de\pcmechanicplus.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\de\Uninstaller.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\en\pcmechanicplus.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\en\Uninstaller.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\fr\pcmechanicplus.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\fr\Uninstaller.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\ja-jp\pcmechanicplus.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\ja-jp\Uninstaller.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\de\Uninstaller.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\en\Uninstaller.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\fr\Uninstaller.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\ja-jp\Uninstaller.resources.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\x64\SQLite.Interop.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\x86\SQLite.Interop.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\System.Data.SQLite.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\System.Data.SQLite.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\uni\Uninstaller.exe, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\x64\SQLite.Interop.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\x86\SQLite.Interop.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Interop.IWshRuntimeLibrary.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Core.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\DiscUtils.Common.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\DiscUtils.Common.pdb, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\DiscUtils.Common.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\DiscUtils.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\DiscUtils.pdb, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\DiscUtils.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\DynamicDataDisplay.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\errordetailsOpt.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\logo.ico, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Microsoft.Data.Edm.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Microsoft.Data.OData.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Microsoft.Data.Services.Client.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Microsoft.Data.Services.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\Microsoft.Win32.TaskScheduler.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\pcmechanicplus.exe, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\pcmechanicplus_protection.exe, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\SharpCompress.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\System.Data.SQLite.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\System.Data.SQLite.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\System.Spatial.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\unins000.dat, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\unins000.exe, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\unins000.msg, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\WpfAnimatedGif.dll, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\Program Files (x86)\PC Mechanic Plus\WpfAnimatedGif.xml, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\WINDOWS\SYSTEM32\TASKS\PC Mechanic Plus, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\PC Mechanic Plus.lnk, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\USERS\PUBLIC\Desktop\PC Mechanic Plus.lnk, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\WINDOWS\SYSTEM32\TASKS\PC Mechanic Plus Protection Startup, Quarantined, 593, 761836, , , , PUP.Optional.PCBooster, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Mechanic Plus\PC Mechanic Plus.lnk, Quarantined, 593, 761840, , , , PUP.Optional.PCBooster, C:\Users\{username}\AppData\Roaming\PC Mechanic Plus\PC Repair Online\setting\PMP_sett.ash, Quarantined, 593, 761841, , , , PUP.Optional.PCBooster, C:\USERS\{username}\APPDATA\LOCAL\TEMP\IS-MBDKU.TMP\PCMECHANICPLUS.TMP, Quarantined, 593, 711523, 1.0.15088, , ame, PUP.Optional.PCBooster, C:\USERS\{username}\APPDATA\LOCAL\TEMP\7ZIPSFX.000\PCMECHANICPLUS.EXE, Quarantined, 593, 711523, 1.0.15088, 22B575820D45420969C4E126, dds, 00462655 PUP.Optional.PCBooster, C:\USERS\{username}\DOWNLOADS\PCMECHANICPLUS.EXE, Quarantined, 593, 749298, 1.0.15088, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is Email Search Tools?The Malwarebytes research team has determined that Email Search Tools is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Email Search Tools?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Email Search Tools get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Email Search Tools?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Email Search Tools? No, Malwarebytes removes Email Search Tools completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Email Search Tools hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://search.emailsearchtools.com/s?query={searchTerms} CHR DefaultSearchKeyword: Default -> email CHR Extension: (EmailSearchTools) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb [2019-11-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0 Adds the file background.js"="9/18/2019 1:42 PM, 14032 bytes, A Adds the file icon.png"="11/15/2019 9:12 AM, 5491 bytes, A Adds the file manifest.json"="11/15/2019 9:12 AM, 1554 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\_locales\en Adds the file messages.json"="11/15/2019 9:12 AM, 266 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\_metadata Adds the file computed_hashes.json"="11/15/2019 9:12 AM, 630 bytes, A Adds the file verified_contents.json"="9/18/2019 11:23 AM, 1893 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\css Adds the file description.css"="5/3/2018 4:42 PM, 1008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\html\popup Adds the file description.html"="9/5/2019 2:07 PM, 240 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb Adds the file 000003.log"="11/15/2019 9:12 AM, 168 bytes, A Adds the file CURRENT"="11/15/2019 9:12 AM, 16 bytes, A Adds the file LOCK"="11/15/2019 9:12 AM, 0 bytes, A Adds the file LOG"="11/15/2019 9:12 AM, 183 bytes, A Adds the file MANIFEST-000001"="11/15/2019 9:12 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jghejomglpmejfcphjbfeplpdndfccbb"="REG_SZ", "A9322B76617230A96887AEEB8993C10B62005A0728B26F171B4E0708000AC09C" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/15/19 Scan Time: 9:22 AM Log File: 20bbffdc-0781-11ea-8ad9-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.718 Update Package Version: 1.0.14948 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233906 Threats Detected: 25 Threats Quarantined: 25 Time Elapsed: 4 min, 53 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jghejomglpmejfcphjbfeplpdndfccbb, Quarantined, 208, 575422, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\_locales\en, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\html\popup, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\_metadata, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\_locales, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\html, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\css, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JGHEJOMGLPMEJFCPHJBFEPLPDNDFCCBB, Quarantined, 208, 575422, 1.0.14948, , ame, File: 15 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\000003.log, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\CURRENT, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\LOCK, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\LOG, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\MANIFEST-000001, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JGHEJOMGLPMEJFCPHJBFEPLPDNDFCCBB\1.1_0\BACKGROUND.JS, Quarantined, 208, 575422, 1.0.14948, , ame, PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\css\description.css, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\html\popup\description.html, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\_locales\en\messages.json, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\_metadata\computed_hashes.json, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\_metadata\verified_contents.json, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\icon.png, Quarantined, 208, 575422, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.1_0\manifest.json, Quarantined, 208, 575422, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is Find My Nascar Lineup?The Malwarebytes research team has determined that Find My Nascar Lineup is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Find My Nascar Lineup?You may see this Chrome extension:these warnings during install:You may see this new startpage:and these new settings:How did Find My Nascar Lineup get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website:How do I remove Find My Nascar Lineup?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Find My Nascar Lineup? No, Malwarebytes' Anti-Malware removes Find My Nascar Lineup completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Find My Nascar Lineup hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and both Malwarebytes Premium and Malwarebytes Browser Guard blick their domains: Technical details for expertsPossible signs in FRST logs: HKCU\...\Run: [IEXPLORE] => C:\Program Files\Internet Explorer\IEXPLORE.EXE hxxp://search.findmynascarlineuptab.com/?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&uc=20191114&ap=appfocus553&source=_v1-bb9-iei-ms (the data entry has 4 more characters). <==== ATTENTION HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.findmynascarlineuptab.com/?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&uc=20191114&ap=appfocus553&source=_v1-bb9-iei-msn SearchScopes: HKCU -> DefaultScope {C447DB56-4C55-4194-82D4-66CA6C1AE688} URL = hxxp://search.findmynascarlineuptab.com/s?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&source=_v1-bb9-iei&uc=20191114&ap=appfocus553&query={searchTerms} SearchScopes: HKCU -> {C447DB56-4C55-4194-82D4-66CA6C1AE688} URL = hxxp://search.findmynascarlineuptab.com/s?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&source=_v1-bb9-iei&uc=20191114&ap=appfocus553&query={searchTerms} CHR NewTab: Default -> Active:"chrome-extension://mkdmnkkfdcpcfkdhbifiibojplamoene/index.html" CHR Extension: (Find My Nascar Lineup) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene [2019-11-14] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} (SpringTech (Cayman) Ltd.) C:\Users\{username}\Desktop\FindMyNascarLineup.exe Find My Nascar Lineup (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 5.4.0.2 - SpringTech (Cayman) Ltd.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0 Adds the file about.html"="10/7/2019 4:21 AM, 6802 bytes, A Adds the file icon.png"="11/14/2019 9:11 AM, 7123 bytes, A Adds the file index.html"="10/7/2019 4:21 AM, 625 bytes, A Adds the file main.js"="10/7/2019 4:21 AM, 8115 bytes, A Adds the file main.js.map"="10/7/2019 4:21 AM, 4604 bytes, A Adds the file manifest.json"="11/14/2019 9:11 AM, 1375 bytes, A Adds the file polyfills.js"="10/7/2019 4:21 AM, 276518 bytes, A Adds the file polyfills.js.map"="10/7/2019 4:21 AM, 271850 bytes, A Adds the file polyfills-es5.js"="10/7/2019 4:21 AM, 401061 bytes, A Adds the file polyfills-es5.js.map"="10/7/2019 4:21 AM, 299080 bytes, A Adds the file popup.html"="10/7/2019 4:21 AM, 570 bytes, A Adds the file runtime.js"="10/7/2019 4:21 AM, 6233 bytes, A Adds the file runtime.js.map"="10/7/2019 4:21 AM, 6206 bytes, A Adds the file styles.css"="10/7/2019 4:21 AM, 249 bytes, A Adds the file styles.js"="10/7/2019 4:21 AM, 17351 bytes, A Adds the file styles.js.map"="10/7/2019 4:21 AM, 20279 bytes, A Adds the file vendor.js"="10/7/2019 4:21 AM, 3734558 bytes, A Adds the file vendor.js.map"="10/7/2019 4:21 AM, 3886759 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\_metadata Adds the file computed_hashes.json"="11/14/2019 9:11 AM, 104353 bytes, A Adds the file verified_contents.json"="10/7/2019 4:21 AM, 3380 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\app Adds the file background.js"="10/7/2019 4:21 AM, 12302 bytes, A Adds the file index.js"="10/7/2019 4:21 AM, 5571 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene Adds the file 000003.log"="11/14/2019 9:11 AM, 67 bytes, A Adds the file CURRENT"="11/14/2019 9:11 AM, 16 bytes, A Adds the file LOCK"="11/14/2019 9:11 AM, 0 bytes, A Adds the file LOG"="11/14/2019 9:11 AM, 184 bytes, A Adds the file MANIFEST-000001"="11/14/2019 9:11 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="11/14/2019 9:07 AM, 347416 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mkdmnkkfdcpcfkdhbifiibojplamoene"="REG_SZ", "41D4CF9CDC198CC27559220CAD8AC76F546BE4C3F5D87EA6942BAC565DB835B5" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.findmynascarlineuptab.com/?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&uc=20191114&ap=appfocus553&source=_v1-bb9-iei-msn" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{C447DB56-4C55-4194-82D4-66CA6C1AE688}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C447DB56-4C55-4194-82D4-66CA6C1AE688}] "DisplayName"="REG_SZ", "Find My Nascar Lineup - Powered by Yahoo!" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.findmynascarlineuptab.com/s?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&source=_v1-bb9-iei&uc=20191114&ap=appfocus553&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "IEXPLORE"="REG_SZ", "C:\Program Files\Internet Explorer\IEXPLORE.EXE http://search.findmynascarlineuptab.com/?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&uc=20191114&ap=appfocus553&source=_v1-bb9-iei-msn-su" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Find My Nascar Lineup" "DisplayVersion"="REG_SZ", "5.4.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "SpringTech (Cayman) Ltd." "UninstallDialog"="REG_DWORD", 2 "UninstallEngineID"="REG_SZ", "{C447DB56-4C55-4194-82D4-66CA6C1AE688}" "UninstallHomepage"="REG_SZ", "http://search.findmynascarlineuptab.com/?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&uc=20191114&ap=appfocus553&source=_v1-bb9-iei-msn" "UninstallImpression"="REG_SZ", "http://www.typeyoursearch.com/impression.do?domain=findmynascarlineuptab.com&implementation_id=sports_spt__1.30&offer_id=_iei_&source=_v1-bb9-iei&sub_id=20191114&traffic_source=appfocus553&user_id=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1573718519&sgn=9eecabf785db3129d9ed321158247c50cb04009f&subid2=11.0.9600.19507&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/14/19 Scan Time: 9:21 AM Log File: b1e51e00-06b7-11ea-a362-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.718 Update Package Version: 1.0.14910 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233925 Threats Detected: 40 Threats Quarantined: 40 Time Elapsed: 5 min, 44 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, 158, 373878, , , , Registry Value: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|IEXPLORE, Quarantined, 208, 757195, 1.0.14910, , ame, PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|mkdmnkkfdcpcfkdhbifiibojplamoene, Quarantined, 208, 757812, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, 158, 373878, 1.0.14910, , ame, PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\_metadata, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\app, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MKDMNKKFDCPCFKDHBIFIIBOJPLAMOENE\1.1_0, Quarantined, 208, 757812, 1.0.14910, , ame, File: 31 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, 158, 373878, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene\000003.log, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene\CURRENT, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene\LOCK, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene\LOG, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene\MANIFEST-000001, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MKDMNKKFDCPCFKDHBIFIIBOJPLAMOENE\1.1_0\APP\BACKGROUND.JS, Quarantined, 208, 757812, 1.0.14910, , ame, PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\app\index.js, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\_metadata\computed_hashes.json, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\_metadata\verified_contents.json, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\about.html, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\icon.png, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\index.html, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\main.js, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\main.js.map, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\manifest.json, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\polyfills-es5.js, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\polyfills-es5.js.map, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\polyfills.js, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\polyfills.js.map, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\popup.html, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\runtime.js, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\runtime.js.map, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\styles.css, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\styles.js, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\styles.js.map, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\vendor.js, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\vendor.js.map, Quarantined, 208, 757812, , , , PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\FINDMYNASCARLINEUP.EXE, Quarantined, 158, 756784, 1.0.14910, D7795909B8C4DB37C7A293AB, dds, 00456916 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Search Selector?The Malwarebytes research team has determined that Search Selector is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Search Selector?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Search Selector get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:How do I remove Search Selector?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Search Selector? No, Malwarebytes removes Search Selector completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://selected-search.com/search?q={searchTerms}& CHR DefaultSearchKeyword: Default -> ss CHR Extension: (Search Selector) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip [2019-11-13] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0 Adds the file About.pdf"="9/11/2019 12:31 PM, 62988 bytes, A Adds the file manifest.json"="11/13/2019 9:00 AM, 1938 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\_metadata Adds the file computed_hashes.json"="11/13/2019 9:01 AM, 12000 bytes, A Adds the file verified_contents.json"="9/11/2019 12:28 PM, 4525 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\css Adds the file popup.css"="9/11/2019 10:34 AM, 124 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\html Adds the file popup.html"="9/11/2019 10:34 AM, 1007 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\engines Adds the file bing.png"="9/11/2019 10:34 AM, 16569 bytes, A Adds the file google.png"="9/11/2019 10:34 AM, 21125 bytes, A Adds the file yahoo.png"="9/11/2019 10:34 AM, 49488 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\icons Adds the file 128.png"="11/13/2019 9:00 AM, 4052 bytes, A Adds the file 16.png"="11/13/2019 9:00 AM, 468 bytes, A Adds the file 256.png"="11/13/2019 9:00 AM, 9206 bytes, A Adds the file 32.png"="11/13/2019 9:00 AM, 991 bytes, A Adds the file 48.png"="11/13/2019 9:00 AM, 1816 bytes, A Adds the file 64.png"="11/13/2019 9:00 AM, 2141 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs Adds the file jquery.autocomplete.js"="9/11/2019 10:34 AM, 33061 bytes, A Adds the file jquery.js"="9/11/2019 10:34 AM, 247597 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\css Adds the file bootstrap.css"="9/11/2019 10:34 AM, 146082 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\fonts Adds the file glyphicons-halflings-regular.eot"="9/11/2019 10:34 AM, 20127 bytes, A Adds the file glyphicons-halflings-regular.svg"="9/11/2019 10:34 AM, 108738 bytes, A Adds the file glyphicons-halflings-regular.ttf"="9/11/2019 10:34 AM, 45404 bytes, A Adds the file glyphicons-halflings-regular.woff"="9/11/2019 10:34 AM, 23424 bytes, A Adds the file glyphicons-halflings-regular.woff2"="9/11/2019 10:34 AM, 18028 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\js Adds the file bootstrap.js"="9/11/2019 10:34 AM, 68954 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\scripts Adds the file background.js"="9/11/2019 12:33 PM, 1320 bytes, A Adds the file consts.js"="9/11/2019 10:34 AM, 871 bytes, A Adds the file popup.js"="9/11/2019 10:34 AM, 341 bytes, A Adds the file utils.js"="9/11/2019 10:34 AM, 3018 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "egenicdiafgbhogabodhpfcbcgnpocip"="REG_SZ", "C28C0190CA7F6DA54CAC043EB51AE06F71D667D55D5CB4A3962FD7EEC36A64BC" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/13/19 Scan Time: 9:13 AM Log File: 6f9c8af8-05ed-11ea-b5b8-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.718 Update Package Version: 1.0.14864 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233922 Threats Detected: 46 Threats Quarantined: 46 Time Elapsed: 5 min, 32 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SelectedSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|egenicdiafgbhogabodhpfcbcgnpocip, Quarantined, 281, 757187, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\fonts, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\css, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\js, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\engines, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\icons, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\_metadata, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\scripts, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\html, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\css, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EGENICDIAFGBHOGABODHPFCBCGNPOCIP, Quarantined, 281, 757187, 1.0.14864, , ame, File: 31 PUP.Optional.SelectedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EGENICDIAFGBHOGABODHPFCBCGNPOCIP\2.0_0\MANIFEST.JSON, Quarantined, 281, 757187, 1.0.14864, , ame, PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\css\popup.css, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\html\popup.html, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\engines\bing.png, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\engines\google.png, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\engines\yahoo.png, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\icons\128.png, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\icons\16.png, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\icons\256.png, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\icons\32.png, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\icons\48.png, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\images\icons\64.png, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\css\bootstrap.css, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\fonts\glyphicons-halflings-regular.eot, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\fonts\glyphicons-halflings-regular.svg, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\fonts\glyphicons-halflings-regular.ttf, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\fonts\glyphicons-halflings-regular.woff, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\fonts\glyphicons-halflings-regular.woff2, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\bootstrap\js\bootstrap.js, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\jquery.autocomplete.js, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\libs\jquery.js, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\scripts\background.js, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\scripts\consts.js, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\scripts\popup.js, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\scripts\utils.js, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\_metadata\computed_hashes.json, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\_metadata\verified_contents.json, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\egenicdiafgbhogabodhpfcbcgnpocip\2.0_0\About.pdf, Quarantined, 281, 757187, , , , PUP.Optional.SelectedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 281, 757186, 1.0.14864, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) The full version of Malwarebytes can protect your computer against this type of threats.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Full System Care?The Malwarebytes research team has determined that Full System Care is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Full System Care?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this type of screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did Full System Care get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Full System Care?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Full System Care? No, Malwarebytes removes Full System Care completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Full System Care installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and both Malwarebytes Premium and Browser Guard block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (RADIANT PC TOOLS -> ) C:\Program Files\Full~System~Care_{username}\pglc.exe Task: {9F9A5F83-9388-4D2C-AC22-E49C9FCDD7AF} - System32\Tasks\Full~System~Care_Logon => C:\Program Files\Full~System~Care_{username}\pglc.exe [2223792 2019-11-04] (RADIANT PC TOOLS -> ) C:\Users\{username}\AppData\Roaming\Full~System~Care_{username} C:\Windows\system32\Tasks\Full~System~Care_Logon C:\Users\Public\Desktop\Full~System~Care.lnk C:\ProgramData\Desktop\Full~System~Care.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Full~System~Care_{username} C:\ProgramData\Full~System~Care_{username} C:\Program Files\Full~System~Care_{username} Full~System~Care (HKLM\...\{2512EAFE-B7D4-4D00-A1BD-782C01F797CC}_is1) (Version: 1.0.0.2 - ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Full~System~Care_{username} Adds the file application.ico"="11/4/2019 7:31 PM, 56164 bytes, A Adds the file HtmlRenderer.dll"="11/4/2019 8:00 PM, 235184 bytes, A Adds the file HtmlRenderer.WinForms.dll"="11/4/2019 8:00 PM, 73904 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="11/4/2019 8:00 PM, 62640 bytes, A Adds the file Interop.SHDocVw.dll"="11/4/2019 8:00 PM, 177328 bytes, A Adds the file kimg.dll"="11/4/2019 8:00 PM, 813232 bytes, A Adds the file langs.db"="10/17/2019 6:45 PM, 486400 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="11/4/2019 8:00 PM, 184496 bytes, A Adds the file NAudio.dll"="11/4/2019 8:00 PM, 484528 bytes, A Adds the file Newtonsoft.Json.dll"="11/4/2019 8:00 PM, 474288 bytes, A Adds the file norwegian_iss.ini"="5/29/2019 4:54 PM, 2358 bytes, A Adds the file pglc.exe"="11/4/2019 8:00 PM, 2223792 bytes, A Adds the file pglc.exe.config"="11/4/2019 8:00 PM, 4525 bytes, A Adds the file System.Data.SQLite.DLL"="11/4/2019 8:00 PM, 304304 bytes, A Adds the file TAFactory.IconPack.dll"="11/4/2019 8:00 PM, 50352 bytes, A Adds the file unins000.dat"="11/12/2019 9:37 AM, 75183 bytes, A Adds the file unins000.exe"="11/12/2019 9:36 AM, 1242288 bytes, A Adds the file unins000.msg"="11/12/2019 9:37 AM, 22701 bytes, A Adds the folder C:\Program Files\Full~System~Care_{username}\x64 Adds the file SQLite.Interop.dll"="11/4/2019 8:00 PM, 1189040 bytes, A Adds the folder C:\Program Files\Full~System~Care_{username}\x86 Adds the file SQLite.Interop.dll"="11/4/2019 8:00 PM, 868016 bytes, A Adds the folder C:\ProgramData\Full~System~Care_{username} Adds the file mdb.db"="6/25/2019 7:28 PM, 6643712 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Full~System~Care_{username} Adds the file Buy Full~System~Care.lnk"="11/12/2019 9:37 AM, 944 bytes, A Adds the file Full~System~Care.lnk"="11/12/2019 9:37 AM, 932 bytes, A Adds the file Uninstall Full~System~Care.lnk"="11/12/2019 9:37 AM, 956 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Full~System~Care_{username} Adds the file aptnotfr.xml"="11/12/2019 9:37 AM, 8082 bytes, A Adds the file Errorlog.txt"="11/12/2019 9:43 AM, 20804 bytes, A Adds the file exlist.bin"="11/12/2019 9:37 AM, 258007 bytes, A Adds the file res.xml"="11/12/2019 9:40 AM, 16123 bytes, A Adds the file upt.xml"="11/12/2019 9:37 AM, 24518 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Full~System~Care_{username}\smico In the existing folder C:\Users\Public\Desktop Adds the file Full~System~Care.lnk"="11/12/2019 9:37 AM, 914 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Full~System~Care_Logon"="11/12/2019 9:37 AM, 3062 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Full~System~Care_{username}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.abrpc-tunetools.bid/install/fsc/?" "apst"="REG_DWORD", 0 "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delayfront"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, .................................................................. "Installstring"="REG_SZ", "C:\Program Files\Full~System~Care_{username}" "ipaddrurl"="REG_SZ", "http://ins.abrpc-tunetools.bid/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 1 "ISTELNO"="REG_DWORD", 0 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 40 "lstscandate"="REG_SZ", "11/12/2019 9:40:58 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 40 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.xscactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://www.syscarestore.com/fsc/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://www.syscarestore.com/fsc/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.abrpc-tunetools.bid/help/" "TELNO"="REG_SZ", "855-446-9808" "TELNO_ar"="REG_SZ", "" "TELNO_at"="REG_SZ", "" "TELNO_au"="REG_SZ", "" "TELNO_be"="REG_SZ", "" "TELNO_br"="REG_SZ", "" "TELNO_ca"="REG_SZ", "855-446-9808" "TELNO_ch"="REG_SZ", "" "TELNO_de"="REG_SZ", "" "TELNO_dk"="REG_SZ", "" "TELNO_es"="REG_SZ", "" "TELNO_fi"="REG_SZ", "" "TELNO_fr"="REG_SZ", "" "TELNO_gb"="REG_SZ", "" "TELNO_it"="REG_SZ", "" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "" "TELNO_nl"="REG_SZ", "" "TELNO_no"="REG_SZ", "" "TELNO_pt"="REG_SZ", "" "TELNO_se"="REG_SZ", "" "TELNO_uk"="REG_SZ", "" "TELNO_us"="REG_SZ", "855-446-9808" "WebURL"="REG_SZ", "http://www.abrpc-tunetools.bid/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "{user_IP}" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2512EAFE-B7D4-4D00-A1BD-782C01F797CC}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Full~System~Care_{username}\pglc.exe" "DisplayName"="REG_SZ", "Full~System~Care" "DisplayVersion"="REG_SZ", "1.0.0.2" "EstimatedSize"="REG_DWORD", 16034 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Full~System~Care_{username}" "Inno Setup: Icon Group"="REG_SZ", "Full~System~Care_{username}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20191112" "InstallLocation"="REG_SZ", "C:\Program Files\Full~System~Care_{username}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Full~System~Care_{username}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Full~System~Care_{username}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\RnVsbH5TeXN0ZW1+Q2FyZQ==\ACT] "data"="REG_BINARY, ................................................................................. [HKEY_LOCAL_MACHINE\SOFTWARE\xsc-pr] "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\Full~System~Care_{username}] "affiliateid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\Full~System~Care_{username}" "LangCode"="REG_SZ", "en" "utm_medium"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "{user_IP}" [HKEY_CURRENT_USER\Software\Full~System~Care_{username}\1.0.0.2] "Installstring"="REG_SZ", "C:\Program Files\Full~System~Care_{username}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/12/19 Scan Time: 9:53 AM Log File: e6ebc994-0529-11ea-8b34-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.718 Update Package Version: 1.0.14826 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233959 Threats Detected: 72 Threats Quarantined: 72 Time Elapsed: 6 min, 15 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\pglc.exe, Quarantined, 491, 760279, , , , Module: 6 PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\x64\SQLite.Interop.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\pglc.exe, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\System.Data.SQLite.DLL, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\TAFactory.IconPack.dll, Quarantined, 491, 760279, , , , Registry Key: 8 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9F9A5F83-9388-4D2C-AC22-E49C9FCDD7AF}, Quarantined, 491, 760276, , , , PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{9F9A5F83-9388-4D2C-AC22-E49C9FCDD7AF}, Quarantined, 491, 760276, , , , PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Full~System~Care_Logon, Quarantined, 491, 760276, 1.0.14826, , ame, PUP.Optional.PCVARK, HKLM\SOFTWARE\Full~System~Care_{username}, Quarantined, 491, 760283, 1.0.14826, , ame, PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{2512EAFE-B7D4-4D00-A1BD-782C01F797CC}_is1, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, HKLM\SOFTWARE\RnVsbH5TeXN0ZW1+Q2FyZQ==, Quarantined, 491, 760272, 1.0.14826, , ame, PUP.Optional.PCVARK, HKCU\SOFTWARE\Full~System~Care_{username}, Quarantined, 491, 760281, 1.0.14826, , ame, PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR, Quarantined, 491, 698879, 1.0.14826, , ame, Registry Value: 4 PUP.Optional.PCVARK, HKLM\SOFTWARE\Full~System~Care_{username}|AFFIRED, Quarantined, 491, 760283, 1.0.14826, , ame, PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9F9A5F83-9388-4D2C-AC22-E49C9FCDD7AF}|PATH, Quarantined, 491, 760278, 1.0.14826, , ame, PUP.Optional.PCVARK, HKCU\SOFTWARE\Full~System~Care_{username}|AFFILIATEID, Quarantined, 491, 760281, 1.0.14826, , ame, PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR|UTM_CAMPAIGN, Quarantined, 491, 698879, 1.0.14826, , ame, Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\x64, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\x86, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\PROGRAM FILES\Full~System~Care_{username}, Quarantined, 491, 760279, 1.0.14826, , ame, PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Full~System~Care_{username}\smico, Quarantined, 491, 760273, , , , PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Full~System~Care_{username}, Quarantined, 491, 760273, 1.0.14826, , ame, PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Full~System~Care_{username}, Quarantined, 491, 760277, 1.0.14826, , ame, PUP.Optional.PCVARK, C:\PROGRAMDATA\Full~System~Care_{username}, Quarantined, 491, 760275, 1.0.14826, , ame, File: 46 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\FULL~SYSTEM~CARE_LOGON, Quarantined, 491, 760276, , , , PUP.Optional.PCVARK, C:\PROGRAM FILES\Full~System~Care_{username}\unins000.dat, Quarantined, 491, 760279, 1.0.14826, , ame, PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\x64\SQLite.Interop.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\x86\SQLite.Interop.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\kimg.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\application.ico, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\danish_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\Dutch_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\english_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\finish_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\French_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\german_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\HtmlRenderer.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\HtmlRenderer.WinForms.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\Interop.SHDocVw.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\italian_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\japanese_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\langs.db, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\NAudio.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\Newtonsoft.Json.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\norwegian_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\pglc.exe, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\pglc.exe.config, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\portuguese_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\russian_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\spanish_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\swedish_iss.ini, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\System.Data.SQLite.DLL, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\TAFactory.IconPack.dll, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\unins000.exe, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\Program Files\Full~System~Care_{username}\unins000.msg, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Full~System~Care.lnk, Quarantined, 491, 760279, , , , PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Full~System~Care_{username}\Errorlog.txt, Quarantined, 491, 760273, 1.0.14826, , ame, PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Full~System~Care_{username}\aptnotfr.xml, Quarantined, 491, 760273, , , , PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Full~System~Care_{username}\exlist.bin, Quarantined, 491, 760273, , , , PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Full~System~Care_{username}\res.xml, Quarantined, 491, 760273, , , , PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Full~System~Care_{username}\upt.xml, Quarantined, 491, 760273, , , , PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\Full~System~Care.lnk, Quarantined, 491, 760271, 1.0.14826, , ame, PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Full~System~Care_{username}\Buy Full~System~Care.lnk, Quarantined, 491, 760277, 1.0.14826, , ame, PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Full~System~Care_{username}\Full~System~Care.lnk, Quarantined, 491, 760277, , , , PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Full~System~Care_{username}\Uninstall Full~System~Care.lnk, Quarantined, 491, 760277, , , , PUP.Optional.PCVARK, C:\PROGRAMDATA\Full~System~Care_{username}\mdb.db, Quarantined, 491, 760275, 1.0.14826, , ame, Generic.Malware/Suspicious, C:\USERS\{username}\DESKTOP\FULL SYSTEM CARE.ZIP, Quarantined, 0, 392686, 1.0.14826, , shuriken, Generic.Malware/Suspicious, C:\USERS\{username}\DESKTOP\FULL SYSTEM CARE\FULL SYSTEM CARE.EXE, Quarantined, 0, 392686, 1.0.14826, , shuriken, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is PC Power Plus?The Malwarebytes research team has determined that PC Power Plus is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with PC Power Plus?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this type of screens during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did PC Power Plus get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove PC Power Plus?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of PC Power Plus? No, Malwarebytes removes PC Power Plus completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the PC Power Plus installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Program Files (x86)\PC Power Plus\pcpowerplus.exe (Econosoft Global Services Pte. Ltd.) [File not signed] C:\Program Files (x86)\PC Power Plus\pcpowerplus_protection.exe Task: {78DC7C88-6364-4E0A-8B02-EFD9EBE92698} - System32\Tasks\PC Power Plus => C:\Program Files (x86)\PC Power Plus\pcpowerplus.exe [7954736 2019-09-04] (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) Task: {90E0DE76-2482-4611-9C0C-628B96CEB92F} - System32\Tasks\PC Power Plus Startup => C:\Program Files (x86)\PC Power Plus\pcpowerplus_protection.exe [333312 2019-09-04] (Econosoft Global Services Pte. Ltd.) [File not signed] C:\Windows\system32\Tasks\PC Power Plus C:\Windows\system32\Tasks\PC Power Plus Startup C:\Users\Public\Desktop\PC Power Plus.lnk C:\ProgramData\Desktop\PC Power Plus.lnk C:\Users\{username}\AppData\Roaming\PC Power Plus C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Power Plus C:\Program Files (x86)\PC Power Plus PC Power Plus (HKLM-x32\...\{8D7026DD-DFA4-49AB-B943-F72565C02ACC}}_is1) (Version: 1.0 - Econosoft Global Services Pte. Ltd.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\PC Power Plus Adds the file Core.dll"="4/19/2018 1:01 AM, 237568 bytes, A Adds the file DiscUtils.Common.dll"="4/19/2018 1:01 AM, 23040 bytes, A Adds the file DiscUtils.dll"="4/19/2018 1:01 AM, 915456 bytes, A Adds the file DiscUtils.MSBuild.dll"="4/19/2018 1:01 AM, 8192 bytes, A Adds the file DynamicDataDisplay.dll"="4/19/2018 1:01 AM, 316416 bytes, A Adds the file errordetailsOpt.xml"="11/11/2019 9:14 AM, 1278464 bytes, A Adds the file errorlog.txt"="7/12/2019 1:46 AM, 189 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="4/19/2018 1:01 AM, 49152 bytes, A Adds the file Interop.NATUPNPLib.dll"="4/19/2018 1:01 AM, 7680 bytes, A Adds the file Interop.NETCONLib.dll"="4/19/2018 1:01 AM, 10240 bytes, A Adds the file Interop.NetFwTypeLib.dll"="4/19/2018 1:01 AM, 19456 bytes, A Adds the file ISID.dll"="4/19/2018 1:01 AM, 1605120 bytes, A Adds the file logo.ico"="8/20/2019 10:37 PM, 21662 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="4/19/2018 1:01 AM, 171008 bytes, A Adds the file OptErr.xml"="4/19/2018 1:01 AM, 10 bytes, A Adds the file pcpowerplus.exe"="9/4/2019 8:00 AM, 7954736 bytes, A Adds the file pcpowerplus_protection.exe"="9/4/2019 7:59 AM, 333312 bytes, A Adds the file SharpCompress.dll"="4/19/2018 1:01 AM, 418304 bytes, A Adds the file System.Data.SQLite.dll"="4/19/2018 1:01 AM, 280576 bytes, A Adds the file System.Windows.Controls.Layout.Toolkit.dll"="4/19/2018 1:01 AM, 95064 bytes, A Adds the file unins000.dat"="11/11/2019 9:06 AM, 51495 bytes, A Adds the file unins000.exe"="11/11/2019 9:06 AM, 2556720 bytes, A Adds the file unins000.msg"="11/11/2019 9:06 AM, 23053 bytes, A Adds the file WpfAnimatedGif.dll"="4/19/2018 1:01 AM, 28160 bytes, A Adds the file WPFToolkit.dll"="4/19/2018 1:01 AM, 467288 bytes, A Adds the folder C:\Program Files (x86)\PC Power Plus\Backup Adds the file 2019_07_22_052127.xml"="7/22/2019 6:21 AM, 65 bytes, A Adds the file 2019_07_22_052142.xml"="7/22/2019 6:21 AM, 65 bytes, A Adds the folder C:\Program Files (x86)\PC Power Plus\de Adds the file pcpowerplus.resources.dll"="9/4/2019 7:59 AM, 74752 bytes, A Adds the folder C:\Program Files (x86)\PC Power Plus\en Adds the file pcpowerplus.resources.dll"="9/4/2019 7:59 AM, 68096 bytes, A Adds the folder C:\Program Files (x86)\PC Power Plus\ja-jp Adds the file pcpowerplus.resources.dll"="9/4/2019 7:59 AM, 84480 bytes, A Adds the folder C:\Program Files (x86)\PC Power Plus\slider Adds the file Slider-1.jpg"="4/19/2018 1:01 AM, 77585 bytes, A Adds the file Slider-2.jpg"="4/19/2018 1:01 AM, 79413 bytes, A Adds the folder C:\Program Files (x86)\PC Power Plus\x64 Adds the file SQLite.Interop.dll"="4/19/2018 1:01 AM, 1205248 bytes, A Adds the folder C:\Program Files (x86)\PC Power Plus\x86 Adds the file SQLite.Interop.dll"="4/19/2018 1:01 AM, 903168 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Power Plus Adds the file PC Power Plus.lnk"="11/11/2019 9:06 AM, 1161 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\PC Power Plus\PC Repair Online\setting Adds the file pbp_sett.ash"="11/11/2019 9:14 AM, 629760 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file PC Power Plus.lnk"="11/11/2019 9:06 AM, 1143 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file PC Power Plus"="11/11/2019 9:07 AM, 3236 bytes, A Adds the file PC Power Plus Startup"="11/11/2019 9:06 AM, 3258 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\FT\PPP\Activation] "Insdate"="REG_SZ", "3KWZZbJPi/EZhwSfDTfO82FFhzaWlRljLbU8mOVLMr4=" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "lap"="REG_SZ", "1IjHfkbSeJTetKGLwHOauaIv2VoS3XD13MC4S6/GLXc=" "lbp"="REG_SZ", "1IjHfkbSeJTetKGLwHOauaIv2VoS3XD13MC4S6/GLXc=" "lr"="REG_SZ", "1IjHfkbSeJTetKGLwHOauaIv2VoS3XD13MC4S6/GLXc=" "lsp"="REG_SZ", "1IjHfkbSeJTetKGLwHOauaIv2VoS3XD13MC4S6/GLXc=" "Program"="REG_SZ", "PC Power Plus" "Version"="REG_SZ", "1.0" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FT\PPP\Activation] "IsTrack"="REG_SZ", "1" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "Program"="REG_SZ", "PC Power Plus" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8D7026DD-DFA4-49AB-B943-F72565C02ACC}}_is1] "Comments"="REG_SZ", "PC Power Plus" "Contact"="REG_SZ", "+33800919479" "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\PC Power Plus\logo.ico" "DisplayName"="REG_SZ", "PC Power Plus" "DisplayVersion"="REG_SZ", "1.0" "EstimatedSize"="REG_DWORD", 20217 "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\PC Power Plus" "Inno Setup: Icon Group"="REG_SZ", "PC Power Plus" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "6.0.2 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20191111" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\PC Power Plus\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Econosoft Global Services Pte. Ltd." "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\PC Power Plus\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\PC Power Plus\unins000.exe"" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/11/19 Scan Time: 9:22 AM Log File: 678709ca-045c-11ea-87c1-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.718 Update Package Version: 1.0.14786 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 233952 Threats Detected: 25 Threats Quarantined: 25 Time Elapsed: 4 min, 12 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\PC POWER PLUS\PCPOWERPLUS.EXE, Quarantined, 593, 749298, , , , PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\PC POWER PLUS\PCPOWERPLUS_PROTECTION.EXE, Quarantined, 593, 749298, , , , Module: 2 PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\PC POWER PLUS\PCPOWERPLUS.EXE, Quarantined, 593, 749298, , , , PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\PC POWER PLUS\PCPOWERPLUS_PROTECTION.EXE, Quarantined, 593, 749298, , , , Registry Key: 9 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\WOW6432NODE\FT\PPP, Quarantined, 1410, 711536, 1.0.14786, , ame, PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\FT\PPP, Quarantined, 1410, 711536, 1.0.14786, , ame, PUP.Optional.PCBooster, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{8D7026DD-DFA4-49AB-B943-F72565C02ACC}}_is1, Quarantined, 593, 711523, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Power Plus, Quarantined, 593, 749298, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{78DC7C88-6364-4E0A-8B02-EFD9EBE92698}, Quarantined, 593, 749298, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{78DC7C88-6364-4E0A-8B02-EFD9EBE92698}, Quarantined, 593, 749298, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Power Plus Startup, Quarantined, 593, 749298, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{90E0DE76-2482-4611-9C0C-628B96CEB92F}, Quarantined, 593, 749298, , , , PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{90E0DE76-2482-4611-9C0C-628B96CEB92F}, Quarantined, 593, 749298, , , , Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 12 PUP.Optional.PCBooster, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\LOCALCOPY\{204552CF-62FF-4D4F-8DE4-DAD46E5D5807}-PCPOWERPLUS.EXE, Quarantined, 593, 711523, 1.0.14786, , ame, PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\PC POWER PLUS\UNINS000.EXE, Quarantined, 593, 711523, 1.0.14786, , ame, PUP.Optional.PCBooster, C:\WINDOWS\SYSTEM32\TASKS\PC Power Plus, Quarantined, 593, 749298, , , , PUP.Optional.PCBooster, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\PC Power Plus.lnk, Quarantined, 593, 749298, , , , PUP.Optional.PCBooster, C:\USERS\PUBLIC\Desktop\PC Power Plus.lnk, Quarantined, 593, 749298, , , , PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\PC POWER PLUS\PCPOWERPLUS.EXE, Quarantined, 593, 749298, 1.0.14786, , ame, PUP.Optional.PCBooster, C:\WINDOWS\SYSTEM32\TASKS\PC Power Plus Startup, Quarantined, 593, 749298, , , , PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\PC POWER PLUS\PCPOWERPLUS_PROTECTION.EXE, Quarantined, 593, 749298, 1.0.14786, , ame, PUP.Optional.PCBooster, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\LOCALCOPY\{DE21909F-098A-45F2-AE02-0E7C2C62B0FA}-PCPOWERPLUS (1).EXE, Quarantined, 593, 711523, 1.0.14786, , ame, PUP.Optional.PCBooster, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\LOCALCOPY\{AC22A9F7-486C-4F54-AE34-B3AB05587231}-PCPOWERPLUS.EXE, Quarantined, 593, 711523, 1.0.14786, , ame, PUP.Optional.PCBooster, C:\USERS\{username}\APPDATA\LOCAL\TEMP\IS-RLHLI.TMP\PCPOWERPLUS.TMP, Quarantined, 593, 711523, 1.0.14786, , ame, PUP.Optional.PCBooster, C:\USERS\{username}\DESKTOP\PCPOWERPLUS.EXE, Quarantined, 593, 711523, 1.0.14786, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Vudu Search?The Malwarebytes research team has determined that Vudu Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses web push notifications.How do I know if my computer is affected by Vudu Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Vudu Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Vudu Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Vudu Search? No, Malwarebytes removes Vudu Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard as well as the full version of Malwarebytes would have protected you against the Vudu Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.vudusearch.com?q={searchTerms}&publisher=vudusearchds&barcodeid=561880000000000 CHR DefaultSearchKeyword: Default -> VuduSearch CHR DefaultSuggestURL: Default -> hxxps://api.vudusearch.com/suggest/get?q={searchTerms} CHR Notifications: Default -> hxxps://install.vudusearch.com CHR Extension: (VuduSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia [2019-11-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0 Adds the file manifest.json"="11/8/2019 8:40 AM, 2055 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\_metadata Adds the file computed_hashes.json"="11/8/2019 8:40 AM, 6204 bytes, A Adds the file verified_contents.json"="10/4/2019 2:00 AM, 2044 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\images\icons Adds the file 128x128.png"="11/8/2019 8:40 AM, 3752 bytes, A Adds the file 16x16.png"="11/8/2019 8:40 AM, 532 bytes, A Adds the file 32x32.png"="11/8/2019 8:40 AM, 1036 bytes, A Adds the file 64x64.png"="9/22/2019 5:13 PM, 1950 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\scripts Adds the file background.js"="9/22/2019 5:13 PM, 511559 bytes, A Adds the file sitecontent.js"="9/22/2019 5:13 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_gmomohdgmmnpnjfgmlaednfedmgnnpia Adds the file Vudu Search.ico"="11/8/2019 8:40 AM, 181925 bytes, A Adds the file Vudu Search.ico.md5"="11/8/2019 8:40 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gmomohdgmmnpnjfgmlaednfedmgnnpia"="REG_SZ", "6C6320DBD6EE702224DE74B7819A951934F55D9B195254AC0335C6682AB8EAEF" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/8/19 Scan Time: 8:53 AM Log File: e2dba962-01fc-11ea-85b4-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.718 Update Package Version: 1.0.14664 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234040 Threats Detected: 20 Threats Quarantined: 20 Time Elapsed: 4 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.VuduSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gmomohdgmmnpnjfgmlaednfedmgnnpia, Quarantined, 438, 728118, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\images\icons, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\_metadata, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\scripts, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\images, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GMOMOHDGMMNPNJFGMLAEDNFEDMGNNPIA, Quarantined, 438, 728118, 1.0.14664, , ame, File: 13 PUP.Optional.VuduSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 438, 728118, , , , PUP.Optional.VuduSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 438, 728118, , , , PUP.Optional.VuduSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GMOMOHDGMMNPNJFGMLAEDNFEDMGNNPIA\4.0.3_0\MANIFEST.JSON, Quarantined, 438, 728118, 1.0.14664, , ame, PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\images\icons\128x128.png, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\images\icons\16x16.png, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\images\icons\32x32.png, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\images\icons\64x64.png, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\scripts\background.js, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\scripts\sitecontent.js, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\_metadata\computed_hashes.json, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmomohdgmmnpnjfgmlaednfedmgnnpia\4.0.3_0\_metadata\verified_contents.json, Quarantined, 438, 728118, , , , PUP.Optional.VuduSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 438, 728119, 1.0.14664, , ame, PUP.Optional.VuduSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 438, 728119, 1.0.14664, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is MarketAdvior?The Malwarebytes research team has determined that MarketAdvior is adware. These adware applications display advertisements not originating from the sites you are browsing.How do I know if my computer is affected by MarketAdvior?You may see these warnings during install:this task in your Scheduled Tasks:and this entry in your list of installed Programs and Features:How did MarketAdvior get on my computer?Adware applications use different methods for distributing themselves. This particular one was installed by a bundler.How do I remove MarketAdvior?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MarketAdvior? No, Malwarebytes removes MarketAdvior completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the MarketAdvior adware. It would have blocked the installer before it became too late. Technical details for expertsPossible signs in FRST logs: (Python Software Foundation -> Python Software Foundation) C:\Users\{username}\AppData\Roaming\MarketAdvior\python\python.exe HKCU\...\Run: [MarketAdvior] => C:\Users\{username}\AppData\Roaming\MarketAdvior\python\pythonw.exe [95760 2019-07-08] (Python Software Foundation -> Python Software Foundation) <==== ATTENTION Task: {9ECC5596-05B7-452A-BCA0-C45FB1F0F59B} - System32\Tasks\MarketAdvior2 => C:\Users\{username}\AppData\Roaming\MarketAdvior\python\pythonw.exe [95760 2019-07-08] (Python Software Foundation -> Python Software Foundation) <==== ATTENTION C:\Windows\system32\Tasks\MarketAdvior2 C:\Users\{username}\AppData\Roaming\Python C:\Users\{username}\AppData\Roaming\MarketAdvior MarketAdvior (HKCU\...\MarketAdvior) (Version: - ) Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\MarketAdvior Adds the file load.bin"="10/28/2019 7:22 PM, 715163 bytes, A Adds the file load.pyc"="10/28/2019 7:22 PM, 5457 bytes, A Adds the file mcfckchjhehcdgoeihjjjbkcdpdfmloa.crx"="10/28/2019 7:22 PM, 1295189 bytes, A Adds the file norepair.txt"="10/28/2019 7:22 PM, 1 bytes, A Adds the file pb2url.txt"="11/7/2019 8:41 AM, 0 bytes, A Adds the file pbid.txt"="11/7/2019 8:41 AM, 0 bytes, A Adds the file pbsent.txt"="11/7/2019 8:41 AM, 4 bytes, A Adds the file pburl.txt"="11/7/2019 8:41 AM, 0 bytes, A Adds the file pi.txt"="11/7/2019 8:42 AM, 2 bytes, A Adds the file subid.txt"="11/7/2019 8:41 AM, 0 bytes, A Adds the file uninstall.exe"="11/7/2019 8:41 AM, 55693 bytes, A Adds the file uuid.txt"="11/7/2019 8:41 AM, 36 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\MarketAdvior\python Adds the file _asyncio.pyd"="7/8/2019 6:30 PM, 54288 bytes, A Adds the file _bz2.pyd"="7/8/2019 6:30 PM, 72720 bytes, A Adds the file _ctypes.pyd"="7/8/2019 6:30 PM, 107536 bytes, A Adds the file _decimal.pyd"="7/8/2019 6:30 PM, 226320 bytes, A Adds the file _elementtree.pyd"="7/8/2019 6:30 PM, 170000 bytes, A Adds the file _hashlib.pyd"="7/8/2019 6:30 PM, 31760 bytes, A Adds the file _lzma.pyd"="7/8/2019 6:31 PM, 184848 bytes, A Adds the file _msi.pyd"="7/8/2019 6:30 PM, 32784 bytes, A Adds the file _multiprocessing.pyd"="7/8/2019 6:30 PM, 25104 bytes, A Adds the file _overlapped.pyd"="7/8/2019 6:30 PM, 35856 bytes, A Adds the file _queue.pyd"="7/8/2019 6:30 PM, 24080 bytes, A Adds the file _socket.pyd"="7/8/2019 6:30 PM, 66576 bytes, A Adds the file _sqlite3.pyd"="7/8/2019 6:30 PM, 66576 bytes, A Adds the file _ssl.pyd"="7/8/2019 6:30 PM, 104464 bytes, A Adds the file libcrypto-1_1.dll"="7/8/2019 6:28 PM, 2219552 bytes, A Adds the file libssl-1_1.dll"="7/8/2019 6:28 PM, 537120 bytes, A Adds the file LICENSE.txt"="7/8/2019 6:24 PM, 13023 bytes, A Adds the file pyexpat.pyd"="7/8/2019 6:30 PM, 166416 bytes, A Adds the file python.exe"="7/8/2019 6:31 PM, 97296 bytes, A Adds the file python3.dll"="7/8/2019 6:30 PM, 58896 bytes, A Adds the file python37._pth"="7/8/2019 6:36 PM, 79 bytes, A Adds the file python37.dll"="7/8/2019 6:29 PM, 3606032 bytes, A Adds the file python37.zip"="8/25/2019 9:55 PM, 2664675 bytes, A Adds the file pythonw.exe"="7/8/2019 6:31 PM, 95760 bytes, A Adds the file select.pyd"="7/8/2019 6:30 PM, 23056 bytes, A Adds the file sqlite3.dll"="7/8/2019 6:30 PM, 1002000 bytes, A Adds the file unicodedata.pyd"="7/8/2019 6:30 PM, 1064976 bytes, A Adds the file vcruntime140.dll"="5/22/2019 8:32 PM, 80128 bytes, A Adds the file winsound.pyd"="7/8/2019 6:30 PM, 24080 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Python\Python37\comtypes_cache In the existing folder C:\Windows\System32\Tasks Adds the file MarketAdvior2"="11/7/2019 8:41 AM, 3364 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\MarketAdvior] "(Default)"="REG_SZ", "C:\Users\{username}\AppData\Roaming\MarketAdvior" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "MarketAdvior"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\MarketAdvior\python\pythonw.exe" "load.pyc" ml2" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\MarketAdvior] "DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Roaming\MarketAdvior\uninstall.exe" "DisplayName"="REG_SZ", "MarketAdvior" "UninstallString"="REG_SZ", "C:\Users\{username}\AppData\Roaming\MarketAdvior\uninstall.exe" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/7/19 Scan Time: 9:33 AM Log File: 3cb589cc-0139-11ea-bb5b-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.717 Update Package Version: 1.0.14620 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234232 Threats Detected: 33 Threats Quarantined: 33 Time Elapsed: 9 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Disabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 5 Adware.PBot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MarketAdvior, Quarantined, 502, 758391, 1.0.14620, , ame, Adware.PBot, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\MarketAdvior2, Quarantined, 502, 758395, , , , Adware.PBot, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9ECC5596-05B7-452A-BCA0-C45FB1F0F59B}, Quarantined, 502, 758395, , , , Adware.PBot, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{9ECC5596-05B7-452A-BCA0-C45FB1F0F59B}, Quarantined, 502, 758395, , , , Adware.PBot, HKCU\SOFTWARE\MarketAdvior, Quarantined, 502, 758393, 1.0.14620, , ame, Registry Value: 2 Adware.PBot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MARKETADVIOR, Quarantined, 502, 758392, 1.0.14620, , ame, Adware.PBot, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9ECC5596-05B7-452A-BCA0-C45FB1F0F59B}|PATH, Quarantined, 502, 758390, 1.0.14620, , ame, Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 26 Adware.PBot, C:\WINDOWS\SYSTEM32\TASKS\MarketAdvior2, Quarantined, 502, 758395, 1.0.14620, , ame, Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\python\LICENSE.txt, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\python\python37.zip, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\python\python37._pth, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\load.bin, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\load.pyc, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\mcfckchjhehcdgoeihjjjbkcdpdfmloa.crx, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\norepair.txt, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\pb2url.txt, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\pbid.txt, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\pbsent.txt, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\pburl.txt, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\pi.txt, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\subid.txt, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\uninstall.exe, Quarantined, 502, 758387, , , , Adware.PBot, C:\Users\{username}\AppData\Roaming\MarketAdvior\uuid.txt, Quarantined, 502, 758387, , , , Adware.PBot, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Recent\load.pyc.lnk, Quarantined, 502, 758387, , , , Adware.PBot, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Recent\norepair.txt.lnk, Quarantined, 502, 758387, , , , Adware.PBot, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Recent\pb2url.txt.lnk, Quarantined, 502, 758387, , , , Adware.PBot, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Recent\pbid.txt.lnk, Quarantined, 502, 758387, , , , Adware.PBot, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Recent\pbsent.txt.lnk, Quarantined, 502, 758387, , , , Adware.PBot, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Recent\pburl.txt.lnk, Quarantined, 502, 758387, , , , Adware.PBot, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Recent\pi.txt.lnk, Quarantined, 502, 758387, , , , Adware.PBot, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Recent\subid.txt.lnk, Quarantined, 502, 758387, , , , Adware.PBot, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Recent\uuid.txt.lnk, Quarantined, 502, 758387, , , , Adware.PBot.NSIS, C:\USERS\{username}\DESKTOP\MARKETADVIOR.EXE, Quarantined, 14504, 755474, 1.0.14620, 5F270EE5E6CD32792F231B6B, dds, 00446792 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is MyOfficeX Search?The Malwarebytes research team has determined that MyOfficeX Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses web push notifications.How do I know if my computer is affected by MyOfficeX Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and these changed settings:How did MyOfficeX Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove MyOfficeX Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MyOfficeX Search? No, Malwarebytes removes MyOfficeX Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the MyOfficeX Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://services.myofficex-svc.org/search/{searchTerms} CHR DefaultSearchKeyword: Default -> search CHR DefaultSuggestURL: Default -> hxxps://sug.myofficex-svc.org/sug/?s={searchTerms} CHR Notifications: Default -> hxxps://myofficex.org CHR Extension: (Yahoo Web) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn [2019-11-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0 Adds the file manifest.json"="11/6/2019 9:04 AM, 1926 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\_metadata Adds the file computed_hashes.json"="11/6/2019 9:04 AM, 1804 bytes, A Adds the file verified_contents.json"="8/19/2019 9:05 PM, 3077 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\background Adds the file ext.js"="8/19/2019 9:05 PM, 4221 bytes, A Adds the file index.html"="8/19/2019 9:05 PM, 354 bytes, A Adds the file listeners.js"="8/19/2019 9:05 PM, 739 bytes, A Adds the file search.js"="8/19/2019 9:05 PM, 412 bytes, A Adds the file settings.js"="8/19/2019 9:05 PM, 263 bytes, A Adds the file startup.js"="8/19/2019 9:05 PM, 2996 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\icons Adds the file 128.png"="11/6/2019 9:04 AM, 31293 bytes, A Adds the file 16.png"="11/6/2019 9:04 AM, 775 bytes, A Adds the file 32.png"="11/6/2019 9:04 AM, 2399 bytes, A Adds the file 48.png"="11/6/2019 9:04 AM, 4941 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\newtab Adds the file index.html"="8/19/2019 9:05 PM, 145 bytes, A Adds the file newtab.js"="8/19/2019 9:05 PM, 101 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\prompt Adds the file green-up-arrow.png"="8/19/2019 9:05 PM, 18182 bytes, A Adds the file ok-green-square.png"="8/19/2019 9:05 PM, 28585 bytes, A Adds the file prompt.js"="8/19/2019 9:05 PM, 3241 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn Adds the file 000003.log"="11/6/2019 9:04 AM, 743 bytes, A Adds the file CURRENT"="11/6/2019 9:04 AM, 16 bytes, A Adds the file LOCK"="11/6/2019 9:04 AM, 0 bytes, A Adds the file LOG"="11/6/2019 9:04 AM, 184 bytes, A Adds the file MANIFEST-000001"="11/6/2019 9:04 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn Adds the file 000003.log"="11/6/2019 9:04 AM, 83 bytes, A Adds the file CURRENT"="11/6/2019 9:04 AM, 16 bytes, A Adds the file LOCK"="11/6/2019 9:04 AM, 0 bytes, A Adds the file LOG"="11/6/2019 9:04 AM, 183 bytes, A Adds the file MANIFEST-000001"="11/6/2019 9:04 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jmkloakbojijdhjbddliblmabmpokcnn"="REG_SZ", "F972F8B46F510C9BFA0446B864A406722C9CE3D94A37F44E0B08896E3CD62209" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/6/19 Scan Time: 9:13 AM Log File: 58abc9f6-006d-11ea-8288-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.717 Update Package Version: 1.0.14586 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234098 Threats Detected: 40 Threats Quarantined: 40 Time Elapsed: 8 min, 49 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.MyOfficeXSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jmkloakbojijdhjbddliblmabmpokcnn, Quarantined, 14904, 757816, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MyOfficeXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\background, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\_metadata, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\newtab, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\prompt, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\icons, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JMKLOAKBOJIJDHJBDDLIBLMABMPOKCNN, Quarantined, 14904, 757816, 1.0.14586, , ame, File: 30 PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn\000003.log, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn\CURRENT, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn\LOCK, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn\LOG, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn\MANIFEST-000001, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn\000003.log, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn\CURRENT, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn\LOCK, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn\LOG, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jmkloakbojijdhjbddliblmabmpokcnn\MANIFEST-000001, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JMKLOAKBOJIJDHJBDDLIBLMABMPOKCNN\1.0.19.523_0\MANIFEST.JSON, Quarantined, 14904, 757816, 1.0.14586, , ame, PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\background\ext.js, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\background\index.html, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\background\listeners.js, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\background\search.js, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\background\settings.js, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\background\startup.js, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\icons\128.png, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\icons\16.png, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\icons\32.png, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\icons\48.png, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\newtab\index.html, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\newtab\newtab.js, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\prompt\green-up-arrow.png, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\prompt\ok-green-square.png, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\prompt\prompt.js, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\_metadata\computed_hashes.json, Quarantined, 14904, 757816, , , , PUP.Optional.MyOfficeXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmkloakbojijdhjbddliblmabmpokcnn\1.0.19.523_0\_metadata\verified_contents.json, Quarantined, 14904, 757816, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Search Selector Beta?The Malwarebytes research team has determined that Search Selector Beta is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Search Selector Beta?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Search Selector Beta get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:How do I remove Search Selector Beta?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Search Selector Beta? No, Malwarebytes removes Search Selector Beta completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://selected-search.com/search?q={searchTerms}& CHR DefaultSearchKeyword: Default -> ss CHR Extension: (Search Selector Beta) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof [2019-11-05] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0 Adds the file About.pdf"="9/11/2019 12:31 PM, 62988 bytes, A Adds the file manifest.json"="11/5/2019 8:48 AM, 1953 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\_metadata Adds the file computed_hashes.json"="11/5/2019 8:48 AM, 12000 bytes, A Adds the file verified_contents.json"="9/11/2019 3:06 PM, 4525 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\css Adds the file popup.css"="9/11/2019 2:59 PM, 144 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\html Adds the file popup.html"="9/11/2019 2:59 PM, 1007 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\engines Adds the file bing.png"="9/11/2019 2:59 PM, 16569 bytes, A Adds the file google.png"="9/11/2019 2:59 PM, 21125 bytes, A Adds the file yahoo.png"="9/11/2019 2:59 PM, 49488 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\icons Adds the file 128.png"="11/5/2019 8:48 AM, 4123 bytes, A Adds the file 16.png"="11/5/2019 8:48 AM, 380 bytes, A Adds the file 256.png"="11/5/2019 8:48 AM, 9753 bytes, A Adds the file 32.png"="11/5/2019 8:48 AM, 813 bytes, A Adds the file 48.png"="11/5/2019 8:48 AM, 1485 bytes, A Adds the file 64.png"="11/5/2019 8:48 AM, 1868 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs Adds the file jquery.autocomplete.js"="9/11/2019 2:59 PM, 33061 bytes, A Adds the file jquery.js"="9/11/2019 2:59 PM, 247597 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\css Adds the file bootstrap.css"="9/11/2019 2:59 PM, 146082 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\fonts Adds the file glyphicons-halflings-regular.eot"="9/11/2019 2:59 PM, 20127 bytes, A Adds the file glyphicons-halflings-regular.svg"="9/11/2019 2:59 PM, 108738 bytes, A Adds the file glyphicons-halflings-regular.ttf"="9/11/2019 2:59 PM, 45404 bytes, A Adds the file glyphicons-halflings-regular.woff"="9/11/2019 2:59 PM, 23424 bytes, A Adds the file glyphicons-halflings-regular.woff2"="9/11/2019 2:59 PM, 18028 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\js Adds the file bootstrap.js"="9/11/2019 2:59 PM, 68954 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\scripts Adds the file background.js"="9/11/2019 3:05 PM, 1317 bytes, A Adds the file consts.js"="9/11/2019 2:59 PM, 850 bytes, A Adds the file popup.js"="9/11/2019 2:59 PM, 341 bytes, A Adds the file utils.js"="9/11/2019 2:59 PM, 2356 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gboaiodgdajeapekadgejlbmabjganof"="REG_SZ", "ABF55023E4AD7B7381DCB832626AACD3B79676C479AEB58770647D03DC513BA6" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/5/19 Scan Time: 9:00 AM Log File: 5facfd40-ffa2-11e9-ba7c-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.629 Update Package Version: 1.0.13181 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234082 Threats Detected: 46 Threats Quarantined: 46 Time Elapsed: 8 min, 8 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SelectedSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gboaiodgdajeapekadgejlbmabjganof, Quarantined, [277], [757187],1.0.13181 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\fonts, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\css, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\js, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\engines, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\icons, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\_metadata, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\scripts, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\html, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\css, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GBOAIODGDAJEAPEKADGEJLBMABJGANOF, Quarantined, [277], [757187],1.0.13181 File: 31 PUP.Optional.SelectedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GBOAIODGDAJEAPEKADGEJLBMABJGANOF\2.0_0\MANIFEST.JSON, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\css\popup.css, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\html\popup.html, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\engines\bing.png, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\engines\google.png, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\engines\yahoo.png, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\icons\128.png, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\icons\16.png, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\icons\256.png, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\icons\32.png, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\icons\48.png, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\images\icons\64.png, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\css\bootstrap.css, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\fonts\glyphicons-halflings-regular.eot, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\fonts\glyphicons-halflings-regular.svg, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\fonts\glyphicons-halflings-regular.ttf, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\fonts\glyphicons-halflings-regular.woff, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\fonts\glyphicons-halflings-regular.woff2, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\bootstrap\js\bootstrap.js, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\jquery.autocomplete.js, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\libs\jquery.js, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\scripts\background.js, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\scripts\consts.js, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\scripts\popup.js, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\scripts\utils.js, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\_metadata\computed_hashes.json, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\_metadata\verified_contents.json, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gboaiodgdajeapekadgejlbmabjganof\2.0_0\About.pdf, Quarantined, [277], [757187],1.0.13181 PUP.Optional.SelectedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [277], [757186],1.0.13181 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) The full version of Malwarebytes can protect your computer against threats of this type.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is Pdf2DocPro?The Malwarebytes research team has determined that Pdf2DocPro is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Pdf2DocPro?You may see this browser extension:these warnings during install:You may see this icon in your browsers menu-bar:this new startpage:and this new setting:How did Pdf2DocPro get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Pdf2DocPro?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Pdf2DocPro? No, Malwarebytes' Anti-Malware removes Pdf2DocPro completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.The full version of Malwarebytes would have protected you against the Pdf2DocPro hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://finccmbmjdmhdcdjkfkkfdkbodjgelpc/html/newtab-init.html" CHR Extension: (Pdf2DocPro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc [2019-11-04] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0 Adds the file manifest.json"="11/4/2019 8:57 AM, 1257 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\_metadata Adds the file computed_hashes.json"="11/4/2019 8:57 AM, 15689 bytes, A Adds the file verified_contents.json"="7/4/2019 2:17 PM, 10831 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html Adds the file newTab.html"="6/17/2019 4:05 PM, 26467 bytes, A Adds the file newtab-init.html"="6/25/2017 2:18 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\css Adds the file helper.css"="6/17/2019 4:05 PM, 8777 bytes, A Adds the file spin.css"="6/17/2019 3:59 PM, 959 bytes, A Adds the file style.css"="6/12/2019 12:47 PM, 11646 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img Adds the file ajax-loader.gif"="5/25/2017 1:58 PM, 3208 bytes, A Adds the file aliexpress.png"="9/4/2017 1:15 PM, 2466 bytes, A Adds the file amazon.png"="8/24/2017 11:57 AM, 3831 bytes, A Adds the file arrow.png"="5/24/2017 4:05 PM, 215 bytes, A Adds the file arrow-down.png"="4/17/2015 1:48 PM, 18774 bytes, A Adds the file bestbuy.jpg"="9/27/2017 3:34 PM, 1704 bytes, A Adds the file bestbuy.png"="9/27/2017 4:56 PM, 2962 bytes, A Adds the file blank-wait.png"="5/25/2017 1:10 PM, 359 bytes, A Adds the file booking.png"="9/4/2017 1:57 PM, 3221 bytes, A Adds the file btn-browse-doc-pdf.png"="5/14/2017 4:42 PM, 1066 bytes, A Adds the file btn-browse-doc-pdf-hover.png"="5/25/2017 12:11 PM, 1026 bytes, A Adds the file btn-browse-pdf-doc.png"="5/25/2017 11:56 AM, 1105 bytes, A Adds the file btn-browse-pdf-doc-hover.png"="5/25/2017 12:02 PM, 1069 bytes, A Adds the file btn-convert-to-doc.png"="5/25/2017 11:32 AM, 1675 bytes, A Adds the file btn-convert-to-doc-hover.png"="5/25/2017 11:34 AM, 1647 bytes, A Adds the file btn-convert-to-pdf.png"="5/25/2017 10:50 AM, 1643 bytes, A Adds the file btn-convert-to-pdf-hover.png"="5/25/2017 5:05 PM, 1662 bytes, A Adds the file btn-download-doc-pdf.png"="5/25/2017 10:05 AM, 1638 bytes, A Adds the file btn-download-doc-pdf-hover.png"="5/25/2017 10:12 AM, 1735 bytes, A Adds the file btn-download-pdf-doc.png"="5/25/2017 2:59 PM, 1694 bytes, A Adds the file btn-download-pdf-doc-hover.png"="5/25/2017 3:01 PM, 1778 bytes, A Adds the file btn-transfer.png"="5/22/2017 2:59 PM, 487 bytes, A Adds the file btn-transfer-hover.png"="5/25/2017 12:18 PM, 428 bytes, A Adds the file btn-translate.png"="5/22/2017 4:00 PM, 1100 bytes, A Adds the file btn-translate-hover.png"="5/25/2017 12:16 PM, 1070 bytes, A Adds the file btn-X-close.png"="9/10/2017 3:01 PM, 699 bytes, A Adds the file btn-X-close-hover.png"="9/10/2017 3:02 PM, 693 bytes, A Adds the file convert2doc.png"="5/14/2017 2:46 PM, 11428 bytes, A Adds the file convert2pdf.png"="5/14/2017 2:47 PM, 11510 bytes, A Adds the file currencyconvert.png"="5/14/2017 2:47 PM, 14313 bytes, A Adds the file ebay.png"="9/18/2017 9:01 AM, 1222 bytes, A Adds the file facebook.gif"="8/26/2017 12:53 PM, 1496 bytes, A Adds the file facebook.png"="9/27/2017 5:00 PM, 1247 bytes, A Adds the file gmail.png"="8/26/2017 12:27 PM, 2438 bytes, A Adds the file index.html"="6/20/2019 1:29 PM, 6754 bytes, A Adds the file instagram.png"="8/24/2017 11:57 AM, 6183 bytes, A Adds the file keep-changes.png"="5/29/2017 4:39 PM, 10121 bytes, A Adds the file logo.png"="8/24/2017 4:34 PM, 3985 bytes, A Adds the file popup-doc-pdf.png"="5/14/2017 4:22 PM, 3150 bytes, A Adds the file popup-pdf-doc.png"="5/25/2017 11:45 AM, 3179 bytes, A Adds the file search.png"="9/3/2017 4:09 PM, 1287 bytes, A Adds the file search_hover.png"="9/3/2017 4:06 PM, 1227 bytes, A Adds the file search_sprite.png"="3/29/2017 12:29 PM, 3087 bytes, A Adds the file target.png"="8/24/2017 11:59 AM, 3267 bytes, A Adds the file tranlate-logo.png"="5/22/2017 2:36 PM, 2556 bytes, A Adds the file translate.png"="5/22/2017 2:43 PM, 12311 bytes, A Adds the file wait.png"="5/25/2017 10:47 AM, 1417 bytes, A Adds the file walmart.png"="8/24/2017 11:57 AM, 5223 bytes, A Adds the file x.png"="7/16/2017 2:26 PM, 1172 bytes, A Adds the file x-close.png"="5/16/2017 1:24 PM, 362 bytes, A Adds the file yahoo.jfif"="8/26/2017 12:23 PM, 2297 bytes, A Adds the file yahoo.png"="9/3/2017 2:33 PM, 2091 bytes, A Adds the file youtube.png"="8/26/2017 12:30 PM, 2331 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\index_files Adds the file 128.png"="6/20/2019 1:29 PM, 3370 bytes, A Adds the file analytics.js.download"="6/20/2019 1:29 PM, 43964 bytes, A Adds the file f(1).txt"="6/20/2019 1:29 PM, 24519 bytes, A Adds the file f.txt"="6/20/2019 1:29 PM, 1777 bytes, A Adds the file helper.css"="6/20/2019 1:29 PM, 12824 bytes, A Adds the file screen.png"="6/20/2019 1:29 PM, 36822 bytes, A Adds the file style.css"="6/20/2019 1:29 PM, 11667 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\js Adds the file ConvertAPI.js"="7/4/2019 2:33 PM, 12630 bytes, A Adds the file jquery.min.js"="6/12/2019 11:00 AM, 88145 bytes, A Adds the file jquery-ui.min.js"="6/12/2019 10:58 AM, 253668 bytes, A Adds the file newtab-init.js"="7/4/2019 2:16 PM, 303 bytes, A Adds the file page.js"="7/4/2019 2:33 PM, 9505 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\icons Adds the file 128.png"="11/4/2019 8:57 AM, 3231 bytes, A Adds the file 16.png"="11/4/2019 8:57 AM, 207 bytes, A Adds the file 48.png"="11/4/2019 8:57 AM, 1392 bytes, A Adds the file faviocn.ico"="5/14/2017 12:06 PM, 1150 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\js Adds the file background.js"="7/1/2019 6:48 PM, 1877 bytes, A Adds the file usages.js"="7/3/2019 2:39 PM, 14829 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "finccmbmjdmhdcdjkfkkfdkbodjgelpc"="REG_SZ", "12CD8D281799471BED35A0A61D425B832D47DB7A8B3FB5805CF82DF2F7CCFA94" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/4/19 Scan Time: 9:07 AM Log File: 2e604c56-feda-11e9-8a94-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.629 Update Package Version: 1.0.13167 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234125 Threats Detected: 92 Threats Quarantined: 92 Time Elapsed: 8 min, 50 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.PDF2DocPro, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|finccmbmjdmhdcdjkfkkfdkbodjgelpc, Quarantined, [259], [756717],1.0.13167 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\index_files, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\_metadata, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\css, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\js, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\icons, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\js, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FINCCMBMJDMHDCDJKFKKFDKBODJGELPC, Quarantined, [259], [756717],1.0.13167 File: 81 PUP.Optional.PDF2DocPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FINCCMBMJDMHDCDJKFKKFDKBODJGELPC\2.0.0.14_0\MANIFEST.JSON, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\css\helper.css, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\css\spin.css, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\css\style.css, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\index_files\128.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\index_files\analytics.js.download, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\index_files\f(1).txt, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\index_files\f.txt, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\index_files\helper.css, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\index_files\screen.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\index_files\style.css, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\ajax-loader.gif, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\aliexpress.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\amazon.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\arrow-down.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\arrow.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\bestbuy.jpg, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\bestbuy.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\blank-wait.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\booking.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-browse-doc-pdf-hover.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-browse-doc-pdf.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-browse-pdf-doc-hover.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-browse-pdf-doc.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-convert-to-doc-hover.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-convert-to-doc.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-convert-to-pdf-hover.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-convert-to-pdf.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-download-doc-pdf-hover.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-download-doc-pdf.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-download-pdf-doc-hover.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-download-pdf-doc.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-transfer-hover.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-transfer.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-translate-hover.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-translate.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-X-close-hover.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\btn-X-close.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\convert2doc.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\convert2pdf.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\currencyconvert.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\ebay.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\facebook.gif, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\facebook.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\gmail.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\index.html, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\instagram.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\keep-changes.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\logo.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\popup-doc-pdf.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\popup-pdf-doc.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\search.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\search_hover.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\search_sprite.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\target.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\tranlate-logo.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\translate.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\wait.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\walmart.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\x-close.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\x.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\yahoo.jfif, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\yahoo.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\img\youtube.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\js\ConvertAPI.js, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\js\jquery-ui.min.js, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\js\jquery.min.js, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\js\newtab-init.js, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\js\page.js, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\newtab-init.html, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\html\newTab.html, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\icons\128.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\icons\16.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\icons\48.png, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\icons\faviocn.ico, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\js\background.js, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\js\usages.js, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\_metadata\computed_hashes.json, Quarantined, [259], [756717],1.0.13167 PUP.Optional.PDF2DocPro, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\finccmbmjdmhdcdjkfkkfdkbodjgelpc\2.0.0.14_0\_metadata\verified_contents.json, Quarantined, [259], [756717],1.0.13167 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is True PC Booster Master?The Malwarebytes research team has determined that True PC Booster Master is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with True PC Booster Master?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this type of screens during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did True PC Booster Master get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove True PC Booster Master?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of True PC Booster Master? No, Malwarebytes removes True PC Booster Master completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the True PC Booster Master installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and both Malwarebytes Premium and Browser Guard block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Program Files (x86)\True PC Booster Master\pcpowerplus.exe (Econosoft Global Services Pte. Ltd.) [File not signed] C:\Program Files (x86)\True PC Booster Master\pcpowerplus_protection.exe Task: {12C05BE5-E4D8-4B6A-99B1-232261167CD1} - System32\Tasks\True PC Booster Master Startup => C:\Program Files (x86)\True PC Booster Master\pcpowerplus_protection.exe [333312 2019-09-24] (Econosoft Global Services Pte. Ltd.) [File not signed] Task: {5BA42EA2-3F3C-4415-9A97-3E059C2FC45D} - System32\Tasks\True PC Booster Master => C:\Program Files (x86)\True PC Booster Master\pcpowerplus.exe [7879984 2019-09-24] (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Windows\system32\Tasks\True PC Booster Master Startup C:\Windows\system32\Tasks\True PC Booster Master C:\Users\Public\Desktop\True PC Booster Master.lnk C:\ProgramData\Desktop\True PC Booster Master.lnk C:\Users\{username}\AppData\Roaming\True PC Booster Master C:\ProgramData\Microsoft\Windows\Start Menu\Programs\True PC Booster Master C:\Program Files (x86)\True PC Booster Master (Econosoft Global Services Pte. Ltd. ) C:\Users\{username}\Downloads\truepcboostermaster.exe True PC Booster Master (HKLM-x32\...\{61CB58F3-6B6F-488A-9163-2B56F3F44296}}_is1) (Version: 1.0 - Econosoft Global Services Pte. Ltd.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\True PC Booster Master Adds the file Core.dll"="4/19/2018 1:01 AM, 237568 bytes, A Adds the file DiscUtils.Common.dll"="4/19/2018 1:01 AM, 23040 bytes, A Adds the file DiscUtils.dll"="4/19/2018 1:01 AM, 915456 bytes, A Adds the file DiscUtils.MSBuild.dll"="4/19/2018 1:01 AM, 8192 bytes, A Adds the file DynamicDataDisplay.dll"="4/19/2018 1:01 AM, 316416 bytes, A Adds the file errordetailsOpt.xml"="10/31/2019 11:29 AM, 1189982 bytes, A Adds the file errorlog.txt"="7/12/2019 1:46 AM, 189 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="4/19/2018 1:01 AM, 49152 bytes, A Adds the file Interop.NATUPNPLib.dll"="4/19/2018 1:01 AM, 7680 bytes, A Adds the file Interop.NETCONLib.dll"="4/19/2018 1:01 AM, 10240 bytes, A Adds the file Interop.NetFwTypeLib.dll"="4/19/2018 1:01 AM, 19456 bytes, A Adds the file ISID.dll"="4/19/2018 1:01 AM, 1605120 bytes, A Adds the file logo.ico"="9/11/2019 4:10 AM, 21662 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="4/19/2018 1:01 AM, 171008 bytes, A Adds the file pcpowerplus.exe"="9/24/2019 10:21 AM, 7879984 bytes, A Adds the file pcpowerplus_protection.exe"="9/24/2019 10:20 AM, 333312 bytes, A Adds the file SharpCompress.dll"="4/19/2018 1:01 AM, 418304 bytes, A Adds the file System.Data.SQLite.dll"="4/19/2018 1:01 AM, 280576 bytes, A Adds the file System.Windows.Controls.Layout.Toolkit.dll"="4/19/2018 1:01 AM, 95064 bytes, A Adds the file unins000.dat"="10/31/2019 11:17 AM, 54831 bytes, A Adds the file unins000.exe"="10/31/2019 11:17 AM, 2556720 bytes, A Adds the file unins000.msg"="10/31/2019 11:17 AM, 23125 bytes, A Adds the file WpfAnimatedGif.dll"="4/19/2018 1:01 AM, 28160 bytes, A Adds the file WPFToolkit.dll"="4/19/2018 1:01 AM, 467288 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\Backup Adds the file 2019_07_22_052127.xml"="7/22/2019 6:21 AM, 65 bytes, A Adds the file 2019_07_22_052142.xml"="7/22/2019 6:21 AM, 65 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\de Adds the file pcpowerplus.resources.dll"="9/24/2019 10:21 AM, 73728 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\en Adds the file pcpowerplus.resources.dll"="9/24/2019 10:21 AM, 68608 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\fr Adds the file pcpowerplus.resources.dll"="9/24/2019 10:21 AM, 76288 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\ja-jp Adds the file pcpowerplus.resources.dll"="9/24/2019 10:21 AM, 86016 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\slider Adds the file Slider-1.jpg"="4/19/2018 1:01 AM, 77585 bytes, A Adds the file Slider-2.jpg"="4/19/2018 1:01 AM, 79413 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\uni Adds the file System.Data.SQLite.dll"="3/1/2018 10:21 PM, 353280 bytes, A Adds the file System.Data.SQLite.xml"="3/1/2018 10:21 PM, 1051056 bytes, A Adds the file Uninstaller.exe"="9/24/2019 10:20 AM, 468992 bytes, A Adds the file Uninstaller.exe.config"="8/21/2019 3:28 AM, 1552 bytes, A Adds the file Uninstaller.pdb"="9/24/2019 10:20 AM, 259584 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\uni\de Adds the file Uninstaller.resources.dll"="9/24/2019 10:20 AM, 27648 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\uni\en Adds the file Uninstaller.resources.dll"="9/24/2019 10:20 AM, 25600 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\uni\ja-jp Adds the file Uninstaller.resources.dll"="9/24/2019 10:20 AM, 33280 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\x64 Adds the file SQLite.Interop.dll"="4/19/2018 1:01 AM, 1205248 bytes, A Adds the folder C:\Program Files (x86)\True PC Booster Master\x86 Adds the file SQLite.Interop.dll"="4/19/2018 1:01 AM, 903168 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\True PC Booster Master Adds the file True PC Booster Master.lnk"="10/31/2019 11:17 AM, 1242 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\True PC Booster Master Adds the folder C:\Users\{username}\AppData\Roaming\True PC Booster Master\PC Repair Online Adds the folder C:\Users\{username}\AppData\Roaming\True PC Booster Master\PC Repair Online\setting Adds the file TPCBM.ash"="10/31/2019 11:29 AM, 590848 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file True PC Booster Master.lnk"="10/31/2019 11:17 AM, 1224 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file True PC Booster Master"="10/31/2019 11:17 AM, 3254 bytes, A Adds the file True PC Booster Master Startup"="10/31/2019 11:17 AM, 3276 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\FT\TPBM\Activation] "Insdate"="REG_SZ", "4YHHUl1i1Br9iF7MWsYJCuGaAfmboNGpoAgMpwXQ1BI=" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "lap"="REG_SZ", "MaJ2gPoqxd8XfUpiR6yGApWiy6PWHK7vLv3JQKF+yuU=" "lbp"="REG_SZ", "MaJ2gPoqxd8XfUpiR6yGApWiy6PWHK7vLv3JQKF+yuU=" "lr"="REG_SZ", "MaJ2gPoqxd8XfUpiR6yGApWiy6PWHK7vLv3JQKF+yuU=" "lsp"="REG_SZ", "MaJ2gPoqxd8XfUpiR6yGApWiy6PWHK7vLv3JQKF+yuU=" "Program"="REG_SZ", "True PC Booster Master" "Version"="REG_SZ", "1.0" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FT\TPBM\Activation] "IsTrack"="REG_SZ", "1" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "Program"="REG_SZ", "True PC Booster Master" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{61CB58F3-6B6F-488A-9163-2B56F3F44296}}_is1] "Comments"="REG_SZ", "True PC Booster Master" "Contact"="REG_SZ", "+1 (888)200-8889" "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\True PC Booster Master\logo.ico" "DisplayName"="REG_SZ", "True PC Booster Master" "DisplayVersion"="REG_SZ", "1.0" "EstimatedSize"="REG_DWORD", 22389 "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\True PC Booster Master" "Inno Setup: Icon Group"="REG_SZ", "True PC Booster Master" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "6.0.2 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20191031" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\True PC Booster Master\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Econosoft Global Services Pte. Ltd." "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\True PC Booster Master\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\True PC Booster Master\unins000.exe"" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/31/19 Scan Time: 11:45 AM Log File: 85603082-fbcb-11e9-a177-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.629 Update Package Version: 1.0.13127 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234214 Threats Detected: 20 Threats Quarantined: 20 Time Elapsed: 14 min, 58 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\TRUE PC BOOSTER MASTER\PCPOWERPLUS_PROTECTION.EXE, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\TRUE PC BOOSTER MASTER\PCPOWERPLUS.EXE, Quarantined, [587], [749298],1.0.13127 Module: 2 PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\TRUE PC BOOSTER MASTER\PCPOWERPLUS_PROTECTION.EXE, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\TRUE PC BOOSTER MASTER\PCPOWERPLUS.EXE, Quarantined, [587], [749298],1.0.13127 Registry Key: 7 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\True PC Booster Master Startup, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{12C05BE5-E4D8-4B6A-99B1-232261167CD1}, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{12C05BE5-E4D8-4B6A-99B1-232261167CD1}, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\True PC Booster Master, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{5BA42EA2-3F3C-4415-9A97-3E059C2FC45D}, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{5BA42EA2-3F3C-4415-9A97-3E059C2FC45D}, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{61CB58F3-6B6F-488A-9163-2B56F3F44296}}_is1, Quarantined, [587], [711523],1.0.13127 Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 9 PUP.Optional.PCBooster, C:\WINDOWS\SYSTEM32\TASKS\True PC Booster Master Startup, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\TRUE PC BOOSTER MASTER\PCPOWERPLUS_PROTECTION.EXE, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, C:\WINDOWS\SYSTEM32\TASKS\True PC Booster Master, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\True PC Booster Master.lnk, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, C:\USERS\PUBLIC\Desktop\True PC Booster Master.lnk, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\TRUE PC BOOSTER MASTER\PCPOWERPLUS.EXE, Quarantined, [587], [749298],1.0.13127 PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\TRUE PC BOOSTER MASTER\UNINS000.EXE, Quarantined, [587], [711523],1.0.13127 PUP.Optional.PCBooster, C:\USERS\{username}\DESKTOP\TRUEPCBOOSTERMASTER.EXE, Quarantined, [587], [711523],1.0.13127 PUP.Optional.PCBooster, C:\USERS\{username}\DOWNLOADS\TRUEPCBOOSTERMASTER.EXE, Quarantined, [587], [711523],1.0.13127 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is Free Live Radio?The Malwarebytes research team has determined that Free Live Radio is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Free Live Radio?You may see this browser extension:these warnings during install:You may see this icon in your browsers menu-bar:this new startpage:and this new setting:How did Free Live Radio get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:How do I remove Free Live Radio?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Free Live Radio? No, Malwarebytes' Anti-Malware removes Free Live Radio completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes and Malwarebytes Browser Guard would have protected you against the Free Live Radio hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://pacogkibldhicojmklpbapiilaleilbp/newtabfile/fastesttab.html" CHR Extension: (Free Live Radio) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp [2019-10-31] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0 Adds the file after.js"="7/16/2019 3:49 PM, 1264 bytes, A Adds the file bg.js"="7/16/2019 3:49 PM, 15172 bytes, A Adds the file contentscript.js"="7/16/2019 3:49 PM, 1247 bytes, A Adds the file icon.png"="10/31/2019 8:28 AM, 2449 bytes, A Adds the file manifest.json"="10/31/2019 8:28 AM, 1442 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\_locales\en Adds the file messages.json"="10/31/2019 8:28 AM, 274 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\_metadata Adds the file computed_hashes.json"="10/31/2019 8:28 AM, 1195 bytes, A Adds the file verified_contents.json"="7/16/2019 3:49 PM, 2613 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\css Adds the file browserAction.css"="7/16/2019 3:49 PM, 95 bytes, A Adds the file description.css"="7/16/2019 3:49 PM, 1008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\html\browserAction Adds the file browserAction.html"="7/16/2019 3:49 PM, 230 bytes, A Adds the file description.html"="7/16/2019 3:49 PM, 264 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\js Adds the file newTab.js"="7/16/2019 3:49 PM, 1720 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\newtabfile Adds the file fastesttab.html"="7/16/2019 3:49 PM, 208 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pacogkibldhicojmklpbapiilaleilbp Adds the file 000003.log"="10/31/2019 8:28 AM, 234 bytes, A Adds the file CURRENT"="10/31/2019 8:28 AM, 16 bytes, A Adds the file LOCK"="10/31/2019 8:28 AM, 0 bytes, A Adds the file LOG"="10/31/2019 8:28 AM, 183 bytes, A Adds the file MANIFEST-000001"="10/31/2019 8:28 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pacogkibldhicojmklpbapiilaleilbp"="REG_SZ", "4D051C639B48ED7E29B08E2845AB4CC7F2AA46F4775F75186BC4F68E5DF81F71" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/31/19 Scan Time: 8:40 AM Log File: bf66dd55-fbb1-11e9-9600-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.13123 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234128 Threats Detected: 33 Threats Quarantined: 33 Time Elapsed: 7 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pacogkibldhicojmklpbapiilaleilbp, Quarantined, [209], [754439],1.0.13123 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 11 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pacogkibldhicojmklpbapiilaleilbp, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\html\browserAction, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\_locales\en, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\newtabfile, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\_metadata, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\_locales, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\html, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\css, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\js, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PACOGKIBLDHICOJMKLPBAPIILALEILBP, Quarantined, [209], [754439],1.0.13123 File: 21 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pacogkibldhicojmklpbapiilaleilbp\000003.log, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pacogkibldhicojmklpbapiilaleilbp\CURRENT, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pacogkibldhicojmklpbapiilaleilbp\LOCK, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pacogkibldhicojmklpbapiilaleilbp\LOG, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pacogkibldhicojmklpbapiilaleilbp\MANIFEST-000001, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PACOGKIBLDHICOJMKLPBAPIILALEILBP\4.1_0\BG.JS, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\css\browserAction.css, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\css\description.css, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\html\browserAction\browserAction.html, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\html\browserAction\description.html, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\js\newTab.js, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\newtabfile\fastesttab.html, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\_locales\en\messages.json, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\_metadata\computed_hashes.json, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\_metadata\verified_contents.json, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\after.js, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\contentscript.js, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\icon.png, Quarantined, [209], [754439],1.0.13123 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacogkibldhicojmklpbapiilaleilbp\4.1_0\manifest.json, Quarantined, [209], [754439],1.0.13123 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is Speed Test Ace?The Malwarebytes research team has determined that Speed Test Ace is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a newtab hijacker and uses web push notifications.How do I know if my computer is affected by Speed Test Ace?You may see this browser extension:and this display when you are using the extension:these warnings during install:You may see this icon in your browsers menu-bar:this new startpage:and these new settings:How did Speed Test Ace get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Speed Test Ace?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Speed Test Ace? No, Malwarebytes' Anti-Malware removes Speed Test Ace completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.The full version of Malwarebytes would have protected you against the Speed Test Ace hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://hkipljkimgkboldkjchljjhkoebhbkge/web_page_home.html" CHR Notifications: Default -> hxxps://www.speedtestace.co CHR Extension: (Speed Test Ace) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge [2019-10-30] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0 Adds the file manifest.json"="10/30/2019 8:21 AM, 1390 bytes, A Adds the file web_page_home.html"="9/16/2019 4:41 PM, 173 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\_metadata Adds the file computed_hashes.json"="10/30/2019 8:21 AM, 3339 bytes, A Adds the file verified_contents.json"="9/16/2019 4:41 PM, 2389 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\core Adds the file content.js"="9/16/2019 4:41 PM, 1304 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\icons Adds the file icon128.png"="10/30/2019 8:21 AM, 2916 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\js Adds the file background.js"="9/16/2019 4:41 PM, 8788 bytes, A Adds the file jquery-3.2.1.min.js"="9/16/2019 4:41 PM, 86574 bytes, A Adds the file web_page_home.js"="9/16/2019 4:41 PM, 675 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\permission Adds the file fetch.js"="9/16/2019 4:41 PM, 6670 bytes, A Adds the file index.html"="9/16/2019 4:41 PM, 13667 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\permission\img Adds the file faviconfinal.ico"="9/16/2019 4:41 PM, 101036 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hkipljkimgkboldkjchljjhkoebhbkge Adds the file 000003.log"="10/30/2019 8:28 AM, 10569 bytes, A Adds the file CURRENT"="10/30/2019 8:21 AM, 16 bytes, A Adds the file LOCK"="10/30/2019 8:21 AM, 0 bytes, A Adds the file LOG"="10/30/2019 8:22 AM, 410 bytes, A Adds the file LOG.old"="10/30/2019 8:21 AM, 184 bytes, A Adds the file MANIFEST-000001"="10/30/2019 8:21 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hkipljkimgkboldkjchljjhkoebhbkge"="REG_SZ", "44CF32FF597E344DCDA32C24DDA33F4A43D59BB81B2D7B1EFA47CDF5E6BD2368" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/30/19 Scan Time: 8:35 AM Log File: e423023c-fae7-11e9-afe5-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.13111 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234222 Threats Detected: 30 Threats Quarantined: 30 Time Elapsed: 9 min, 20 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SpeedTestAce, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hkipljkimgkboldkjchljjhkoebhbkge, Quarantined, [268], [752614],1.0.13111 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\permission\img, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\permission, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\_metadata, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\icons, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\core, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\js, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\hkipljkimgkboldkjchljjhkoebhbkge, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\hkipljkimgkboldkjchljjhkoebhbkge, Quarantined, [268], [752614],1.0.13111 File: 20 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\core\content.js, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\icons\icon128.png, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\js\background.js, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\js\jquery-3.2.1.min.js, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\js\web_page_home.js, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\permission\img\faviconfinal.ico, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\permission\fetch.js, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\permission\index.html, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\_metadata\computed_hashes.json, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\_metadata\verified_contents.json, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\manifest.json, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkipljkimgkboldkjchljjhkoebhbkge\2.8.27.17_0\web_page_home.html, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hkipljkimgkboldkjchljjhkoebhbkge\000003.log, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hkipljkimgkboldkjchljjhkoebhbkge\CURRENT, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hkipljkimgkboldkjchljjhkoebhbkge\LOCK, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hkipljkimgkboldkjchljjhkoebhbkge\LOG, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hkipljkimgkboldkjchljjhkoebhbkge\LOG.old, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hkipljkimgkboldkjchljjhkoebhbkge\MANIFEST-000001, Quarantined, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [268], [752614],1.0.13111 PUP.Optional.SpeedTestAce, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [268], [752614],1.0.13111 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.