Jump to content

Metallica

Staff
  • Content Count

    2,515
  • Joined

  • Last visited

5 Followers

About Metallica

  • Rank
    Master of PUPs
  • Birthday 05/19/1963

Profile Information

  • Location
    Netherlands

Recent Profile Visitors

171,010 profile views
  1. What is SAntivirus?The Malwarebytes research team has determined that SAntivirus is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with SAntivirus?This is how the main screen of the system optimizer looks:You will find this icon in your taskbar, and your startmenu:and see these warnings during install:and these new services:and this new driver:and this entry in your list of installed programs:How did SAntivirus get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was installed by a bundler.How do I remove SAntivirus?Our program Malwarebytes can detect and remove this potentially unwanted application.This program needs to be removed in Safe Mode.Please follow these instructions:Run Malwarebytes from Safe Mode with Networking:Step 1:Boot into Safe Mode with Networking: Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point, you should gently tap the F8 key repeatedly until you are presented with the Advanced Boot Options menu. Select the option for Safe Mode with Networking using the arrow keys. Then press Enter on your keyboard to boot into Safe Mode. If prompted to choose a user account to login, click on your normal user name (not Administrator unless that is your normal user account) to log into Windows Step 2: Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system back into normal mode. Is there anything else I need to do to get rid of SAntivirus? No, Malwarebytes removes SAntivirus completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the SAntivirus installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Digital Communications Inc -> Digital Com. Inc) C:\Program Files (x86)\SAntivirus\SAntivirusClient.exe (Digital Communications Inc -> Digital Com. Inc) C:\Program Files (x86)\SAntivirus\SAntivirusIC.exe (Digital Communications Inc -> Digital Com. Inc) C:\Program Files (x86)\SAntivirus\SAntivirusService.exe "SAntivirusIC" => service was unlocked. <==== ATTENTION R2 SAntivirusIC; C:\Program Files (x86)\SAntivirus\SAntivirusIC.exe [6988496 2020-01-24] (Digital Communications Inc -> Digital Com. Inc) R2 SAntivirusSvc; C:\Program Files (x86)\SAntivirus\SAntivirusService.exe [141008 2020-01-24] (Digital Communications Inc -> Digital Com. Inc) R1 SANTIVIRUSKD; C:\Program Files (x86)\SAntivirus\SAntivirusKD.sys [90096 2020-01-24] (Digital Communications Inc. -> Digital Comm. Inc) C:\Users\{username}\AppData\Roaming\santivirusclient C:\Program Files (x86)\SAntivirus C:\ProgramData\SAntivirus C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAntivirus (Digital Com. Inc ©) C:\Users\{username}\Desktop\SetupS.exe SAntivirus Product (HKLM-x32\...\SAntivirus) (Version: 1.0.21.19 - Digital Com. Inc) ContextMenuHandlers1: [SAntivirusShellExtension.FileContextMenuExt] -> {7784BE7F-A15C-4A41-ACF5-4CC020154952} => C:\Program Files (x86)\SAntivirus\SAntivirusShell64_v102119.dll [2020-01-24] (Digital Communications Inc -> Digital Com. Inc) ContextMenuHandlers4: [SAntivirusShellExtension.FileContextMenuExt] -> {7784BE7F-A15C-4A41-ACF5-4CC020154952} => C:\Program Files (x86)\SAntivirus\SAntivirusShell64_v102119.dll [2020-01-24] (Digital Communications Inc -> Digital Com. Inc) ContextMenuHandlers6: [SAntivirusShellExtension.FileContextMenuExt] -> {7784BE7F-A15C-4A41-ACF5-4CC020154952} => C:\Program Files (x86)\SAntivirus\SAntivirusShell64_v102119.dll [2020-01-24] (Digital Communications Inc -> Digital Com. Inc) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\SAntivirus Adds the file Errors.dat"="1/24/2020 9:50 AM, 330 bytes, A Adds the file ExclusionsList.dat"="1/24/2020 9:50 AM, 81196 bytes, A Adds the file Microsoft.Diagnostics.Tracing.TraceEvent.dll"="12/19/2018 12:23 PM, 1008944 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="12/19/2018 12:23 PM, 310784 bytes, A Adds the file package.dat"="12/26/2019 4:43 PM, 20129892 bytes, A Adds the file rsEngine.config"="1/24/2020 9:50 AM, 256 bytes, A Adds the file rsEngine.dll"="12/6/2019 2:43 PM, 5570328 bytes, A Adds the file rsEngineHelper.exe"="1/24/2020 9:48 AM, 164120 bytes, A Adds the file rsEngineHelper.exe.config"="12/19/2018 12:23 PM, 383 bytes, A Adds the file rsEngineSDK.dll"="12/6/2019 2:43 PM, 242456 bytes, A Adds the file SAntivirusClient.exe"="1/24/2020 9:48 AM, 1726672 bytes, A Adds the file SAntivirusClient.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file SAntivirusEngine.dll"="1/24/2020 9:48 AM, 1031376 bytes, A Adds the file SAntivirusIC.config"="1/24/2020 9:54 AM, 1 bytes, A Adds the file SAntivirusIC.exe"="1/24/2020 9:48 AM, 6988496 bytes, A Adds the file SAntivirusKD.sys"="1/24/2020 9:48 AM, 90096 bytes, A Adds the file SAntivirusService.config"="1/24/2020 9:53 AM, 2048 bytes, A Adds the file SAntivirusService.exe"="1/24/2020 9:48 AM, 141008 bytes, A Adds the file SAntivirusService.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file SAntivirusShell64_v102119.dll"="1/24/2020 9:48 AM, 185040 bytes, A Adds the file SAntivirusShell86_v102119.dll"="1/24/2020 9:48 AM, 154832 bytes, A Adds the file SAntivirusTools.dll"="1/24/2020 9:48 AM, 55504 bytes, A Adds the file SAntivirusUninstaller.exe"="1/24/2020 9:48 AM, 1253072 bytes, A Adds the file SAntivirusUninstaller.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file Signatures.dat"="1/24/2020 9:50 AM, 1108824 bytes, A Adds the file SignaturesPacks.dat"="1/24/2020 9:50 AM, 204460 bytes, A Adds the file System.Threading.dll"="12/19/2018 12:23 PM, 387408 bytes, A Adds the file un.ico"="12/26/2019 4:04 PM, 34494 bytes, A Adds the file WhiteList.dat"="1/24/2020 9:50 AM, 311020 bytes, A Adds the folder C:\Program Files (x86)\SAntivirus\amd64 Adds the file KernelTraceControl.dll"="12/19/2018 12:23 PM, 223008 bytes, A Adds the file msdia140.dll"="12/19/2018 12:23 PM, 1380512 bytes, A Adds the folder C:\Program Files (x86)\SAntivirus\Cache Adds the folder C:\Program Files (x86)\SAntivirus\x64 Adds the file 7z64.dll"="12/19/2018 12:23 PM, 1646592 bytes, A Adds the file ext_x64.dll"="12/19/2018 12:23 PM, 375576 bytes, A Adds the file lz4_x64.dll"="12/19/2018 12:23 PM, 119064 bytes, A Adds the file rsEngineFW_x64.dll"="12/19/2018 12:23 PM, 104216 bytes, A Adds the file rsEnginePM_x64.dll"="12/19/2018 12:23 PM, 228120 bytes, A Adds the file rsLggrServer_x64.dll"="12/19/2018 12:23 PM, 821528 bytes, A Adds the file System.Data.SQLite.dll"="12/19/2018 12:23 PM, 1658136 bytes, A Adds the folder C:\Program Files (x86)\SAntivirus\x86 Adds the file 7z86.dll"="12/19/2018 12:23 PM, 1113088 bytes, A Adds the file ext_x86.dll"="12/19/2018 12:23 PM, 280344 bytes, A Adds the file KernelTraceControl.dll"="12/19/2018 12:23 PM, 167200 bytes, A Adds the file lz4_x86.dll"="12/19/2018 12:23 PM, 98584 bytes, A Adds the file msdia140.dll"="12/19/2018 12:23 PM, 1081656 bytes, A Adds the file rsEngineFW_x86.dll"="12/19/2018 12:23 PM, 88856 bytes, A Adds the file rsEnginePM_x86.dll"="12/19/2018 12:23 PM, 190744 bytes, A Adds the file rsLggrServer_x86.dll"="12/19/2018 12:23 PM, 569344 bytes, A Adds the file System.Data.SQLite.dll"="12/19/2018 12:23 PM, 1209624 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAntivirus Adds the file SAntivirus Product.lnk"="1/24/2020 9:48 AM, 1011 bytes, A Adds the folder C:\ProgramData\SAntivirus Adds the file b.dat"="1/24/2020 9:48 AM, 19050864 bytes, A Adds the folder C:\ProgramData\SAntivirus\b Adds the file Microsoft.Diagnostics.Tracing.TraceEvent.dll"="12/19/2018 12:23 PM, 1008944 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="12/19/2018 12:23 PM, 310784 bytes, A Adds the file rsEngine.dll"="12/6/2019 2:43 PM, 5570328 bytes, A Adds the file rsEngineHelper.exe"="1/24/2020 9:48 AM, 164120 bytes, A Adds the file rsEngineHelper.exe.config"="12/19/2018 12:23 PM, 383 bytes, A Adds the file rsEngineSDK.dll"="12/6/2019 2:43 PM, 242456 bytes, A Adds the file SAntivirusClient.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file SAntivirusService.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file SAntivirusUninstaller.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file System.Threading.dll"="12/19/2018 12:23 PM, 387408 bytes, A Adds the folder C:\ProgramData\SAntivirus\b\amd64 Adds the file KernelTraceControl.dll"="12/19/2018 12:23 PM, 223008 bytes, A Adds the file msdia140.dll"="12/19/2018 12:23 PM, 1380512 bytes, A Adds the folder C:\ProgramData\SAntivirus\b\x64 Adds the file 7z64.dll"="12/19/2018 12:23 PM, 1646592 bytes, A Adds the file ext_x64.dll"="12/19/2018 12:23 PM, 375576 bytes, A Adds the file lz4_x64.dll"="12/19/2018 12:23 PM, 119064 bytes, A Adds the file rsEngineFW_x64.dll"="12/19/2018 12:23 PM, 104216 bytes, A Adds the file rsEnginePM_x64.dll"="12/19/2018 12:23 PM, 228120 bytes, A Adds the file rsLggrServer_x64.dll"="12/19/2018 12:23 PM, 821528 bytes, A Adds the file System.Data.SQLite.dll"="12/19/2018 12:23 PM, 1658136 bytes, A Adds the folder C:\ProgramData\SAntivirus\b\x86 Adds the file 7z86.dll"="12/19/2018 12:23 PM, 1113088 bytes, A Adds the file ext_x86.dll"="12/19/2018 12:23 PM, 280344 bytes, A Adds the file KernelTraceControl.dll"="12/19/2018 12:23 PM, 167200 bytes, A Adds the file lz4_x86.dll"="12/19/2018 12:23 PM, 98584 bytes, A Adds the file msdia140.dll"="12/19/2018 12:23 PM, 1081656 bytes, A Adds the file rsEngineFW_x86.dll"="12/19/2018 12:23 PM, 88856 bytes, A Adds the file rsEnginePM_x86.dll"="12/19/2018 12:23 PM, 190744 bytes, A Adds the file rsLggrServer_x86.dll"="12/19/2018 12:23 PM, 569344 bytes, A Adds the file System.Data.SQLite.dll"="12/19/2018 12:23 PM, 1209624 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\santivirusclient Adds the file santivirusclientConfig.xml"="1/24/2020 9:50 AM, 1233 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}] "(Default)"="REG_SZ", "SAntivirusShellExtension.FileContextMenuExt Class" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}\InprocServer32] "(Default)"="REG_SZ", "C:\Program Files (x86)\SAntivirus\SAntivirusShell64_v102119.dll" "ThreadingModel"="REG_SZ", "Apartment" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\*\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\Folder\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\lnkfile\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}] "(Default)"="REG_SZ", "SAntivirusShellExtension.FileContextMenuExt Class" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}\InprocServer32] "(Default)"="REG_SZ", "C:\Program Files (x86)\SAntivirus\SAntivirusShell86_v102119.dll" "ThreadingModel"="REG_SZ", "Apartment" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\SAntivirus\Protected] [HKEY_LOCAL_MACHINE\SOFTWARE\SAntivirus] "campid"="REG_SZ", "" "channel"="REG_SZ", "" "DIUCIE"="REG_SZ", "oPeivQUmp1HQIdzZWWYABAr9vhEl/K1fdKcJ7hJ6vnywqDG2B5iBnmpea/CqXWRf" "EVNLSA"="REG_SZ", "637154562580668961" "fbsd_ictssd"="REG_DWORD", 1579820400 "FirstRun"="REG_SZ", "1/24/2020 9:50:00 AM" "INSTDT"="REG_SZ", "637154562016873158" "ite"="REG_DWORD", 1579855733 "iuid"="REG_SZ", "0" "lhsday"="REG_DWORD", 1579820400 "lvsday"="REG_DWORD", 1579820400 "pixel"="REG_SZ", "" "PMDPP"="REG_SZ", "0" "RGUSR"="REG_SZ", "637154562017964466" "SDKLFC"="REG_SZ", "637154562577666195" "SDKLUC"="REG_SZ", "637154562575272531" "ServicePipe"="REG_SZ", "SAntivirus1" "SIGLC"="REG_SZ", "1/24/2020 9:50:56 AM" "su"="REG_SZ", "8a803927793b13626b59dcb4adcbc283f2feda7d196e4eb3f807fb4cc6b183d9" "tg"="REG_SZ", "" "U"="REG_SZ", "0ab2630c-b6c0-4568-aa9d-7394687dd436" "UH"="REG_SZ", "840A88286A38BC706482266E552A7018" "WLLCK"="REG_SZ", "1/24/2020 9:50:57 AM" [HKEY_LOCAL_MACHINE\SOFTWARE\SegOption] "fst"="REG_DWORD", 1 "gui"="REG_DWORD", 42 "guisc"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SAntivirus] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\SAntivirus\un.ico" "DisplayName"="REG_SZ", "SAntivirus Product" "DisplayVersion"="REG_SZ", "1.0.21.19" "EstimatedSize"="REG_DWORD", 49640 "Publisher"="REG_SZ", "Digital Com. Inc" "UninstallString"="REG_SZ", "C:\Program Files (x86)\SAntivirus\SAntivirusUninstaller.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\SAntivirus\Protected] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SAntivirus] "cr"="REG_DWORD", 1579855627 "EVNLSA"="REG_SZ", "637154562580668961" "FirstRun"="REG_SZ", "1/24/2020 9:50:00 AM" "IMode"="REG_DWORD", 0 "InstallDir"="REG_SZ", "C:\Program Files (x86)\SAntivirus" "INSTDT"="REG_SZ", "637154562016873158" "PMDPP"="REG_SZ", "0" "RGUSR"="REG_SZ", "637154562017964466" "SDKLFC"="REG_SZ", "637154562577666195" "SDKLUC"="REG_SZ", "637154562575272531" "SIGLC"="REG_SZ", "1/24/2020 9:50:56 AM" "U"="REG_SZ", "0ab2630c-b6c0-4568-aa9d-7394687dd436" "UH"="REG_SZ", "840A88286A38BC706482266E552A7018" "WLLCK"="REG_SZ", "1/24/2020 9:50:57 AM" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SAntivirusProduct] "InstallEnd"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\SAntivirusSvc] "EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAntivirusIC] "Description"="REG_SZ", "This service protect your pc from viruses and spyware." "DisplayName"="REG_SZ", "SAntivirusIC" "ErrorControl"="REG_DWORD", 1 "FailureActions"="REG_BINARY, ............d...d...d. "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\SAntivirus\SAntivirusIC.exe -service" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAntivirusIC\Security] "Security"="REG_BINARY, ........0................p...."......................... ................................... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SANTIVIRUSKD] "DisplayName"="REG_SZ", "SAntivirus Kernel Driver" "ErrorControl"="REG_DWORD", 1 "Group"="REG_SZ", "SAntivirus Kernel Driver" "ImagePath"="REG_EXPAND_SZ, "\??\C:\Program Files (x86)\SAntivirus\SAntivirusKD.sys" "Start"="REG_DWORD", 1 "Tag"="REG_DWORD", 1 "Type"="REG_DWORD", 1 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SANTIVIRUSKD\Enum] "0"="REG_SZ", "Root\LEGACY_SANTIVIRUSKD\0000" "Count"="REG_DWORD", 1 "NextInstance"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAntivirusSvc] "Description"="REG_SZ", "This service protect your pc from viruses and spyware." "DisplayName"="REG_SZ", "SAntivirusSvc" "ErrorControl"="REG_DWORD", 1 "FailureActions"="REG_BINARY, ............d...d...d. "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\SAntivirus\SAntivirusService.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAntivirusSvc\Security] "Security"="REG_BINARY, ........0................p...."......................... ................................... Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/24/20 Scan Time: 11:00 AM Log File: 55ffdc54-3e90-11ea-b6a9-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.18176 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235953 Threats Detected: 37 Threats Quarantined: 37 Time Elapsed: 4 min, 5 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 22 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\*\SHELLEX\CONTEXTMENUHANDLERS\SAntivirusShellExtension.FileContextMenuExt, Quarantined, 1553, 783943, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SAntivirusIC, Quarantined, 1553, 783952, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SANTIVIRUSKD, Quarantined, 1553, 783953, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SAntivirusSvc, Quarantined, 1553, 783954, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\SAntivirus, Quarantined, 1553, 783949, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\SegOption, Quarantined, 1553, 757809, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\SAntivirus, Quarantined, 1553, 783948, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SAntivirus, Quarantined, 1553, 783950, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\*\SHELLEX\CONTEXTMENUHANDLERS\SAntivirusShellExtension.FileContextMenuExt, Quarantined, 1553, 783945, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\SAntivirus, Quarantined, 1553, 783949, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\SAntivirusProduct, Quarantined, 1553, 783951, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\santivirusclient_RASAPI32, Quarantined, 1553, 783946, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\santivirusclient_RASMANCS, Quarantined, 1553, 783946, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\SAntivirusService_RASAPI32, Quarantined, 1553, 783947, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\SAntivirusService_RASMANCS, Quarantined, 1553, 783947, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\WINDOWS\SAntivirus, Quarantined, 1553, 783948, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}\InprocServer32, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}\InprocServer32, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}\InprocServer32, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}, Quarantined, 1553, 783944, 1.0.18176, , ame, Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS, Quarantined, 1553, 783938, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SANTIVIRUS, Quarantined, 1553, 783939, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\PROGRAMDATA\SANTIVIRUS, Quarantined, 1553, 783940, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\USERS\{username}\APPDATA\ROAMING\SANTIVIRUSCLIENT, Quarantined, 1553, 783941, 1.0.18176, , ame, File: 11 PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSIC.EXE, Quarantined, 1553, 783952, , , , PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSKD.SYS, Quarantined, 1553, 783953, , , , PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSSERVICE.EXE, Quarantined, 1553, 783954, , , , PUP.Optional.Segurazo, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAntivirus\SAntivirus Product.lnk, Quarantined, 1553, 783939, , , , PUP.Optional.Segurazo, C:\Users\{username}\AppData\Roaming\santivirusclient\santivirusclientConfig.xml, Quarantined, 1553, 783941, , , , PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSSHELL64_V102119.DLL, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSSHELL86_V102119.DLL, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSKD.SYS, Quarantined, 1553, 783938, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSIC.EXE, Quarantined, 1553, 783938, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSSERVICE.EXE, Quarantined, 1553, 783938, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\USERS\{username}\DESKTOP\SETUPS.EXE, Quarantined, 1553, 783956, 1.0.18176, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is The Cooking Club? The Malwarebytes research team has determined that The Cooking Club is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by The Cooking Club? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did The Cooking Club get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove The Cooking Club? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of The Cooking Club? No, Malwarebytes removes The Cooking Club completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the The Cooking Club hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.thecooking.club/?q={searchTerms}&publisher=thecookingclub&barcodeid=550870000000000 CHR DefaultSearchKeyword: Default -> TheCookingClub CHR DefaultSuggestURL: Default -> hxxps://api.thecooking.club/suggest/get?q={searchTerms} CHR Notifications: Default -> hxxps://install.thecooking.club CHR Extension: (TheCookingClub) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb [2020-01-23] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0 Adds the file manifest.json"="1/23/2020 8:56 AM, 2097 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\_metadata Adds the file computed_hashes.json"="1/23/2020 8:56 AM, 6088 bytes, A Adds the file verified_contents.json"="10/11/2019 6:59 PM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images\icons Adds the file 128x128.png"="1/23/2020 8:56 AM, 5776 bytes, A Adds the file 16x16.png"="1/23/2020 8:56 AM, 551 bytes, A Adds the file 64x64.png"="1/23/2020 8:56 AM, 2801 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\scripts Adds the file background.js"="10/3/2019 7:28 PM, 511630 bytes, A Adds the file sitecontent.js"="10/3/2019 7:28 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_gpaghkhgcphifedcphoomdcjidnfhpjb Adds the file The Cooking Club.ico"="1/23/2020 8:56 AM, 189776 bytes, A Adds the file The Cooking Club.ico.md5"="1/23/2020 8:56 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gpaghkhgcphifedcphoomdcjidnfhpjb"="REG_SZ", "9F7F72C0999F624F27A10A4AD540C7CFEE466FE42850109DFF50E50118A1822A" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/23/20 Scan Time: 9:13 AM Log File: 31d94ae6-3db8-11ea-97e5-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.18112 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236001 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 6 min, 36 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.TheCookingClub, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gpaghkhgcphifedcphoomdcjidnfhpjb, Quarantined, 435, 750351, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images\icons, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\_metadata, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\scripts, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GPAGHKHGCPHIFEDCPHOOMDCJIDNFHPJB, Quarantined, 435, 750351, 1.0.18112, , ame, File: 12 PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GPAGHKHGCPHIFEDCPHOOMDCJIDNFHPJB\3.0.3_0\MANIFEST.JSON, Quarantined, 435, 750351, 1.0.18112, , ame, PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images\icons\128x128.png, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images\icons\16x16.png, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images\icons\64x64.png, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\scripts\background.js, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\scripts\sitecontent.js, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\_metadata\computed_hashes.json, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\_metadata\verified_contents.json, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 435, 750349, 1.0.18112, , ame, PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 435, 750349, 1.0.18112, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is Security Reviver? The Malwarebytes research team has determined that Security Reviver is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog. How do I know if I am infected with Security Reviver? This is how the main screen of the system optimizer looks: You will find these icons in your taskbar, your startmenu, and on your desktop: and see these warnings during install: and this type of screens during "operations": You may see this entry in your list of installed programs: and these tasks in your list of Scheduled Tasks: How did Security Reviver get on my computer? These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website: How do I remove Security Reviver? Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Security Reviver? No, Malwarebytes removes Security Reviver completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this system optimizer. As you can see below the full version of Malwarebytes would have protected you against the Security Reviver installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts You may see these entries in FRST logs: (Corel Corporation -> Corel Corporation) C:\Program Files (x86)\Security Reviver\SecRev.exe Task: {2E1D2ED2-7C7B-4B2F-9BAA-04BB6EA2FEE2} - System32\Tasks\sr_notifier_executor => C:\Program Files (x86)\Security Reviver\notifier.exe [1873432 2020-01-09] (Corel Corporation -> Corel Corporation) Task: {C69819AC-6DEE-4FCE-AF8C-E525EDB6CAFB} - System32\Tasks\Security Reviver_startup => C:\Program Files (x86)\Security Reviver\SecRev.exe [7627288 2020-01-09] (Corel Corporation -> Corel Corporation) C:\Users\{username}\AppData\Local\ReviverSoft C:\Windows\system32\Tasks\sr_notifier_executor C:\Windows\system32\Tasks\Security Reviver_startup C:\Users\Public\Desktop\Security Reviver.lnk C:\ProgramData\Desktop\Security Reviver.lnk C:\Users\{username}\AppData\Roaming\ReviverSoft C:\ProgramData\ReviverSoft C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Reviver C:\Program Files (x86)\Security Reviver (Corel Corporation) C:\Windows\system32\secrevnative64.exe (Security Reviver ) C:\Users\{username}\Desktop\SecurityReviverSetup.exe Security Reviver (HKLM-x32\...\00212D92-C5D8-4ff4-AE50-B20F0F85C40A_ReviverSoft~2C1D94A4_is1) (Version: 2.1.1000.26600 - Security Reviver) <==== ATTENTION Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Security Reviver Adds the file AppManager.exe"="1/9/2020 3:36 PM, 484376 bytes, A Adds the file AppResource.dll"="1/9/2020 3:36 PM, 13068824 bytes, A Adds the file categories.ini"="6/12/2017 1:15 PM, 42820 bytes, A Adds the file Chinese_asp_ZH-CN.ini"="12/19/2018 2:13 PM, 54406 bytes, A Adds the file danish_asp_DA.ini"="12/19/2018 2:13 PM, 96598 bytes, A Adds the file dutch_asp_NL.ini"="12/19/2018 2:13 PM, 96826 bytes, A Adds the file eng_asp_en.ini"="1/3/2020 10:32 AM, 52795 bytes, A Adds the file Finnish_asp_FI.ini"="12/19/2018 2:14 PM, 96608 bytes, A Adds the file french_asp_FR.ini"="12/19/2018 2:14 PM, 107768 bytes, A Adds the file german_asp_DE.ini"="12/19/2018 2:14 PM, 106344 bytes, A Adds the file helper.dll"="1/9/2020 3:36 PM, 2322968 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="1/9/2020 3:36 PM, 55320 bytes, A Adds the file italian_asp_IT.ini"="12/19/2018 2:14 PM, 101580 bytes, A Adds the file japanese_asp_JA.ini"="12/19/2018 1:16 PM, 66162 bytes, A Adds the file lci.lci"="1/22/2020 8:38 AM, 675 bytes, H Adds the file loading_withWhiteBG.avi"="6/12/2017 1:15 PM, 103936 bytes, A Adds the file Microsoft.Win32.TaskScheduler.DLL"="1/9/2020 3:36 PM, 121368 bytes, A Adds the file norwegian_asp_NO.ini"="12/19/2018 1:16 PM, 92240 bytes, A Adds the file notifier.exe"="1/9/2020 3:36 PM, 1873432 bytes, A Adds the file portuguese_asp_PT-BR.ini"="12/19/2018 2:15 PM, 98598 bytes, A Adds the file russian_asp_ru.ini"="12/19/2018 1:17 PM, 98740 bytes, A Adds the file scandll.dll"="1/9/2020 3:36 PM, 66584 bytes, A Adds the file SecRev.exe"="1/9/2020 3:36 PM, 7627288 bytes, A Adds the file SecRev.exe.config"="1/3/2020 2:46 PM, 6466 bytes, A Adds the file spanish_asp_ES.ini"="12/19/2018 1:17 PM, 103814 bytes, A Adds the file sr.ico"="6/12/2017 1:15 PM, 17542 bytes, A Adds the file swedish_asp_SV.ini"="12/19/2018 1:17 PM, 93652 bytes, A Adds the file System.Core.dll"="1/9/2020 3:36 PM, 673816 bytes, A Adds the file System.Data.SQLite.dll"="1/9/2020 3:36 PM, 892440 bytes, A Adds the file tray.exe"="1/9/2020 3:36 PM, 2041368 bytes, A Adds the file unins000.dat"="1/22/2020 8:38 AM, 95695 bytes, A Adds the file unins000.exe"="1/22/2020 8:38 AM, 1198616 bytes, A Adds the file unins000.msg"="1/22/2020 8:38 AM, 22701 bytes, A Adds the file unrar.dll"="1/9/2020 3:36 PM, 174616 bytes, A Adds the file Xceed.Compression.dll"="1/9/2020 3:36 PM, 108568 bytes, A Adds the file Xceed.Compression.Formats.dll"="1/9/2020 3:36 PM, 71704 bytes, A Adds the file Xceed.FileSystem.dll"="1/9/2020 3:36 PM, 129048 bytes, A Adds the file Xceed.Zip.dll"="1/9/2020 3:36 PM, 202776 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Reviver Adds the file Register Security Reviver.lnk"="1/22/2020 8:38 AM, 1095 bytes, A Adds the file Security Reviver.lnk"="1/22/2020 8:38 AM, 1069 bytes, A Adds the file Uninstall Security Reviver.lnk"="1/22/2020 8:38 AM, 1081 bytes, A Adds the folder C:\ProgramData\ReviverSoft\Security Reviver Adds the file AddonSafelist"="6/12/2017 1:15 PM, 13312 bytes, A Adds the file log.xslt"="6/12/2017 1:15 PM, 24753 bytes, A Adds the folder C:\ProgramData\ReviverSoft\Security Reviver\signatures Adds the file completedatabase.db"="1/22/2020 8:45 AM, 209821696 bytes, A Adds the file Cookies.bin"="1/22/2020 8:45 AM, 233928 bytes, A Adds the file DigSign.bin"="1/22/2020 8:45 AM, 132216 bytes, A Adds the file FilePaths.bin"="1/22/2020 8:45 AM, 5838576 bytes, A Adds the file FileSignature.bin"="1/22/2020 8:45 AM, 26693928 bytes, A Adds the file Folders.bin"="1/22/2020 8:45 AM, 1689184 bytes, A Adds the file Md5.bin"="1/22/2020 8:45 AM, 63720808 bytes, A Adds the file Registry.bin"="1/22/2020 8:45 AM, 39185360 bytes, A Adds the file SetupSign.bin"="1/22/2020 8:45 AM, 13472 bytes, A Adds the file StrSetupSign.bin"="1/22/2020 8:45 AM, 1792 bytes, A Adds the folder C:\ProgramData\ReviverSoft\Security Reviver\updates Adds the file 3262completedatabase.zip"="1/22/2020 8:40 AM, 36169813 bytes, A Adds the file 4025mupdate.zip"="1/22/2020 8:44 AM, 57688093 bytes, A Adds the file 4026update.zip"="1/22/2020 8:44 AM, 128602 bytes, A Adds the folder C:\Users\{username}\AppData\Local\ReviverSoft\Security Reviver Adds the file ScanEngineErrorLog.txt"="1/22/2020 8:48 AM, 6083 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver Adds the file ASPLog.txt"="1/22/2020 8:50 AM, 5553 bytes, A Adds the file QDetail.db"="1/22/2020 8:38 AM, 4096 bytes, A Adds the file Settings.db"="1/22/2020 8:48 AM, 12288 bytes, A Adds the file Update.ini"="1/22/2020 8:39 AM, 2356 bytes, A Adds the file uuid.txt"="1/22/2020 8:38 AM, 35 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Logs Adds the file log_22-01-20_08-48-21.xml"="1/22/2020 8:48 AM, 42979 bytes, A Adds the file SMLog.xml"="1/22/2020 8:48 AM, 1550 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Security Reviver.lnk"="1/22/2020 8:38 AM, 1051 bytes, A In the existing folder C:\Windows\System32 Adds the file secrevnative64.exe"="1/9/2020 3:36 PM, 27672 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Security Reviver_startup"="1/22/2020 8:38 AM, 3068 bytes, A Adds the file sr_notifier_executor"="1/22/2020 8:38 AM, 3602 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\00212D92-C5D8-4ff4-AE50-B20F0F85C40A_ReviverSoft~2C1D94A4_is1] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Security Reviver\SecRev.exe" "DisplayName"="REG_SZ", "Security Reviver" "DisplayVersion"="REG_SZ", "2.1.1000.26600" "EstimatedSize"="REG_DWORD", 31851 "HelpLink"="REG_SZ", "https://www.reviversoft.com/security-reviver/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Security Reviver" "Inno Setup: Icon Group"="REG_SZ", "Security Reviver" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.9 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20200122" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Security Reviver\" "MajorVersion"="REG_DWORD", 2 "MinorVersion"="REG_DWORD", 1 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Security Reviver" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Security Reviver\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Security Reviver\unins000.exe"" "URLInfoAbout"="REG_SZ", "https://www.reviversoft.com/security-reviver/" "VersionMajor"="REG_DWORD", 2 "VersionMinor"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ReviverSoft\Params] "affiliateid"="REG_SZ", "" "ASPInstalledPath"="REG_SZ", "C:\Program Files (x86)\Security Reviver" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "default" "utm_medium"="REG_SZ", "newbuild" "utm_source"="REG_SZ", "reviversoft" "x-at"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ReviverSoft\Security Reviver] "affiliateid"="REG_SZ", "" "afterInstallUrl"="REG_SZ", "https://goto.reviversoft.com/action/?product=SR&LinkType=Install&BuildID=0&t=" "buildid"="REG_SZ", "0" "BuyNowURL"="REG_SZ", "https://goto.reviversoft.com/action/?product=SR&LinkType=Purchase&BuildID=0&t=" "BuyNowURLADU"="REG_SZ", "" "BuyNowURLASP"="REG_SZ", "" "BuyNowURLPB"="REG_SZ", "" "BuyNowURLRCP"="REG_SZ", "" "cmd_t"="REG_SZ", "" "Expired"="REG_DWORD", 0 "InstalledPath"="REG_SZ", "C:\Program Files (x86)\Security Reviver" "isphone"="REG_SZ", "0" "IsScanOptional"="REG_DWORD", 1 "issilent"="REG_DWORD", 1 "MaxFixLimit"="REG_DWORD", 0 "REGVER"="REG_DWORD", 0 "REGVER-UNINSTALL"="REG_DWORD", 0 "RenewNowURL"="REG_SZ", "https://goto.reviversoft.com/action/?product=SR&LinkType=Renew&BuildID=0&t=" "RenewNowURLADU"="REG_SZ", "" "RenewNowURLASP"="REG_SZ", "" "RenewNowURLPB"="REG_SZ", "" "RenewNowURLRCP"="REG_SZ", "" "showbc"="REG_DWORD", 1 "showfth"="REG_DWORD", 0 "showfthsetting"="REG_DWORD", 0 "showpb"="REG_DWORD", 0 "showsm"="REG_DWORD", 1 "SUPPORT_URL"="REG_SZ", "https://goto.reviversoft.com/action/?product=SR&LinkType=Support&BuildID=0&t=" "TELNO"="REG_SZ", "" "TELNOFR"="REG_SZ", "" "uid"="REG_SZ", "72205a28-a34819b8-a4bb0795-f972a54c" "utm_campaign"="REG_SZ", "default" "utm_medium"="REG_SZ", "newbuild" "utm_source"="REG_SZ", "reviversoft" "x-at"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ReviverSoft\Security Reviver\LANG] "LangCode"="REG_SZ", "en" "LangID"="REG_DWORD", 0 [HKEY_CURRENT_USER\Software\ReviverSoft\params] "ASPInstalledPath"="REG_SZ", "C:\Program Files (x86)\Security Reviver" [HKEY_CURRENT_USER\Software\ReviverSoft\Security Reviver] "affiliateid"="REG_SZ", "" "buildid"="REG_SZ", "0" "cmd_t"="REG_SZ", "" "CurrentScanTime"="REG_BINARY, ........ "FirstInstallDate"="REG_SZ", "22-01-2020" "InstalledPath"="REG_SZ", "C:\Program Files (x86)\Security Reviver" "StrLastErrorsFixed"="REG_SZ", "0" "StrLastScanResults"="REG_SZ", "56" "TELNO"="REG_SZ", "" "TELNOFR"="REG_SZ", "" "utm_campaign"="REG_SZ", "default" "utm_days"="REG_SZ", "0" "utm_medium"="REG_SZ", "newbuild" "utm_source"="REG_SZ", "reviversoft" "x-at"="REG_SZ", "" [HKEY_CURRENT_USER\Software\ReviverSoft\Security Reviver\2.1.1000.26600] [HKEY_CURRENT_USER\Software\ReviverSoft\Security Reviver\LANG] "LangCode"="REG_SZ", "en" "LangID"="REG_DWORD", 0 Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/22/20 Scan Time: 9:00 AM Log File: 46fe135a-3ced-11ea-b033-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.18084 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236070 Threats Detected: 96 Threats Quarantined: 96 Time Elapsed: 31 min, 15 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\SecRev.exe, Quarantined, 1521, 183639, , , , Module: 10 PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\SecRev.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\helper.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Interop.IWshRuntimeLibrary.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Microsoft.Win32.TaskScheduler.DLL, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\scandll.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\System.Data.SQLite.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\unrar.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.Compression.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.FileSystem.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.Zip.dll, Quarantined, 1521, 183639, , , , Registry Key: 9 PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SECURITY REVIVER_STARTUP, Quarantined, 1521, 183641, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C69819AC-6DEE-4FCE-AF8C-E525EDB6CAFB}, Quarantined, 1521, 183641, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{C69819AC-6DEE-4FCE-AF8C-E525EDB6CAFB}, Quarantined, 1521, 183641, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\sr_notifier_executor, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2E1D2ED2-7C7B-4B2F-9BAA-04BB6EA2FEE2}, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{2E1D2ED2-7C7B-4B2F-9BAA-04BB6EA2FEE2}, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\00212D92-C5D8-4ff4-AE50-B20F0F85C40A_ReviverSoft~2C1D94A4_is1, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, HKCU\SOFTWARE\REVIVERSOFT\Security Reviver, Quarantined, 1521, 259287, 1.0.18084, , ame, PUP.Optional.SecurityReviver, HKLM\SOFTWARE\WOW6432NODE\REVIVERSOFT\Security Reviver, Quarantined, 1521, 259289, 1.0.18084, , ame, Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\updates, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\PROGRAMDATA\REVIVERSOFT\SECURITY REVIVER, Quarantined, 1521, 182114, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Logs, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\USERS\{username}\APPDATA\ROAMING\REVIVERSOFT\SECURITY REVIVER, Quarantined, 1521, 182114, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SECURITY REVIVER, Quarantined, 1521, 182115, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\USERS\{username}\APPDATA\LOCAL\REVIVERSOFT\SECURITY REVIVER, Quarantined, 1521, 502489, 1.0.18084, , ame, File: 69 PUP.Optional.SecurityReviver, C:\USERS\PUBLIC\DESKTOP\SECURITY REVIVER.LNK, Quarantined, 1521, 183638, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\completedatabase.db, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\Cookies.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\DigSign.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\FilePaths.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\FileSignature.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\Folders.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\Md5.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\Registry.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\SetupSign.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\StrSetupSign.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\updates\3262completedatabase.zip, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\updates\4025mupdate.zip, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\updates\4026update.zip, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\AddonSafelist, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\log.xslt, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\WINDOWS\SYSTEM32\TASKS\SECURITY REVIVER_STARTUP, Quarantined, 1521, 183641, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Logs\log_22-01-20_08-48-21.xml, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Logs\SMLog.xml, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\ASPLog.txt, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\QDetail.db, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Settings.db, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Update.ini, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\uuid.txt, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\PROGRAM FILES (X86)\SECURITY REVIVER\unins000.dat, Quarantined, 1521, 183639, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\SecRev.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\AppManager.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\AppResource.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\categories.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Chinese_asp_ZH-CN.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\danish_asp_DA.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\dutch_asp_NL.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\eng_asp_en.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Finnish_asp_FI.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\french_asp_FR.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\german_asp_DE.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\helper.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Interop.IWshRuntimeLibrary.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\italian_asp_IT.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\japanese_asp_JA.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\lci.lci, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\loading_withWhiteBG.avi, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Microsoft.Win32.TaskScheduler.DLL, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\norwegian_asp_NO.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\notifier.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\portuguese_asp_PT-BR.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\russian_asp_ru.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\scandll.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\SecRev.exe.config, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\spanish_asp_ES.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\sr.ico, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\swedish_asp_SV.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\System.Data.SQLite.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\tray.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\unins000.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\unins000.msg, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\unrar.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.Compression.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.Compression.Formats.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.FileSystem.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.Zip.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Security Reviver.lnk, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\WINDOWS\SYSTEM32\TASKS\sr_notifier_executor, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Reviver\Register Security Reviver.lnk, Quarantined, 1521, 182115, , , , PUP.Optional.SecurityReviver, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Reviver\Security Reviver.lnk, Quarantined, 1521, 182115, , , , PUP.Optional.SecurityReviver, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Reviver\Uninstall Security Reviver.lnk, Quarantined, 1521, 182115, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Local\ReviverSoft\Security Reviver\ScanEngineErrorLog.txt, Quarantined, 1521, 502489, , , , PUP.Optional.SecurityReviver, C:\WINDOWS\SYSTEM32\SECREVNATIVE64.EXE, Quarantined, 1521, 783064, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\USERS\{username}\DESKTOP\SECURITYREVIVERSETUP.EXE, Quarantined, 1521, 338021, 1.0.18084, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is Gamez 4 Us Search? The Malwarebytes research team has determined that Gamez 4 Us Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Gamez 4 Us Search? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did Gamez 4 Us Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Gamez 4 Us Search? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Gamez 4 Us Search? No, Malwarebytes removes Gamez 4 Us Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard, would have protected you against the Gamez 4 Us Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.gamez4us.com/?q={searchTerms}&publisher=fctry_gamez4us&barcodeid=531200000000000 CHR DefaultSearchKeyword: Default -> Gamez4us CHR DefaultSuggestURL: Default -> hxxps://api.gamez4us.com/suggest/get?q={searchTerms} CHR Notifications: Default -> hxxps://install.gamez4us.com CHR Extension: (Gamez4us) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm [2020-01-21] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0 Adds the file manifest.json"="1/21/2020 9:10 AM, 2054 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\_metadata Adds the file computed_hashes.json"="1/21/2020 9:10 AM, 6088 bytes, A Adds the file verified_contents.json"="11/12/2019 12:48 PM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images\icons Adds the file 128x128.png"="1/21/2020 9:10 AM, 9460 bytes, A Adds the file 16x16.png"="1/21/2020 9:10 AM, 631 bytes, A Adds the file 64x64.png"="1/21/2020 9:10 AM, 3841 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\scripts Adds the file background.js"="11/12/2019 12:48 PM, 511565 bytes, A Adds the file sitecontent.js"="11/12/2019 12:48 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fojaflpemffikbpfpabbmfnkdoadcbkm Adds the file Gamez 4 Us Search.ico"="1/21/2020 9:10 AM, 197115 bytes, A Adds the file Gamez 4 Us Search.ico.md5"="1/21/2020 9:10 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fojaflpemffikbpfpabbmfnkdoadcbkm"="REG_SZ", "B2F1247B2AE8E24F60B8B38297B7E7C13EF57344DDF0EF1C9806C2EA1C616A1A" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/21/20 Scan Time: 9:22 AM Log File: 2b3fcb7a-3c27-11ea-a91c-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.18036 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235957 Threats Detected: 17 Threats Quarantined: 17 Time Elapsed: 22 min, 33 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Gamez4Us, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fojaflpemffikbpfpabbmfnkdoadcbkm, Quarantined, 15044, 519677, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images\icons, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\_metadata, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\scripts, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FOJAFLPEMFFIKBPFPABBMFNKDOADCBKM, Quarantined, 15044, 519677, 1.0.18036, , ame, File: 10 PUP.Optional.Gamez4Us, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FOJAFLPEMFFIKBPFPABBMFNKDOADCBKM\3.0.3_0\MANIFEST.JSON, Quarantined, 15044, 519677, 1.0.18036, , ame, PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images\icons\128x128.png, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images\icons\16x16.png, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images\icons\64x64.png, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\scripts\background.js, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\scripts\sitecontent.js, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\_metadata\computed_hashes.json, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\_metadata\verified_contents.json, Quarantined, 15044, 519677, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Free Games by FunPopularGames?The Malwarebytes research team has determined that Free Games by FunPopularGames is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.Free Games by FunPopularGames is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by Free Games by FunPopularGames?You may see this browser extension:these warnings during install:and this new setting:You may see this entry in your list of installed software:and this new homepage/newtab in the affected browsers:How did Free Games by FunPopularGames get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.and the Chrome extension was also available in the webstore:How do I remove Free Games by FunPopularGames?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Free Games by FunPopularGames? No, Malwarebytes' Anti-Malware removes Free Games by FunPopularGames completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Free Games by FunPopularGames hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and both Malwarebytes Premium as well as Browser Guard block traffic to their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://hp.myway.com/funpopulargames/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid} CHR NewTab: Default -> Active:"chrome-extension://nmdhldfcnebjfhkmgnelkbomklikmjbo/ntp1.html" CHR Extension: (Free Games by FunPopularGames) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo [2020-01-19] C:\Users\{username}\AppData\Local\Fun Popular GamesTooltab (Mindspark Interactive Network, Inc.) C:\Users\{username}\Desktop\FunPopularGames.exe Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Fun Popular GamesTooltab Adds the file TooltabExtension.dll"="11/27/2019 8:44 PM, 273008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0 Adds the file manifest.json"="1/19/2020 1:41 PM, 2523 bytes, A Adds the file ntp1.html"="1/13/2020 5:44 PM, 1434 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_metadata Adds the file computed_hashes.json"="1/19/2020 1:41 PM, 5628 bytes, A Adds the file verified_contents.json"="1/13/2020 5:44 PM, 7160 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\config Adds the file config.json"="1/13/2020 5:44 PM, 1437 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons Adds the file icon128.png"="1/19/2020 1:41 PM, 13884 bytes, A Adds the file icon16.png"="1/13/2020 5:44 PM, 1659 bytes, A Adds the file icon19disabled.png"="1/13/2020 5:44 PM, 1805 bytes, A Adds the file icon19on.png"="1/19/2020 1:41 PM, 994 bytes, A Adds the file icon48.png"="1/19/2020 1:41 PM, 3662 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js Adds the file ajax.js"="1/13/2020 5:44 PM, 3263 bytes, A Adds the file babAPI.js"="1/13/2020 5:44 PM, 5703 bytes, A Adds the file babClickHandler.js"="1/13/2020 5:44 PM, 11589 bytes, A Adds the file babContentScript.js"="1/13/2020 5:44 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="1/13/2020 5:44 PM, 9842 bytes, A Adds the file background.js"="1/13/2020 5:44 PM, 18898 bytes, A Adds the file browserUtils.js"="1/13/2020 5:44 PM, 1892 bytes, A Adds the file chrome.js"="1/13/2020 5:44 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="1/13/2020 5:44 PM, 22964 bytes, A Adds the file dateTimeUtils.js"="1/13/2020 5:44 PM, 1213 bytes, A Adds the file dlp.js"="1/13/2020 5:44 PM, 5783 bytes, A Adds the file dlpHelper.js"="1/13/2020 5:44 PM, 1835 bytes, A Adds the file extensionDetect.js"="1/13/2020 5:44 PM, 4354 bytes, A Adds the file index.js"="1/13/2020 5:44 PM, 49 bytes, A Adds the file localStorageContentScript.js"="1/13/2020 5:44 PM, 2236 bytes, A Adds the file logger.js"="1/13/2020 5:44 PM, 531 bytes, A Adds the file meta.js"="1/13/2020 5:44 PM, 1660 bytes, A Adds the file offerService.js"="1/13/2020 5:44 PM, 16953 bytes, A Adds the file pageUtils.js"="1/13/2020 5:44 PM, 2905 bytes, A Adds the file PartnerId.js"="1/13/2020 5:44 PM, 16402 bytes, A Adds the file polyfill.js"="1/13/2020 5:44 PM, 875 bytes, A Adds the file product.js"="1/13/2020 5:44 PM, 7830 bytes, A Adds the file remoteConfigLoader.js"="1/13/2020 5:44 PM, 5053 bytes, A Adds the file searchBoxFocusSetterEdge.js"="1/13/2020 5:44 PM, 1648 bytes, A Adds the file splashPageRedirectHandler.js"="1/13/2020 5:44 PM, 2821 bytes, A Adds the file storageUtils.js"="1/13/2020 5:44 PM, 1718 bytes, A Adds the file TemplateParser.js"="1/13/2020 5:44 PM, 3153 bytes, A Adds the file ul.js"="1/13/2020 5:44 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="1/13/2020 5:44 PM, 2453 bytes, A Adds the file urlUtils.js"="1/13/2020 5:44 PM, 5906 bytes, A Adds the file util.js"="1/13/2020 5:44 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="1/13/2020 5:44 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="1/13/2020 5:44 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo Adds the file 000003.log"="1/19/2020 1:41 PM, 4453 bytes, A Adds the file CURRENT"="1/19/2020 1:41 PM, 16 bytes, A Adds the file LOCK"="1/19/2020 1:41 PM, 0 bytes, A Adds the file LOG"="1/19/2020 1:41 PM, 184 bytes, A Adds the file MANIFEST-000001"="1/19/2020 1:41 PM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Fun Popular Games] "Start Page"="REG_SZ", "https://hp.myway.com/funpopulargames/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={p2}&ptb={ptb}" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "nmdhldfcnebjfhkmgnelkbomklikmjbo"="REG_SZ", "3027DF1507C41D2C03FD49569E6B9E290E44AB40872B54DCEF9E2A9DC9E8A4C3" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "https://hp.myway.com/funpopulargames/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fun Popular GamesTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "Fun Popular Games Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\Fun Popular GamesTooltab\TooltabExtension.dll" U uninstall:Fun Popular Games" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/19/20 Scan Time: 2:02 PM Log File: faefb9b0-3abb-11ea-acf4-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.17944 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236180 Threats Detected: 87 Threats Quarantined: 87 Time Elapsed: 39 min, 11 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Fun Popular GamesTooltab\TooltabExtension.dll, Quarantined, 1790, 356944, , , , Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Fun Popular GamesTooltab Uninstall Internet Explorer, Quarantined, 1790, 356944, , , , PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Fun Popular Games, Quarantined, 1790, 444113, 1.0.17944, , ame, Registry Value: 4 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Fun Popular Games|START PAGE, Quarantined, 1790, 444113, 1.0.17944, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Fun Popular Games|UNINSTALLSURVEYURL, Quarantined, 1790, 769449, 1.0.17944, , ame, PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Fun Popular GamesTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, 680, 352442, 1.0.17944, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|nmdhldfcnebjfhkmgnelkbomklikmjbo, Quarantined, 1790, 443121, , , , Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, 680, 293497, 1.0.17944, , ame, Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Fun Popular GamesTooltab, Quarantined, 1790, 356944, 1.0.17944, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\es_419, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\pt_BR, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\pt_PT, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\de, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\en, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\es, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\fr, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\it, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\ja, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_metadata, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\config, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NMDHLDFCNEBJFHKMGNELKBOMKLIKMJBO, Quarantined, 1790, 443121, 1.0.17944, , ame, File: 61 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Fun Popular GamesTooltab\TooltabExtension.dll, Quarantined, 1790, 356944, 1.0.17944, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo\000003.log, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo\CURRENT, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo\LOCK, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo\LOG, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo\MANIFEST-000001, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NMDHLDFCNEBJFHKMGNELKBOMKLIKMJBO\13.921.17.11176_0\MANIFEST.JSON, Quarantined, 1790, 443121, 1.0.17944, , ame, PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\config\config.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons\icon128.png, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons\icon16.png, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons\icon19disabled.png, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons\icon19on.png, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons\icon48.png, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\dlpHelper.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\ajax.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\babAPI.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\babClickHandler.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\babContentScript.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\babContentScriptAPI.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\background.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\browserUtils.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\chrome.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\contentScriptConnectionManager.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\dateTimeUtils.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\dlp.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\extensionDetect.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\index.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\localStorageContentScript.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\logger.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\meta.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\offerService.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\pageUtils.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\PartnerId.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\polyfill.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\product.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\remoteConfigLoader.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\searchBoxFocusSetterEdge.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\splashPageRedirectHandler.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\storageUtils.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\TemplateParser.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\ul.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\urlFragmentActions.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\urlUtils.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\util.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\webtooltabAPI.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\webTooltabAPIProxy.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\de\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\en\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\es\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\es_419\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\fr\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\it\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\ja\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\pt_BR\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\pt_PT\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_metadata\computed_hashes.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_metadata\verified_contents.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\ntp1.html, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\FUNPOPULARGAMES.EXE, Quarantined, 680, 365288, 1.0.17944, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is EasyPDFCombine for Chrome? The Malwarebytes research team has determined that EasyPDFCombine for Chrome is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by EasyPDFCombine for Chrome? You may see this browser extension: these warnings during install: You may see this icon in your browsers menu-bar: this new startpage: and this new setting: How did EasyPDFCombine for Chrome get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove EasyPDFCombine for Chrome? Our program Malwarebytes can detect and remove this potentially unwanted program. [Mindspark only]You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of EasyPDFCombine for Chrome? No, Malwarebytes' Anti-Malware removes EasyPDFCombine for Chrome completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard, would have protected you against the EasyPDFCombine for Chrome hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://dmpghkabedbjaabdjfchnafeciefnjnk/ntp1.html" CHR Extension: (EasyPDFCombine for Chrome) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk [2020-01-17] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0 Adds the file manifest.json"="1/17/2020 11:39 AM, 2556 bytes, A Adds the file ntp1.html"="11/13/2019 8:35 PM, 1349 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_metadata Adds the file computed_hashes.json"="1/17/2020 11:39 AM, 5504 bytes, A Adds the file verified_contents.json"="11/13/2019 8:35 PM, 7407 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\config Adds the file config.json"="11/13/2019 8:35 PM, 1532 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\icons Adds the file icon128.png"="1/17/2020 11:39 AM, 7553 bytes, A Adds the file icon16.png"="11/13/2019 8:35 PM, 1998 bytes, A Adds the file icon19disabled.png"="11/13/2019 8:35 PM, 1703 bytes, A Adds the file icon19on.png"="1/17/2020 11:39 AM, 872 bytes, A Adds the file icon48.png"="1/17/2020 11:39 AM, 2648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js Adds the file ajax.js"="11/13/2019 8:35 PM, 3263 bytes, A Adds the file babAPI.js"="11/13/2019 8:35 PM, 5703 bytes, A Adds the file babClickHandler.js"="11/13/2019 8:35 PM, 11430 bytes, A Adds the file babContentScript.js"="11/13/2019 8:35 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="11/13/2019 8:35 PM, 9842 bytes, A Adds the file background.js"="11/13/2019 8:35 PM, 18106 bytes, A Adds the file browserUtils.js"="11/13/2019 8:35 PM, 1536 bytes, A Adds the file chrome.js"="11/13/2019 8:35 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="11/13/2019 8:35 PM, 22964 bytes, A Adds the file dateTimeUtils.js"="11/13/2019 8:35 PM, 1213 bytes, A Adds the file dlp.js"="11/13/2019 8:35 PM, 5783 bytes, A Adds the file dlpHelper.js"="11/13/2019 8:35 PM, 1835 bytes, A Adds the file extensionDetect.js"="11/13/2019 8:35 PM, 4354 bytes, A Adds the file index.js"="11/13/2019 8:35 PM, 49 bytes, A Adds the file localStorageContentScript.js"="11/13/2019 8:35 PM, 2236 bytes, A Adds the file logger.js"="11/13/2019 8:35 PM, 531 bytes, A Adds the file meta.js"="11/13/2019 8:35 PM, 1610 bytes, A Adds the file offerService.js"="11/13/2019 8:35 PM, 16953 bytes, A Adds the file pageUtils.js"="11/13/2019 8:35 PM, 2905 bytes, A Adds the file PartnerId.js"="11/13/2019 8:35 PM, 16402 bytes, A Adds the file polyfill.js"="11/13/2019 8:35 PM, 875 bytes, A Adds the file product.js"="11/13/2019 8:35 PM, 7830 bytes, A Adds the file remoteConfigLoader.js"="11/13/2019 8:35 PM, 5053 bytes, A Adds the file splashPageRedirectHandler.js"="11/13/2019 8:35 PM, 2821 bytes, A Adds the file storageUtils.js"="11/13/2019 8:35 PM, 1718 bytes, A Adds the file TemplateParser.js"="11/13/2019 8:35 PM, 3153 bytes, A Adds the file ul.js"="11/13/2019 8:35 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="11/13/2019 8:35 PM, 2453 bytes, A Adds the file urlUtils.js"="11/13/2019 8:35 PM, 5906 bytes, A Adds the file util.js"="11/13/2019 8:35 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="11/13/2019 8:35 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="11/13/2019 8:35 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmpghkabedbjaabdjfchnafeciefnjnk Adds the file 000003.log"="1/17/2020 11:39 AM, 4381 bytes, A Adds the file CURRENT"="1/17/2020 11:39 AM, 16 bytes, A Adds the file LOCK"="1/17/2020 11:39 AM, 0 bytes, A Adds the file LOG"="1/17/2020 11:39 AM, 184 bytes, A Adds the file MANIFEST-000001"="1/17/2020 11:39 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dmpghkabedbjaabdjfchnafeciefnjnk"="REG_SZ", "7A295AFD57BFABE99246D4ED36C88CBE4277FFD1C68EFD86DAED1BCDFAF76095" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/17/20 Scan Time: 11:53 AM Log File: 8afe072e-3917-11ea-b298-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.17836 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236115 Threats Detected: 82 Threats Quarantined: 82 Time Elapsed: 38 min, 7 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dmpghkabedbjaabdjfchnafeciefnjnk, Quarantined, 1792, 443121, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 20 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\dmpghkabedbjaabdjfchnafeciefnjnk, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\es_419, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\pt_BR, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\pt_PT, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\ar, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\de, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\en, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\es, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\fr, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\it, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\ja, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\ko, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\nl, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_metadata, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\config, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\icons, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DMPGHKABEDBJAABDJFCHNAFECIEFNJNK, Quarantined, 1792, 443121, 1.0.17836, , ame, File: 61 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmpghkabedbjaabdjfchnafeciefnjnk\000003.log, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmpghkabedbjaabdjfchnafeciefnjnk\CURRENT, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmpghkabedbjaabdjfchnafeciefnjnk\LOCK, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmpghkabedbjaabdjfchnafeciefnjnk\LOG, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmpghkabedbjaabdjfchnafeciefnjnk\MANIFEST-000001, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DMPGHKABEDBJAABDJFCHNAFECIEFNJNK\13.917.16.52171_0\MANIFEST.JSON, Quarantined, 1792, 443121, 1.0.17836, , ame, PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\config\config.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\icons\icon128.png, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\icons\icon16.png, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\icons\icon19disabled.png, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\icons\icon19on.png, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\icons\icon48.png, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\dlpHelper.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\ajax.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\babAPI.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\babClickHandler.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\babContentScript.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\babContentScriptAPI.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\background.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\browserUtils.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\chrome.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\contentScriptConnectionManager.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\dateTimeUtils.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\dlp.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\extensionDetect.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\index.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\localStorageContentScript.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\logger.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\meta.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\offerService.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\pageUtils.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\PartnerId.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\polyfill.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\product.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\remoteConfigLoader.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\splashPageRedirectHandler.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\storageUtils.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\TemplateParser.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\ul.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\urlFragmentActions.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\urlUtils.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\util.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\webtooltabAPI.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\js\webTooltabAPIProxy.js, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\ar\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\de\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\en\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\es\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\es_419\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\fr\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\it\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\ja\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\ko\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\nl\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\pt_BR\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_locales\pt_PT\messages.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_metadata\computed_hashes.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\_metadata\verified_contents.json, Quarantined, 1792, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpghkabedbjaabdjfchnafeciefnjnk\13.917.16.52171_0\ntp1.html, Quarantined, 1792, 443121, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is Ultra PDF Converter Plus?The Malwarebytes research team has determined that Ultra PDF Converter Plus is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Ultra PDF Converter Plus?You may see this entry in your list of installed extensions:this icon in the menu-bar of the affected browser:this changed setting:and these warnings during install:How did Ultra PDF Converter Plus get on my computer?Browser hijackers use different methods for distributing themselves. This particualr one is particular was downloaded from their website:The Chrome extension after a redirect to the webstore:How do I remove Ultra PDF Converter Plus?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Ultra PDF Converter Plus? No, Malwarebytes removes Ultra PDF Converter Plus completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes, as well as Malwarebytes Browser Guard would have protected you against the Ultra PDF Converter Plus hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: FF Extension: (PDF Converter Tool) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{90e61a54-35d6-44c8-bb33-88623e6a03ae}.xpi [2020-01-15] [UpdateUrl:hxxps://addons.pdfsearchtools.net/jkff/updates.json] CHR DefaultSearchURL: Default -> hxxp://www.ultrapdfconverterplussearch.com/search/?category=web&s=q7ds&vert=pdf&q={searchTerms} CHR DefaultSearchKeyword: Default -> Ultra PDF Converter Plus CHR DefaultSuggestURL: Default -> hxxp://sug.ultrapdfconverterplussearch.com/search/index_sg.php?q={searchTerms} CHR Extension: (Ultra PDF Converter Plus) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh [2020-01-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0 Adds the file config.js"="9/4/2019 3:25 PM, 1478 bytes, A Adds the file manifest.json"="1/15/2020 10:47 AM, 2195 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\_metadata Adds the file computed_hashes.json"="1/15/2020 10:47 AM, 11051 bytes, A Adds the file verified_contents.json"="9/16/2019 4:19 PM, 6165 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\bg Adds the file background.html"="9/4/2019 1:46 PM, 205 bytes, A Adds the file background.js"="9/16/2019 3:44 PM, 1766 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\browser_action Adds the file popup.html"="8/29/2019 3:35 PM, 1006 bytes, A Adds the file popup.js"="9/10/2019 5:04 PM, 841 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img Adds the file close-icon.png"="5/27/2019 11:10 AM, 230 bytes, A Adds the file cog-icon.png"="5/27/2019 11:10 AM, 393 bytes, A Adds the file icon128.png"="1/15/2020 10:47 AM, 2536 bytes, A Adds the file icon16.png"="1/15/2020 10:47 AM, 369 bytes, A Adds the file icon48.png"="1/15/2020 10:47 AM, 1061 bytes, A Adds the file loader.svg"="8/19/2019 2:32 PM, 1722 bytes, A Adds the file pdf_converter_presentation2.gif"="5/27/2019 11:10 AM, 117798 bytes, A Adds the file type-jpg.svg"="5/27/2019 11:10 AM, 3521 bytes, A Adds the file type-pjpg.svg"="5/27/2019 11:10 AM, 4369 bytes, A Adds the file type-png.svg"="5/27/2019 11:10 AM, 3250 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\rateshare Adds the file close.png"="5/27/2019 11:10 AM, 1920 bytes, A Adds the file rate.jpg"="5/27/2019 11:10 AM, 102155 bytes, A Adds the file rate1.png"="5/27/2019 11:10 AM, 12334 bytes, A Adds the file share.jpg"="5/27/2019 11:10 AM, 17633 bytes, A Adds the file share1.png"="5/27/2019 11:10 AM, 4466 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\inject Adds the file onInstallCallback.js"="7/18/2019 12:20 PM, 690 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery Adds the file jquery.cookie.js"="5/27/2019 11:10 AM, 4341 bytes, A Adds the file jquery.min.js"="5/27/2019 11:10 AM, 84249 bytes, A Adds the file jquery-ui.custom.min.js"="5/27/2019 11:10 AM, 228088 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css Adds the file jquery-ui.custom.css"="5/27/2019 11:10 AM, 20579 bytes, A Adds the file override-page.css"="5/27/2019 11:10 AM, 5513 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images Adds the file ui-bg_flat_55_999999_40x100.png"="5/27/2019 11:10 AM, 180 bytes, A Adds the file ui-bg_flat_75_aaaaaa_40x100.png"="5/27/2019 11:10 AM, 180 bytes, A Adds the file ui-bg_glass_45_0078ae_1x400.png"="5/27/2019 11:10 AM, 136 bytes, A Adds the file ui-bg_glass_55_f8da4e_1x400.png"="5/27/2019 11:10 AM, 131 bytes, A Adds the file ui-bg_glass_75_79c9ec_1x400.png"="5/27/2019 11:10 AM, 132 bytes, A Adds the file ui-bg_gloss-wave_50_38cfff_500x100.png"="5/27/2019 11:10 AM, 89 bytes, A Adds the file ui-bg_gloss-wave_75_2191c0_500x100.png"="5/27/2019 11:10 AM, 89 bytes, A Adds the file ui-bg_inset-hard_100_fcfdfd_1x100.png"="5/27/2019 11:10 AM, 88 bytes, A Adds the file ui-icons_056b93_256x240.png"="5/27/2019 11:10 AM, 5355 bytes, A Adds the file ui-icons_d8e7f3_256x240.png"="5/27/2019 11:10 AM, 4369 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\rate Adds the file rate.js"="9/15/2019 2:56 PM, 2299 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile).default\extensions Adds the file {90e61a54-35d6-44c8-bb33-88623e6a03ae}.xpi"="1/15/2020 10:42 AM, 312582 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "olhpgnhdfgahddncnopopakbaabhiikh"="REG_SZ", "9D6A00B87F42340CCD5CF246718D8FA3F673E8ADC41F4BB684C287D5C6BA71FC" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/16/20 Scan Time: 9:45 AM Log File: 7fdb7524-383c-11ea-8d33-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.17790 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236085 Threats Detected: 58 Threats Quarantined: 58 Time Elapsed: 26 min, 39 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.UltraPDFConverterPlus, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|olhpgnhdfgahddncnopopakbaabhiikh, Quarantined, 446, 781596, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 12 PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\browser_action, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\rateshare, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\_metadata, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\inject, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\rate, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\bg, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OLHPGNHDFGAHDDNCNOPOPAKBAABHIIKH, Quarantined, 446, 781596, 1.0.17790, , ame, File: 45 PUP.Optional.UltraPDFConverterPlus, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile).default\EXTENSIONS\{F8890846-FCC1-479F-A90B-DCE3E486B0BA}.XPI, Quarantined, 446, 781597, 1.0.17790, , ame, PUP.Optional.UltraPDFConverterPlus, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OLHPGNHDFGAHDDNCNOPOPAKBAABHIIKH\1.0.0_0\MANIFEST.JSON, Quarantined, 446, 781596, 1.0.17790, , ame, PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\bg\background.html, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\bg\background.js, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\browser_action\popup.html, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\browser_action\popup.js, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\rateshare\close.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\rateshare\rate.jpg, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\rateshare\rate1.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\rateshare\share.jpg, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\rateshare\share1.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\close-icon.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\cog-icon.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\icon128.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\icon16.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\icon48.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\loader.svg, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\pdf_converter_presentation2.gif, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\type-jpg.svg, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\type-pjpg.svg, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\img\type-png.svg, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\inject\onInstallCallback.js, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images\ui-bg_flat_55_999999_40x100.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images\ui-bg_flat_75_aaaaaa_40x100.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images\ui-bg_glass_45_0078ae_1x400.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images\ui-bg_glass_55_f8da4e_1x400.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images\ui-bg_glass_75_79c9ec_1x400.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images\ui-bg_gloss-wave_50_38cfff_500x100.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images\ui-bg_gloss-wave_75_2191c0_500x100.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images\ui-bg_inset-hard_100_fcfdfd_1x100.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images\ui-icons_056b93_256x240.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\images\ui-icons_d8e7f3_256x240.png, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\jquery-ui.custom.css, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\css\override-page.css, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\jquery-ui.custom.min.js, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\jquery.cookie.js, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\jquery\jquery.min.js, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\rate\rate.js, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\_metadata\computed_hashes.json, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\_metadata\verified_contents.json, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olhpgnhdfgahddncnopopakbaabhiikh\1.0.0_0\config.js, Quarantined, 446, 781596, , , , PUP.Optional.UltraPDFConverterPlus, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 446, 781594, 1.0.17790, , ame, PUP.Optional.UltraPDFConverterPlus, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 446, 781594, 1.0.17790, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is nJoyMusic Search Plus? The Malwarebytes research team has determined that nJoyMusic Search Plus is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by nJoyMusic Search Plus? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: and these warnings during install: How did nJoyMusic Search Plus get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove nJoyMusic Search Plus? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of nJoyMusic Search Plus? No, Malwarebytes removes nJoyMusic Search Plus completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the nJoyMusic Search Plus hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://musix.eanswers.com/search/?category=web&s=nxdp&vert=music&var=plus&q={searchTerms} CHR DefaultSearchKeyword: Default -> nJoyMusic CHR DefaultSuggestURL: Default -> hxxp://sug.eanswers.com/search/index_sg.php?q={searchTerms} CHR Extension: (nJoyMusic Search Plus) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak [2020-01-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0 Adds the file manifest.json"="1/15/2020 11:39 AM, 2293 bytes, A Adds the file popup.html"="5/8/2017 11:16 AM, 5793 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\_metadata Adds the file computed_hashes.json"="1/15/2020 11:39 AM, 16525 bytes, A Adds the file verified_contents.json"="5/8/2017 11:16 AM, 4304 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css Adds the file style.css"="4/18/2017 5:14 PM, 4085 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\fonts Adds the file material-icons.css"="4/18/2017 5:14 PM, 1037 bytes, A Adds the file MaterialIcons-Regular.eot"="4/18/2017 5:14 PM, 143258 bytes, A Adds the file MaterialIcons-Regular.ijmap"="4/18/2017 5:14 PM, 28416 bytes, A Adds the file MaterialIcons-Regular.svg"="4/18/2017 5:14 PM, 284031 bytes, A Adds the file MaterialIcons-Regular.ttf"="4/18/2017 5:14 PM, 128180 bytes, A Adds the file MaterialIcons-Regular.woff"="4/18/2017 5:14 PM, 78776 bytes, A Adds the file MaterialIcons-Regular.woff2"="4/18/2017 5:14 PM, 42304 bytes, A Adds the file RobotoCondensed-Light.ttf"="4/18/2017 5:14 PM, 126168 bytes, A Adds the file RobotoCondensed-Regular.ttf"="4/18/2017 5:14 PM, 125332 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\images Adds the file icon128.png"="1/15/2020 11:39 AM, 8355 bytes, A Adds the file icon16.png"="1/15/2020 11:39 AM, 620 bytes, A Adds the file icon38.png"="1/15/2020 11:39 AM, 1931 bytes, A Adds the file icon45.png"="4/18/2017 5:14 PM, 3574 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\js Adds the file base.js"="4/18/2017 5:14 PM, 17761 bytes, A Adds the file init.js"="4/18/2017 5:14 PM, 331 bytes, A Adds the file main.js"="5/8/2017 11:16 AM, 4599 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\js\official Adds the file bootstrap.min.js"="4/18/2017 5:14 PM, 36874 bytes, A Adds the file jquery.min.js"="4/18/2017 5:14 PM, 85660 bytes, A Adds the file material.min.js"="4/18/2017 5:14 PM, 62359 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\vertical Adds the file 440x280.jpg"="4/18/2017 5:14 PM, 80648 bytes, A Adds the file init.js"="4/18/2017 5:14 PM, 605 bytes, A Adds the file pop.js"="4/18/2017 5:14 PM, 2563 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mmknijdjkplcnomiifmhakkjdjccfeak"="REG_SZ", "093E7E1E13C2BF71B1F823E5001C23B8DA2DFD7B27F56E1052ACC7275DF8E0C0" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/15/20 Scan Time: 11:55 AM Log File: 7a9e61be-3785-11ea-9427-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.17752 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236050 Threats Detected: 41 Threats Quarantined: 41 Time Elapsed: 12 min, 17 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.NJoyApps.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|mmknijdjkplcnomiifmhakkjdjccfeak, Quarantined, 15096, 443091, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\js\official, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\fonts, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\_metadata, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\vertical, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\images, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\js, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MMKNIJDJKPLCNOMIIFMHAKKJDJCCFEAK, Quarantined, 15096, 443091, 1.0.17752, , ame, File: 31 PUP.Optional.NJoyApps.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MMKNIJDJKPLCNOMIIFMHAKKJDJCCFEAK\1.0.1_0\MANIFEST.JSON, Quarantined, 15096, 443091, 1.0.17752, , ame, PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\fonts\material-icons.css, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\fonts\MaterialIcons-Regular.eot, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\fonts\MaterialIcons-Regular.ijmap, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\fonts\MaterialIcons-Regular.svg, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\fonts\MaterialIcons-Regular.ttf, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\fonts\MaterialIcons-Regular.woff, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\fonts\MaterialIcons-Regular.woff2, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\fonts\RobotoCondensed-Light.ttf, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\fonts\RobotoCondensed-Regular.ttf, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\css\style.css, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\images\icon128.png, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\images\icon16.png, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\images\icon38.png, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\images\icon45.png, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\js\official\bootstrap.min.js, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\js\official\jquery.min.js, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\js\official\material.min.js, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\js\base.js, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\js\init.js, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\js\main.js, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\vertical\440x280.jpg, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\vertical\init.js, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\vertical\pop.js, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\_metadata\computed_hashes.json, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\_metadata\verified_contents.json, Quarantined, 15096, 443091, , , , PUP.Optional.NJoyApps.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmknijdjkplcnomiifmhakkjdjccfeak\1.0.1_0\popup.html, Quarantined, 15096, 443091, , , , PUP.Optional.Eanswers.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 253, 495659, 1.0.17752, , ame, PUP.Optional.Eanswers.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 253, 495659, 1.0.17752, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is TrustedLogos?The Malwarebytes research team has determined that TrustedLogos is adware. These adware applications display advertisements not originating from the sites you are browsing.How do I know if my computer is affected by TrustedLogos?You may see these warnings during install:an extra section in your Google search results:and these changed proxy settings:How did TrustedLogos get on my computer?Adware applications use different methods for distributing themselves. This particular one was installed by a bundler.How do I remove TrustedLogos?Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of TrustedLogos? No, Malwarebytes removes TrustedLogos completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the TrustedLogos adware. It would have blocked the installer before it became too late. Technical details for expertsPossible signs in FRST logs: ProxyEnable: [S-1-5-21-1350903546-318028887-1286703239-1003] => Proxy is enabled. ProxyServer: [S-1-5-21-1350903546-318028887-1286703239-1003] => 127.0.0.1:8003 FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\a.js [2020-01-14] R2 TrustedLogos; C:\Windows\trustedlogos\TrustedLogos.exe [11328 2019-09-19] (Gelbe vom Ei GmbH -> ) C:\Windows\trustedlogos Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- In the existing folder C:\Program Files (x86)\Mozilla Firefox\defaults\pref Adds the file a.js"="1/14/2020 9:12 AM, 82 bytes, A Adds the folder C:\Windows\trustedlogos Adds the file BrotliSharpLib.dll"="2/7/2019 12:24 AM, 1324032 bytes, A Adds the file crashed"="1/14/2020 9:12 AM, 0 bytes, A Adds the file crashed.log"="1/14/2020 9:12 AM, 5807 bytes, A Adds the file LICENSE.txt"="7/29/2019 7:25 PM, 1300 bytes, A Adds the file Newtonsoft.Json.dll"="11/27/2018 7:07 PM, 675240 bytes, A Adds the file ProxyLibrary.dll"="9/19/2019 6:16 PM, 117312 bytes, A Adds the file rootCert.pfx"="1/14/2020 9:12 AM, 2726 bytes, A Adds the file StreamExtended.dll"="4/12/2019 3:44 PM, 76800 bytes, A Adds the file System.Runtime.CompilerServices.Unsafe.dll"="9/18/2018 8:38 PM, 23600 bytes, A Adds the file Titanium.Web.Proxy.dll"="4/16/2019 5:47 PM, 234496 bytes, A Adds the file TrustedLogos.exe"="9/19/2019 6:16 PM, 11328 bytes, A Adds the file unins000.dat"="1/14/2020 9:12 AM, 17977 bytes, A Adds the file unins000.exe"="1/14/2020 9:11 AM, 2555217 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrustedLogos] "CampaignId"="REG_SZ", "null" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TrustedLogos] "DisplayName"="REG_SZ", "TrustedLogos" "ErrorControl"="REG_DWORD", 1 "FailureActions"="REG_BINARY, ...................... "ImagePath"="REG_EXPAND_SZ, "C:\Windows\trustedlogos\TrustedLogos.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7BB77DF0E1EFABD187A98233A4DABEB7D915A6E3] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] "ProxyEnable REG_DWORD, 0 ==> REG_DWORD, 1 "ProxyOverride"="REG_SZ", "*.a*.*;*.b*.*;*.c*.*;*.d*.*;*.e*.*;*.f*.*;*.h*.*;*.i*.*;*.j*.*;*.k*.*;*.l*.*;*.m*.*;*.n*.*;*.o*.*;*.p*.*;*.q*.*;*.r*.*;*.s*.*;*.u*.*;*.v*.*;*.w*.*;*.x*.*;*.y*.*;*.z*.*;*.0*.*;*.1*.*;*.2*.*;*.3*.*;*.4*.*;*.5*.*;*.6*.*;*.7*.*;*.8*.*;*.9*.*;*.*a.*;*.*b.*;*.*d.*;*.*f.*;*.*g.*;*.*h.*;*.*i.*;*.*j.*;*.*k.*;*.*l.*;*.*m.*;*.*n.*;*.*o.*;*.*p.*;*.*q.*;*.*r.*;*.*t.*;*.*u.*;*.*v.*;*.*w.*;*.*x.*;*.*y.*;*.*z.*;*.*0.*;*.*1.*;*.*2.*;*.*3.*;*.*4.*;*.*5.*;*.*6.*;*.*7.*;*.*8.*;*.*9.*;*.g0*.*;*.g1*.*;*.g2*.*;*.g3*.*;*.g4*.*;*.g5*.*;*.g6*.*;*.g7*.*;*.g8*.*;*.g9*.*;*.t0*.*;*.t1*.*;*.t2*.*;*.t3*.*;*.t4*.*;*.t5*.*;*.t6*.*;*.t7*.*;*.t8*.*;*.t9*.*;*.ga*.*;*.gb*.*;*.gc*.*;*.gd*.*;*.ge*.*;*.gf*.*;*.gg*.*;*.gh*.*;*.gi*.*;*.gj*.*;*.gk*.*;*.gl*.*;*.gm*.*;*.gn*.*;*.gp*.*;*.gq*.*;*.gr*.*;*.gs*.*;*.gt*.*;*.gu*.*;*.gv*.*;*.gw*.*;*.gx*.*;*.gy*.*;*.gz*.*;*.ta*.*;*.tc*.*;*.td*.*;*.te*.*;*.tf*.*;*.tg*.*;*.th*.*;*.ti*.*;*.tj*.*;*.tk*.*;*.tl*.*;*.tm*.*;*.tn*.*;*.to*.*;*.tp*.*;*.tq*.*;*.tr*.*;*.ts*.*;*.tt*.*;*.tu*.*;*.tv*.*;*.tw*.*;*.tx*.*;*.ty*.*;*.tz*.*;*ae.*;*be.*;*ce.*;*de.*;*ee.*;*fe.*;*ge.*;*he.*;*ie.*;*je.*;*ke.*;*me.*;*ne.*;*oe.*;*pe.*;*qe.*;*re.*;*se.*;*te.*;*ue.*;*ve.*;*we.*;*xe.*;*ye.*;*ze.*;*as.*;*bs.*;*cs.*;*ds.*;*fs.*;*gs.*;*hs.*;*js.*;*ks.*;*ls.*;*ms.*;*ns.*;*os.*;*ps.*;*qs.*;*rs.*;*ss.*;*ts.*;*us.*;*vs.*;*ws.*;*xs.*;*ys.*;*zs.*;*ac.*;*bc.*;*cc.*;*dc.*;*ec.*;*fc.*;*gc.*;*hc.*;*jc.*;*kc.*;*lc.*;*mc.*;*nc.*;*oc.*;*pc.*;*qc.*;*rc.*;*sc.*;*tc.*;*uc.*;*vc.*;*wc.*;*xc.*;*yc.*;*zc.*;*.*0e.*;*.*1e.*;*.*2e.*;*.*3e.*;*.*4e.*;*.*5e.*;*.*6e.*;*.*7e.*;*.*8e.*;*.*9e.*;*.*0s.*;*.*1s.*;*.*2s.*;*.*3s.*;*.*4s.*;*.*5s.*;*.*6s.*;*.*7s.*;*.*8s.*;*.*9s.*;*.*0c.*;*.*1c.*;*.*2c.*;*.*3c.*;*.*4c.*;*.*5c.*;*.*6c.*;*.*7c.*;*.*8c.*;*.*9c.*;0*;1*;2*;3*;4*;5*;6*;7*;8*;9*;*0;*1;*2;*3;*4;*5;*6;*7;*8;*9;b*.*;c*.*;d*.*;f*.*;h*.*;i*.*;j*.*;k*.*;l*.*;n*.*;m*.*;o*.*;p*.*;q*.*;r*.*;s*.*;t*.*;u*.*;v*.*;x*.*;y*.*;z*.*;*a.*;*b.*;*f.*;*g.*;*h.*;*j.*;*k.*;*l.*;*m.*;*n.*;*o.*;*p.*;*q.*;*r.*;*t.*;*u.*;*v.*;*x.*;*y.*;*z.*" "ProxyServer"="REG_SZ", "127.0.0.1:8003" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/14/20 Scan Time: 9:30 AM Log File: 1401dfa4-36a8-11ea-9084-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.17714 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236078 Threats Detected: 27 Threats Quarantined: 27 Time Elapsed: 16 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 Adware.ProxyAgent.PrxySvrRST, C:\WINDOWS\TRUSTEDLOGOS\TRUSTEDLOGOS.EXE, Quarantined, 6190, 780877, , , , Module: 1 Adware.ProxyAgent.PrxySvrRST, C:\WINDOWS\TRUSTEDLOGOS\TRUSTEDLOGOS.EXE, Quarantined, 6190, 780877, , , , Registry Key: 3 Adware.ProxyAgent.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TRUSTEDLOGOS, Quarantined, 6190, 780877, 1.0.17714, , ame, Adware.ProxyAgent.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, 6190, -1, 0.0.0, , action, Adware.ProxyAgent, HKLM\SOFTWARE\WOW6432NODE\TRUSTEDLOGOS, Quarantined, 6952, 780878, 1.0.17714, , ame, Registry Value: 8 Adware.ProxyAgent.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TRUSTEDLOGOS|IMAGEPATH, Quarantined, 6190, 780877, 1.0.17714, , ame, Adware.ProxyAgent.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, 6190, -1, 0.0.0, , action, Adware.ProxyAgent.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, 6190, -1, 0.0.0, , action, Adware.ProxyAgent.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, 6190, -1, 0.0.0, , action, Adware.ProxyAgent.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, 6190, -1, 0.0.0, , action, Adware.ProxyAgent.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYOVERRIDE, Quarantined, 6190, -1, 0.0.0, , action, Adware.ProxyAgent.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, 6190, -1, 0.0.0, , action, Adware.ProxyAgent, HKLM\SOFTWARE\WOW6432NODE\TRUSTEDLOGOS|CAMPAIGNID, Quarantined, 6952, 780878, 1.0.17714, , ame, Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 14 Adware.ProxyAgent.PrxySvrRST, C:\WINDOWS\TRUSTEDLOGOS\TRUSTEDLOGOS.EXE, Quarantined, 6190, 780877, , , , Adware.ProxyAgent.PrxySvrRST, C:\WINDOWS\TRUSTEDLOGOS\UNINS000.DAT, Quarantined, 6190, 780876, 1.0.17714, , ame, Adware.ProxyAgent.PrxySvrRST, C:\Windows\trustedlogos\BrotliSharpLib.dll, Quarantined, 6190, 780876, , , , Adware.ProxyAgent.PrxySvrRST, C:\Windows\trustedlogos\crashed, Quarantined, 6190, 780876, , , , Adware.ProxyAgent.PrxySvrRST, C:\Windows\trustedlogos\crashed.log, Quarantined, 6190, 780876, , , , Adware.ProxyAgent.PrxySvrRST, C:\Windows\trustedlogos\LICENSE.txt, Quarantined, 6190, 780876, , , , Adware.ProxyAgent.PrxySvrRST, C:\Windows\trustedlogos\Newtonsoft.Json.dll, Quarantined, 6190, 780876, , , , Adware.ProxyAgent.PrxySvrRST, C:\Windows\trustedlogos\ProxyLibrary.dll, Quarantined, 6190, 780876, , , , Adware.ProxyAgent.PrxySvrRST, C:\Windows\trustedlogos\rootCert.pfx, Quarantined, 6190, 780876, , , , Adware.ProxyAgent.PrxySvrRST, C:\Windows\trustedlogos\StreamExtended.dll, Quarantined, 6190, 780876, , , , Adware.ProxyAgent.PrxySvrRST, C:\Windows\trustedlogos\Titanium.Web.Proxy.dll, Quarantined, 6190, 780876, , , , Adware.ProxyAgent.PrxySvrRST, C:\Windows\trustedlogos\unins000.exe, Quarantined, 6190, 780876, , , , Adware.ProxyAgent, C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\DEFAULTS\PREF\A.JS, Quarantined, 6952, 780880, 1.0.17714, , ame, Adware.ProxyAgent, C:\USERS\{username}\DESKTOP\F38A3195ED35404496C4DD69324F4538849E64B05171668F380598D2465372E6.EXE, Quarantined, 6952, 780872, 1.0.17714, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is Get Video Converter Search? The Malwarebytes research team has determined that Get Video Converter Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Get Video Converter Search? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did Get Video Converter Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Get Video Converter Search? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Get Video Converter Search? No, Malwarebytes removes Get Video Converter Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard, would have protected you against the Get Video Converter Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.getvideoconverter.com/?q={searchTerms}&publisher=getvideoconverter&barcodeid=560800000000000 CHR DefaultSearchKeyword: Default -> GetVideoConverter CHR DefaultSuggestURL: Default -> hxxps://api.getvideoconverter.com/suggest/get?q={searchTerms} CHR Notifications: Default -> hxxps://install.getvideoconverter.com CHR Extension: (GetVideoConverter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb [2020-01-13] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0 Adds the file manifest.json"="1/13/2020 8:46 AM, 2162 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\_metadata Adds the file computed_hashes.json"="1/13/2020 8:46 AM, 6088 bytes, A Adds the file verified_contents.json"="10/4/2019 2:10 AM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\images\icons Adds the file 128x128.png"="1/13/2020 8:46 AM, 3735 bytes, A Adds the file 16x16.png"="1/13/2020 8:46 AM, 475 bytes, A Adds the file 64x64.png"="1/13/2020 8:46 AM, 1969 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\scripts Adds the file background.js"="9/26/2019 2:31 PM, 511681 bytes, A Adds the file sitecontent.js"="9/26/2019 2:31 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nmcgbndmoiekgndobmbmohmkchoajnbb Adds the file Get Video Converter Search.ico"="1/13/2020 8:47 AM, 174596 bytes, A Adds the file Get Video Converter Search.ico.md5"="1/13/2020 8:47 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "nmcgbndmoiekgndobmbmohmkchoajnbb"="REG_SZ", "FEDCAE84CAA51EBCD220EA1CB12B15DB6B4389E43D9BD4B08604788C9742FFA0" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/13/20 Scan Time: 9:01 AM Log File: da71e6b2-35da-11ea-99ac-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.17661 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236074 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 58 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.GetVideoConverter, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|nmcgbndmoiekgndobmbmohmkchoajnbb, Quarantined, 336, 745556, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\images\icons, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\_metadata, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\scripts, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\images, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NMCGBNDMOIEKGNDOBMBMOHMKCHOAJNBB, Quarantined, 336, 745556, 1.0.17661, , ame, File: 12 PUP.Optional.GetVideoConverter, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NMCGBNDMOIEKGNDOBMBMOHMKCHOAJNBB\1.0.3_0\MANIFEST.JSON, Quarantined, 336, 745556, 1.0.17661, , ame, PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\images\icons\128x128.png, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\images\icons\16x16.png, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\images\icons\64x64.png, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\scripts\background.js, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\scripts\sitecontent.js, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\_metadata\computed_hashes.json, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcgbndmoiekgndobmbmohmkchoajnbb\1.0.3_0\_metadata\verified_contents.json, Quarantined, 336, 745556, , , , PUP.Optional.GetVideoConverter, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 336, 745553, 1.0.17661, , ame, PUP.Optional.GetVideoConverter, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 336, 745553, 1.0.17661, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Search Defender Prime? The Malwarebytes research team has determined that Search Defender Prime is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Search Defender Prime? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did Search Defender Prime get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Search Defender Prime? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Search Defender Prime? No, Malwarebytes removes Search Defender Prime completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Browser Guard as well as the full version of Malwarebytes would have protected you against the Search Defender Prime hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://www.searchdefenderprime.com/search.php?type=search&id=MTMwNTk&q={searchTerms} CHR DefaultSearchKeyword: Default -> Yahoo CHR DefaultSuggestURL: Default -> hxxps://auto.searchdefenderprime.com/autocomplete.js?omni=true&appId=MTMwNTk&q={searchTerms} CHR Notifications: Default -> hxxps://www.searchdefenderprime.com CHR Extension: (Web) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp [2020-01-10] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0 Adds the file manifest.json"="1/10/2020 9:01 AM, 2236 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\_metadata Adds the file computed_hashes.json"="1/10/2020 9:01 AM, 17716 bytes, A Adds the file verified_contents.json"="12/18/2019 10:42 AM, 9208 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\core Adds the file content.js"="12/18/2019 10:42 AM, 9402 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\block Adds the file block.html"="12/18/2019 10:42 AM, 2075 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\css Adds the file annotations.css"="12/18/2019 10:42 AM, 151009 bytes, A Adds the file blockedPage.css"="12/18/2019 10:42 AM, 4772 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\icons Adds the file alert.svg"="12/18/2019 10:42 AM, 1093 bytes, A Adds the file facebook.png"="12/18/2019 10:42 AM, 75607 bytes, A Adds the file linkedIn.png"="12/18/2019 10:42 AM, 18567 bytes, A Adds the file security.svg"="12/18/2019 10:42 AM, 1028 bytes, A Adds the file twitter.png"="12/18/2019 10:42 AM, 7977 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\js Adds the file content-ui.js"="12/18/2019 10:42 AM, 5690 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\popup Adds the file popup.html"="12/18/2019 10:42 AM, 11869 bytes, A Adds the file popup.js"="12/18/2019 10:42 AM, 13484 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\icons Adds the file icon128.png"="1/10/2020 9:01 AM, 8684 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\js Adds the file blockpage.js"="12/18/2019 10:42 AM, 2065 bytes, A Adds the file custombackground.js"="12/18/2019 10:42 AM, 20833 bytes, A Adds the file jquery-3.2.1.min.js"="12/18/2019 10:42 AM, 86659 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\permission Adds the file fetch.js"="12/18/2019 10:42 AM, 9444 bytes, A Adds the file index.html"="12/18/2019 10:42 AM, 13699 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\permission\img Adds the file faviconfinal.ico"="12/18/2019 10:42 AM, 101036 bytes, A Adds the file hyper-pp.jpg"="12/18/2019 10:42 AM, 188901 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp Adds the file 000003.log"="1/10/2020 9:02 AM, 159 bytes, A Adds the file CURRENT"="1/10/2020 9:01 AM, 16 bytes, A Adds the file LOCK"="1/10/2020 9:01 AM, 0 bytes, A Adds the file LOG"="1/10/2020 9:05 AM, 184 bytes, A Adds the file MANIFEST-000001"="1/10/2020 9:01 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp Adds the file 000003.log"="1/10/2020 9:01 AM, 110 bytes, A Adds the file CURRENT"="1/10/2020 9:01 AM, 16 bytes, A Adds the file LOCK"="1/10/2020 9:01 AM, 0 bytes, A Adds the file LOG"="1/10/2020 9:05 AM, 183 bytes, A Adds the file MANIFEST-000001"="1/10/2020 9:01 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "igghlpcpomdigedgdbaoakpdjplllinp"="REG_SZ", "A972918237595C574C9DCDBE2CA89866049E01F61B08DDB2238A0744A747F7BA" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/10/20 Scan Time: 9:13 AM Log File: 1ea5e45c-3381-11ea-8162-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.17517 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236110 Threats Detected: 97 Threats Quarantined: 97 Time Elapsed: 35 min, 11 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchDefenderPrime, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|igghlpcpomdigedgdbaoakpdjplllinp, Quarantined, 273, 760389, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 17 PUP.Optional.SearchDefenderPrime, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\block, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\icons, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\popup, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\permission\img, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\css, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\js, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\permission, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\_metadata, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\icons, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\core, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\js, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IGGHLPCPOMDIGEDGDBAOAKPDJPLLLINP, Quarantined, 273, 760389, 1.0.17517, , ame, File: 79 PUP.Optional.SearchDefenderPrime, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp\000003.log, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp\CURRENT, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp\LOCK, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp\LOG, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp\MANIFEST-000001, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp\000003.log, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp\CURRENT, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp\LOCK, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp\LOG, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\igghlpcpomdigedgdbaoakpdjplllinp\MANIFEST-000001, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IGGHLPCPOMDIGEDGDBAOAKPDJPLLLINP\2.7.9.22_0\MANIFEST.JSON, Quarantined, 273, 760389, 1.0.17517, , ame, PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\core\content.js, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\block\block.html, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\css\annotations.css, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\css\blockedPage.css, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\icons\alert.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\icons\facebook.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\icons\linkedIn.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\icons\security.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\icons\twitter.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\annotations-sprite_new.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\at-risk-icon.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\bg.jpg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\btn-search.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\caution.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\caution_.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\close-pop.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\footer-bg1-new.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\img-blocked.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\layer.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\pointer.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\popupimage.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\safe-icon.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\safe.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\safe_.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\search-icon-2.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\search.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\searchdefender-logo.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\searchdefenderprime-logo.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\searchicon.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\searchmagnifier.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\sf-magni.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\sf-sprite.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\sf_overlay_sprite.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\small-search.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\srch.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\ss-logo.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\tick.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\trans1.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\untested-icon.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\untested.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\untested_.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\warning-icon.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\warning.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\warning_.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\website.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\welcome-box-bg.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\_earth.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\_logo.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\_logo.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\_safe.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\img\_unsafe.svg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\js\content-ui.js, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\popup\popup.html, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\homepage\popup\popup.js, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\icons\icon128.png, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\js\blockpage.js, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\js\custombackground.js, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\js\jquery-3.2.1.min.js, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\permission\img\faviconfinal.ico, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\permission\img\hyper-pp.jpg, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\permission\fetch.js, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\permission\index.html, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\_metadata\computed_hashes.json, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igghlpcpomdigedgdbaoakpdjplllinp\2.7.9.22_0\_metadata\verified_contents.json, Quarantined, 273, 760389, , , , PUP.Optional.SearchDefenderPrime, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 273, 760388, 1.0.17517, , ame, PUP.Optional.SearchDefenderPrime, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 273, 760388, 1.0.17517, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is ProPDFConverter?The Malwarebytes research team has determined that ProPDFConverter is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.ProPDFConverter is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by ProPDFConverter?You may see this browser extension:these warnings during install:You may see this entry in your list of installed software:this changed setting:and this new homepage in the affected browsers:How did ProPDFConverter get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.and the Chrome extension was also available in the webstore:How do I remove ProPDFConverter?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of ProPDFConverter? No, Malwarebytes' Anti-Malware removes ProPDFConverter completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the ProPDFConverter hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://hp.myway.com/propdfconverter/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&si={si}&coid={coid} CHR NewTab: Default -> Active:"chrome-extension://glmfdkfmoamfkgkncklicdngnfabhaim/ntp1.html" CHR Extension: (PDF Viewer & Converter by ProPDFConverter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim [2020-01-09] C:\Users\{username}\AppData\Local\ProPDFConverterTooltab ProPDFConverter Internet Explorer Homepage and New Tab (HKCU\...\ProPDFConverterTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0 Adds the file manifest.json"="1/9/2020 10:51 AM, 2560 bytes, A Adds the file ntp1.html"="11/13/2019 8:51 PM, 1349 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_metadata Adds the file computed_hashes.json"="1/9/2020 10:51 AM, 5504 bytes, A Adds the file verified_contents.json"="11/13/2019 8:51 PM, 7407 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\config Adds the file config.json"="11/13/2019 8:51 PM, 1539 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\icons Adds the file icon128.png"="1/9/2020 10:51 AM, 3750 bytes, A Adds the file icon16.png"="11/13/2019 8:51 PM, 1378 bytes, A Adds the file icon19disabled.png"="11/13/2019 8:51 PM, 1486 bytes, A Adds the file icon19on.png"="1/9/2020 10:51 AM, 629 bytes, A Adds the file icon48.png"="1/9/2020 10:51 AM, 1595 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js Adds the file ajax.js"="11/13/2019 8:51 PM, 3263 bytes, A Adds the file babAPI.js"="11/13/2019 8:51 PM, 5703 bytes, A Adds the file babClickHandler.js"="11/13/2019 8:51 PM, 11430 bytes, A Adds the file babContentScript.js"="11/13/2019 8:51 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="11/13/2019 8:51 PM, 9842 bytes, A Adds the file background.js"="11/13/2019 8:51 PM, 18106 bytes, A Adds the file browserUtils.js"="11/13/2019 8:51 PM, 1536 bytes, A Adds the file chrome.js"="11/13/2019 8:51 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="11/13/2019 8:51 PM, 22964 bytes, A Adds the file dateTimeUtils.js"="11/13/2019 8:51 PM, 1213 bytes, A Adds the file dlp.js"="11/13/2019 8:51 PM, 5783 bytes, A Adds the file dlpHelper.js"="11/13/2019 8:51 PM, 1835 bytes, A Adds the file extensionDetect.js"="11/13/2019 8:51 PM, 4354 bytes, A Adds the file index.js"="11/13/2019 8:51 PM, 49 bytes, A Adds the file localStorageContentScript.js"="11/13/2019 8:51 PM, 2236 bytes, A Adds the file logger.js"="11/13/2019 8:51 PM, 531 bytes, A Adds the file meta.js"="11/13/2019 8:51 PM, 1610 bytes, A Adds the file offerService.js"="11/13/2019 8:51 PM, 16953 bytes, A Adds the file pageUtils.js"="11/13/2019 8:51 PM, 2905 bytes, A Adds the file PartnerId.js"="11/13/2019 8:51 PM, 16402 bytes, A Adds the file polyfill.js"="11/13/2019 8:51 PM, 875 bytes, A Adds the file product.js"="11/13/2019 8:51 PM, 7830 bytes, A Adds the file remoteConfigLoader.js"="11/13/2019 8:51 PM, 5053 bytes, A Adds the file splashPageRedirectHandler.js"="11/13/2019 8:51 PM, 2821 bytes, A Adds the file storageUtils.js"="11/13/2019 8:51 PM, 1718 bytes, A Adds the file TemplateParser.js"="11/13/2019 8:51 PM, 3153 bytes, A Adds the file ul.js"="11/13/2019 8:51 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="11/13/2019 8:51 PM, 2453 bytes, A Adds the file urlUtils.js"="11/13/2019 8:51 PM, 5906 bytes, A Adds the file util.js"="11/13/2019 8:51 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="11/13/2019 8:51 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="11/13/2019 8:51 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glmfdkfmoamfkgkncklicdngnfabhaim Adds the file 000003.log"="1/9/2020 10:51 AM, 4709 bytes, A Adds the file CURRENT"="1/9/2020 10:51 AM, 16 bytes, A Adds the file LOCK"="1/9/2020 10:51 AM, 0 bytes, A Adds the file LOG"="1/9/2020 10:51 AM, 184 bytes, A Adds the file MANIFEST-000001"="1/9/2020 10:51 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\ProPDFConverterTooltab Adds the file TooltabExtension.dll"="11/21/2019 8:15 PM, 266864 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "glmfdkfmoamfkgkncklicdngnfabhaim"="REG_SZ", "5F8DD0B2A901525B98D8A4E1FDAD119AA793E9CC7811B032D00113A88D9AFCB9" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "https://hp.myway.com/propdfconverter/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&si={si}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ProPDFConverterTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "ProPDFConverter Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\ProPDFConverterTooltab\TooltabExtension.dll" U uninstall:ProPDFConverter" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\ProPDFConverter] "Start Page"="REG_SZ", "https://hp.myway.com/propdfconverter/ttab02/index.html?n={n}&p2=^CRB^xdm266^TTAB02^nl&ptb={ptb}&si={si}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=https%253A%252F%252Fhp.myway.com%252Fuo%252Fo1%252Findex.html%253Fc%253D{ptb}%2526ptb%253{ptb}" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/9/20 Scan Time: 11:09 AM Log File: 2b2ebf50-32c8-11ea-9ee9-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.17475 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236042 Threats Detected: 93 Threats Quarantined: 93 Time Elapsed: 18 min, 8 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\ProPDFConverterTooltab\TooltabExtension.dll, Quarantined, 1797, 356944, , , , Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ProPDFConverterTooltab Uninstall Internet Explorer, Quarantined, 1797, 356944, , , , PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\ProPDFConverter, Quarantined, 1797, 444113, 1.0.17475, , ame, Registry Value: 4 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ProPDFConverterTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, 681, 352442, 1.0.17475, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\ProPDFConverter|START PAGE, Quarantined, 1797, 444113, 1.0.17475, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\ProPDFConverter|UNINSTALLSURVEYURL, Quarantined, 1797, 769449, 1.0.17475, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|glmfdkfmoamfkgkncklicdngnfabhaim, Quarantined, 1797, 443121, , , , Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, 681, 293497, 1.0.17475, , ame, Data Stream: 0 (No malicious items detected) Folder: 21 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\ProPDFConverterTooltab, Quarantined, 1797, 356944, 1.0.17475, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\glmfdkfmoamfkgkncklicdngnfabhaim, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\es_419, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\pt_BR, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\pt_PT, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\ar, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\de, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\en, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\es, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\fr, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\it, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\ja, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\ko, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\nl, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_metadata, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\config, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\icons, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GLMFDKFMOAMFKGKNCKLICDNGNFABHAIM, Quarantined, 1797, 443121, 1.0.17475, , ame, File: 64 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\ProPDFConverterTooltab\TooltabExtension.dll, Quarantined, 1797, 356944, 1.0.17475, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glmfdkfmoamfkgkncklicdngnfabhaim\000003.log, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glmfdkfmoamfkgkncklicdngnfabhaim\CURRENT, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glmfdkfmoamfkgkncklicdngnfabhaim\LOCK, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glmfdkfmoamfkgkncklicdngnfabhaim\LOG, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glmfdkfmoamfkgkncklicdngnfabhaim\LOG.old, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glmfdkfmoamfkgkncklicdngnfabhaim\MANIFEST-000001, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GLMFDKFMOAMFKGKNCKLICDNGNFABHAIM\13.917.16.52866_0\MANIFEST.JSON, Quarantined, 1797, 443121, 1.0.17475, , ame, PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\config\config.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\icons\icon128.png, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\icons\icon16.png, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\icons\icon19disabled.png, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\icons\icon19on.png, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\icons\icon48.png, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\dlpHelper.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\ajax.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\babAPI.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\babClickHandler.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\babContentScript.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\babContentScriptAPI.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\background.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\browserUtils.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\chrome.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\contentScriptConnectionManager.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\dateTimeUtils.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\dlp.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\extensionDetect.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\index.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\localStorageContentScript.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\logger.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\meta.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\offerService.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\pageUtils.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\PartnerId.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\polyfill.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\product.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\remoteConfigLoader.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\splashPageRedirectHandler.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\storageUtils.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\TemplateParser.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\ul.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\urlFragmentActions.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\urlUtils.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\util.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\webtooltabAPI.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\js\webTooltabAPIProxy.js, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\ar\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\de\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\en\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\es\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\es_419\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\fr\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\it\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\ja\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\ko\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\nl\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\pt_BR\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_locales\pt_PT\messages.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_metadata\computed_hashes.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\_metadata\verified_contents.json, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmfdkfmoamfkgkncklicdngnfabhaim\13.917.16.52866_0\ntp1.html, Quarantined, 1797, 443121, , , , PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\PROPDFCONVERTER.{coid}.EXE, Quarantined, 681, 365288, 1.0.17475, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is Utilitool? The Malwarebytes research team has determined that Utilitool is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Utilitool? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did Utilitool get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Utilitool? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Utilitool? No, Malwarebytes removes Utilitool completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Browser Guard as well as the full version of Malwarebytes would have protected you against the Utilitool hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.utilitooltech.com/?q={searchTerms}&publisher=utilitool&barcodeid=522780000000000 CHR DefaultSearchKeyword: Default -> utilitool CHR DefaultSuggestURL: Default -> hxxps://api.utilitooltech.com/suggest/get?q={searchTerms} CHR Notifications: Default -> hxxps://install.utilitooltech.com CHR Extension: (Utilitool Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb [2020-01-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0 Adds the file manifest.json"="1/8/2020 10:49 AM, 2080 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\_metadata Adds the file computed_hashes.json"="1/8/2020 10:49 AM, 6088 bytes, A Adds the file verified_contents.json"="10/4/2019 2:15 AM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\images\icons Adds the file 128x128.png"="1/8/2020 10:49 AM, 6855 bytes, A Adds the file 16x16.png"="1/8/2020 10:49 AM, 611 bytes, A Adds the file 64x64.png"="1/8/2020 10:49 AM, 3217 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\scripts Adds the file background.js"="9/20/2019 2:58 PM, 511546 bytes, A Adds the file sitecontent.js"="9/20/2019 2:58 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_opfbaflpjjkcjalnnlnancomdfmeelgb Adds the file Utilitool.ico"="1/8/2020 10:50 AM, 193129 bytes, A Adds the file Utilitool.ico.md5"="1/8/2020 10:50 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "opfbaflpjjkcjalnnlnancomdfmeelgb"="REG_SZ", "A92F377F503BDE7A1C5C3DE012B2D576EAAFEBDFA1922DCBF9C133655F228B4B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/8/20 Scan Time: 11:02 AM Log File: fbffad0e-31fd-11ea-8c32-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.17423 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235943 Threats Detected: 17 Threats Quarantined: 17 Time Elapsed: 1 hr, 4 min, 31 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.UtilToolTech, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|opfbaflpjjkcjalnnlnancomdfmeelgb, Quarantined, 2234, 520404, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\images\icons, Quarantined, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\_metadata, Quarantined, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\scripts, Quarantined, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\images, Quarantined, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0, Quarantined, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OPFBAFLPJJKCJALNNLNANCOMDFMEELGB, Quarantined, 2234, 520404, 1.0.17423, , ame, File: 10 PUP.Optional.UtilToolTech, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OPFBAFLPJJKCJALNNLNANCOMDFMEELGB\3.0.3_0\MANIFEST.JSON, Quarantined, 2234, 520404, 1.0.17423, , ame, PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\images\icons\128x128.png, Quarantined, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\images\icons\16x16.png, Quarantined, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\images\icons\64x64.png, Quarantined, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\scripts\background.js, Quarantined, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\scripts\sitecontent.js, Quarantined, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\_metadata\computed_hashes.json, Quarantined, 2234, 520404, , , , PUP.Optional.UtilToolTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\opfbaflpjjkcjalnnlnancomdfmeelgb\3.0.3_0\_metadata\verified_contents.json, Quarantined, 2234, 520404, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is MediaConverterOnline Promos?The Malwarebytes research team has determined that MediaConverterOnline Promos is adware. These adware applications display advertisements not originating from the sites you are browsing.This particular one also promotes thnrough notifications.How do I know if my computer is affected by MediaConverterOnline Promos?You may see this warning during install:this type of notifications:and this changed setting:How did MediaConverterOnline Promos get on my computer?Adware applications use different methods for distributing themselves. This particular one was installed by a bundler.How do I remove MediaConverterOnline Promos?Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of MediaConverterOnline Promos? No, Malwarebytes removes MediaConverterOnline Promos completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below both the full version of Malwarebytes and Browser Guard would have protected you against the MediaConverterOnline Promos adware. It would have blocked the installer before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (MediaConverterOnline Promos) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl [2020-01-07] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0 Adds the file manifest.json"="1/7/2020 8:50 AM, 2959 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\_metadata Adds the file computed_hashes.json"="1/7/2020 8:50 AM, 17400 bytes, A Adds the file verified_contents.json"="9/26/2019 2:39 PM, 2952 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\background Adds the file main.js"="9/26/2019 1:45 PM, 337972 bytes, A Adds the file preload.js"="9/26/2019 8:43 AM, 2544 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\bb-ta-template Adds the file main.js"="9/26/2019 12:14 PM, 141810 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\content Adds the file main.js"="9/26/2019 1:38 PM, 201794 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\data-frame Adds the file main.js"="9/26/2019 1:39 PM, 164148 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\project-frame Adds the file main.js"="9/26/2019 12:14 PM, 146850 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\serving-frame Adds the file main.js"="9/26/2019 12:14 PM, 446611 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\logos Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl Adds the file 000003.log"="1/7/2020 8:53 AM, 2957 bytes, A Adds the file CURRENT"="1/7/2020 8:50 AM, 16 bytes, A Adds the file LOCK"="1/7/2020 8:50 AM, 0 bytes, A Adds the file LOG"="1/7/2020 8:50 AM, 184 bytes, A Adds the file MANIFEST-000001"="1/7/2020 8:50 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl Adds the file 000003.log"="1/7/2020 8:51 AM, 45 bytes, A Adds the file CURRENT"="1/7/2020 8:50 AM, 16 bytes, A Adds the file LOCK"="1/7/2020 8:50 AM, 0 bytes, A Adds the file LOG"="1/7/2020 8:51 AM, 183 bytes, A Adds the file MANIFEST-000001"="1/7/2020 8:50 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ocmddfoccjoifjbgbhknealbdgifmldl"="REG_SZ", "2BED7E43C808CAF363B5DA378A1400376E47906170D08D9BC0F0F13461D4A74F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/7/20 Scan Time: 9:02 AM Log File: 0e190e70-3124-11ea-8b37-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.17367 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235935 Threats Detected: 45 Threats Quarantined: 45 Time Elapsed: 15 min, 48 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.AdvertisingExt, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ocmddfoccjoifjbgbhknealbdgifmldl, Quarantined, 1801, 629211, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 13 PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\bb-ta-template, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\project-frame, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\serving-frame, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\background, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\data-frame, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\content, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\_metadata, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\logos, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OCMDDFOCCJOIFJBGBHKNEALBDGIFMLDL, Quarantined, 1801, 629211, 1.0.17367, , ame, File: 31 PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\000003.log, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\CURRENT, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\LOCK, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\LOG, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\LOG.old, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\MANIFEST-000001, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\000003.log, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\CURRENT, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\LOCK, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\LOG, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\LOG.old, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocmddfoccjoifjbgbhknealbdgifmldl\MANIFEST-000001, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OCMDDFOCCJOIFJBGBHKNEALBDGIFMLDL\259.15225.1058.43_0\MANIFEST.JSON, Quarantined, 1801, 629211, 1.0.17367, , ame, PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\background\main.js, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\background\preload.js, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\bb-ta-template\main.js, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\content\main.js, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\data-frame\main.js, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\project-frame\main.js, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\js\serving-frame\main.js, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\logos\128.png, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\logos\16.png, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\logos\19.png, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\logos\32.png, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\logos\38.png, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\logos\48.png, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\logos\64.png, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\_metadata\computed_hashes.json, Quarantined, 1801, 629211, , , , PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocmddfoccjoifjbgbhknealbdgifmldl\259.15225.1058.43_0\_metadata\verified_contents.json, Quarantined, 1801, 629211, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is MoFinder? The Malwarebytes research team has determined that MoFinder is adware. These adware applications display advertisements not originating from the sites you are browsing. How do I know if my computer is affected by MoFinder? You may see these tasks in your Scheduled Tasks: and this entry in your list of installed Programs and Features: How did MoFinder get on my computer? Adware applications use different methods for distributing themselves. This particular one was downloaded from their website: How do I remove MoFinder? Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of MoFinder? No, Malwarebytes removes MoFinder completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the MoFinder adware. It would have blocked the installer. Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have blocked their website, giving you another chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: Task: {1C147E03-68EC-4C86-872A-18C825A5AD00} - System32\Tasks\Microsoft\Windows\Finder\Backup => {D24E981B-1F7C-4484-ADE7-0C834CD1F5FA} C:\ProgramData\MoFinder\ModFinder64.dll [546680 2020-01-06] (Hubei Yinyue Ecommerce Co., Ltd. -> 湖北音悦电子商务有限公司) Task: {2C46383A-022C-4F7F-ACF2-8E97008BC4DE} - System32\Tasks\Microsoft\Windows\Finder\Update => {73833D31-E0F9-42E7-ACCD-3B76E8D1C280} C:\ProgramData\MoFinder\ModFinder64.dll [546680 2020-01-06] (Hubei Yinyue Ecommerce Co., Ltd. -> 湖北音悦电子商务有限公司) C:\ProgramData\MoFinder C:\Program Files (x86)\MoFinder (湖北音悦电子商务有限公司) C:\Users\{username}\Desktop\install.exe MoFinder (HKLM-x32\...\MoFinder) (Version: 7.6.1.22 - ºþ±±ÒôÔõç×ÓÉÌÎñÓÐÏÞ¹«Ë¾) Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\MoFinder Adds the file ModFinder32.dll"="1/6/2020 9:09 AM, 395640 bytes, A Adds the file ModFinder64.dll"="1/6/2020 9:09 AM, 546680 bytes, A Adds the file MoFinder.exe"="1/6/2020 9:09 AM, 2572664 bytes, A Adds the file uninst.exe"="1/6/2020 9:09 AM, 838520 bytes, A Adds the folder C:\ProgramData\MoFinder Adds the file ModFinder64.dll"="1/6/2020 9:09 AM, 546680 bytes, A Adds the folder C:\Windows\System32\Tasks\Microsoft\Windows\Finder Adds the file Backup"="1/6/2020 9:09 AM, 3924 bytes, A Adds the file Update"="1/6/2020 9:09 AM, 3444 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{96FCEA60-242D-4568-9A7A-B52583D7D132}] "(Default)"="REG_SZ", "ComHandler" "DllSurrogate"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\CoolTask.DLL] "AppID"="REG_SZ", "{96FCEA60-242D-4568-9A7A-B52583D7D132}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73833D31-E0F9-42E7-ACCD-3B76E8D1C280}] "(Default)"="REG_SZ", "TaskHandler Class" "AppID"="REG_SZ", "{96FCEA60-242D-4568-9A7A-B52583D7D132}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73833D31-E0F9-42E7-ACCD-3B76E8D1C280}\InprocServer32] "(Default)"="REG_SZ", "C:\ProgramData\MoFinder\ModFinder64.dll" "ThreadingModel"="REG_SZ", "Both" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D24E981B-1F7C-4484-ADE7-0C834CD1F5FA}] "(Default)"="REG_SZ", "ShutdownTask Class" "AppID"="REG_SZ", "{96FCEA60-242D-4568-9A7A-B52583D7D132}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D24E981B-1F7C-4484-ADE7-0C834CD1F5FA}\InprocServer32] "(Default)"="REG_SZ", "C:\ProgramData\MoFinder\ModFinder64.dll" "ThreadingModel"="REG_SZ", "Both" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DC430D32-27AA-4772-872B-5C62A8243B4C}\1.0] "(Default)"="REG_SZ", "MoFunctionLib" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DC430D32-27AA-4772-872B-5C62A8243B4C}\1.0\0\win64] "(Default)"="REG_SZ", "C:\ProgramData\MoFinder\ModFinder64.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DC430D32-27AA-4772-872B-5C62A8243B4C}\1.0\FLAGS] "(Default)"="REG_SZ", "0" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DC430D32-27AA-4772-872B-5C62A8243B4C}\1.0\HELPDIR] "(Default)"="REG_SZ", "C:\ProgramData\MoFinder" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoFinder] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\MoFinder\MoFinder.exe" "DisplayName"="REG_SZ", "MoFinder" "DisplayVersion"="REG_SZ", "7.6.1.22" "Publisher"="REG_SZ", "ºþ±±ÒôÔõç×ÓÉÌÎñÓÐÏÞ¹«Ë¾" "UninstallString"="REG_SZ", "C:\Program Files (x86)\MoFinder\uninst.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MoFinder] "code"="REG_SZ", "6000" "instdir"="REG_SZ", "C:\Program Files (x86)\MoFinder\MoFinder.exe" "pusid"="REG_SZ", "" "pversion"="REG_SZ", "7.6.1.22" "sect"="REG_SZ", "921d69e9c9c6f18788cc684fbc6558c0" "uscnt"="REG_SZ", "0" "usid"="REG_SZ", "98676eb24dee40bfbf759d398e3505e7" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/6/20 Scan Time: 9:20 AM Log File: 6334cf2e-305d-11ea-9420-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.17315 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235850 Threats Detected: 17 Threats Quarantined: 17 Time Elapsed: 1 hr, 12 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MoFinder, C:\PROGRAMDATA\MOFINDER\MODFINDER64.DLL, Quarantined, 640, 774847, , , , Registry Key: 8 PUP.Optional.MoFinder, HKLM\SOFTWARE\CLASSES\CLSID\{73833D31-E0F9-42E7-ACCD-3B76E8D1C280}, Quarantined, 640, 774847, , , , PUP.Optional.MoFinder, HKLM\SOFTWARE\CLASSES\CLSID\{73833D31-E0F9-42E7-ACCD-3B76E8D1C280}\InprocServer32, Quarantined, 640, 774847, , , , PUP.Optional.MoFinder, HKLM\SOFTWARE\CLASSES\CLSID\{D24E981B-1F7C-4484-ADE7-0C834CD1F5FA}, Quarantined, 640, 774847, , , , PUP.Optional.MoFinder, HKLM\SOFTWARE\CLASSES\CLSID\{D24E981B-1F7C-4484-ADE7-0C834CD1F5FA}\InprocServer32, Quarantined, 640, 774847, , , , PUP.Optional.MoFinder, HKLM\SOFTWARE\CLASSES\TYPELIB\{DC430D32-27AA-4772-872B-5C62A8243B4C}, Quarantined, 640, 774847, , , , PUP.Optional.MoFinder, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{DC430D32-27AA-4772-872B-5C62A8243B4C}, Quarantined, 640, 774847, , , , PUP.Optional.MoFinder, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{DC430D32-27AA-4772-872B-5C62A8243B4C}, Quarantined, 640, 774847, , , , PUP.Optional.MoFinder, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MoFinder, Quarantined, 640, 774847, , , , Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 7 PUP.Optional.MoFinder, C:\PROGRAMDATA\MOFINDER\MODFINDER64.DLL, Quarantined, 640, 774847, 1.0.17315, , ame, PUP.Optional.MoFinder, C:\PROGRAM FILES (X86)\MOFINDER\MODFINDER32.DLL, Quarantined, 640, 774847, 1.0.17315, , ame, PUP.Optional.MoFinder, C:\DOWNLOADS\INSTALL.EXE, Quarantined, 640, 774847, 1.0.17315, EC84707F0BEFC9A1669F9A96, dds, 00533234 PUP.Optional.MoFinder, C:\PROGRAM FILES (X86)\MOFINDER\MODFINDER64.DLL, Quarantined, 640, 774847, 1.0.17315, , ame, PUP.Optional.MoFinder, C:\PROGRAM FILES (X86)\MOFINDER\UNINST.EXE, Quarantined, 640, 774847, 1.0.17315, , ame, PUP.Optional.MoFinder, C:\PROGRAM FILES (X86)\MOFINDER\MOFINDER.EXE, Quarantined, 640, 774847, 1.0.17315, , ame, PUP.Optional.MoFinder, C:\USERS\{username}\DESKTOP\INSTALL.EXE, Quarantined, 640, 774847, 1.0.17315, EC84707F0BEFC9A1669F9A96, dds, 00533267 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.