Metallica

What is Quick Speedup 2018?The Malwarebytes research team has determined that Quick Speedup 2018 is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Quick Speedup 2018?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and these screens during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did Quick Speedup 2018 get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Quick Speedup 2018?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Quick Speedup 2018? No, Malwarebytes removes Quick Speedup 2018 completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Quick Speedup 2018 installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () C:\Program Files\Quick Speedup 2018 for {computername}\mpr.exe C:\Users\{username}\AppData\Roaming\Quick Speedup 2018 For {computername} C:\Windows\System32\Tasks\Quick Speedup 2018_Logon C:\Users\Public\Desktop\Quick Speedup 2018.lnk C:\ProgramData\Quick Speedup 2018 for {computername} C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quick Speedup 2018 for {computername} C:\Program Files\Quick Speedup 2018 for {computername} Quick Speedup 2018 (HKLM\...\{AA24BE31-BE74-4325-B22E-2056E6CDF8B5}_is1) (Version: 1.0.0.9 - ) Task: {A1E027A3-8708-4142-AF59-8D7B298CF585} - System32\Tasks\Quick Speedup 2018_Logon => C:\Program Files\Quick Speedup 2018 for {computername}\mpr.exe [2018-06-04] () Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Quick Speedup 2018 for {computername} Adds the file application.ico"="4/19/2018 8:39 PM, 94222 bytes, A Adds the file danish_iss.ini"="5/16/2018 11:25 AM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/16/2018 11:25 AM, 2600 bytes, A Adds the file english_iss.ini"="5/16/2018 11:25 AM, 2256 bytes, A Adds the file finish_iss.ini"="5/16/2018 11:25 AM, 2368 bytes, A Adds the file French_iss.ini"="5/16/2018 11:25 AM, 2792 bytes, A Adds the file german_iss.ini"="5/16/2018 11:25 AM, 2658 bytes, A Adds the file gtcmg.dll"="6/4/2018 7:04 PM, 1946000 bytes, A Adds the file HtmlRenderer.dll"="6/4/2018 7:04 PM, 228240 bytes, A Adds the file HtmlRenderer.WinForms.dll"="6/4/2018 7:04 PM, 66960 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="6/4/2018 7:04 PM, 55696 bytes, A Adds the file italian_iss.ini"="5/16/2018 11:25 AM, 2532 bytes, A Adds the file japanese_iss.ini"="5/16/2018 11:25 AM, 1844 bytes, A Adds the file langs.db"="5/16/2018 2:50 PM, 449536 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="6/4/2018 7:04 PM, 177552 bytes, A Adds the file mpr.exe"="6/4/2018 7:04 PM, 2263440 bytes, A Adds the file mpr.exe.config"="6/4/2018 7:04 PM, 5799 bytes, A Adds the file NAudio.dll"="6/4/2018 7:04 PM, 477584 bytes, A Adds the file Newtonsoft.Json.dll"="6/4/2018 7:04 PM, 467344 bytes, A Adds the file norwegian_iss.ini"="5/16/2018 11:25 AM, 2358 bytes, A Adds the file PaddleCheckoutSDK.dll"="6/4/2018 7:04 PM, 61840 bytes, A Adds the file portuguese_iss.ini"="5/16/2018 11:25 AM, 2424 bytes, A Adds the file russian_iss.ini"="5/16/2018 11:25 AM, 2494 bytes, A Adds the file spanish_iss.ini"="5/16/2018 11:25 AM, 2548 bytes, A Adds the file swedish_iss.ini"="5/16/2018 11:25 AM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="6/4/2018 7:04 PM, 297360 bytes, A Adds the file TAFactory.IconPack.dll"="6/4/2018 7:04 PM, 43408 bytes, A Adds the file unins000.dat"="6/19/2018 10:26 AM, 85155 bytes, A Adds the file unins000.exe"="6/19/2018 10:26 AM, 1273232 bytes, A Adds the file unins000.msg"="6/19/2018 10:26 AM, 22701 bytes, A Adds the folder C:\Program Files\Quick Speedup 2018 for {computername}\x64 Adds the file SQLite.Interop.dll"="6/4/2018 7:04 PM, 1182096 bytes, A Adds the folder C:\Program Files\Quick Speedup 2018 for {computername}\x86 Adds the file SQLite.Interop.dll"="6/4/2018 7:04 PM, 861072 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quick Speedup 2018 for {computername} Adds the file Buy Quick Speedup 2018.lnk"="6/19/2018 10:26 AM, 1000 bytes, A Adds the file Quick Speedup 2018.lnk"="6/19/2018 10:26 AM, 988 bytes, A Adds the file Uninstall Quick Speedup 2018.lnk"="6/19/2018 10:26 AM, 1019 bytes, A Adds the folder C:\ProgramData\Quick Speedup 2018 for {computername} Adds the file mdb.db"="5/16/2018 11:25 AM, 835584 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 11:25 AM, 130973 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Quick Speedup 2018 For {computername} Adds the file Errorlog.txt"="6/19/2018 10:28 AM, 15766 bytes, A Adds the file exlist.bin"="6/19/2018 10:26 AM, 258019 bytes, A Adds the file pplan.xml"="6/19/2018 10:26 AM, 668 bytes, A Adds the file res.xml"="6/19/2018 10:28 AM, 9410 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Quick Speedup 2018 For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file Quick Speedup 2018.lnk"="6/19/2018 10:26 AM, 970 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Quick Speedup 2018_Logon"="6/19/2018 10:26 AM, 3078 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AA24BE31-BE74-4325-B22E-2056E6CDF8B5}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Quick Speedup 2018 for {computername}\mpr.exe" "DisplayName"="REG_SZ", "Quick Speedup 2018" "DisplayVersion"="REG_SZ", "1.0.0.9" "EstimatedSize"="REG_DWORD", 12593 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Quick Speedup 2018 for {computername}" "Inno Setup: Icon Group"="REG_SZ", "Quick Speedup 2018 for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20180619" "InstallLocation"="REG_SZ", "C:\Program Files\Quick Speedup 2018 for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Quick Speedup 2018 for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Quick Speedup 2018 for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\Quick Speedup 2018 For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.trfactiv.com/install/qsp/?" "apst"="REG_DWORD", 0 "buybowinapp"="REG_SZ", "http://store.quickwincleaner.com/qsp/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ......................................................................................................................................................................................................................................................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\Quick Speedup 2018 for {computername}" "ipaddrurl"="REG_SZ", "http://www.trfactiv.com/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 0 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 23 "lstscandate"="REG_SZ", "6/19/2018 10:28:02 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 23 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.trfactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.trfactiv.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.quickwincleaner.com/qsp/price?" "pxl"="REG_SZ", "qsp3509_qsp3437_qsp1625" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.quickwincleaner.com/qsp/renewal?" "runcam"="REG_DWORD", 0 "runpixel"="REG_DWORD", 0 "runsrc"="REG_DWORD", 0 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.quickwincleaner.com/help/" "TELNO"="REG_SZ", "(855)-332-0124" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "(855)-332-0124" "utm_campaign"="REG_SZ", "qspcl" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "qspcl" "WebURL"="REG_SZ", "http://www.quickwincleaner.com/" "wfoset"="REG_DWORD", 1 "x-fetch"="REG_SZ", "1" [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "qsp3509_qsp3437_qsp1625" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "qspcl" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "qspcl" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\UXVpY2sgU3BlZWR1cCAyMDE4\ACT] "data"="REG_BINARY, ..............................................................................................................................................................................................................................................................................................................................................................................................._............................... [HKEY_CURRENT_USER\Software\Quick Speedup 2018 For {computername}] "InstallString"="REG_SZ", "C:\Program Files\Quick Speedup 2018 for {computername}" "LangCode"="REG_SZ", "en" "pxl"="REG_SZ", "qsp3509_qsp3437_qsp1625" "utm_campaign"="REG_SZ", "qspcl" "utm_source"="REG_SZ", "qspcl" [HKEY_CURRENT_USER\Software\Quick Speedup 2018 For {computername}\1.0.0.9] "Installstring"="REG_SZ", "C:\Program Files\Quick Speedup 2018 for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/19/18 Scan Time: 11:00 AM Log File: 45f9d5ac-739f-11e8-b181-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5538 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238782 Threats Detected: 69 Threats Quarantined: 69 Time Elapsed: 2 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\mpr.exe, Quarantined, [3540], [531728],1.0.5538 Module: 7 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\x64\SQLite.Interop.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\mpr.exe, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\PaddleCheckoutSDK.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\System.Data.SQLite.DLL, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\TAFactory.IconPack.dll, Quarantined, [3540], [531728],1.0.5538 Registry Key: 7 PUP.Optional.QuickSpeedup, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Quick Speedup 2018_Logon, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{A1E027A3-8708-4142-AF59-8D7B298CF585}, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{A1E027A3-8708-4142-AF59-8D7B298CF585}, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{AA24BE31-BE74-4325-B22E-2056E6CDF8B5}_is1, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, HKCU\SOFTWARE\Quick Speedup 2018 For {computername}, Quarantined, [3540], [531734],1.0.5538 PUP.Optional.QuickSpeedup, HKLM\SOFTWARE\Quick Speedup 2018 For {computername}, Quarantined, [3540], [531733],1.0.5538 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR, Quarantined, [1110], [484510],1.0.5538 Registry Value: 3 PUP.Optional.QuickSpeedup, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{AA24BE31-BE74-4325-B22E-2056E6CDF8B5}_is1|DISPLAYNAME, Quarantined, [3540], [531735],1.0.5538 PUP.Optional.QuickSpeedup, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{A1E027A3-8708-4142-AF59-8D7B298CF585}|PATH, Quarantined, [3540], [531736],1.0.5538 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1110], [484510],1.0.5538 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.QuickSpeedup, C:\PROGRAMDATA\Quick Speedup 2018 for {computername}, Quarantined, [3540], [531730],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\x64, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\x86, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\PROGRAM FILES\Quick Speedup 2018 for {computername}, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Users\{username}\AppData\Roaming\Quick Speedup 2018 For {computername}\smico, Quarantined, [3540], [531731],1.0.5538 PUP.Optional.QuickSpeedup, C:\USERS\{username}\APPDATA\ROAMING\Quick Speedup 2018 For {computername}, Quarantined, [3540], [531731],1.0.5538 PUP.Optional.QuickSpeedup, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Quick Speedup 2018 for {computername}, Quarantined, [3540], [531729],1.0.5538 File: 44 PUP.Optional.QuickSpeedup, C:\PROGRAMDATA\Quick Speedup 2018 for {computername}\mdb.db, Quarantined, [3540], [531730],1.0.5538 PUP.Optional.QuickSpeedup, C:\ProgramData\Quick Speedup 2018 for {computername}\pcspstartrepair_en.mp3, Quarantined, [3540], [531730],1.0.5538 PUP.Optional.QuickSpeedup, C:\PROGRAM FILES\Quick Speedup 2018 for {computername}\unins000.dat, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\x64\SQLite.Interop.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\x86\SQLite.Interop.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\application.ico, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\danish_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\Dutch_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\english_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\finish_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\French_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\german_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\gtcmg.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\HtmlRenderer.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\italian_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\japanese_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\langs.db, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\mpr.exe, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\mpr.exe.config, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\NAudio.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\Newtonsoft.Json.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\norwegian_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\PaddleCheckoutSDK.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\portuguese_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\russian_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\spanish_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\swedish_iss.ini, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\System.Data.SQLite.DLL, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\TAFactory.IconPack.dll, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\unins000.exe, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\Program Files\Quick Speedup 2018 for {computername}\unins000.msg, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\WINDOWS\SYSTEM32\TASKS\Quick Speedup 2018_Logon, Quarantined, [3540], [531728],1.0.5538 PUP.Optional.QuickSpeedup, C:\USERS\{username}\APPDATA\ROAMING\Quick Speedup 2018 For {computername}\Errorlog.txt, Quarantined, [3540], [531731],1.0.5538 PUP.Optional.QuickSpeedup, C:\Users\{username}\AppData\Roaming\Quick Speedup 2018 For {computername}\exlist.bin, Quarantined, [3540], [531731],1.0.5538 PUP.Optional.QuickSpeedup, C:\Users\{username}\AppData\Roaming\Quick Speedup 2018 For {computername}\pplan.xml, Quarantined, [3540], [531731],1.0.5538 PUP.Optional.QuickSpeedup, C:\Users\{username}\AppData\Roaming\Quick Speedup 2018 For {computername}\res.xml, Quarantined, [3540], [531731],1.0.5538 PUP.Optional.QuickSpeedup, C:\USERS\PUBLIC\DESKTOP\Quick Speedup 2018.lnk, Quarantined, [3540], [531732],1.0.5538 PUP.Optional.QuickSpeedup, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quick Speedup 2018 for {computername}\Buy Quick Speedup 2018.lnk, Quarantined, [3540], [531729],1.0.5538 PUP.Optional.QuickSpeedup, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quick Speedup 2018 for {computername}\Quick Speedup 2018.lnk, Quarantined, [3540], [531729],1.0.5538 PUP.Optional.QuickSpeedup, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quick Speedup 2018 for {computername}\Uninstall Quick Speedup 2018.lnk, Quarantined, [3540], [531729],1.0.5538 PUP.Optional.PCVARK, C:\DOWNLOADS\QSPSETUP.EXE, Quarantined, [410], [531751],1.0.5538 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Search Inspired?The Malwarebytes research team has determined that Search Inspired is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.How do I know if my computer is affected by Search Inspired?You may see this entry in your list of installed Chrome extensions:and these warnings during install:you will see this icon in your Chrome menu-bar:and this changed setting:How did Search Inspired get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website:but it was also available in the webstore:How do I remove Search Inspired?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Search Inspired? No, Malwarebytes removes Search Inspired completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Search Inspired hijacker. we block the site that spreads the extensions.Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://searchinspired.com/results.php?p=3000&v=400&q={searchTerms}&source=default CHR DefaultSearchKeyword: Default -> Search Inspired CHR DefaultSuggestURL: Default -> hxxps://searchinspired.com/gjson.php?q={searchTerms} CHR Extension: (Search Inspired) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnigdddmfgclhdagodnlljdnhkmcimpm [2018-06-18] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnigdddmfgclhdagodnlljdnhkmcimpm\1.2_0 Adds the file background.js"="5/31/2018 7:08 PM, 88 bytes, A Adds the file manifest.json"="6/18/2018 9:19 AM, 1850 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnigdddmfgclhdagodnlljdnhkmcimpm\1.2_0\_metadata Adds the file computed_hashes.json"="6/18/2018 9:19 AM, 136 bytes, A Adds the file verified_contents.json"="5/31/2018 7:33 PM, 1531 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnigdddmfgclhdagodnlljdnhkmcimpm\1.2_0\icons Adds the file icon128.png"="6/18/2018 9:19 AM, 13610 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mnigdddmfgclhdagodnlljdnhkmcimpm"="REG_SZ", "8224AC44B6BEC0F73CDD4069BD48A00B7065BB0174AFC3487EB1862BF76530F0" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/18/18 Scan Time: 11:27 AM Log File: e00f122c-72d9-11e8-a3ee-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5526 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238869 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 2 min, 59 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 PUP.Optional.SearchInspired.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnigdddmfgclhdagodnlljdnhkmcimpm\1.2_0\_metadata, Quarantined, [14420], [532282],1.0.5526 PUP.Optional.SearchInspired.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnigdddmfgclhdagodnlljdnhkmcimpm\1.2_0\icons, Quarantined, [14420], [532282],1.0.5526 PUP.Optional.SearchInspired.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnigdddmfgclhdagodnlljdnhkmcimpm\1.2_0, Quarantined, [14420], [532282],1.0.5526 PUP.Optional.SearchInspired.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MNIGDDDMFGCLHDAGODNLLJDNHKMCIMPM, Quarantined, [14420], [532282],1.0.5526 File: 7 PUP.Optional.SearchInspired.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14420], [532282],1.0.5526 PUP.Optional.SearchInspired.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14420], [532282],1.0.5526 PUP.Optional.SearchInspired.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MNIGDDDMFGCLHDAGODNLLJDNHKMCIMPM\1.2_0\MANIFEST.JSON, Quarantined, [14420], [532282],1.0.5526 PUP.Optional.SearchInspired.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnigdddmfgclhdagodnlljdnhkmcimpm\1.2_0\icons\icon128.png, Quarantined, [14420], [532282],1.0.5526 PUP.Optional.SearchInspired.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnigdddmfgclhdagodnlljdnhkmcimpm\1.2_0\_metadata\computed_hashes.json, Quarantined, [14420], [532282],1.0.5526 PUP.Optional.SearchInspired.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnigdddmfgclhdagodnlljdnhkmcimpm\1.2_0\_metadata\verified_contents.json, Quarantined, [14420], [532282],1.0.5526 PUP.Optional.SearchInspired.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnigdddmfgclhdagodnlljdnhkmcimpm\1.2_0\background.js, Quarantined, [14420], [532282],1.0.5526 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is AutoClean Pro 2018?The Malwarebytes research team has determined that AutoClean Pro 2018 is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with AutoClean Pro 2018?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and these screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did AutoClean Pro 2018 get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove AutoClean Pro 2018?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of AutoClean Pro 2018? No, Malwarebytes removes AutoClean Pro 2018 completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the AutoClean Pro 2018 installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () C:\Program Files\AutoClean~Pro~2018 for {computername}\mysysm.exe C:\Users\{username}\AppData\Roaming\AutoClean~Pro~2018 For {computername} C:\Windows\System32\Tasks\AutoClean~Pro~2018_Logon C:\Users\Public\Desktop\AutoClean~Pro~2018.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoClean~Pro~2018 for {computername} C:\ProgramData\AutoClean~Pro~2018 for {computername} C:\Program Files\AutoClean~Pro~2018 for {computername} AutoClean~Pro~2018 (HKLM\...\{1166F93A-6814-4AA6-8932-202AA1D8EF1F}_is1) (Version: 2.2.0.0 - ) Task: {474C078E-648E-4649-AF72-C925FC5387A1} - System32\Tasks\AutoClean~Pro~2018_Logon => C:\Program Files\AutoClean~Pro~2018 for {computername}\mysysm.exe [2018-02-21] () Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\AutoClean~Pro~2018 for {computername} Adds the file application.ico"="2/6/2018 10:43 AM, 56150 bytes, A Adds the file danish_iss.ini"="5/23/2017 6:31 PM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/23/2017 6:31 PM, 2600 bytes, A Adds the file english_iss.ini"="5/23/2017 6:31 PM, 2256 bytes, A Adds the file finish_iss.ini"="5/23/2017 6:31 PM, 2368 bytes, A Adds the file French_iss.ini"="5/23/2017 6:31 PM, 2792 bytes, A Adds the file german_iss.ini"="5/23/2017 6:31 PM, 2658 bytes, A Adds the file gtcmg.dll"="2/21/2018 6:06 PM, 1784192 bytes, A Adds the file HtmlRenderer.dll"="2/21/2018 6:06 PM, 228224 bytes, A Adds the file HtmlRenderer.WinForms.dll"="2/21/2018 6:06 PM, 66944 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="2/21/2018 6:06 PM, 55680 bytes, A Adds the file italian_iss.ini"="5/23/2017 6:31 PM, 2532 bytes, A Adds the file japanese_iss.ini"="5/23/2017 6:32 PM, 1844 bytes, A Adds the file langs.db"="2/6/2018 4:13 PM, 446464 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="2/21/2018 6:06 PM, 177536 bytes, A Adds the file mysysm.exe"="2/21/2018 6:06 PM, 2036608 bytes, A Adds the file mysysm.exe.config"="2/21/2018 6:06 PM, 5458 bytes, A Adds the file NAudio.dll"="2/21/2018 6:06 PM, 477568 bytes, A Adds the file norwegian_iss.ini"="5/23/2017 6:32 PM, 2358 bytes, A Adds the file portuguese_iss.ini"="5/23/2017 6:32 PM, 2424 bytes, A Adds the file russian_iss.ini"="5/23/2017 6:32 PM, 2494 bytes, A Adds the file spanish_iss.ini"="5/23/2017 6:32 PM, 2548 bytes, A Adds the file swedish_iss.ini"="5/23/2017 6:32 PM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="2/21/2018 6:06 PM, 297344 bytes, A Adds the file TAFactory.IconPack.dll"="2/21/2018 6:06 PM, 43392 bytes, A Adds the file unins000.dat"="6/15/2018 8:42 AM, 83715 bytes, A Adds the file unins000.exe"="6/15/2018 8:41 AM, 1235328 bytes, A Adds the file unins000.msg"="6/15/2018 8:42 AM, 22701 bytes, A Adds the folder C:\Program Files\AutoClean~Pro~2018 for {computername}\x64 Adds the file SQLite.Interop.dll"="2/21/2018 6:06 PM, 1182080 bytes, A Adds the folder C:\Program Files\AutoClean~Pro~2018 for {computername}\x86 Adds the file SQLite.Interop.dll"="2/21/2018 6:06 PM, 861056 bytes, A Adds the folder C:\ProgramData\AutoClean~Pro~2018 for {computername} Adds the file mdb.db"="10/3/2017 4:30 PM, 835584 bytes, A Adds the file pcspstartrepair_en.mp3"="3/2/2017 11:05 AM, 130973 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoClean~Pro~2018 for {computername} Adds the file AutoClean~Pro~2018.lnk"="6/15/2018 8:42 AM, 1007 bytes, A Adds the file Buy AutoClean~Pro~2018.lnk"="6/15/2018 8:42 AM, 1019 bytes, A Adds the file Uninstall AutoClean~Pro~2018.lnk"="6/15/2018 8:42 AM, 1019 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\AutoClean~Pro~2018 For {computername} Adds the file Errorlog.txt"="6/15/2018 8:44 AM, 13984 bytes, A Adds the file exlist.bin"="6/15/2018 8:42 AM, 258025 bytes, A Adds the file param.ini"="6/15/2018 8:42 AM, 346 bytes, A Adds the file res.xml"="6/15/2018 8:43 AM, 9434 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\AutoClean~Pro~2018 For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file AutoClean~Pro~2018.lnk"="6/15/2018 8:42 AM, 989 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file AutoClean~Pro~2018_Logon"="6/15/2018 8:42 AM, 3082 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\AutoClean~Pro~2018 For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.entireactiv.com/install/acp/?" "apst"="REG_DWORD", 0 "btnid"="REG_SZ", "" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "xx" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, .......................................................................................................................................................................................................................................................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\AutoClean~Pro~2018 for {computername}" "ipaddrurl"="REG_SZ", "http://www.entireactiv.com/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "lstregscancount"="REG_DWORD", 23 "lstscandate"="REG_SZ", "6/15/2018 8:43:18 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 23 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.entireactiv.com/ipfiles/" "playsound"="REG_DWORD", 1 "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.winspeeduputils.com/acp/price?" "pxl"="REG_SZ", "WAD3009_WAD2940_RUNT" "referurl"="REG_SZ", "" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.winspeeduputils.com/acp/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.winspeeduputils.com/help/" "TELNO"="REG_SZ", "+31-08-58882839" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "(855)-332-0124" "utm_campaign"="REG_SZ", "wadsphere3" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "8979da6b" "utm_source"="REG_SZ", "wadsphere3" "WebURL"="REG_SZ", "http://www.winspeeduputils.com/" "wfoset"="REG_DWORD", 1 "x-at"="REG_SZ", "1588" "x-ccode"="REG_SZ", "nl" "x-context"="REG_SZ", "4fd54e00-6fa2-11e8-bfb5-6d2904807861" "x-datetime"="REG_SZ", "06-15-2018 06:42:17 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "90_145_230_242" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1166F93A-6814-4AA6-8932-202AA1D8EF1F}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\AutoClean~Pro~2018 for {computername}\mysysm.exe" "DisplayName"="REG_SZ", "AutoClean~Pro~2018" "DisplayVersion"="REG_SZ", "2.2.0.0" "EstimatedSize"="REG_DWORD", 11461 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\AutoClean~Pro~2018 for {computername}" "Inno Setup: Icon Group"="REG_SZ", "AutoClean~Pro~2018 for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20180615" "InstallLocation"="REG_SZ", "C:\Program Files\AutoClean~Pro~2018 for {computername}\" "MajorVersion"="REG_DWORD", 2 "MinorVersion"="REG_DWORD", 2 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\AutoClean~Pro~2018 for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\AutoClean~Pro~2018 for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\QXV0b0NsZWFuflByb34yMDE4\ACT] "data"="REG_BINARY, ....................................................................................................................................................................................................................................................................................................._......................... [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "nl" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WAD3009_WAD2940_RUNT" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "wadsphere3" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "8979da6b" "utm_source"="REG_SZ", "wadsphere3" "x-at"="REG_SZ", "1588" "x-context"="REG_SZ", "4fd54e00-6fa2-11e8-bfb5-6d2904807861" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\AutoClean~Pro~2018 for {computername}] "btnid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\AutoClean~Pro~2018 for {computername}" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WAD3009_WAD2940_RUNT" "referurl"="REG_SZ", "" "utm_campaign"="REG_SZ", "wadsphere3" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "8979da6b" "utm_source"="REG_SZ", "wadsphere3" "x-at"="REG_SZ", "1588" "x-context"="REG_SZ", "4fd54e00-6fa2-11e8-bfb5-6d2904807861" "x-datetime"="REG_SZ", "06-15-2018 06:42:17 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "90_145_230_242" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\AutoClean~Pro~2018 for {computername}\2.2.0.0] "Installstring"="REG_SZ", "C:\Program Files\AutoClean~Pro~2018 for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/15/18 Scan Time: 8:49 AM Log File: 4f270ec2-7068-11e8-b181-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5494 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238728 Threats Detected: 68 Threats Quarantined: 68 Time Elapsed: 2 min, 59 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\mysysm.exe, Quarantined, [3477], [512996],1.0.5494 Module: 6 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\x64\SQLite.Interop.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\mysysm.exe, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\System.Data.SQLite.DLL, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\TAFactory.IconPack.dll, Quarantined, [3477], [512996],1.0.5494 Registry Key: 9 PUP.Optional.CleanPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AutoClean~Pro~2018_Logon, Quarantined, [809], [507376],1.0.5494 PUP.Optional.CleanPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{474C078E-648E-4649-AF72-C925FC5387A1}, Quarantined, [809], [507376],1.0.5494 PUP.Optional.CleanPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{474C078E-648E-4649-AF72-C925FC5387A1}, Quarantined, [809], [507376],1.0.5494 PUP.Optional.AutoCleanPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{1166F93A-6814-4AA6-8932-202AA1D8EF1F}_is1, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, HKCU\SOFTWARE\AutoClean~Pro~2018 for {computername}, Quarantined, [3477], [513002],1.0.5494 PUP.Optional.AutoCleanPro, HKLM\SOFTWARE\AutoClean~Pro~2018 For {computername}, Quarantined, [3477], [513001],1.0.5494 PUP.Optional.PCFixerPro, HKLM\SOFTWARE\MICROSOFT\TRACING\mysysm_RASAPI32, Quarantined, [1269], [501684],1.0.5494 PUP.Optional.PCFixerPro, HKLM\SOFTWARE\MICROSOFT\TRACING\mysysm_RASMANCS, Quarantined, [1269], [501684],1.0.5494 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR, Quarantined, [1109], [484510],1.0.5494 Registry Value: 3 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1109], [484510],1.0.5494 PUP.Optional.CleanPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{474C078E-648E-4649-AF72-C925FC5387A1}|PATH, Quarantined, [809], [507377],1.0.5494 PUP.Optional.CleanPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{1166F93A-6814-4AA6-8932-202AA1D8EF1F}_is1|DISPLAYNAME, Quarantined, [809], [507375],1.0.5494 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.AutoCleanPro, C:\Users\{username}\AppData\Roaming\AutoClean~Pro~2018 For {computername}\smico, Quarantined, [3477], [512999],1.0.5494 PUP.Optional.AutoCleanPro, C:\USERS\{username}\APPDATA\ROAMING\AutoClean~Pro~2018 For {computername}, Quarantined, [3477], [512999],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\x64, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\x86, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\PROGRAM FILES\AutoClean~Pro~2018 for {computername}, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\PROGRAMDATA\AutoClean~Pro~2018 for {computername}, Quarantined, [3477], [507601],1.0.5494 PUP.Optional.AutoCleanPro, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\AutoClean~Pro~2018 for {computername}, Quarantined, [3477], [512997],1.0.5494 File: 42 PUP.Optional.CleanPCPro, C:\WINDOWS\SYSTEM32\TASKS\AutoClean~Pro~2018_Logon, Quarantined, [809], [507376],1.0.5494 PUP.Optional.AutoCleanPro, C:\USERS\{username}\APPDATA\ROAMING\AutoClean~Pro~2018 For {computername}\Errorlog.txt, Quarantined, [3477], [512999],1.0.5494 PUP.Optional.AutoCleanPro, C:\Users\{username}\AppData\Roaming\AutoClean~Pro~2018 For {computername}\exlist.bin, Quarantined, [3477], [512999],1.0.5494 PUP.Optional.AutoCleanPro, C:\Users\{username}\AppData\Roaming\AutoClean~Pro~2018 For {computername}\param.ini, Quarantined, [3477], [512999],1.0.5494 PUP.Optional.AutoCleanPro, C:\Users\{username}\AppData\Roaming\AutoClean~Pro~2018 For {computername}\res.xml, Quarantined, [3477], [512999],1.0.5494 PUP.Optional.AutoCleanPro, C:\PROGRAM FILES\AutoClean~Pro~2018 for {computername}\unins000.dat, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\x64\SQLite.Interop.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\x86\SQLite.Interop.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\italian_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\application.ico, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\danish_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\Dutch_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\english_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\finish_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\French_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\german_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\gtcmg.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\HtmlRenderer.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\japanese_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\langs.db, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\mysysm.exe, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\mysysm.exe.config, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\NAudio.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\norwegian_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\portuguese_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\russian_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\spanish_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\swedish_iss.ini, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\System.Data.SQLite.DLL, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\TAFactory.IconPack.dll, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\unins000.exe, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\Program Files\AutoClean~Pro~2018 for {computername}\unins000.msg, Quarantined, [3477], [512996],1.0.5494 PUP.Optional.AutoCleanPro, C:\PROGRAMDATA\AutoClean~Pro~2018 for {computername}\mdb.db, Quarantined, [3477], [507601],1.0.5494 PUP.Optional.AutoCleanPro, C:\ProgramData\AutoClean~Pro~2018 for {computername}\pcspstartrepair_en.mp3, Quarantined, [3477], [507601],1.0.5494 PUP.Optional.AutoCleanPro, C:\USERS\PUBLIC\DESKTOP\AutoClean~Pro~2018.lnk, Quarantined, [3477], [513000],1.0.5494 PUP.Optional.AutoCleanPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoClean~Pro~2018 for {computername}\AutoClean~Pro~2018.lnk, Quarantined, [3477], [512997],1.0.5494 PUP.Optional.AutoCleanPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoClean~Pro~2018 for {computername}\Buy AutoClean~Pro~2018.lnk, Quarantined, [3477], [512997],1.0.5494 PUP.Optional.AutoCleanPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoClean~Pro~2018 for {computername}\Uninstall AutoClean~Pro~2018.lnk, Quarantined, [3477], [512997],1.0.5494 PUP.Optional.AutoCleanPro, C:\USERS\{username}\DESKTOP\ACPSETUP.EXE, Quarantined, [3477], [513003],1.0.5494 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Play N Start?The Malwarebytes research team has determined that Play N Start is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.How do I know if my computer is affected by Play N Start?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and you will see this icon in your Chrome menu bar:and this changed setting:How did Play N Start get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded through their website:that redirected us to the webstore:How do I remove Play N Start?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Play N Start? No, Malwarebytes removes Play N Start completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Play N Start hijacker. It would have blocked their site: Technical details for expertsPossible signs in FRST logs: CHR Extension: (Play N Start) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec [2018-06-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0 Adds the file index.html"="5/3/2018 7:32 AM, 4382 bytes, A Adds the file manifest.json"="6/14/2018 11:19 AM, 1212 bytes, A Adds the file privacy-policy.txt"="5/3/2018 7:32 AM, 6650 bytes, A Adds the file terms.txt"="5/3/2018 7:32 AM, 9833 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\_metadata Adds the file computed_hashes.json"="6/14/2018 11:19 AM, 7067 bytes, A Adds the file verified_contents.json"="5/3/2018 11:30 AM, 4229 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\css Adds the file style.css"="4/23/2018 12:06 PM, 2065 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\icons Adds the file amazon.png"="4/23/2018 12:06 PM, 2395 bytes, A Adds the file ebay.png"="4/23/2018 12:06 PM, 2510 bytes, A Adds the file facebook.png"="4/23/2018 12:06 PM, 1858 bytes, A Adds the file instagram.png"="4/23/2018 12:06 PM, 2262 bytes, A Adds the file linkedin.png"="4/23/2018 12:06 PM, 2006 bytes, A Adds the file pinterest.png"="4/23/2018 12:06 PM, 2728 bytes, A Adds the file twitter.png"="4/23/2018 12:06 PM, 2159 bytes, A Adds the file yahoo.png"="4/23/2018 12:06 PM, 2222 bytes, A Adds the file youtube.png"="4/23/2018 12:06 PM, 2298 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\imgs Adds the file icon128.png"="6/14/2018 11:19 AM, 16102 bytes, A Adds the file icon16.png"="6/14/2018 11:19 AM, 877 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\js Adds the file ac.js"="5/3/2018 7:32 AM, 2456 bytes, A Adds the file loader.js"="5/3/2018 7:32 AM, 5268 bytes, A Adds the file new_tab.js"="5/3/2018 7:32 AM, 2687 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\js\official Adds the file bootstrap.min.js"="4/23/2018 12:06 PM, 35601 bytes, A Adds the file jquery.min.js"="4/23/2018 12:06 PM, 93099 bytes, A Adds the file jqueryui.min.js"="4/23/2018 12:06 PM, 228002 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\vertical Adds the file icon_games.png"="4/23/2018 12:06 PM, 4093 bytes, A Adds the file icon_movies.png"="4/23/2018 12:06 PM, 3348 bytes, A Adds the file icon_music.png"="4/23/2018 12:06 PM, 3785 bytes, A Adds the file icon_tvsport.png"="4/24/2018 2:22 PM, 23993 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ccobcdnclejmeiiomfcpfjlmmdflleec"="REG_SZ", "A482AAF76718831881A5F31F7CD66ADBC369274851E28A8CED77B1574E011386" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/14/18 Scan Time: 11:28 AM Log File: 414250b8-6fb5-11e8-b181-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5476 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238576 Threats Detected: 39 Threats Quarantined: 39 Time Elapsed: 2 min, 45 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\js\official, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\_metadata, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\vertical, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\icons, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\imgs, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\css, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\js, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CCOBCDNCLEJMEIIOMFCPFJLMMDFLLEEC, Quarantined, [14268], [526129],1.0.5476 File: 30 PUP.Optional.PlayNSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CCOBCDNCLEJMEIIOMFCPFJLMMDFLLEEC\1.0.1_0\PRIVACY-POLICY.TXT, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\css\style.css, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\icons\amazon.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\icons\ebay.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\icons\facebook.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\icons\instagram.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\icons\linkedin.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\icons\pinterest.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\icons\twitter.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\icons\yahoo.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\icons\youtube.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\imgs\icon128.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\imgs\icon16.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\js\official\bootstrap.min.js, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\js\official\jquery.min.js, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\js\official\jqueryui.min.js, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\js\ac.js, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\js\loader.js, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\js\new_tab.js, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\vertical\icon_games.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\vertical\icon_movies.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\vertical\icon_music.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\vertical\icon_tvsport.png, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\_metadata\computed_hashes.json, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\_metadata\verified_contents.json, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\index.html, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\manifest.json, Quarantined, [14268], [526129],1.0.5476 PUP.Optional.PlayNSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccobcdnclejmeiiomfcpfjlmmdflleec\1.0.1_0\terms.txt, Quarantined, [14268], [526129],1.0.5476 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Google Image Downloader?The Malwarebytes research team has determined that Google Image Downloader is a clicker and forced Chrome extension.How do I know if my computer is affected by Google Image Downloader?You may see these warnings during install:You would see this entry in your list of installed Chrome extensions:How did Google Image Downloader get on my computer?Forced extensions use a typical method for distributing themselves. This particular one was also available in the webstore.How do I remove Google Image Downloader?Our program Malwarebytes can detect and remove this unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Google Image Downloader? No, Malwarebytes removes Google Image Downloader completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this forced extension.We protect our customers from these extensions by blocking the sites that spread them.Technical details for expertsPossible signs in FRST logs: CHR Extension: (Google Image Downloader) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon [2018-06-13] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0 Adds the file background.html"="5/25/2018 3:48 PM, 1058 bytes, A Adds the file background.js"="5/24/2018 4:30 PM, 62 bytes, A Adds the file manifest.json"="6/13/2018 10:57 AM, 1397 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\_metadata Adds the file computed_hashes.json"="6/13/2018 10:57 AM, 7030 bytes, A Adds the file verified_contents.json"="5/24/2018 6:06 PM, 2697 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\content Adds the file content.css"="5/24/2018 4:26 PM, 480 bytes, A Adds the file content.js"="5/24/2018 4:52 PM, 5563 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\icons Adds the file icon128.png"="6/13/2018 10:57 AM, 3378 bytes, A Adds the file icon16.png"="6/13/2018 10:57 AM, 388 bytes, A Adds the file icon256.png"="6/13/2018 10:57 AM, 6936 bytes, A Adds the file icon48.png"="6/13/2018 10:57 AM, 1299 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\lib Adds the file bootstrap.min.css"="5/24/2018 4:26 PM, 121200 bytes, A Adds the file bootstrap.min.js"="5/24/2018 4:26 PM, 37045 bytes, A Adds the file jquery-3.2.1.min.js"="5/24/2018 4:26 PM, 86659 bytes, A Adds the file vue.js"="5/24/2018 4:03 PM, 289714 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "anofmddinlmfgfjflpmjicidjdnddbon"="REG_SZ", "C6D370B5752A665F634B65FD020690F8996F7FBA92020250A23AE88846019966" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/13/18 Scan Time: 2:35 PM Log File: 40a03ee1-6f06-11e8-9c26-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5464 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238650 Threats Detected: 23 Threats Quarantined: 23 Time Elapsed: 2 min, 41 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\_metadata, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\content, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\icons, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\lib, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ANOFMDDINLMFGFJFLPMJICIDJDNDDBON, Quarantined, [845], [531026],1.0.5464 File: 17 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\content\content.css, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\content\content.js, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\icons\icon128.png, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\icons\icon16.png, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\icons\icon256.png, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\icons\icon48.png, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\lib\bootstrap.min.css, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\lib\bootstrap.min.js, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\lib\jquery-3.2.1.min.js, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\lib\vue.js, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\_metadata\computed_hashes.json, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\_metadata\verified_contents.json, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\background.html, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\background.js, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anofmddinlmfgfjflpmjicidjdnddbon\1.0_0\manifest.json, Quarantined, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [845], [531026],1.0.5464 Rogue.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [845], [531026],1.0.5464 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is FreeForms?The Malwarebytes research team has determined that FreeForms is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.FreeForms is a member of the Spigot family as described in the blogpost Spigot browser hijackers.How do I know if my computer is affected by FreeForms?You may see this Firefox add-on:and this new default search provider:You may see this entry in your list of installed software:these warnings during install:and this new startpage in the affected browser(s):How did FreeForms get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.How do I remove FreeForms?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of FreeForms? No, Malwarebytes removes FreeForms completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the FreeForms hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domains.Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hfreeforms.co/?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id} SearchScopes: HKCU -> DefaultScope {3BA6366D-96C9-451C-A641-A3C681E326A8} URL = hxxp://search.hfreeforms.co/s?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}&query={searchTerms} SearchScopes: HKCU -> {3BA6366D-96C9-451C-A641-A3C681E326A8} URL = hxxp://search.hfreeforms.co/s?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}&query={searchTerms} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\web@Forms.xpi [2018-06-12] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Free Forms (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.4.0.3 - SpringTech Ltd.) Changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="6/12/2018 11:53 AM, 320256 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\web@Forms Adds the file storage.js"="6/12/2018 11:49 AM, 320 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file web@Forms.xpi"="6/12/2018 11:49 AM, 9398 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.hfreeforms.co/?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{3BA6366D-96C9-451C-A641-A3C681E326A8}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BA6366D-96C9-451C-A641-A3C681E326A8}] "DisplayName"="REG_SZ", "Free Forms - Powered by Yahoo!" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.hfreeforms.co/s?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Free Forms" "DisplayVersion"="REG_SZ", "4.4.0.3" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "SpringTech Ltd." "UninstallDialog"="REG_DWORD", 2 "UninstallEngineID"="REG_SZ", "{3BA6366D-96C9-451C-A641-A3C681E326A8}" "UninstallHomepage"="REG_SZ", "http://search.hfreeforms.co/?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}" "UninstallImpression"="REG_SZ", "http://www.springdwnld2.com/impression.do?domain=hfreeforms.co&implementation_id=forms_spt__1.30&offer_id=_iei_&source={source}&sub_id=20180612&traffic_source=appfocus1&user_id={user-id}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1528796599&sgn=10cfe64824d0d4bf9a06f9337e638e5e792f1673&subid2=11.0.9600.19002&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/12/18 Scan Time: 12:02 PM Log File: b388d550-6e27-11e8-9c44-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5448 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238620 Threats Detected: 8 Threats Quarantined: 8 Time Elapsed: 4 min, 13 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [172], [373879],1.0.5448 Registry Value: 0 (No malicious items detected) Registry Data: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [225], [530202],1.0.5448 Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [172], [373878],1.0.5448 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@FORMS, Quarantined, [1682], [508613],1.0.5448 File: 4 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\WEB@FORMS.XPI, Quarantined, [1682], [511643],1.0.5448 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [172], [373878],1.0.5448 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@FORMS\STORAGE.JS, Quarantined, [1682], [508613],1.0.5448 PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\FREEFORMS-73519.EXE, Quarantined, [172], [490686],1.0.5448 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Private Searching?The Malwarebytes research team has determined that Private Searching is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.How do I know if my computer is affected by Private Searching?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and you will see these warnings after the installation:How did Private Searching get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was offered as a privacy tool.How do I remove Private Searching?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Private Searching? No, Malwarebytes removes Private Searching completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Private Searching hijacker. It would have blocked the site promoting the extension and the search site it hijacks to:Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://private.securesearches.net/search/?category=web&s=73pr&q={searchTerms} CHR DefaultSearchKeyword: Default -> Private Searching CHR DefaultSuggestURL: Default -> hxxp://sug.securesearches.net/search/index_sg.php?q={searchTerms} CHR Extension: (Private Searching) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd [2018-06-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0 Adds the file app.js"="6/3/2018 10:02 AM, 8860 bytes, A Adds the file index.html"="6/3/2018 10:02 AM, 2257 bytes, A Adds the file jquery.min.js"="4/23/2018 12:06 PM, 85656 bytes, A Adds the file manifest.json"="6/11/2018 11:08 AM, 2006 bytes, A Adds the file plus_js.js"="6/3/2018 10:02 AM, 2449 bytes, A Adds the file policy.txt"="6/3/2018 10:02 AM, 6669 bytes, A Adds the file style.css"="6/3/2018 10:02 AM, 3237 bytes, A Adds the file terms-of-use.txt"="6/3/2018 10:02 AM, 9850 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\_metadata Adds the file computed_hashes.json"="6/11/2018 11:08 AM, 4901 bytes, A Adds the file verified_contents.json"="6/3/2018 1:07 PM, 3731 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images Adds the file dislike.png"="5/28/2018 12:44 PM, 1151 bytes, A Adds the file icon128.png"="6/11/2018 11:08 AM, 11242 bytes, A Adds the file icon16.png"="6/11/2018 11:08 AM, 813 bytes, A Adds the file icon38.png"="6/3/2018 10:01 AM, 5404 bytes, A Adds the file like.png"="5/28/2018 12:44 PM, 1108 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\rateshare Adds the file close.png"="4/23/2018 12:06 PM, 1920 bytes, A Adds the file rate.jpg"="4/23/2018 12:06 PM, 102155 bytes, A Adds the file rate1.png"="4/23/2018 12:06 PM, 12334 bytes, A Adds the file share.jpg"="4/23/2018 12:06 PM, 17633 bytes, A Adds the file share1.png"="4/23/2018 12:06 PM, 4466 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\ty Adds the file ty.css"="4/23/2018 12:06 PM, 3175 bytes, A Adds the file ty.html"="6/3/2018 10:02 AM, 846 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\ty\images Adds the file bar.png"="6/3/2018 10:02 AM, 5757 bytes, A Adds the file incognito.png"="4/23/2018 12:06 PM, 1689 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ejbcicfkoiegmgdpgionplonkcjlcgpd"="REG_SZ", "F4EF7702B402D6FC4FA3C334186B4A4044BB2F227DC14CBFAA4354BC8D46F3BD" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/11/18 Scan Time: 11:17 AM Log File: 40d68bdb-6d58-11e8-840f-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5432 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238711 Threats Detected: 33 Threats Quarantined: 33 Time Elapsed: 3 min, 28 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\rateshare, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\ty\images, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\_metadata, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\ty, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EJBCICFKOIEGMGDPGIONPLONKCJLCGPD, Quarantined, [14331], [526133],1.0.5432 File: 26 PUP.Optional.SearchComplete.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EJBCICFKOIEGMGDPGIONPLONKCJLCGPD\1.0.1_0\MANIFEST.JSON, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\rateshare\close.png, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\rateshare\rate.jpg, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\rateshare\rate1.png, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\rateshare\share.jpg, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\rateshare\share1.png, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\dislike.png, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\icon128.png, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\icon16.png, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\icon38.png, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\images\like.png, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\ty\images\bar.png, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\ty\images\incognito.png, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\ty\ty.css, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\ty\ty.html, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\_metadata\computed_hashes.json, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\_metadata\verified_contents.json, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\app.js, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\index.html, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\jquery.min.js, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\plus_js.js, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\policy.txt, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\style.css, Quarantined, [14331], [526133],1.0.5432 PUP.Optional.SearchComplete.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbcicfkoiegmgdpgionplonkcjlcgpd\1.0.1_0\terms-of-use.txt, Quarantined, [14331], [526133],1.0.5432 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is FilmFanatic?The Malwarebytes research team has determined that FilmFanatic is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.FilmFanatic is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by FilmFanatic?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did FilmFanatic get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove FilmFanatic?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of FilmFanatic? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the FilmFanatic entry and confirm Removein the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the FilmFanatic hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/filmfanatic/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_paMembers_@www.filmfanatic.com.xpi [2018-06-08] CHR Extension: (FilmFanatic) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim [2018-06-08] C:\Users\{username}\AppData\Local\FilmFanaticTooltab FilmFanatic Internet Explorer Homepage and New Tab (HKCU\...\FilmFanaticTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\FilmFanaticTooltab Adds the file TooltabExtension.dll"="5/18/2018 1:07 AM, 273008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0 Adds the file manifest.json"="6/8/2018 1:06 PM, 2577 bytes, A Adds the file newtabproduct.html"="4/7/2018 1:22 AM, 1136 bytes, A Adds the file stubby.html"="4/7/2018 1:22 AM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\_metadata Adds the file computed_hashes.json"="6/8/2018 1:06 PM, 4096 bytes, A Adds the file verified_contents.json"="4/7/2018 1:22 AM, 4877 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\config Adds the file config.json"="4/7/2018 1:22 AM, 1725 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons Adds the file icon128.png"="6/8/2018 1:06 PM, 8895 bytes, A Adds the file icon16.png"="4/7/2018 1:22 AM, 1476 bytes, A Adds the file icon19disabled.png"="4/7/2018 1:22 AM, 1256 bytes, A Adds the file icon19on.png"="6/8/2018 1:06 PM, 484 bytes, A Adds the file icon48.png"="6/8/2018 1:06 PM, 2461 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js Adds the file ajax.js"="4/7/2018 1:22 AM, 2250 bytes, A Adds the file background.js"="4/7/2018 1:22 AM, 21002 bytes, A Adds the file chrome.js"="4/7/2018 1:22 AM, 180 bytes, A Adds the file content_script.js"="4/7/2018 1:22 AM, 5815 bytes, A Adds the file dlp.js"="4/7/2018 1:22 AM, 5690 bytes, A Adds the file dlpHelper.js"="4/7/2018 1:22 AM, 1836 bytes, A Adds the file extension_detect.js"="4/7/2018 1:22 AM, 4343 bytes, A Adds the file genericLoadRemoteSettings.js"="4/7/2018 1:22 AM, 2908 bytes, A Adds the file index.js"="4/7/2018 1:22 AM, 82 bytes, A Adds the file initOfferCEF.js"="4/7/2018 1:22 AM, 8842 bytes, A Adds the file logger.js"="4/7/2018 1:22 AM, 575 bytes, A Adds the file offerService.js"="4/7/2018 1:22 AM, 13159 bytes, A Adds the file pageUtils.js"="4/7/2018 1:22 AM, 1811 bytes, A Adds the file PartnerId.js"="4/7/2018 1:22 AM, 16439 bytes, A Adds the file product.js"="4/7/2018 1:22 AM, 4511 bytes, A Adds the file storage.js"="4/7/2018 1:22 AM, 1675 bytes, A Adds the file TabManager.js"="4/7/2018 1:22 AM, 189 bytes, A Adds the file TemplateParser.js"="4/7/2018 1:22 AM, 3080 bytes, A Adds the file ul.js"="4/7/2018 1:22 AM, 3862 bytes, A Adds the file urlFragmentActions.js"="4/7/2018 1:22 AM, 2521 bytes, A Adds the file urlUtils.js"="4/7/2018 1:22 AM, 5385 bytes, A Adds the file util.js"="4/7/2018 1:22 AM, 3235 bytes, A Adds the file webtooltabAPI.js"="4/7/2018 1:22 AM, 8762 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim Adds the file 000003.log"="6/8/2018 1:13 PM, 4769 bytes, A Adds the file CURRENT"="6/8/2018 1:06 PM, 16 bytes, A Adds the file LOCK"="6/8/2018 1:06 PM, 0 bytes, A Adds the file LOG"="6/8/2018 1:12 PM, 412 bytes, A Adds the file LOG.old"="6/8/2018 1:06 PM, 185 bytes, A Adds the file MANIFEST-000001"="6/8/2018 1:06 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_paMembers_@www.filmfanatic.com Adds the file storage.js"="6/8/2018 1:12 PM, 2307 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _paMembers_@www.filmfanatic.com.xpi"="6/8/2018 1:07 PM, 53941 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\FilmFanatic] "Start Page"="REG_SZ", "http://hp.myway.com/filmfanatic/ttab02/index.html?n={n}&p2=^Z1^mni000^TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3Fc%3D{ptb}%26ptb%3DTTAB02" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "igceeampmlmiikgbceecfkfdeeeehoim"="REG_SZ", "7CCD9F2E28F5A28FE8A816170FFAB5BA2E1BC0872CA9CC9C02A26E589A47DF78" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/filmfanatic/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FilmFanaticTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "FilmFanatic Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\FilmFanaticTooltab\TooltabExtension.dll" U uninstall:FilmFanatic" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/8/18 Scan Time: 1:21 PM Log File: 0e298a8a-6b0e-11e8-9338-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5402 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238776 Threats Detected: 61 Threats Quarantined: 61 Time Elapsed: 2 min, 37 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FilmFanaticTooltab\TooltabExtension.dll, Quarantined, [1683], [356944],1.0.5402 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FilmFanaticTooltab Uninstall Internet Explorer, Quarantined, [1683], [356944],1.0.5402 PUP.Optional.MindSpark, HKCU\SOFTWARE\FilmFanatic, Quarantined, [532], [240576],1.0.5402 Registry Value: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\FilmFanatic|START PAGE, Quarantined, [1683], [444113],1.0.5402 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FilmFanaticTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [532], [352442],1.0.5402 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [532], [293497],1.0.5402 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FilmFanaticTooltab, Quarantined, [1683], [356944],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_paMembers_@www.filmfanatic.com, Quarantined, [1683], [468075],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\_metadata, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\config, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IGCEEAMPMLMIIKGBCEECFKFDEEEEHOIM, Quarantined, [1683], [467555],1.0.5402 File: 46 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FilmFanaticTooltab\TooltabExtension.dll, Quarantined, [1683], [356944],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_paMembers_@www.filmfanatic.com.xpi, Quarantined, [1683], [457930],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_paMembers_@www.filmfanatic.com\storage.js, Quarantined, [1683], [468075],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\000003.log, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\CURRENT, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\LOCK, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\LOG, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\LOG.old, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\MANIFEST-000001, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IGCEEAMPMLMIIKGBCEECFKFDEEEEHOIM\13.611.13.2756_0\MANIFEST.JSON, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\config\config.json, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons\icon128.png, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons\icon16.png, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons\icon19disabled.png, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons\icon19on.png, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons\icon48.png, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\ajax.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\background.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\chrome.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\content_script.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\dlp.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\dlpHelper.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\extension_detect.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\genericLoadRemoteSettings.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\index.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\initOfferCEF.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\logger.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\offerService.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\pageUtils.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\PartnerId.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\product.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\storage.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\TabManager.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\TemplateParser.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\ul.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\urlFragmentActions.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\urlUtils.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\util.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\webtooltabAPI.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\_metadata\computed_hashes.json, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\_metadata\verified_contents.json, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\newtabproduct.html, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\stubby.html, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\FILMFANATIC.EXE, Quarantined, [532], [365288],1.0.5402 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is GIMage Downloader?The Malwarebytes research team has determined that GIMage Downloader is a clicker and forced Chrome extension.How do I know if my computer is affected by GIMage Downloader?You may see these warnings during install:and see this entry in your list of installed Chrome extensions:After the install you may see sponsored ads added to your search results marked like this:How did GIMage Downloader get on my computer?Forced extensions use a typical method for distributing themselves. This particular one was also available in the webstore.How do I remove GIMage Downloader?Our program Malwarebytes can detect and remove this unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of GIMage Downloader? No, Malwarebytes removes GIMage Downloader completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this forced extension.We protect our customers from these extensions by blocking the sites that spread them:Technical details for expertsPossible signs in FRST logs: CHR Extension: (GImage Downloader) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk [2018-06-07] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0 Adds the file background.html"="5/30/2018 2:55 PM, 1058 bytes, A Adds the file background.js"="5/24/2018 4:30 PM, 62 bytes, A Adds the file manifest.json"="6/7/2018 8:53 AM, 1392 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\_metadata Adds the file computed_hashes.json"="6/7/2018 8:53 AM, 7030 bytes, A Adds the file verified_contents.json"="5/31/2018 1:51 PM, 2700 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\content Adds the file content.css"="5/24/2018 4:26 PM, 480 bytes, A Adds the file content.js"="5/24/2018 4:52 PM, 5563 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\icons Adds the file icon128.png"="6/7/2018 8:53 AM, 3221 bytes, A Adds the file icon16.png"="6/7/2018 8:53 AM, 389 bytes, A Adds the file icon256.png"="6/7/2018 8:53 AM, 6544 bytes, A Adds the file icon48.png"="6/7/2018 8:53 AM, 1212 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\lib Adds the file bootstrap.min.css"="5/24/2018 4:26 PM, 121200 bytes, A Adds the file bootstrap.min.js"="5/24/2018 4:26 PM, 37045 bytes, A Adds the file jquery-3.2.1.min.js"="5/24/2018 4:26 PM, 86659 bytes, A Adds the file vue.js"="5/24/2018 4:03 PM, 289714 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kkifaokjmhkldhhobokehcgafkagjnnk"="REG_SZ", "E2E638F1CD7F6F2D10AD7476988A54D49234AE116955457E6DE5C460D35B324F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/7/18 Scan Time: 9:04 AM Log File: f62b0f47-6a20-11e8-9226-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5386 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238820 Threats Detected: 23 Threats Quarantined: 23 Time Elapsed: 3 min, 26 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\_metadata, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\content, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\icons, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\lib, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\kkifaokjmhkldhhobokehcgafkagjnnk, Quarantined, [845], [527832],1.0.5386 File: 17 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\content\content.css, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\content\content.js, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\icons\icon128.png, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\icons\icon16.png, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\icons\icon256.png, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\icons\icon48.png, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\lib\bootstrap.min.css, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\lib\bootstrap.min.js, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\lib\jquery-3.2.1.min.js, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\lib\vue.js, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\_metadata\computed_hashes.json, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\_metadata\verified_contents.json, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\background.html, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\background.js, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkifaokjmhkldhhobokehcgafkagjnnk\2.0.4_0\manifest.json, Quarantined, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [845], [527832],1.0.5386 Rogue.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [845], [527832],1.0.5386 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Twinkling Stars Background?The Malwarebytes research team has determined that Twinkling Stars Background is adware and a forced Chrome extension.How do I know if my computer is affected by Twinkling Stars Background?You may see these warnings during install:and see this entry in your list of installed Chrome extensions:How did Twinkling Stars Background get on my computer?Forced extensions use a typical method for distributing themselves. This particular one was also available in the webstore:and through their site:How do I remove Twinkling Stars Background?Our program Malwarebytes can detect and remove this unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Twinkling Stars Background? No, Malwarebytes removes Twinkling Stars Background completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this forced extension.We protect our customers from these extensions by blocking the sites that spread them:Technical details for expertsPossible signs in FRST logs: CHR Extension: (Twinkling Stars Background) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk [2018-06-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0 Adds the file background.html"="2/12/2018 3:20 PM, 671 bytes, A Adds the file manifest.json"="6/6/2018 8:51 AM, 1129 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\_metadata Adds the file computed_hashes.json"="6/6/2018 8:51 AM, 5696 bytes, A Adds the file verified_contents.json"="2/27/2018 11:54 AM, 2577 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\assets Adds the file 128.png"="6/6/2018 8:51 AM, 2842 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\css Adds the file option.css"="2/12/2018 3:17 PM, 38 bytes, A Adds the file popup.css"="2/12/2018 3:17 PM, 0 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\html Adds the file popup.html"="2/12/2018 3:17 PM, 438 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\js Adds the file background.bundle.js"="2/27/2018 11:54 AM, 2311 bytes, A Adds the file content.bundle.js"="2/12/2018 3:19 PM, 721 bytes, A Adds the file option.bundle.js"="2/12/2018 3:23 PM, 1415 bytes, A Adds the file popup.bundle.js"="2/12/2018 3:19 PM, 199 bytes, A Adds the file vendor.bundle.js"="2/27/2018 11:53 AM, 224012 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\lib Adds the file easel.js"="2/12/2018 3:24 PM, 179571 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hodokkokcjmacjecbhdffdblnjfpdafk" = REG_SZ, "17575405B139A51B1066522FC8D21A2871D261D1D15E4C23F3751985901CC0C2" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/6/18 Scan Time: 8:36 AM Log File: fbff6341-6953-11e8-a5b1-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5374 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238715 Threats Detected: 24 Threats Quarantined: 24 Time Elapsed: 7 min, 23 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\_metadata, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\assets, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\html, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\css, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\lib, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\js, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HODOKKOKCJMACJECBHDFFDBLNJFPDAFK, Quarantined, [1059], [528314],1.0.5374 File: 16 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\assets\128.png, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\css\option.css, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\css\popup.css, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\html\popup.html, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\js\background.bundle.js, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\js\content.bundle.js, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\js\option.bundle.js, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\js\popup.bundle.js, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\js\vendor.bundle.js, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\lib\easel.js, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\_metadata\computed_hashes.json, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\_metadata\verified_contents.json, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\background.html, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodokkokcjmacjecbhdffdblnjfpdafk\10.4.8_0\manifest.json, Quarantined, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1059], [528314],1.0.5374 Adware.ForcedExtension, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1059], [528314],1.0.5374 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is PdfConverter?The Malwarebytes research team has determined that PdfConverter is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.How do I know if my computer is affected by PdfConverter?You may see these warnings during install:these browser add-ons:and these changed settings:How did PdfConverter get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.How do I remove PdfConverter?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PdfConverter? No, Malwarebytes removes PdfConverter completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the PdfConverter hijacker. It would have blocked the site that installed the extensions. Technical details for expertsPossible signs in FRST logs: FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\pdfconverter-unlisted@mozilla.com.xpi [2018-06-05] CHR DefaultSearchURL: Default -> hxxps://pdfconverter.pro/search.php?query={searchTerms} CHR DefaultSearchKeyword: Default -> keyword.pdfconverter CHR DefaultSuggestURL: Default -> hxxps://pdfconverter.pro/suggest.php?query={searchTerms} CHR Extension: (pdfconverter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd [2018-06-05] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0 Adds the file gulpfile.js"="9/25/2017 4:25 AM, 369 bytes, A Adds the file manifest.json"="6/5/2018 9:11 AM, 2079 bytes, A Adds the file ping.js"="3/14/2018 11:11 AM, 639 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\_metadata Adds the file computed_hashes.json"="6/5/2018 9:11 AM, 173999 bytes, A Adds the file verified_contents.json"="3/15/2018 10:22 AM, 10772 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\css Adds the file font-awesome.min.css"="9/25/2017 4:27 AM, 32426 bytes, A Adds the file newTab.css"="3/5/2018 10:33 AM, 16203 bytes, A Adds the file weather.css"="9/25/2017 4:25 AM, 11571 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\data Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\icomoon Adds the file icomoon.eot"="10/18/2015 4:02 PM, 200628 bytes, A Adds the file icomoon.svg"="10/18/2015 4:02 PM, 652628 bytes, A Adds the file icomoon.ttf"="10/18/2015 4:02 PM, 200464 bytes, A Adds the file icomoon.woff"="10/18/2015 4:02 PM, 200540 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\html Adds the file contact.html"="2/13/2018 2:04 PM, 7702 bytes, A Adds the file eula.html"="2/13/2018 2:04 PM, 40477 bytes, A Adds the file newTab.html"="3/5/2018 11:02 AM, 5924 bytes, A Adds the file privacy.html"="2/13/2018 2:04 PM, 12921 bytes, A Adds the file uninstall.html"="2/13/2018 2:04 PM, 7941 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\apps Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\js Adds the file background.js"="3/14/2018 2:32 PM, 8473 bytes, A Adds the file jquery.min.js"="9/25/2017 4:25 AM, 86663 bytes, A Adds the file newTab.js"="3/14/2018 2:15 PM, 33906 bytes, A Adds the file pdfconverter.js"="3/27/2017 9:21 AM, 452 bytes, A Adds the file tmpl.min.js"="9/25/2017 4:25 AM, 1073 bytes, A Adds the file weatherDataParsers.js"="9/25/2017 4:25 AM, 1844 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\New folder Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\resources\icons Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pgcbamhcnohldmlkbngdagaaabkakfgd Adds the file 000003.log"="6/5/2018 9:12 AM, 157 bytes, A Adds the file CURRENT"="6/5/2018 9:11 AM, 16 bytes, A Adds the file LOCK"="6/5/2018 9:11 AM, 0 bytes, A Adds the file LOG"="6/5/2018 9:12 AM, 185 bytes, A Adds the file MANIFEST-000001"="6/5/2018 9:11 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\pdfconverter-unlisted@mozilla.com Adds the file storage.js"="6/5/2018 9:08 AM, 173 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file pdfconverter-unlisted@mozilla.com.xpi"="6/5/2018 9:08 AM, 2721362 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pgcbamhcnohldmlkbngdagaaabkakfgd"="REG_SZ", "73BD36E54F7DBED55462AF18E22FA56D6A4B308FCF2952466A6D81AE1773AE0C" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/5/18 Scan Time: 8:57 AM Log File: c2043bdd-688d-11e8-a548-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5360 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 240923 Threats Detected: 108 Threats Quarantined: 108 Time Elapsed: 4 min, 59 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 16 PUP.Optional.PDFConverter, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\PDFCONVERTER-UNLISTED@MOZILLA.COM, Quarantined, [309], [521469],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pgcbamhcnohldmlkbngdagaaabkakfgd, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\resources\icons, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\icomoon, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\apps, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\New folder, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\resources, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\_metadata, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\data, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\html, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\css, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\js, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PGCBAMHCNOHLDMLKBNGDAGAAABKAKFGD, Quarantined, [309], [505060],1.0.5360 File: 92 PUP.Optional.Converter, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\PDFCONVERTER-UNLISTED@MOZILLA.COM.XPI, Quarantined, [1693], [521476],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\pdfconverter-unlisted@mozilla.com\storage.js, Quarantined, [309], [521469],1.0.5360 PUP.Optional.PDFConverter, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pgcbamhcnohldmlkbngdagaaabkakfgd\000003.log, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pgcbamhcnohldmlkbngdagaaabkakfgd\CURRENT, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pgcbamhcnohldmlkbngdagaaabkakfgd\LOCK, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pgcbamhcnohldmlkbngdagaaabkakfgd\LOG, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pgcbamhcnohldmlkbngdagaaabkakfgd\LOG.old, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pgcbamhcnohldmlkbngdagaaabkakfgd\MANIFEST-000001, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PGCBAMHCNOHLDMLKBNGDAGAAABKAKFGD\1.0.2_0\MANIFEST.JSON, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\css\font-awesome.min.css, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\css\newTab.css, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\css\weather.css, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\data\background.jpg, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\data\bing.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\data\bing2.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\data\calendar.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\data\google.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\data\google2.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\data\todo.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\data\yahoo.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\data\yahoo2.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\icomoon\icomoon.eot, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\icomoon\icomoon.svg, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\icomoon\icomoon.ttf, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\icomoon\icomoon.woff, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\fontawesome-webfont.eot, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\fontawesome-webfont.svg, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\fontawesome-webfont.ttf, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\fontawesome-webfont.woff, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\fontawesome-webfont.woff2, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\FontAwesome.otf, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\Lato-Bold.ttf, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\Lato-Light.ttf, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\Lato-Regular.ttf, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\OpenSans-Bold.ttf, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\OpenSans-Light.ttf, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\fonts\OpenSans-Regular.ttf, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\html\contact.html, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\html\eula.html, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\html\newTab.html, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\html\privacy.html, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\html\uninstall.html, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\apps\facebook.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\apps\google-drive.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\apps\instagram.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\apps\linkedin.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\apps\pinterest.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\apps\twitter.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\apps\youtube.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\128.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\16.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\32.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\48.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\amazon.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\arrow-bottom.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\arrow-top.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\background.jpg, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\continue.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\ebay.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\fb.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\forrest-cavale-13484.jpg, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\icon-chrome-color.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\im.jpg, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\linkedin.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\logo50x50.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\netflix.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\PHOTO 128X128.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\PHOTO 16X16.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\PHOTO 32X32.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\PHOTO 48X48.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\reddit.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\screen.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\search-frst.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\twitter.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\images\youtube.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\js\background.js, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\js\jquery.min.js, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\js\newTab.js, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\js\pdfconverter.js, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\js\tmpl.min.js, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\js\weatherDataParsers.js, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\resources\icons\128.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\resources\icons\16.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\resources\icons\32.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\resources\icons\48.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\resources\icons\64.png, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\_metadata\computed_hashes.json, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\_metadata\verified_contents.json, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\gulpfile.js, Quarantined, [309], [505060],1.0.5360 PUP.Optional.PDFConverter, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgcbamhcnohldmlkbngdagaaabkakfgd\1.0.2_0\ping.js, Quarantined, [309], [505060],1.0.5360 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is CryptoPriceResearch?The Malwarebytes research team has determined that CryptoPriceResearch is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.CryptoPriceResearch is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by CryptoPriceResearch?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did CryptoPriceResearch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove CryptoPriceResearch?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of CryptoPriceResearch? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the CryptoPriceResearch entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the CryptoPriceResearch hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/cryptopricesearch/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_qlMembers_@free.cryptopricesearch.com.xpi [2018-06-04] CHR Extension: (CryptoPriceSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph [2018-06-04] C:\Users\{username}\AppData\Local\CryptoPriceSearchTooltab (Mindspark Interactive Network, Inc.) C:\Users\{username}\Desktop\cryptopricesearch.exe CryptoPriceSearch Internet Explorer Homepage and New Tab (HKCU\...\CryptoPriceSearchTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\CryptoPriceSearchTooltab Adds the file TooltabExtension.dll"="4/13/2018 11:03 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0 Adds the file manifest.json"="6/4/2018 8:42 AM, 2607 bytes, A Adds the file newtabproduct.html"="4/7/2018 1:10 AM, 1136 bytes, A Adds the file stubby.html"="4/7/2018 1:10 AM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\_metadata Adds the file computed_hashes.json"="6/4/2018 8:42 AM, 4096 bytes, A Adds the file verified_contents.json"="4/7/2018 1:10 AM, 4877 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\config Adds the file config.json"="4/7/2018 1:10 AM, 1782 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons Adds the file icon128.png"="6/4/2018 8:42 AM, 16333 bytes, A Adds the file icon16.png"="4/7/2018 1:10 AM, 1640 bytes, A Adds the file icon19disabled.png"="4/7/2018 1:10 AM, 1787 bytes, A Adds the file icon19on.png"="6/4/2018 8:42 AM, 974 bytes, A Adds the file icon48.png"="6/4/2018 8:42 AM, 4230 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js Adds the file ajax.js"="4/7/2018 1:10 AM, 2250 bytes, A Adds the file background.js"="4/7/2018 1:10 AM, 21002 bytes, A Adds the file chrome.js"="4/7/2018 1:10 AM, 180 bytes, A Adds the file content_script.js"="4/7/2018 1:10 AM, 5815 bytes, A Adds the file dlp.js"="4/7/2018 1:10 AM, 5690 bytes, A Adds the file dlpHelper.js"="4/7/2018 1:10 AM, 1836 bytes, A Adds the file extension_detect.js"="4/7/2018 1:10 AM, 4343 bytes, A Adds the file genericLoadRemoteSettings.js"="4/7/2018 1:10 AM, 2908 bytes, A Adds the file index.js"="4/7/2018 1:10 AM, 82 bytes, A Adds the file initOfferCEF.js"="4/7/2018 1:10 AM, 8842 bytes, A Adds the file logger.js"="4/7/2018 1:10 AM, 575 bytes, A Adds the file offerService.js"="4/7/2018 1:10 AM, 13159 bytes, A Adds the file pageUtils.js"="4/7/2018 1:10 AM, 1811 bytes, A Adds the file PartnerId.js"="4/7/2018 1:10 AM, 16439 bytes, A Adds the file product.js"="4/7/2018 1:10 AM, 4511 bytes, A Adds the file storage.js"="4/7/2018 1:10 AM, 1675 bytes, A Adds the file TabManager.js"="4/7/2018 1:10 AM, 189 bytes, A Adds the file TemplateParser.js"="4/7/2018 1:10 AM, 3080 bytes, A Adds the file ul.js"="4/7/2018 1:10 AM, 3862 bytes, A Adds the file urlFragmentActions.js"="4/7/2018 1:10 AM, 2521 bytes, A Adds the file urlUtils.js"="4/7/2018 1:10 AM, 5385 bytes, A Adds the file util.js"="4/7/2018 1:10 AM, 3235 bytes, A Adds the file webtooltabAPI.js"="4/7/2018 1:10 AM, 8762 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_qlMembers_@free.cryptopricesearch.com Adds the file storage.js"="6/4/2018 8:43 AM, 2460 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _qlMembers_@free.cryptopricesearch.com.xpi"="6/4/2018 8:39 AM, 64468 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\CryptoPriceSearch] "Start Page"="REG_SZ", "http://hp.myway.com/cryptopricesearch/ttab02/index.html?n={n1}&p2=^CXO^mni000^TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3Fc%3D{ptb}%26ptb%3DTTAB02" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kjpnaeadmoccngapfbecpnllbcefklph"="REG_SZ", "A6C07D2817C6DAD3F28F7194DB912BDDBB0DFACE13E515F1CE5DE180AA5A385F" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/cryptopricesearch/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CryptoPriceSearchTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "CryptoPriceSearch Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\CryptoPriceSearchTooltab\TooltabExtension.dll" U uninstall:CryptoPriceSearch" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/4/18 Scan Time: 8:49 AM Log File: 7f4ef857-67c3-11e8-a7d3-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5350 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 240986 Threats Detected: 61 Threats Quarantined: 61 Time Elapsed: 3 min, 18 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CryptoPriceSearchTooltab\TooltabExtension.dll, Quarantined, [1694], [356944],1.0.5350 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CryptoPriceSearchTooltab Uninstall Internet Explorer, Quarantined, [1694], [356944],1.0.5350 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\CryptoPriceSearch, Quarantined, [1694], [444113],1.0.5350 Registry Value: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CryptoPriceSearchTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [531], [352442],1.0.5350 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\CryptoPriceSearch|START PAGE, Quarantined, [1694], [444113],1.0.5350 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [531], [293497],1.0.5350 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CryptoPriceSearchTooltab, Quarantined, [1694], [356944],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_qlMembers_@free.cryptopricesearch.com, Quarantined, [1694], [468075],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\_metadata, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\config, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KJPNAEADMOCCNGAPFBECPNLLBCEFKLPH, Quarantined, [1694], [456843],1.0.5350 File: 46 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CryptoPriceSearchTooltab\TooltabExtension.dll, Quarantined, [1694], [356944],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_qlMembers_@free.cryptopricesearch.com.xpi, Quarantined, [1694], [457930],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_qlMembers_@free.cryptopricesearch.com\storage.js, Quarantined, [1694], [468075],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\000003.log, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\CURRENT, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\LOCK, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\LOG, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\LOG.old, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\MANIFEST-000001, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KJPNAEADMOCCNGAPFBECPNLLBCEFKLPH\13.611.13.2691_0\MANIFEST.JSON, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\config\config.json, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons\icon128.png, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons\icon16.png, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons\icon19disabled.png, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons\icon19on.png, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons\icon48.png, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\ajax.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\background.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\chrome.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\content_script.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\dlp.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\dlpHelper.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\extension_detect.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\genericLoadRemoteSettings.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\index.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\initOfferCEF.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\logger.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\offerService.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\pageUtils.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\PartnerId.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\product.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\storage.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\TabManager.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\TemplateParser.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\ul.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\urlFragmentActions.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\urlUtils.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\util.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\webtooltabAPI.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\_metadata\computed_hashes.json, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\_metadata\verified_contents.json, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\newtabproduct.html, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\stubby.html, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\CRYPTOPRICESEARCH.EXE, Quarantined, [531], [365288],1.0.5350 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Safest Way To Search?The Malwarebytes research team has determined that Safest Way To Search is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.How do I know if my computer is affected by Safest Way To Search?You may see this Chrome extension in your list of installed extensions:and these warnings during install:this new startpage:and you will see this icon in your Chrome toolbar:How did Safest Way To Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website:but it was also available in the Webstore:How do I remove Safest Way To Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Safest Way To Search? No, Malwarebytes removes Safest Way To Search completely. If your browser was hijacked have a look at our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Safest Way To Search hijacker. It would have blocked the site that installs the extension, giving you a chance to stop it before it became too late.Technical details for expertsPossible signs in FRST logs: CHR HomePage: Default -> search.safestwaytosearch.com CHR DefaultSearchURL: Default -> hxxp://search.safestwaytosearch.com/search?q={searchTerms} CHR DefaultSearchKeyword: Default -> safestwaytosearch.__MSG_url_domain__ CHR Extension: (safestwaytosearch.__MSG_url_domain__) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb [2018-06-01] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0 Adds the file background.js"="10/30/2017 3:25 PM, 210 bytes, A Adds the file manifest.json"="6/1/2018 9:11 AM, 1557 bytes, A Adds the file newtab.html"="10/30/2017 3:23 PM, 381 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\_metadata Adds the file computed_hashes.json"="6/1/2018 9:11 AM, 603 bytes, A Adds the file verified_contents.json"="10/30/2017 3:41 PM, 2227 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\images Adds the file favicon.ico"="8/15/2017 2:41 PM, 15086 bytes, A Adds the file icon.png"="7/28/2017 3:21 PM, 580 bytes, A Adds the file icon_128.png"="6/1/2018 9:11 AM, 4074 bytes, A Adds the file icon_16.png"="6/1/2018 9:11 AM, 561 bytes, A Adds the file icon_48.png"="6/1/2018 9:11 AM, 1584 bytes, A Adds the file icon_96.png"="6/1/2018 9:11 AM, 6383 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "anlkjhfjpolioohimghchmploocpohhb"="REG_SZ", "FA984F1E186878FE36BD9F0C2E03A6D80DD0CFE1A01F3AE3BF6E4B142180066D" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/1/18 Scan Time: 9:20 AM Log File: 47688551-656c-11e8-9ef0-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5328 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 240856 Threats Detected: 17 Threats Quarantined: 17 Time Elapsed: 2 min, 41 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\_metadata, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\images, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ANLKJHFJPOLIOOHIMGHCHMPLOOCPOHHB, Quarantined, [14534], [517848],1.0.5328 File: 13 PUP.Optional.SafestWayToSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ANLKJHFJPOLIOOHIMGHCHMPLOOCPOHHB\0.1.6_0\MANIFEST.JSON, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\images\favicon.ico, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\images\icon.png, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\images\icon_128.png, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\images\icon_16.png, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\images\icon_48.png, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\images\icon_96.png, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\_metadata\computed_hashes.json, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\_metadata\verified_contents.json, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\background.js, Quarantined, [14534], [517848],1.0.5328 PUP.Optional.SafestWayToSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\anlkjhfjpolioohimghchmploocpohhb\0.1.6_0\newtab.html, Quarantined, [14534], [517848],1.0.5328 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is Auto Mechanic 2018?The Malwarebytes research team has determined that Auto Mechanic 2018 is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Auto Mechanic 2018?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and these screens during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did Auto Mechanic 2018 get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Auto Mechanic 2018?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Auto Mechanic 2018? No, Malwarebytes removes Auto Mechanic 2018 completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Auto Mechanic 2018 installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () C:\Program Files\Auto~ Mechanic~2018 for {computername}\bpp.exe C:\Users\{username}\AppData\Roaming\Auto~ Mechanic~2018 For {computername} C:\Windows\System32\Tasks\Auto~ Mechanic~2018_Logon C:\Users\Public\Desktop\Auto~ Mechanic~2018.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto~ Mechanic~2018 for {computername} C:\ProgramData\Auto~ Mechanic~2018 for {computername} C:\Program Files\Auto~ Mechanic~2018 for {computername} ( ) C:\Users\{username}\Desktop\aomsetup.exe Auto~ Mechanic~2018 (HKLM\...\{647EA527-0C1A-4096-BBCF-E0CA56AA8B1B}_is1) (Version: 1.0.6.0 - ) Task: {733E01C7-B577-480B-8AA7-05A7AEE2AD75} - System32\Tasks\Auto~ Mechanic~2018_Logon => C:\Program Files\Auto~ Mechanic~2018 for {computername}\bpp.exe [2018-05-16] () () C:\Program Files\Auto~ Mechanic~2018 for {computername}\bpp.exe Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Auto~ Mechanic~2018 for {computername} Adds the file application.ico"="4/12/2018 11:38 AM, 94222 bytes, A Adds the file bpp.exe"="5/16/2018 12:03 PM, 2483640 bytes, A Adds the file bpp.exe.config"="5/16/2018 12:03 PM, 5442 bytes, A Adds the file danish_iss.ini"="5/23/2017 6:31 PM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/23/2017 6:31 PM, 2600 bytes, A Adds the file english_iss.ini"="5/23/2017 6:31 PM, 2256 bytes, A Adds the file finish_iss.ini"="5/23/2017 6:31 PM, 2368 bytes, A Adds the file French_iss.ini"="5/23/2017 6:31 PM, 2792 bytes, A Adds the file german_iss.ini"="5/23/2017 6:31 PM, 2658 bytes, A Adds the file gtcmg.dll"="5/16/2018 12:03 PM, 1803672 bytes, A Adds the file HtmlRenderer.dll"="5/16/2018 12:03 PM, 228248 bytes, A Adds the file HtmlRenderer.WinForms.dll"="5/16/2018 12:03 PM, 66968 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="5/16/2018 12:03 PM, 55704 bytes, A Adds the file italian_iss.ini"="5/23/2017 6:31 PM, 2532 bytes, A Adds the file japanese_iss.ini"="5/23/2017 6:32 PM, 1844 bytes, A Adds the file langs.db"="2/6/2018 4:13 PM, 446464 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="5/16/2018 12:03 PM, 177560 bytes, A Adds the file NAudio.dll"="5/16/2018 12:03 PM, 477592 bytes, A Adds the file norwegian_iss.ini"="5/23/2017 6:32 PM, 2358 bytes, A Adds the file portuguese_iss.ini"="5/23/2017 6:32 PM, 2424 bytes, A Adds the file russian_iss.ini"="5/23/2017 6:32 PM, 2494 bytes, A Adds the file spanish_iss.ini"="5/23/2017 6:32 PM, 2548 bytes, A Adds the file swedish_iss.ini"="5/23/2017 6:32 PM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="5/16/2018 12:03 PM, 297368 bytes, A Adds the file TAFactory.IconPack.dll"="5/16/2018 12:03 PM, 43416 bytes, A Adds the file unins000.dat"="5/31/2018 8:42 AM, 83947 bytes, A Adds the file unins000.exe"="5/31/2018 8:42 AM, 1273240 bytes, A Adds the file unins000.msg"="5/31/2018 8:42 AM, 22701 bytes, A Adds the folder C:\Program Files\Auto~ Mechanic~2018 for {computername}\x64 Adds the file SQLite.Interop.dll"="5/16/2018 12:03 PM, 1182104 bytes, A Adds the folder C:\Program Files\Auto~ Mechanic~2018 for {computername}\x86 Adds the file SQLite.Interop.dll"="5/16/2018 12:03 PM, 861080 bytes, A Adds the folder C:\ProgramData\Auto~ Mechanic~2018 for {computername} Adds the file mdb.db"="10/3/2017 4:30 PM, 835584 bytes, A Adds the file pcspstartrepair_en.mp3"="3/2/2017 11:05 AM, 130973 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto~ Mechanic~2018 for {computername} Adds the file Auto~ Mechanic~2018.lnk"="5/31/2018 8:42 AM, 995 bytes, A Adds the file Buy Auto~ Mechanic~2018.lnk"="5/31/2018 8:42 AM, 1007 bytes, A Adds the file Uninstall Auto~ Mechanic~2018.lnk"="5/31/2018 8:42 AM, 1026 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Auto~ Mechanic~2018 For {computername} Adds the file Errorlog.txt"="5/31/2018 8:43 AM, 13868 bytes, A Adds the file exlist.bin"="5/31/2018 8:42 AM, 258021 bytes, A Adds the file param.ini"="5/31/2018 8:42 AM, 346 bytes, A Adds the file res.xml"="5/31/2018 8:43 AM, 9049 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Auto~ Mechanic~2018 For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file Auto~ Mechanic~2018.lnk"="5/31/2018 8:42 AM, 977 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Auto~ Mechanic~2018_Logon"="5/31/2018 8:42 AM, 3080 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Auto~ Mechanic~2018 For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.trkinstl.com/install/aom/?" "apst"="REG_DWORD", 0 "btnid"="REG_SZ", "" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "nl" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ......................................................................................................................................................................................................................................................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\Auto~ Mechanic~2018 for {computername}" "ipaddrurl"="REG_SZ", "http://www.trkinstl.com/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "lstregscancount"="REG_DWORD", 22 "lstscandate"="REG_SZ", "5/31/2018 8:43:44 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 22 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.trkinstl.com/ipfiles/" "playsound"="REG_DWORD", 1 "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.pcboostutils.com/aom/price?" "pxl"="REG_SZ", "WAD3009_WAD2940_RUNT" "referurl"="REG_SZ", "" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.pcboostutils.com/aom/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.pcboostutils.com/help/" "TELNO"="REG_SZ", "+31-08-58882839" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "(855)-332-0124" "utm_campaign"="REG_SZ", "wadsphere3" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "8979da6b" "utm_source"="REG_SZ", "wadsphere3" "WebURL"="REG_SZ", "http://www.pcboostutils.com/" "wfoset"="REG_DWORD", 1 "x-at"="REG_SZ", "1588" "x-ccode"="REG_SZ", "nl" "x-context"="REG_SZ", "27819560-5f34-11e8-835b-77521f1bd1b3" "x-datetime"="REG_SZ", "05-31-2018 06:42:31 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "90_145_230_242" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{647EA527-0C1A-4096-BBCF-E0CA56AA8B1B}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Auto~ Mechanic~2018 for {computername}\bpp.exe" "DisplayName"="REG_SZ", "Auto~ Mechanic~2018" "DisplayVersion"="REG_SZ", "1.0.6.0" "EstimatedSize"="REG_DWORD", 12010 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Auto~ Mechanic~2018 for {computername}" "Inno Setup: Icon Group"="REG_SZ", "Auto~ Mechanic~2018 for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20180531" "InstallLocation"="REG_SZ", "C:\Program Files\Auto~ Mechanic~2018 for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Auto~ Mechanic~2018 for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Auto~ Mechanic~2018 for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\QXV0b34gTWVjaGFuaWN+MjAxOA==\ACT] "data"="REG_BINARY, ............................................................................................................................................................................................................................................................................................................................. [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "nl" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WAD3009_WAD2940_RUNT" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "wadsphere3" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "8979da6b" "utm_source"="REG_SZ", "wadsphere3" "x-at"="REG_SZ", "1588" "x-context"="REG_SZ", "27819560-5f34-11e8-835b-77521f1bd1b3" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\Auto~ Mechanic~2018 for {computername}] "btnid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\Auto~ Mechanic~2018 for {computername}" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WAD3009_WAD2940_RUNT" "referurl"="REG_SZ", "" "utm_campaign"="REG_SZ", "wadsphere3" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "8979da6b" "utm_source"="REG_SZ", "wadsphere3" "x-at"="REG_SZ", "1588" "x-context"="REG_SZ", "27819560-5f34-11e8-835b-77521f1bd1b3" "x-datetime"="REG_SZ", "05-31-2018 06:42:31 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "90_145_230_242" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\Auto~ Mechanic~2018 for {computername}\1.0.6.0] "Installstring"="REG_SZ", "C:\Program Files\Auto~ Mechanic~2018 for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/31/18 Scan Time: 8:49 AM Log File: cd242ab1-649e-11e8-b65b-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5316 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 240818 Threats Detected: 65 Threats Quarantined: 65 Time Elapsed: 3 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\bpp.exe, Quarantined, [3499], [526098],1.0.5316 Module: 6 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\x64\SQLite.Interop.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\bpp.exe, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\System.Data.SQLite.DLL, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\TAFactory.IconPack.dll, Quarantined, [3499], [526098],1.0.5316 Registry Key: 7 PUP.Optional.AutoMechanic, HKLM\SOFTWARE\Auto~ Mechanic~2018 For {computername}, Quarantined, [3499], [526103],1.0.5316 PUP.Optional.AutoMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{733E01C7-B577-480B-8AA7-05A7AEE2AD75}, Quarantined, [3499], [526108],1.0.5316 PUP.Optional.AutoMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{733E01C7-B577-480B-8AA7-05A7AEE2AD75}, Quarantined, [3499], [526108],1.0.5316 PUP.Optional.AutoMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Auto~ Mechanic~2018_Logon, Quarantined, [3499], [526108],1.0.5316 PUP.Optional.AutoMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{647EA527-0C1A-4096-BBCF-E0CA56AA8B1B}_is1, Quarantined, [3499], [526105],1.0.5316 PUP.Optional.AutoMechanic, HKCU\SOFTWARE\Auto~ Mechanic~2018 for {computername}, Quarantined, [3499], [526104],1.0.5316 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR, Quarantined, [1113], [484510],1.0.5316 Registry Value: 3 PUP.Optional.AutoMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{647EA527-0C1A-4096-BBCF-E0CA56AA8B1B}_is1|DISPLAYNAME, Quarantined, [3499], [526105],1.0.5316 PUP.Optional.AutoMechanic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{733E01C7-B577-480B-8AA7-05A7AEE2AD75}|PATH, Quarantined, [3499], [526107],1.0.5316 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1113], [484510],1.0.5316 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.AutoMechanic, C:\Users\{username}\AppData\Roaming\Auto~ Mechanic~2018 For {computername}\smico, Quarantined, [3499], [526101],1.0.5316 PUP.Optional.AutoMechanic, C:\USERS\{username}\APPDATA\ROAMING\Auto~ Mechanic~2018 For {computername}, Quarantined, [3499], [526101],1.0.5316 PUP.Optional.AutoMechanic, C:\PROGRAMDATA\Auto~ Mechanic~2018 for {computername}, Quarantined, [3499], [526099],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\x64, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\x86, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\PROGRAM FILES\Auto~ Mechanic~2018 for {computername}, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Auto~ Mechanic~2018 for {computername}, Quarantined, [3499], [526100],1.0.5316 File: 41 PUP.Optional.AutoMechanic, C:\USERS\{username}\APPDATA\ROAMING\Auto~ Mechanic~2018 For {computername}\Errorlog.txt, Quarantined, [3499], [526101],1.0.5316 PUP.Optional.AutoMechanic, C:\Users\{username}\AppData\Roaming\Auto~ Mechanic~2018 For {computername}\exlist.bin, Quarantined, [3499], [526101],1.0.5316 PUP.Optional.AutoMechanic, C:\Users\{username}\AppData\Roaming\Auto~ Mechanic~2018 For {computername}\param.ini, Quarantined, [3499], [526101],1.0.5316 PUP.Optional.AutoMechanic, C:\Users\{username}\AppData\Roaming\Auto~ Mechanic~2018 For {computername}\res.xml, Quarantined, [3499], [526101],1.0.5316 PUP.Optional.AutoMechanic, C:\PROGRAMDATA\Auto~ Mechanic~2018 for {computername}\mdb.db, Quarantined, [3499], [526099],1.0.5316 PUP.Optional.AutoMechanic, C:\ProgramData\Auto~ Mechanic~2018 for {computername}\pcspstartrepair_en.mp3, Quarantined, [3499], [526099],1.0.5316 PUP.Optional.AutoMechanic, C:\WINDOWS\SYSTEM32\TASKS\AUTO~ MECHANIC~2018_LOGON, Quarantined, [3499], [526108],1.0.5316 PUP.Optional.AutoMechanic, C:\PROGRAM FILES\Auto~ Mechanic~2018 for {computername}\unins000.dat, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\x64\SQLite.Interop.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\x86\SQLite.Interop.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\application.ico, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\bpp.exe, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\bpp.exe.config, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\danish_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\Dutch_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\english_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\finish_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\French_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\german_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\gtcmg.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\HtmlRenderer.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\italian_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\japanese_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\langs.db, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\NAudio.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\norwegian_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\portuguese_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\russian_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\spanish_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\swedish_iss.ini, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\System.Data.SQLite.DLL, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\TAFactory.IconPack.dll, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\unins000.exe, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\Program Files\Auto~ Mechanic~2018 for {computername}\unins000.msg, Quarantined, [3499], [526098],1.0.5316 PUP.Optional.AutoMechanic, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto~ Mechanic~2018 for {computername}\Auto~ Mechanic~2018.lnk, Quarantined, [3499], [526100],1.0.5316 PUP.Optional.AutoMechanic, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto~ Mechanic~2018 for {computername}\Buy Auto~ Mechanic~2018.lnk, Quarantined, [3499], [526100],1.0.5316 PUP.Optional.AutoMechanic, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto~ Mechanic~2018 for {computername}\Uninstall Auto~ Mechanic~2018.lnk, Quarantined, [3499], [526100],1.0.5316 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\AOMSETUP.EXE, Quarantined, [408], [509472],1.0.5316 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.

What is PC Optimizer Pro?The Malwarebytes research team has determined that PC Optimizer Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with PC Optimizer Pro?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, your right-click menu, and on your desktop:and see these warnings during install:and this screen during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did PC Optimizer Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove PC Optimizer Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PC Optimizer Pro? No, Malwarebytes removes PC Optimizer Pro completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the PC Optimizer Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (Xportsoft Technologies) C:\Program Files\PC Optimizer Pro\PCOptimizerPro.exe C:\Windows\System32\Tasks\PC Optimizer Pro Updates C:\Windows\System32\Tasks\PC Optimizer Pro64 Scan C:\Windows\System32\Tasks\PC Optimizer Pro Idle C:\Windows\System32\Tasks\PC Optimizer Pro64 startups C:\Users\Public\Desktop\PC Optimizer Pro.lnk C:\Windows\Tasks\PC Optimizer Pro Updates.job C:\Windows\Tasks\PC Optimizer Pro Idle.job C:\Windows\Tasks\PC Optimizer Pro64 startups.job C:\Windows\Tasks\PC Optimizer Pro64 Scan.job C:\ProgramData\PC Optimizer Pro C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Optimizer Pro C:\Program Files\PC Optimizer Pro PC Optimizer Pro (HKLM\...\PC Optimizer Pro) (Version: 8.1.1.3 - Xportsoft Technologies) <==== ATTENTION Task: {40C0E937-E245-4E4D-AFA0-ADF8A091AB63} - System32\Tasks\PC Optimizer Pro64 Scan => C:\Program Files\PC Optimizer Pro\StartApps.exe [2018-05-14] (Xportsoft Technologies) <==== ATTENTION Task: {B74B0B8F-207E-4606-A368-EB857B144DC9} - System32\Tasks\PC Optimizer Pro Idle => C:\Program Files\PC Optimizer Pro\StartApps.exe [2018-05-14] (Xportsoft Technologies) <==== ATTENTION Task: {C5B23C4D-31C2-446E-B432-247FDD101532} - System32\Tasks\PC Optimizer Pro64 startups => C:\Program Files\PC Optimizer Pro\StartApps.exe [2018-05-14] (Xportsoft Technologies) <==== ATTENTION Task: {D564F511-6242-41BA-975D-6AD0875B8DF0} - System32\Tasks\PC Optimizer Pro Updates => C:\Program Files\PC Optimizer Pro\StartApps.exe [2018-05-14] (Xportsoft Technologies) <==== ATTENTION Task: C:\Windows\Tasks\PC Optimizer Pro Idle.job => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION Task: C:\Windows\Tasks\PC Optimizer Pro Updates.job => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION Task: C:\Windows\Tasks\PC Optimizer Pro64 Scan.job => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION Task: C:\Windows\Tasks\PC Optimizer Pro64 startups.job => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\PC Optimizer Pro Adds the file data.xml"="7/30/2012 9:57 AM, 3022 bytes, A Adds the file PCOptimizerPro.exe"="5/14/2018 11:56 AM, 15137008 bytes, A Adds the file PCOptProCtxMenu.dll"="5/14/2018 11:54 AM, 686080 bytes, A Adds the file PCOptProTrays.exe"="5/14/2018 11:56 AM, 3023600 bytes, A Adds the file StartApps.exe"="5/14/2018 11:56 AM, 433904 bytes, A Adds the file uninst.exe"="5/30/2018 10:26 AM, 87967 bytes, A Adds the file UpdatesDll.dll"="5/14/2018 11:57 AM, 1033448 bytes, A Adds the folder C:\Program Files\PC Optimizer Pro\Languages Adds the file DE.xml"="4/18/2018 9:53 AM, 48855 bytes, A Adds the file EN.xml"="4/18/2018 9:52 AM, 45684 bytes, A Adds the file ES.xml"="4/18/2018 9:53 AM, 50951 bytes, A Adds the file FR.xml"="4/18/2018 9:53 AM, 51828 bytes, A Adds the file IT.xml"="4/18/2018 9:53 AM, 49902 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Optimizer Pro Adds the file Live Support.url"="5/30/2018 10:26 AM, 87 bytes, A Adds the file PC Optimizer Pro.lnk"="5/30/2018 10:26 AM, 916 bytes, A Adds the file Uninstallation Guide.url"="5/30/2018 10:26 AM, 90 bytes, A Adds the file Visit Website.url"="5/30/2018 10:26 AM, 56 bytes, A Adds the folder C:\ProgramData\PC Optimizer Pro\LOGS Adds the file REG_LOGS_05_30_2018_10_26_41_AM.log"="5/30/2018 10:27 AM, 85118 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch Adds the file PC Optimizer Pro.lnk"="5/30/2018 10:26 AM, 942 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file PC Optimizer Pro.lnk"="5/30/2018 10:26 AM, 918 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file PC Optimizer Pro Idle"="5/30/2018 10:26 AM, 2876 bytes, A Adds the file PC Optimizer Pro Updates"="5/30/2018 10:26 AM, 3460 bytes, A Adds the file PC Optimizer Pro64 Scan"="5/30/2018 10:26 AM, 3390 bytes, A Adds the file PC Optimizer Pro64 startups"="5/30/2018 10:26 AM, 2854 bytes, A In the existing folder C:\Windows\Tasks Adds the file PC Optimizer Pro Idle.job"="5/30/2018 10:26 AM, 444 bytes, A Adds the file PC Optimizer Pro Updates.job"="5/30/2018 10:26 AM, 446 bytes, A Adds the file PC Optimizer Pro64 Scan.job"="5/30/2018 10:26 AM, 414 bytes, A Adds the file PC Optimizer Pro64 startups.job"="5/30/2018 10:26 AM, 422 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PCProCtxMenu] "(Default)"="REG_SZ", "{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}] "(Default)"="REG_SZ", "PCProCtxMenu Class" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}\InprocServer32] "(Default)"="REG_SZ", "C:\Program Files\PC Optimizer Pro\PCOptProCtxMenu.dll" "ThreadingModel"="REG_SZ", "Apartment" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}] "(Default)"="REG_SZ", "IPCProCtxMenu" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\ProxyStubClsid32] "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\TypeLib] "(Default)"="REG_SZ", "{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}" "Version"="REG_SZ", "1.0" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\PCProCtxMenu] "(Default)"="REG_SZ", "{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0] "(Default)"="REG_SZ", "PCOptProCtxMenu 1.0 Type Library" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0\0\win64] "(Default)"="REG_SZ", "C:\Program Files\PC Optimizer Pro\PCOptProCtxMenu.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0\FLAGS] "(Default)"="REG_SZ", "0" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0\HELPDIR] "(Default)"="REG_SZ", "C:\Program Files\PC Optimizer Pro" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}] "(Default)"="REG_SZ", "IPCProCtxMenu" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\ProxyStubClsid32] "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\TypeLib] "(Default)"="REG_SZ", "{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}" "Version"="REG_SZ", "1.0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PCOptimizerPro.exe] "(Default)"="REG_SZ", "C:\Program Files\PC Optimizer Pro\PCOptimizerPro.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Optimizer Pro] "DisplayIcon"="REG_SZ", "C:\Program Files\PC Optimizer Pro\PCOptimizerPro.exe" "DisplayName"="REG_SZ", "PC Optimizer Pro" "DisplayVersion"="REG_SZ", "8.1.1.3" "HelpLink"="REG_SZ", "http://www.pcoptimizerpro.com/help/index.htm" "InstallLocation"="REG_SZ", "C:\Program Files\PC Optimizer Pro" "MajorVersion"="REG_SZ", "8.1.1.3" "MinorVersion"="REG_SZ", "8.1.1.3" "Publisher"="REG_SZ", "Xportsoft Technologies" "UninstallString"="REG_SZ", "C:\Program Files\PC Optimizer Pro\uninst.exe" "URLInfoAbout"="REG_SZ", "http://www.pcoptimizerpro.com/livesupport.aspx?bit=64&tid=STD" "VersionMajor"="REG_SZ", "8.1.1.3" "VersionMinor"="REG_SZ", "8.1.1.3" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures] "PC Optimizer Pro Idle.job"="REG_BINARY, ................................ "PC Optimizer Pro Idle.job.fp"="REG_DWORD", -1207985913 "PC Optimizer Pro Updates.job"="REG_BINARY, ................................ "PC Optimizer Pro Updates.job.fp"="REG_DWORD", -138673695 "PC Optimizer Pro64 Scan.job"="REG_BINARY, ................................ "PC Optimizer Pro64 Scan.job.fp"="REG_DWORD", 259349527 "PC Optimizer Pro64 startups.job"="REG_BINARY, ................................ "PC Optimizer Pro64 startups.job.fp"="REG_DWORD", -1460999399 [HKEY_LOCAL_MACHINE\SOFTWARE\PC Optimizer Pro] "???"="REG_SZ", "1" "Application Paths"="REG_SZ", "1" "bclck"="REG_SZ", "-1" "BrowCnt"="REG_SZ", "230" "C???"="REG_SZ", "0" "CApplication Paths"="REG_SZ", "0" "Cchcache"="REG_SZ", "0" "Cchcookies"="REG_SZ", "0" "CCOM/ActiveX"="REG_SZ", "0" "CCustom Controls"="REG_SZ", "0" "CDeep Scan"="REG_SZ", "0" "Cdochis"="REG_SZ", "0" "Cdskerrlgfls"="REG_SZ", "0" "Cdwntmpfldr"="REG_SZ", "0" "Cffcache"="REG_SZ", "0" "Cffcookies"="REG_SZ", "0" "CFile Associations"="REG_SZ", "0" "CFile Extensions"="REG_SZ", "0" "Cflesrchhis"="REG_SZ", "0" "chcache"="REG_SZ", "1" "chcookies"="REG_SZ", "1" "CHelp && Resources"="REG_SZ", "0" "Cieautocomple"="REG_SZ", "0" "Ciecache"="REG_SZ", "0" "Ciecookies"="REG_SZ", "0" "Clgfls"="REG_SZ", "0" "Cnscache"="REG_SZ", "0" "Cnscookies"="REG_SZ", "0" "COM/ActiveX"="REG_SZ", "1" "Copcache"="REG_SZ", "0" "Copcookies"="REG_SZ", "0" "Cpgfls"="REG_SZ", "0" "Cprgshcts"="REG_SZ", "0" "Creclbn"="REG_SZ", "0" "CRnCmdHis"="REG_SZ", "0" "CShared Dlls"="REG_SZ", "0" "Cstmnckhis"="REG_SZ", "0" "Cstmnorhis"="REG_SZ", "0" "Ctmpfldr"="REG_SZ", "0" "Ctmpwndupfldr"="REG_SZ", "0" "CUninstall Entries"="REG_SZ", "0" "Custom Controls"="REG_SZ", "1" "CWindows Fonts"="REG_SZ", "0" "CwndTmpfls"="REG_SZ", "0" "Deep Scan"="REG_SZ", "1" "dochis"="REG_SZ", "1" "dskerrlgfls"="REG_SZ", "1" "dwntmpfldr"="REG_SZ", "1" "F???"="REG_SZ", "0" "FApplication Paths"="REG_SZ", "0" "Fchcache"="REG_SZ", "0" "Fchcookies"="REG_SZ", "0" "FCOM/ActiveX"="REG_SZ", "0" "FCustom Controls"="REG_SZ", "0" "FDeep Scan"="REG_SZ", "0" "Fdochis"="REG_SZ", "0" "Fdskerrlgfls"="REG_SZ", "0" "Fdwntmpfldr"="REG_SZ", "0" "ffcache"="REG_SZ", "1" "ffcookies"="REG_SZ", "1" "Fffcache"="REG_SZ", "0" "Fffcookies"="REG_SZ", "0" "FFile Associations"="REG_SZ", "0" "FFile Extensions"="REG_SZ", "0" "Fflesrchhis"="REG_SZ", "0" "FHelp && Resources"="REG_SZ", "0" "Fieautocomple"="REG_SZ", "0" "Fiecache"="REG_SZ", "0" "Fiecookies"="REG_SZ", "0" "File Associations"="REG_SZ", "1" "File Extensions"="REG_SZ", "1" "FixBrowCnt"="REG_SZ", "0" "FixInvCnt"="REG_SZ", "0" "FixJnkCnt"="REG_SZ", "0" "flesrchhis"="REG_SZ", "1" "Flgfls"="REG_SZ", "0" "Fnscache"="REG_SZ", "0" "Fnscookies"="REG_SZ", "0" "Fopcache"="REG_SZ", "0" "Fopcookies"="REG_SZ", "0" "Fpgfls"="REG_SZ", "0" "Fprgshcts"="REG_SZ", "0" "Freclbn"="REG_SZ", "0" "FRnCmdHis"="REG_SZ", "0" "FShared Dlls"="REG_SZ", "0" "Fstmnckhis"="REG_SZ", "0" "Fstmnorhis"="REG_SZ", "0" "Ftmpfldr"="REG_SZ", "0" "Ftmpwndupfldr"="REG_SZ", "0" "FUninstall Entries"="REG_SZ", "0" "FWindows Fonts"="REG_SZ", "0" "FwndTmpfls"="REG_SZ", "0" "Help && Resources"="REG_SZ", "1" "ieautocomple"="REG_SZ", "1" "iecache"="REG_SZ", "1" "iecookies"="REG_SZ", "1" "InvCnt"="REG_SZ", "25" "isthere"="REG_SZ", "1" "JnkCnt"="REG_SZ", "493" "lastScan"="REG_SZ", "30-05-2018 10:26:46" "lgfls"="REG_SZ", "1" "mnrptint"="REG_SZ", "230" "mnrptjnk"="REG_SZ", "493" "mnrptreg"="REG_SZ", "25" "nscache"="REG_SZ", "1" "nscookies"="REG_SZ", "1" "opcache"="REG_SZ", "1" "opcookies"="REG_SZ", "1" "pgfls"="REG_SZ", "1" "prgshcts"="REG_SZ", "1" "reclbn"="REG_SZ", "1" "RnCmdHis"="REG_SZ", "1" "Scanned"="REG_SZ", "206124" "Shared Dlls"="REG_SZ", "1" "startonrun"="REG_SZ", "0" "stateBrowCnt"="REG_SZ", "11" "stateInvCnt"="REG_SZ", "11" "stateJnkCnt"="REG_SZ", "14" "status"="REG_SZ", "1" "stmnckhis"="REG_SZ", "0" "stmnorhis"="REG_SZ", "1" "TErrors"="REG_SZ", "748" "TFixed"="REG_SZ", "0" "TFSpace"="REG_SZ", "384.67 MB" "tmpfldr"="REG_SZ", "1" "tmpwndupfldr"="REG_SZ", "1" "TTFixed"="REG_SZ", "0" "Uninstall Entries"="REG_SZ", "1" "Windows Fonts"="REG_SZ", "1" "wndTmpfls"="REG_SZ", "1" [HKEY_CURRENT_USER\Software\PC Optimizer Pro] "isains"="REG_SZ", "1" "isent"="REG_SZ", "1" "Lang"="REG_SZ", "EN" "lcerr"="REG_SZ", "" "LNID"="REG_SZ", "0" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/30/18 Scan Time: 10:34 AM Log File: 54d13cad-63e4-11e8-bf52-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5302 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 240721 Threats Detected: 61 Threats Quarantined: 61 Time Elapsed: 2 min, 42 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCOptimizerPro, C:\PROGRAM FILES\PC OPTIMIZER PRO\PCOPTIMIZERPRO.EXE, Quarantined, [1261], [392397],1.0.5302 Module: 2 PUP.Optional.PCOptimizerPro, C:\PROGRAM FILES\PC OPTIMIZER PRO\PCOPTPROCTXMENU.DLL, Quarantined, [1261], [333184],1.0.5302 PUP.Optional.PCOptimizerPro, C:\PROGRAM FILES\PC OPTIMIZER PRO\PCOPTIMIZERPRO.EXE, Quarantined, [1261], [392397],1.0.5302 Registry Key: 23 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Optimizer Pro64 Scan, Quarantined, [1261], [325246],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{40C0E937-E245-4E4D-AFA0-ADF8A091AB63}, Quarantined, [1261], [325246],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{40C0E937-E245-4E4D-AFA0-ADF8A091AB63}, Quarantined, [1261], [325246],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Optimizer Pro64 startups, Quarantined, [1261], [325246],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C5B23C4D-31C2-446E-B432-247FDD101532}, Quarantined, [1261], [325246],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{C5B23C4D-31C2-446E-B432-247FDD101532}, Quarantined, [1261], [325246],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Optimizer Pro Idle, Quarantined, [1261], [260291],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B74B0B8F-207E-4606-A368-EB857B144DC9}, Quarantined, [1261], [260291],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{B74B0B8F-207E-4606-A368-EB857B144DC9}, Quarantined, [1261], [260291],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Optimizer Pro Updates, Quarantined, [1261], [260291],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{D564F511-6242-41BA-975D-6AD0875B8DF0}, Quarantined, [1261], [260291],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{D564F511-6242-41BA-975D-6AD0875B8DF0}, Quarantined, [1261], [260291],1.0.5302 PUP.Optional.PCOptimizerPro, HKCU\SOFTWARE\PC OPTIMIZER PRO, Quarantined, [1261], [260294],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PC OPTIMIZER PRO, Quarantined, [1261], [260298],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\PC Optimizer Pro, Quarantined, [1261], [333185],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\CLASSES\INTERFACE\{12AB121E-44C6-488B-8773-B0AE25E662E1}, Quarantined, [1261], [333184],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{12AB121E-44C6-488B-8773-B0AE25E662E1}, Quarantined, [1261], [333184],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{12AB121E-44C6-488B-8773-B0AE25E662E1}, Quarantined, [1261], [333184],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\CLASSES\TYPELIB\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}, Quarantined, [1261], [333184],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}, Quarantined, [1261], [333184],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\CLASSES\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}, Quarantined, [1261], [333184],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\CLASSES\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}\InprocServer32, Quarantined, [1261], [333184],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}, Quarantined, [1261], [333184],1.0.5302 Registry Value: 12 PUP.Optional.PCOptimizerPro, HKCU\SOFTWARE\PC OPTIMIZER PRO|ISAINS, Quarantined, [1261], [260294],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES|PC OPTIMIZER PRO64 STARTUPS.JOB, Quarantined, [1261], [411376],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES|PC OPTIMIZER PRO64 STARTUPS.JOB.FP, Quarantined, [1261], [411376],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES|PC OPTIMIZER PRO UPDATES.JOB, Quarantined, [1261], [411376],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES|PC OPTIMIZER PRO UPDATES.JOB.FP, Quarantined, [1261], [411376],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES|PC OPTIMIZER PRO IDLE.JOB, Quarantined, [1261], [411376],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES|PC OPTIMIZER PRO IDLE.JOB.FP, Quarantined, [1261], [411376],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES|PC OPTIMIZER PRO64 SCAN.JOB, Quarantined, [1261], [411376],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES|PC OPTIMIZER PRO64 SCAN.JOB.FP, Quarantined, [1261], [411376],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PC OPTIMIZER PRO|PUBLISHER, Quarantined, [1261], [260298],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{40C0E937-E245-4E4D-AFA0-ADF8A091AB63}|PATH, Quarantined, [1261], [325241],1.0.5302 PUP.Optional.PCOptimizerPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C5B23C4D-31C2-446E-B432-247FDD101532}|PATH, Quarantined, [1261], [325241],1.0.5302 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.PCOptimizerPro, C:\ProgramData\PC Optimizer Pro\LOGS, Quarantined, [1261], [182300],1.0.5302 PUP.Optional.PCOptimizerPro, C:\PROGRAMDATA\PC OPTIMIZER PRO, Quarantined, [1261], [182300],1.0.5302 PUP.Optional.PCOptimizerPro, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PC OPTIMIZER PRO, Quarantined, [1261], [182301],1.0.5302 File: 20 PUP.Optional.PCOptimizerPro, C:\USERS\PUBLIC\DESKTOP\PC OPTIMIZER PRO.LNK, Quarantined, [1261], [260289],1.0.5302 PUP.Optional.PCOptimizerPro, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\PC OPTIMIZER PRO.LNK, Quarantined, [1261], [260312],1.0.5302 PUP.Optional.PCOptimizerPro, C:\WINDOWS\SYSTEM32\TASKS\PC Optimizer Pro64 Scan, Quarantined, [1261], [325246],1.0.5302 PUP.Optional.PCOptimizerPro, C:\WINDOWS\SYSTEM32\TASKS\PC Optimizer Pro64 startups, Quarantined, [1261], [325246],1.0.5302 PUP.Optional.PCOptimizerPro, C:\WINDOWS\SYSTEM32\TASKS\PC Optimizer Pro Idle, Quarantined, [1261], [260291],1.0.5302 PUP.Optional.PCOptimizerPro, C:\WINDOWS\SYSTEM32\TASKS\PC Optimizer Pro Updates, Quarantined, [1261], [260291],1.0.5302 PUP.Optional.PCOptimizerPro, C:\WINDOWS\TASKS\PC Optimizer Pro64 Scan.job, Quarantined, [1261], [325247],1.0.5302 PUP.Optional.PCOptimizerPro, C:\WINDOWS\TASKS\PC Optimizer Pro64 startups.job, Quarantined, [1261], [325247],1.0.5302 PUP.Optional.PCOptimizerPro, C:\WINDOWS\TASKS\PC Optimizer Pro Idle.job, Quarantined, [1261], [260292],1.0.5302 PUP.Optional.PCOptimizerPro, C:\WINDOWS\TASKS\PC Optimizer Pro Updates.job, Quarantined, [1261], [260292],1.0.5302 PUP.Optional.PCOptimizerPro, C:\ProgramData\PC Optimizer Pro\LOGS\REG_LOGS_05_30_2018_10_26_41_AM.log, Quarantined, [1261], [182300],1.0.5302 PUP.Optional.PCOptimizerPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Optimizer Pro\Live Support.url, Quarantined, [1261], [182301],1.0.5302 PUP.Optional.PCOptimizerPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Optimizer Pro\PC Optimizer Pro.lnk, Quarantined, [1261], [182301],1.0.5302 PUP.Optional.PCOptimizerPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Optimizer Pro\Uninstallation Guide.url, Quarantined, [1261], [182301],1.0.5302 PUP.Optional.PCOptimizerPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Optimizer Pro\Visit Website.url, Quarantined, [1261], [182301],1.0.5302 PUP.Optional.PCOptimizerPro, C:\PROGRAM FILES\PC OPTIMIZER PRO\PCOPTPROCTXMENU.DLL, Quarantined, [1261], [333184],1.0.5302 PUP.Optional.PCOptimizerPro, C:\PROGRAM FILES\PC OPTIMIZER PRO\PCOPTIMIZERPRO.EXE, Quarantined, [1261], [392397],1.0.5302 PUP.Optional.PCOptimizerPro, C:\USERS\{username}\DESKTOP\PCOPTIMIZERPROINSTALLER.EXE, Quarantined, [1261], [392397],1.0.5302 PUP.Optional.PCOptimizerPro, C:\PROGRAM FILES\PC OPTIMIZER PRO\PCOPTPROTRAYS.EXE, Quarantined, [1261], [115333],1.0.5302 PUP.Optional.PCOptimizerPro, C:\PROGRAM FILES\PC OPTIMIZER PRO\UNINST.EXE, Quarantined, [1261], [392397],1.0.5302 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.